Privacy Policy


Last updated: July 2024

Sunhat GmbH (hereinafter "we", "us", "our") is pleased that you are visiting our Website https://www.getsunhat.com/de (hereinafter "Website"). Data protection and data security when using our Website are very important to us. We would therefore like to take this opportunity to inform you about the personal data we collect from you when you visit our Website and the purposes for which it is used.

Our guiding principle is to collect only what we need and to process this information solely to provide you with the service you signed up for or requested.

§1 Responsible / Controller

The controller within the meaning of the General Data Protection Regulation (hereinafter "GDPR") for the data processing of personal data on our Website is

Sunhat GmbH
Escher Str. 25A
50773 Cologne
Germany

You can contact our data protection team at our postal address and via E-Mail at 

privacy@sunhat.app

§2 Data Protection Officer

Our appointed data protection officer is:

Kertos GmbH
Dr. Kilian Schmidt
Nymphenburger Str. 86
80636 München
Deutschland

E-Mail: dsb@kertos.io

§3 What is personal data?

Personal data is any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, telephone number, date of birth, email address or IP address. Information for which we cannot (or can only with disproportionate effort) establish a link to your person, e.g. by anonymising the information, is not personal data. The processing of personal data (e.g. the collection, retrieval, use, storage or transmission) always requires a legal basis such as your consent.

§4 Data processing on our Website

1) Provision and use of the Website

a) Scope and purpose of data processing

We collect and use our users' personal data only insofar as this is technically necessary to provide a functional Website and our content and services or information.

When you access and use our Website, we collect the personal data that your browser automatically transmits to our server. This information is temporarily stored in a so-called log file.

The following information is collected without any action on your part and stored until it is automatically deleted:

  • IP address of the requesting computer,
  • Date and time of access,
  • Name and URL of the retrieved file,
  • Website from which the access is made (referrer URL),
  • the browser used and, if applicable, the operating system of your computer and the name of your access provider.

We process the aforementioned data for the following purposes:

  • Ensuring a smooth connection to the Website
  • Ensuring the convenient use of our Website
  • For IT-Security purposes

b) Legal basis

Art. 6 para. 1 lit. f GDPR serves as the legal basis. The processing of the aforementioned data is necessary for the provision of a Website and to enable secure and convenient use and thus serves to safeguard a legitimate interest of our company.

c) Storage period and data erasure

As soon as the aforementioned data is no longer required to display the Website, it is deleted (at the latest within 30 days). The collection of data for the provision of the Website and the storage of data in log files is absolutely necessary for the operation of the Website. Consequently, the user has no option to object. Further storage will take place in individual cases if this is required by law.

d) Third Parties

For the hosting of the Website we use an external service provider, Webflow, Inc. Your personal data will be passed on to Webflow in order to provide the services. Webflow’s servers are based in the United States, therefore it is possible that the personal data collected is transferred to the United States. Webflow is certified according to the EU-U.S. Privacy Framework, which is why such transfers are based on the legal basis according to Article 45 GDPR. For more information, please refer to Webflow’s Privacy Policy (https://webflow.com/legal/eu-privacy-policy) or ask us about the DPA that has been concluded.

For the provision of the Website we use Google Fonts. The purpose of using Google Fonts is to ensure a uniform and visually appealing presentation of our Website. Your personal data will be passed on to Google in order to provide the font services. Google’s servers are based in the United States, therefore it is possible that the personal data collected is transferred to the United States. Google is certified according to the EU-U.S. Privacy Framework, which is why such transfers are based on the legal basis according to Article 45 GDPR. For more information, please refer to Google’s Privacy Policy (https://policies.google.com/privacy) or ask us about the DPA that has been concluded.

2) Contact by E-Mail

a) Scope and purpose of data processing

On our Website, we offer you the opportunity to contact us by E-Mail. When you contact us, the personal data you provide such as title, name, content of the e-mail and your e-mail address, will be processed.

This data is processed by us for the purpose of enabling us to process your enquiry properly. If you contact us by e-mail, your personal data will not be passed on to third parties.

b) Legal basis

The data processing described above for the purpose of establishing contact is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in being able to process your enquiry. If your enquiry serves to prepare the conclusion of a contract, Art. 6 para. 1 lit. b GDPR is an additional legal basis.

c) Storage period and data erasure

As soon as your enquiry has been dealt with and the matter in question has been conclusively clarified, your personal data processed via the contact form will be deleted. Further storage may take place in individual cases if this is required by law or is necessary for the fulfilment of the contract.

3) Contact form

a) Scope and purpose of data processing

On our website, we offer you the opportunity to get in touch with us via a contact form, e.g. regarding a consultation.

If you contact us via this form, the following personal data will be processed:

  • Name
  • Surname
  • E-Mail address
  • Name of the company

This data is processed by us for the purpose of enabling us to process your enquiry properly. When using the contact form, your personal data will not be passed on to third parties.

b) Legal basis

The data processing described above for the purpose of establishing contact is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interests in being able to process your enquiry. If your enquiry serves to prepare the conclusion of a contract, Art. 6 para. 1 lit. b GDPR is an additional legal basis.

c) Storage period and data erasure

As soon as your enquiry has been dealt with and the matter in question has been finally clarified, your personal data processed via the contact form will be deleted. Further storage may take place in individual cases if this is required by law or is necessary for the fulfilment of the contract.

4) Book a demo

a) Scope and purpose of data processing

We collect and use our users' personal data only insofar as this is technically necessary to provide the "Book a Demo" function on our Website. This service allows users to schedule appointments directly through our Website using Hubspot, a tool provided by Hubspot, Inc.

When you use the "Book a Demo" function, we collect the following personal data:

  • Name, Surname
  • Email address
  • Selected appointment time
  • Company Name
  • Any additional information you provide in the scheduling form (e.g. phone number)

We process the aforementioned data for the following purposes:

  • Scheduling and managing demo appointments
  • Communicating with users regarding their appointments
  • Providing users with reminders and follow-ups related to their scheduled demo

b) Legal basis

Art. 6 para. 1 lit. b GDPR serves as the legal basis. The processing of the aforementioned data is necessary for the performance of pre-contractual measures that are taken at the user's request, specifically to facilitate the scheduling of demo appointments and to communicate effectively with users.

c) Storage period and data erasure

As soon as the aforementioned data is no longer required to manage and follow up on demo appointments, it is deleted. The data is typically retained until the appointment has taken place and any necessary follow-up actions are completed. Further storage will take place in individual cases if this is required by law.

d) Third Parties

For the "Book a Demo" function, we use the external service provider Hubspot, Inc. Your personal data will be passed on to Hubspot in order to provide the scheduling services. Hubspot’s servers are based in the United States, therefore it is possible that the personal data collected is transferred to the United States. Hubspot is certified according to the EU-U.S. Privacy Framework, which is why such transfers are based on the legal basis according to Article 45 GDPR. For more information, please refer to Hubspot’s Privacy Policy (https://legal.hubspot.com/privacy-policy) or ask us about the DPA that has been concluded.

§5 Cookies

a) Scope and purpose of data processing

We use cookies on our website.

Cookies are small text files that are stored on your computer when you visit our website and enable your browser to be reassigned. Cookies store information such as your language settings, the duration of your visit to our website or the entries you make there.

There are different types of cookies. Session cookies are temporary cookies that are stored in the user's Internet browser until the browser window is closed and the session cookies are deleted. Permanent or persistent cookies are used for repeated visits and are stored in the user's browser for a predefined period of time. First-party cookies are set by the website that the user visits. Only this website is authorised to read information from the cookies. Third-party cookies are set by organisations that do not operate the website that the user is visiting.

A distinction can also be made between technically necessary, functional and advertising cookies. The former are necessary to ensure basic website functions (such as saving the language setting). Functional cookies collect information about the user's behaviour and whether they receive any error messages. Advertising cookies, on the other hand, are used to offer the user customised advertising.

b) Legal basis

Due to the purposes of use described, the legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f GDPR, as we have an interest in the user-friendly presentation of our website. If you have given us your consent to the use of functional and advertising cookies on the basis of a notice ("cookie banner") provided by us on the website, the legality of the use is also governed by Art. 6 para. 1 sentence 1 lit. a GDPR.

c) Storage period and data erasure

As soon as the data transmitted to us via the cookies is no longer required to fulfil the purposes described above, this information is deleted. Further storage will take place in individual cases if this is required by law.

d) Configuration of the browser settings

Most browsers are set to accept cookies by default. However, you can configure your browser so that it only accepts certain cookies or no cookies at all. However, we would like to point out that you may no longer be able to use all the functions of our website if cookies are deactivated by your browser settings on our website. You can also use your browser settings to delete cookies already stored in your browser or to display the storage period. It is also possible to set your browser to notify you before cookies are stored. As the various browsers may differ in their respective functions, we ask you to use the respective help menu of your browser for the configuration options.

e) Cookiebot

For managing user consent regarding cookies, we use Cookiebot provided by Usercentrics A/S. Your personal data will be processed by Cookiebot in order to provide this service. Cookiebot’s servers are based in the European Union, ensuring that your data is processed within the EU. For more information, please refer to Cookiebot’s Privacy Policy (https://www.cookiebot.com/en/privacy-policy/) or ask us about the DPA that has been concluded.

f) Cookies (For further information refer to the Cookie-Policy)

Necessary 

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

Name: __cf_bm
Provider: Hubspot
Purpose: This cookie is used to distinguish between humans and bots. This is beneficial for the website in order to make valid reports on the use of the website.
Expiration: 1 Day
Type: HTTP-Cookie

Name: _cfuvid
Provider: Hubspot
Purpose: This cookie is part of Cloudflare services - including load balancing, delivering website content, and providing a DNS connection for website operators.
Expiration: Session
Type: HTTP-Cookie

Name: 1.gif
Provider: Cookiebot
Purpose: It is used to count the number of sessions on the website, which is necessary for optimizing the delivery of CMP products.
Expiration: Session
Type: Pixel-Tracker

Name: 6422a6ee8328ee2cab8edbde#pages
Provider: cdn.jsdelivr.net
Purpose: Pending
Expiration: Persistent
Type: IndexedDB

Name: CookieConsent
Provider: Cookiebot
Purpose: Stores the user's consent status for cookies on the current domain.
Expiration: 1 Year
Type: HTTP-Cookie

Name: JSESSIONID
Provider: New Relic
Purpose: Maintains the user's states across all page requests.
Expiration: Session
Type: HTTP-Cookie

Name: li_gc
Provider: LinkedIn
Purpose: Stores the user's consent status for cookies on the current domain.
Expiration: 180 Days
Type: HTTP-Cookie

Name: test_cookie
Provider: Google
Purpose: Used to check if the user's browser supports cookies.
Expiration: 1 Day
Type: HTTP-Cookie

Preference

Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region you are in.

Name: lidc
Provider: LinkedIn
Purpose: Registers which server cluster is serving the visitor. This is used in connection with load balancing to optimize the user experience.
Expiration: 1 Day
Type: HTTP-Cookie

Statistics

Statistic cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously.

Name: _ga
Provider: Google
Purpose: Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
Expiration: 2 Years
Type: HTTP-Cookie

Name: _ga_#
Provider: Google
Purpose: Collects data on how often a user has visited a website, as well as data for the first and last visit. Used by Google Analytics.
Expiration: 2 Years
Type: HTTP-Cookie

Name: _hjSession_#
Provider: Hotjar
Purpose: Collects statistics on the user's visits to the website, such as the number of visits, average time spent on the website, and which pages were read.
Expiration: 1 Day
Type: HTTP-Cookie

Name: _hjSessionUser_#
Provider: Hotjar
Purpose: Collects statistics on the user's visits to the website, such as the number of visits, average time spent on the website, and which pages have been read.
Expiration: 1 Year
Type: HTTP-Cookie

Name: _hjTLDTest
Provider: Hotjar
Purpose: Registers statistical data on visitors' behavior on the website. Used by the website operator for internal analytics.
Expiration: Session
Type: HTTP-Cookie

Name: hjActiveViewportIds
Provider: Hotjar
Purpose: This cookie contains an ID string about the current session. It does not include personal information about the subpages the visitor accesses—this information is used to optimize the visitor's user experience.
Expiration: Persistent
Type: HTML Local Storage

Name: hjViewportId
Provider: Hotjar
Purpose: Stores the user's screen size to adjust the size of the images on the website.
Expiration: Session
Type: HTML Local Storage

Marketing

Marketing cookies are used to follow visitors on websites. The intention is to show ads that are relevant and engaging to the individual user and therefore more valuable to publishers and third party advertisers.

Name: __hmpl
Provider: Hubspot
Purpose: Collects information about user preferences and/or interactions with web campaign content - This information is used on the CRM campaign platform employed by website owners to promote events or products.
Expiration: Session
Type: HTML Local Storage

Name: __ptq.gif
Provider: Hubspot
Purpose: Sends data to the marketing platform Hubspot about the visitor's device and behavior. Tracks the visitor across devices and marketing channels.
Expiration: Session
Type: Pixel-Tracker

Name: _gcl_au
Provider: Google
Purpose: Used by Google AdSense to experiment with advertising effectiveness on websites that use their services.
Expiration: 3 Months
Type: HTTP-Cookie

Name: _li_id, _li_ses
Provider: leadinfo.com
Purpose: Leadinfo sets two so-called cookies that only YOUR COMPANY NAME uses to gain insights into behavior on the website. These cookies are not shared with any third parties under any circumstances.
Expiration: 2 Years
Type: HTTP-Cookie

Name: bcookie
Provider: LinkedIn
Purpose: Used by the social networking service LinkedIn for tracking the use of embedded services.
Expiration: 1 Year
Type: HTTP-Cookie

Name: IDE
Provider: Google
Purpose: Pending
Expiration: 400 Days
Type: HTTP-Cookie

Name: pagead/1p-user-list/#
Provider: Google
Purpose: Used to track whether the visitor has shown interest in specific products or events across multiple websites and how the visitor navigates between the websites - This is used to measure advertising efforts and facilitates the payment of referral fees between websites.
Expiration: Session
Type: Pixel-Tracker

Name: pagead/landing
Provider: Google
Purpose: Collects data on visitor behavior across multiple websites to present more relevant advertising - This also allows the website to limit the number of times the same advertisement is shown.
Expiration: Session
Type: Pixel-Tracker

§6 Application form

a) Type and scope of data processing

On our website, we offer you the opportunity to apply for vacancies using an application form. If you contact us via this form (or per E-Mail), the following personal data will be processed:

  • Name, Surname
  • Reasons for the application
  • E-mail address
  • LinkedIn
  • Living place
  • CV
  • Certificates
  • Cover Letter

This data is processed by us for the purpose of enabling us to process your application properly.

b) Legal basis

The data processing described above for the purpose of processing applications is carried out in accordance with Art. 6 para. 1 lit. b GDPR in conjunction with § 26 (1) 1 BDSG on the basis of contract initiation.

c) Storage duration

If the application leads to an employment relationship, the processed data will be stored until the end of the employment relationship. If no employment relationship is entered into, we will store your data for 6 months on the basis of the General Equal Treatment Act and then delete it.

d) Third Parties

For the "Job application" function, we use the external service providers Notion and Typeform. Notion is used to display open positions and Typeform is used to collect application data.

Notion: Your personal data may be transferred to Notion Labs, Inc., which is based in the United States. Notion is certified according to the EU-U.S. Privacy Framework, which ensures an adequate level of data protection. For more information, please refer to Notion’s Privacy Policy (Privacy Policy) or ask us about the DPA that has been concluded.

Typeform: Your personal data may be transferred to Typeform S.L., which is based in Spain. Typeform complies with the GDPR requirements. For more information, please refer to Typeform’s Privacy Policy (Privacy Policy) or ask us about the DPA that has been concluded.

e) Talent pool

If we do not make you a job offer, it may be possible to include you in our applicant pool. If you are accepted, all documents and information from your application will be transferred to the applicant pool so that we can contact you in the event of suitable vacancies. Inclusion in the applicant pool takes place exclusively on the basis of your express consent (Art. 6 para. 1 lit. a GDPR). The provision of consent is voluntary and is not related to the current application process. The data subject may revoke his/her consent at any time. In this case, the data will be irrevocably deleted from the applicant pool, unless there are legal reasons for retention.

§7 Analytics & Session recording

We use tracking and analysis tools to ensure the continuous optimisation and needs-based design of our website. With the help of tracking measures, we are also able to statistically record the use of our website by visitors and to further develop our online offering for you with the help of the knowledge gained. Based on these interests, the use of the tracking and analysis tools described below is justified in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. If you have given us your consent to the use of cookies on the basis of a notice ("cookie banner") provided by us on the website, the legality of the use is also based on Art. 6 para. 1 sentence 1 lit. a GDPR. The following description of the tracking and analysis tools also shows the respective processing purposes and the processed data.

a) Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site.

The information generated by these cookies, for example about the time, place and frequency of your use of this website, is usually transferred to a Google server in the USA and stored there. When using Google Analytics, it cannot be ruled out that the cookies set by Google Analytics may also collect other personal data in addition to the IP address. Please note that Google may transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.

Google will use the information generated by cookies on behalf of the operator of this website to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. According to Google, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

You can generally prevent the storage of cookies by selecting the appropriate settings in your browser software. However, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

b) Hotjar

For session recording on our Website, we use Hotjar, a service provided by Hotjar Ltd. The purpose of using Hotjar is to analyze user behavior on our Website and to understand user interactions through heatmaps and session recordings. This helps us to improve the user experience and optimize our Website's performance.

Heatmapping services show the areas of a page where users most frequently move the mouse or click. This reveals areas of interest. These services make it possible to monitor and analyze web traffic and keep track of user behavior. Some of these services may record sessions and make them available for later visual playback.

When you use our Website, the following personal data may be collected and processed by Hotjar:

  • Usage data
  • Tracker data
  • Various types of data as specified in Hotjar's privacy policy

For the analytics and session recording, we use Hotjar Ltd. Your personal data will be passed on to Hotjar in order to provide these services. Hotjar's servers are based in Malta, ensuring that your data is processed within the European Union. For more information, please refer to Hotjar’s Privacy Policy (https://www.hotjar.com/legal/policies/privacy) or ask us about the DPA that has been concluded.

c) Google Tag Manager

For tag management on our Website, we use Google Tag Manager, a service provided by Google Ireland Limited. The purpose of using Google Tag Manager is to manage the tags or scripts needed on our Website in a centralized manner, which helps us to efficiently control and optimize our Website's performance.

Tag management services help the provider to manage the tags or scripts needed on this Website in a centralized manner. This leads to the user’s data flowing through these services and potentially being stored.

When you use our Website, the following personal data may be collected and processed by Google Tag Manager:

  • Tracker data

For the tag management, we use Google Ireland Limited. Your personal data will be passed on to Google in order to provide these services. Google's servers are based in Ireland, ensuring that your data is processed within the European Union. For more information, please refer to Google’s Privacy Policy (https://policies.google.com/privacy) or ask us about the DPA that has been concluded.

§8 E-Mail Newsletter for similar products to existing customers

We would like to inform you that we use direct marketing via email to promote similar products to our existing customers. This marketing activity is conducted based on the legal foundation provided by Section 7 (3) of the German Unfair Competition Act (UWG).

Under this provision, we are permitted to send you email marketing information about our products and services that are similar to those you have previously purchased from us. This ensures that you receive relevant and useful information tailored to your interests and needs.

You have the right to object to this use of your email address at any time. If you do not wish to receive such marketing communications, please let us know by using the opt-out option included in each marketing email or by contacting us directly.

§9 Remarketing and Behavioral Targeting

a) Scope and purpose of data processing

With this type of service, this Website and its partners can analyze how this Website was used during previous user sessions to target, optimize, and serve advertising. This activity is facilitated by tracking usage data and using trackers that collect information, which is then transferred to partners managing the remarketing and behavioral targeting activities.

Some services offer a remarketing option based on email address lists. Typically, services of this kind offer the possibility to opt out of such tracking. In addition to any opt-out feature provided by the services listed below, users can learn more about how to generally opt-out of interest-based advertising in the section "How to opt-out of interest-based advertising" in this document.

b) Legal basis

Art. 6 para. 1 lit. f GDPR serves as the legal basis. The processing of the aforementioned data is necessary for the purposes of our legitimate interests in analyzing user behavior and providing targeted advertising to enhance user experience and engagement.

c) Storage period and data erasure

The collected data will be stored as long as necessary to fulfill the purposes outlined above and will be deleted when no longer needed. Users can opt-out of such tracking by using the opt-out features provided by the services listed below or by adjusting their browser settings.

d) Third Parties

LinkedIn Website Retargeting (LinkedIn Corporation)

LinkedIn Website Retargeting is a remarketing and behavioral targeting service provided by LinkedIn Corporation that connects the activity occurring on this Website with the LinkedIn advertising network.

  • Processed personal data: Usage data; Tracker.
  • Processing location: United States – Privacy Policy – Opt Out.

Google Ads Remarketing (Google Ireland Limited)

Google Ads Remarketing is a remarketing and behavioral targeting service provided by Google Ireland Limited that connects the activity on this Website with the Google Ads advertising network and the DoubleClick cookie. To learn more about Google's data usage, please refer to Google's partner policy. Users can opt out of Google's use of trackers by visiting Google's ad settings.

  • Processed personal data: Usage data; Tracker.
  • Processing location: Ireland – Privacy Policy

§10 Management of user databases

We use the lead generation service of Leadinfo B.V., Rotterdam, Netherlands. This recognizes visits from companies to our website based on IP addresses and shows us publicly available information, such as company names or addresses. In addition, Leadinfo sets two first-party cookies to evaluate user behavior on our website and processes domains from form entries (e.g. “leadinfo.com”) in order to correlate IP addresses with companies and improve the services. 

Further information can be found at www.leadinfo.com. 

On this page: www.leadinfo.com/en/opt-out you have an opt-out option. If you opt out, your data will no longer be collected by Leadinfo.

§11 Plugins

a) Scope and purpose of data processing

Our presence on social networks and platforms serves to improve active communication with our customers and interested parties. Therefore, a social plugin of the social network "LinkedIn" (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) is integrated on our Website. Based on the data transmitted to the respective service via the social plugin, the service may be able to assign you to your account with it.

The social plugin is integrated in such a way that no data is transferred directly to LinkedIn. Data is only transferred when you click on the button. By doing so, you leave our Website and establish a direct connection between your browser and the Facebook servers. Information on the data that is subsequently collected by LinkedIn can be found here:

https://de.linkedin.com/legal/privacy-policy

b) Legal basis

The legal basis for this processing of your personal data is your consent (by clicking on the button) according to Art. 6 para. 1 lit. a GDPR.

§12 Recipients of personal data

Within our company, only those persons have access to your personal data who need it for the purposes stated in each case. Your personal data will only be passed on to external recipients if we are legally authorized to do so or if we have your consent. Below you will find an overview of the relevant recipients:

  • Processors: Group companies or external service providers, for example in the areas of technical infrastructure and processing, maintenance and payment processing, which are carefully selected and checked. The processors may only use the data in accordance with our instructions.
  • Public authorities: Authorities and state institutions, such as tax authorities, public prosecutors or courts, to which we (have to) transfer personal data, e.g. to fulfil legal obligations or to protect legitimate interests

§13 International data transfer

We process your data mainly within the European Union (EU) and the European Economic Area (EEA). However, some of our service providers may be based outside the EEA in so-called "third countries". The General Data Protection Regulation places high demands on the transfer of personal data to third countries. All our data recipients must fulfil these requirements. Before we transfer your data to a service provider in a third country, each service provider is first checked for its level of data protection. A service provider is only selected if it can demonstrate an adequate level of data protection outside the EEA. Regardless of whether our service providers are based within the EEA or in third countries, each service provider must conclude an order processing agreement with us. Service providers outside the EEA must fulfil additional requirements. In accordance with Art. 44 ff. GDPR, personal data may be transferred to service providers who fulfil at least one of the following requirements:

  • The European Commission has decided that the third country guarantees an adequate level of protection (e.g. Israel and Canada).
  • Standard contractual clauses have been included in our contract with the data recipient (including any additional measures if necessary).
  • Further appropriate safeguards pursuant to Art. 46 GDPR are provided (e.g. Binding Corporate Rules).
  • In special exceptional cases in accordance with Art. 49 GDPR.

§14 Data security and security measures

We undertake to treat your personal data confidentially. In order to prevent manipulation, loss or misuse of your data stored by us, we take extensive technical and organizational security precautions, which are regularly reviewed and adapted to technological progress.

However, we would like to point out that due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures may not be observed by other persons or institutions outside our area of responsibility. In particular, unencrypted data - e.g. when sent by e-mail - may be read by third parties. We have no technical influence on this. It is your responsibility as a user to protect the data you provide against misuse by means of encryption or in any other way.

§15 Storage of the data

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

§16 Data subject rights

You have the following legal rights vis-à-vis us with regard to your personal data:

Right of access

You have the right to request confirmation as to whether we are processing personal data concerning you. If this is the case, you have the right to information about this personal data and to further information, e.g. the processing purposes, the recipients and the planned duration of storage or the criteria for determining the duration.

Right to rectification

You have the right to request the rectification of inaccurate data without undue delay. Taking into account the purposes of the processing, you have the right to request the completion of incomplete data.

Right to erasure ("right to be forgotten")

You have the right to erasure if the processing is not necessary. This is the case, for example, if your data is no longer required for the original purposes, if you have revoked your declaration of consent under data protection law or if the data has been processed unlawfully.

Right to restriction of processing

You have the right to restrict processing, e.g. if you believe that the personal data is incorrect.

Right to data portability

You have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format.

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of certain personal data concerning you. In the case of direct advertising, you as the data subject have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

Right to withdraw your consent under data protection law

You can revoke your consent to the processing of your personal data at any time with effect for the future. However, this does not affect the legality of the processing carried out up to the point of revocation.

Without prejudice to these rights, you have the right to lodge a complaint with a supervisory authority at any time if you believe that the processing of your personal data violates data protection regulations.