Preamble
With this privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").
The terms used are not gender-specific.
Last updated: April 6, 2025
Table of Contents
• Preamble
• Data Controller
• Overview of Processing Activities
• Relevant Legal Bases
• Security Measures
• Transfer of Personal Data
• International Data Transfers
• Business Services
• Business Processes and Procedures
• Payment Methods
• Provision of the Online Service and Web Hosting
• Use of Cookies
• Registration, Login, and User Account
• Contact and Inquiry Management
• Newsletters and Electronic Notifications
• Web Analytics, Monitoring, and Optimization
• Social Media Presence
Data Controller
Bettina Steffan
Furadouro CX 281P
8375-039 Messines
Portugal
Email Address:
Legal Notice: https://www.aroma-algarve.com/about-us
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the persons concerned.
Types of Data Processed
• Inventory data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Metadata, communication data, and procedural data
• Log data
Categories of Data Subjects
• Service recipients and clients
• Employees
• Prospective clients
• Communication partners
• Users
• Business and contractual partners
• Third parties
• Customers
Purposes of Processing
• Provision of contractual services and fulfillment of contractual obligations
• Communication
• Security measures
• Direct marketing
• Audience measurement
• Office and organizational procedures
• Organizational and administrative procedures
• Feedback
• Marketing
• Profiles with user-related information
• Provision of our online services and user-friendliness
• Information technology infrastructure
• Financial and payment management
• Public relations
• Sales promotion
• Business processes and operational procedures.
Relevant Legal Bases
Relevant legal bases according to the GDPR: Below, you will find an overview of the GDPR legal bases on which we process personal data. Please note that in addition to the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.
• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.
Security Measures
In accordance with legal requirements, and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, and ensuring the availability and separation of the data. Furthermore, we have established procedures that guarantee the exercise of data subject rights, the erasure of data, and responses to data breaches. We also consider the protection of personal data during the development and selection of hardware, software, and processes, in accordance with the principles of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thus protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards.
When a website is secured with an SSL/TLS certificate, this is indicated by HTTPS in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.
Transfer of Personal Data
As part of our processing of personal data, it may be necessary to transfer or disclose this data to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
International Data Transfers
Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in connection with the use of third-party services or the disclosure or transfer of data to other persons, entities, or companies (which is identifiable by the postal address of the respective provider or if the privacy policy explicitly refers to the data transfer to third countries), this is always done in accordance with legal requirements.
For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an adequacy decision of the EU Commission dated July 10, 2023. In addition, we have concluded standard contractual clauses with the respective providers, which comply with the requirements of the EU Commission and establish contractual obligations for the protection of your data.
This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary layer of protection, while the standard contractual clauses serve as an additional safeguard. Should any changes occur under the Data Privacy Framework (DPF), the Standard Contractual Clauses serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.
For each service provider, we will inform you whether they are DPF-certified and whether Standard Contractual Clauses are in place. Further information about the DPF and a list of certified companies can be found on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov.
For data transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the European Commission's information resource: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=en.
Business Services
We process data from our contractual and business partners, e.g., customers and prospective customers (collectively referred to as "contractual partners"), within the framework of contractual and similar legal relationships and related measures, and with regard to communication with contractual partners (or in the pre-contractual phase), such as responding to inquiries.
We use this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations, and remedying warranty claims and other service disruptions. Furthermore, we use the data to protect our rights and for the administrative tasks associated with these obligations, as well as for the company organization. We also process the data based on our legitimate interests in both proper and sound business management and security measures to protect our contractual partners and our business operations from misuse, compromise of their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other support services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). In accordance with applicable law, we only disclose the data of our contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further forms of processing, such as for marketing purposes, within the framework of this privacy policy.
We inform our contractual partners which data is required for the aforementioned purposes before or during data collection, e.g., in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks, etc.), or personally.
We delete the data after the expiry of statutory warranty periods and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons (e.g., for tax purposes, generally for ten years). We delete data disclosed to us by the contractual partner within the scope of an order in accordance with the specifications and generally after the end of the order.
• Types of data processed: Inventory data (e.g., full name, home address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or telephone numbers); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures. Business processes and management procedures.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
• Online shop, order forms, e-commerce, and delivery: We process our customers' data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as to facilitate payment and delivery or fulfillment. If necessary for the execution of an order, we use service providers, in particular postal, freight forwarding, and shipping companies, to carry out delivery or fulfillment for our customers. We use the services of banks and payment service providers to process payments. The required information is marked as such during the ordering or similar purchase process and includes the information needed for delivery, provision, and invoicing, as well as contact information to allow for any necessary follow-up. Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Business Processes and Procedures
Personal data of service recipients and clients – including customers, clients, or in specific cases, customers, patients, or business partners, as well as other third parties – are processed within the framework of contractual and similar legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.
The collected data serves to fulfill contractual obligations and to design efficient business processes. This includes processing business transactions, managing customer relationships, optimizing sales strategies, and ensuring internal accounting and financial processes. Additionally, the data supports the protection of the data controller's rights and facilitates administrative tasks and the organization of the company.
Personal data may be disclosed to third parties if this is necessary to fulfill the aforementioned purposes or legal obligations.
• Types of data processed: Master data (e.g., full name, home address, contact information, customer number), payment data (e.g., bank details, invoices, payment history), contact data (e.g., postal and email addresses), content data (e.g., textual or image messages and posts, as well as related information such as authorship details), contract data (e.g., subject matter of the contract, term, customer category), usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types used, operating systems, interactions). Metadata, communication and process data (e.g., IP addresses, timestamps). Log data (e.g., log files concerning logins or data retrieval).
• Data subjects: Service recipients and clients; prospective clients; communication partners; business and contractual partners; customers; users (e.g., website visitors). Employees (e.g., staff, applicants, temporary workers, and other persons).
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and management procedures; security measures; provision of our online services and user-friendliness; communication; marketing; sales promotion; public relations; financial and payment management. Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers)).
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR).
Further information on processing procedures, methods, and services:
• Contact management and maintenance: Procedures necessary for organizing, maintaining, and securing contact information (e.g., setting up and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, and training employees in effective data protection). Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Customer account: Customers can create an account within our online service (e.g., customer or user account, hereinafter referred to as "customer account"). If registration of a customer account is required, customers will be informed of this, as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process, as well as subsequent logins and use of the customer account, we store customers' IP addresses and access times to verify registration and prevent potential misuse of the customer account. If the customer account is terminated, the account data will be deleted after the termination date, unless it is retained for purposes other than providing the account or must be retained for legal reasons (e.g., internal storage of customer data, order processes, or invoices). It is the customer's responsibility to back up their data upon termination of their account. Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• General payment processing: Procedures necessary for processing payments, monitoring bank accounts, and controlling payment flows (e.g., creating and verifying transfers, processing direct debits, checking bank statements, monitoring incoming payments). Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Accounting, accounts payable, accounts receivable: Processes necessary for recording, processing, and controlling business transactions in the area of accounts payable and accounts receivable (e.g., creating and verifying incoming and outgoing invoices, monitoring and managing open items, processing payments, handling dunning procedures, and account reconciliation). Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Financial accounting and taxes: Processes necessary for recording, managing, and controlling financially relevant business transactions, as well as for calculating, reporting, and paying taxes (e.g., posting and recording business transactions, preparing quarterly and annual financial statements, processing payments, handling dunning procedures, and reconciling accounts). Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Marketing, advertising, and sales promotion: Processes necessary for marketing, advertising, and sales promotion (e.g., market analysis and target group definition, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs). Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Economic analyses and market research: To fulfill business purposes and to identify market trends and the needs of contractual partners and users, the available data relating to business transactions, contracts, inquiries, etc., are analyzed. The group of data subjects may include contractual partners, prospective customers, customers, visitors, and users of the controller's online services. The analyses are carried out for business evaluations, marketing, and market research (e.g., to identify customer groups with different characteristics). Where available, profiles of registered users, including their information on services used, are taken into account. The analyses are solely for the use of the data controller and will not be disclosed externally, unless they are anonymous analyses with aggregated, i.e., anonymized, data. Furthermore, user privacy is respected; data is pseudonymized for analysis purposes wherever possible and, where feasible, processed anonymously (e.g., as aggregated data). Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Public relations: Procedures necessary within the scope of public relations (e.g., development and implementation of communication strategies, planning and execution of PR campaigns, creation and distribution of press releases, maintenance of media contacts, monitoring and analysis of media response, organization of press conferences and public events, crisis communication). Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Payment Methods
Within the framework of contractual and other legal relationships, due to legal obligations, or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, in addition to banks and credit institutions, use other service providers for this purpose (collectively, "Payment Service Providers").
The data processed by the Payment Service Providers includes master data, such as name and address, bank details, such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, amount, and recipient-related information. This information is required to process the transactions. However, the entered data is processed and stored only by the Payment Service Providers. This means that we do not receive any account or credit card-related information, but only confirmation or rejection of the payment. The Payment Service Providers may transmit the data to credit reference agencies. This transmission is for the purpose of identity and creditworthiness verification. Please refer to the terms and conditions and privacy policies of the Payment Service Providers for further information.
For payment transactions, the terms and conditions and privacy policies of the respective payment service providers apply, which can be accessed on their respective websites or transaction applications. We also refer you to these for further information and to exercise your rights of withdrawal, access, and other data subject rights.
• Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., page views and duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Service recipients and clients; business and contractual partners; prospective customers.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Business processes and operational procedures.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
• PayPal: Payment services (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com. Complete Privacy Policy Paypal
• Stripe: Payment services (technical integration of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/en-pt/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Provision of the Online Service and Web Hosting
We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
• Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); log data (e.g., log files concerning logins or data retrieval or access times); content data (e.g., textual or image messages and posts, as well as information relating to them, such as authorship or time of creation).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures. Provision of contractual services and fulfillment of contractual obligations.
• Storage and deletion: Deletion in accordance with the information in the section "General information on data storage and deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, processes, and services:
• Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing capacity, and software that we rent from a corresponding server provider (also called "web host") or otherwise obtain; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online services is logged in the form of so-called "server log files". Server log files may contain the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, typically, IP addresses and the requesting provider. Server log files can be used for security purposes, such as preventing server overload (especially in the case of malicious attacks, so-called DDoS attacks), and to ensure server capacity and stability. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
• Email sending and hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of the recipients and senders, as well as other information relating to email transmission (e.g., the providers involved) and the content of the respective emails, are processed. The aforementioned data may also be processed for spam detection purposes. Please note that emails are generally not sent end-to-end encrypted over the internet. While emails are usually encrypted in transit, they are not encrypted on the servers from which they are sent and received (unless end-to-end encryption is used). We therefore cannot assume any responsibility for the transmission path of emails between the sender and their receipt on our server; legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
• 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy. Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.
Use of Cookies
The term "cookies" refers to functions that store information on and read information from users' devices. Cookies can also be used for various purposes, such as ensuring the functionality, security, and user-friendliness of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. Where necessary, we obtain users' consent beforehand. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is essential to providing explicitly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We provide clear information about the scope of consent and which cookies are used.
Information on the legal basis for data protection: Whether we process personal data using cookies depends on consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.
Storage duration: The following types of cookies are distinguished with regard to their storage duration:
• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application).
• Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, login status can be saved and preferred content can be displayed directly when the user revisits a website. User data collected using cookies can also be used for audience measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), they should assume that these cookies are persistent and can be stored for up to two years.
General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to processing in accordance with legal requirements, including via their browser's privacy settings.
• Types of data processed: Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
• Data subjects: Users (e.g., website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing procedures, methods, and services:
• Processing of cookie data based on consent: We use a consent management solution to obtain users' consent for the use of cookies or for the methods and providers mentioned within the consent management solution. This process serves to obtain, log, manage, and revoke consent, particularly regarding the use of cookies and similar technologies that are used to store, read, and process information on users' end devices. As part of this process, user consent for the use of cookies and the associated processing of information, including the specific processing activities and providers mentioned in the consent management procedure, is obtained. Users also have the option to manage and withdraw their consent. The declarations of consent are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using comparable technologies, in order to be able to assign the consent to a specific user, their preferences, or their device. Unless specific information about the providers of consent management services is available, the following general information applies: The consent is stored for up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g., categories of cookies and/or service providers concerned), and information about the browser, system, and device used; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Registration, Login, and User Account
Users can create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on contractual obligations. The processed data includes, in particular, login information (username, password, and email address).
When using our registration and login functions, as well as the user account, we store the IP address and the time of the respective user action. The data is stored based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use. This data is generally not shared with third parties unless it is necessary for pursuing our claims or there is a legal obligation to do so.
Users may be informed by email about events relevant to their user account, such as technical changes.
• Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or image messages and posts, as well as information relating to them, such as authorship or time of creation); Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Log data (e.g., log files concerning logins, data retrieval, or access times).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online services and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Deletion after termination.
• Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, processes, and services:
• Deletion of data after termination: If users have terminated their user account, their data relating to the user account will be deleted, subject to any legal requirements. Data is deleted without the user's permission, obligation, or consent; legal basis: performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
• No obligation to retain data: Users are responsible for backing up their data before the end of the contract if they terminate the contract. We are entitled to irretrievably delete all user data stored during the contract period; legal basis: performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Contact and Inquiry Management
When you contact us (e.g., by mail, contact form, email, telephone, or via social media), as well as within the framework of existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to the contact requests and any requested actions.
• Types of data processed: Master data (e.g., full name, residential address, contact information, customer number, etc.); Contact details (e.g., postal and email addresses or telephone numbers); content data (e.g., textual or image messages and posts, as well as related information such as authorship or date of creation); usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, and individuals involved).
• Data subjects: Communication partners.
• Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form). Provision of our online services and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing procedures, processes, and services:
• Contact form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data you provide to answer and process your request. This generally includes information such as your name, contact details, and any other information you provide that is necessary for proper processing. We use this data exclusively for the stated purpose of contacting you and communicating with you; legal bases: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Newsletters and Electronic Notifications
We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the recipient's consent or based on a legal basis. If the newsletter's content is mentioned during the registration process, this content is decisive for the user's consent. Normally, providing your email address is sufficient to subscribe to our newsletter. However, to offer you a personalized service, we may ask for your name for a personal greeting in the newsletter or for further information if necessary for the newsletter's purpose.
Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove previously given consent. The processing of this data is limited to the purpose of defending against potential claims. An individual deletion request is possible at any time, provided that the prior existence of consent is confirmed. In cases where we are legally obligated to permanently respect objections, we reserve the right to store the email address solely for this purpose in a blocklist.
The registration process is logged based on our legitimate interests for the purpose of documenting its proper execution. Where we engage a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure email delivery system.
Content:
Information about us, our services, promotions, and offers.
• Types of data processed: Master data (e.g., full name, home address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or telephone numbers); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved). Usage data (e.g., page views and time spent on the page, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
• Data subjects: Communication partners.
• Purposes of processing: Direct marketing (e.g., by email or post).
• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
• Right to object (opt-out): You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to receiving further newsletters. You will find a link to unsubscribe at the end of each newsletter, or you can use one of the contact options listed above, preferably email.
Web Analytics, Monitoring, and Optimization
Web analytics (also known as "reach measurement") is used to evaluate visitor traffic to our online services and can include pseudonymous data on visitor behavior, interests, or demographic information such as age or gender. Reach analysis allows us, for example, to identify when our online services, their features, or content are most frequently used and encourage repeat visits. It also enables us to understand which areas require optimization. In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online services or their components.
Unless otherwise stated below, profiles—that is, data aggregated from a user session—may be created for these purposes, and information may be stored and then retrieved from a browser or device. The data collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the operating system, and usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.
In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is stored within the scope of web analytics, A/B testing, and optimization; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.
Legal basis: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
• Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Audience measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles). Provision of our online services and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion." Cookies are stored for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, methods, and services:
• Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user identification number. This identification number does not contain any unique data, such as names or email addresses. It serves to assign analytical information to a device in order to recognize which content users have accessed within one or more usage sessions, which search terms they have used, whether they have revisited the content, or how they have interacted with our online services. The time and duration of use are also recorded, as well as the sources of users who refer to our online services and technical aspects of their devices and browsers.
Pseudonymous user profiles are created using information from the use of various devices, and cookies may be used for this purpose. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographic location data by deriving the following metadata from IP addresses: city (and the city's derived latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this derivation of geolocation data before being immediately deleted. It is not logged, is not accessible, and is not used for any other purpose. When Google Analytics collects measurement data, all IP queries are made on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymization of the IP address); Privacy policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Legal basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad settings: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
Social Media Presence
We maintain online presences within social networks and process user data in this context to communicate with users active there or to provide information about ourselves. Please note that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce their rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on usage patterns and the resulting user interests. These profiles may then be used to display advertisements within and outside the networks that are presumably tailored to the users' interests. Therefore, cookies are typically stored on users' computers to record their usage patterns and interests. Additionally, user profiles may also store data independently of the devices used by the users (especially if they are members of the respective platforms and logged in).
For a detailed description of the respective processing methods and the options to object (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be most effectively addressed directly with the providers. Only the latter have access to the user data and can take appropriate measures and provide information directly. Should you still require assistance, you can contact us.
• Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or image messages and posts, as well as information relating to them, such as authorship or time of creation). Usage data (e.g., page views and time spent on the site, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Communication; feedback (e.g., collecting feedback via online form). Public relations.
• Retention and deletion: Deletion in accordance with the information in the section "General Information on Data Storage and Deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures, and services:
• Instagram: Social network that enables sharing photos and videos, commenting on and liking posts, sending messages, and subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
• Facebook Pages: Profiles within the Facebook social network - We, together with Meta Platforms Ireland Limited, are responsible for collecting (but not further processing) data from visitors to our Facebook Page (so-called "Fan Page"). This data includes information about the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As described in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Page Insights," to page administrators, enabling them to gain insights into how people interact with their pages and the content associated with them. We have entered into a specific agreement with Facebook ("Information on Page Insights," https://www.facebook.com/legal/terms/page_controller_addendum) which, in particular, regulates the security measures Facebook must observe and in which Facebook has agreed to comply with data subject rights (i.e., users can, for example, request information or deletion of their data). (Please contact Facebook directly.) The rights of users (in particular the rights to information, erasure, and objection, and the right to lodge a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU.
Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular the transfer of data to its parent company, Meta Platforms, Inc., in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/. Legal basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
• Pinterest: Social network enabling users to share photos, comment on, like, and curate posts, send messages, and subscribe to profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.pinterest.com. Privacy policy: https://policy.pinterest.com/de/privacy-policy.
Created with the free data privacy generator Datenschutz-Generator.de by Dr. Thomas Schwenke