Privacy Policy

Preamble

With the following data protection declaration, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Status: October 21, 2024

Responsible person

Caspar Zinn

AIDAR GmbH

Ohmoor 97a

22455 Hamburg, Germany

E-Mail: team@aidar.ai

Imprint: www.aidar.ai/imprint

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the persons affected.

Types of data processed

Inventory data. Payment data. Contact data. Content data. Contract data. Usage data. Meta, communication and process data. Image and/or video recordings. Sound recordings. Log data. Creditworthiness data.

Categories of persons affected

Service recipients and clients. Employees. Interested parties. Communication partners. Users. Business and contractual partners. Persons depicted. Third parties. Customers.

Purposes of processing

Provision of contractual services and fulfillment of contractual obligations. Communication. Security measures. Direct marketing. Range measurement. Office and organizational procedures. Feedback. Marketing. Profiles with user-related information. Provision of our online offering and user-friendliness. Assessment of creditworthiness and credit rating. Information technology infrastructure. Financial and payment management. Public relations. Sales promotion. Business processes and business management procedures.

Relevant legal bases

Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. If more specific legal bases are also relevant in individual cases, we will inform you of these in this declaration.

  • Consent (Art. 6 (1)(a) GDPR) — the data subject has given consent to processing for one or more specific purposes.
  • Performance of a contract (Art. 6 (1)(b) GDPR) — processing necessary for a contract or pre-contractual measures.
  • Legal obligation (Art. 6 (1)(c) GDPR) — processing necessary to comply with a legal obligation.
  • Legitimate interests (Art. 6 (1)(f) GDPR) — processing necessary for our legitimate interests or those of a third party, unless overridden by the data subject’s interests or rights.

In addition to the GDPR, national data protection regulations apply in Germany, in particular the Federal Data Protection Act (BDSG), covering rights to information, deletion, objection, and automated decision-making. State data protection laws may also apply.

This notice also serves to provide information in accordance with the Swiss DSG. For this reason, GDPR terminology is used due to its broader application and comprehensibility; the legal meaning of terms continues to be determined under the Swiss DSG where applicable.

Security measures

We take appropriate technical and organizational measures, taking into account the state of the art, implementation costs, and the nature, scope and purposes of processing, to ensure a level of protection appropriate to the risk. This includes controlling physical and electronic access, securing availability, and separating data, as well as procedures for exercising data subjects’ rights and responding to data threats.

TLS/SSL encryption (HTTPS): we use TLS/SSL encryption to protect data transmitted through our online services. A website secured with HTTPS signals to users that their data is transmitted securely and encrypted.

Transmission of personal data

As part of our processing, personal data may be transmitted to other bodies, companies or persons — for example, service providers commissioned with IT tasks or providers integrated into our website. In such cases we comply with legal requirements and conclude appropriate data processing agreements with recipients of your data.

International data transfers

If we process data in a third country (outside the EU/EEA), this is only done in accordance with legal requirements — based on an EU adequacy decision (Art. 45 GDPR), standard contractual clauses (Art. 46(2)(c) GDPR), express consent, or contractual/legal necessity (Art. 49(1) GDPR).

Under the EU-US Data Privacy Framework (DPF), the EU Commission has recognized an adequate level of data protection for certified US companies. We indicate where a service provider we use is DPF-certified.

More information: EU Commission and dataprivacyframework.gov.

Data storage and deletion

We delete personal data as soon as the underlying consent is revoked or there is no further legal basis for processing — unless legal obligations require longer retention (e.g. for commercial, tax, or legal-defense purposes).

The following general retention periods apply under German law:

  • 10 years — books, records, annual financial statements, accounting documents and invoices (§ 147 AO, § 14b UStG, § 257 HGB).
  • 6 years — other business correspondence and tax-relevant documents (§ 147 AO, § 257 HGB).
  • 3 years — data relevant to potential warranty or compensation claims, per the standard statutory limitation period (§§ 195, 199 BGB).

Rights of the data subjects

As a data subject, you have the following rights under Art. 15–21 GDPR:

  • Right to object — to processing based on Art. 6(1)(e) or (f) GDPR, including profiling, and at any time to processing for direct marketing purposes.
  • Right to withdraw consent — at any time, with effect for the future.
  • Right to information — confirmation of whether your data is processed, and access to it.
  • Right to rectification — completion or correction of inaccurate data.
  • Right to deletion and restriction — erasure or restricted processing of your data.
  • Right to data portability — receipt of your data in a structured, machine-readable format.
  • Right to complain — to a supervisory authority, in particular in your country of residence or workplace.

Business services

We process data from our contractual and business partners (e.g. customers and interested parties) in connection with contractual relationships and related communication, to fulfill our contractual obligations, protect our rights, and for administrative and organizational purposes.

Data is shared with third parties only where necessary for these purposes or to fulfill legal obligations (e.g. with telecommunications, transport, banking, tax, legal, or payment service providers).

Storage and deletion: generally up to four years after statutory warranty periods expire, unless longer retention is legally required (e.g. ten years for tax purposes).

Legal basis: contract performance (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Customer accounts & related procedures

Customers can create an account within our online offering. We save IP addresses and access times during registration and login to prove registration and prevent misuse. Account data is deleted after termination, unless retention is legally required.

Customers can also use a watchlist/wishlist feature; saved items are stored until the account is deleted or the entries are removed.

We additionally use third-party tools for customer relationship management, contact management, payment processing, and accounting — including DATEV (accounting and tax communication) and Stripe (payment processing).

Payment procedures

We offer secure payment options via banks, credit institutions, and payment service providers. Data such as name, address, and banking details is processed and stored solely by the respective payment provider — we do not receive account or card details, only payment confirmation.

Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA. Legal basis: contract performance (Art. 6(1)(b) GDPR). Basis for third-country transfer: Data Privacy Framework. Privacy policy.

Hosting & technical provision

We process your IP address and other technical data to deliver our online services. Access is logged via server log files (address, date, time, data volume, browser, operating system, referrer URL, IP address) for security purposes, such as preventing server overload or DDoS attacks. Log files are stored for a maximum of 30 days unless needed as evidence.

Our hosting also covers sending and receiving emails. Note that emails are generally not end-to-end encrypted across the internet.

Providers used:

  • Microsoft Azure — AI-based language and data-processing services. Microsoft Ireland Operations Limited, Dublin, Ireland.
  • 1&1 IONOS — infrastructure and storage. 1&1 IONOS SE, Montabaur, Germany.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Use of cookies

We use cookies in accordance with legal requirements, obtaining consent in advance where necessary. Without consent, we rely on legitimate interests where storage and reading of information is essential to provide requested content or functions.

Session cookies are deleted once you close your browser or app. Permanent cookies remain stored — typically up to two years unless stated otherwise.

You can revoke consent at any time, including via your browser’s privacy settings or the cookie preference link below.

Update cookie preferences

We use a consent management solution provided by TermsFeed (Reseller: Bright Market dba FastSpring, Santa Barbara, CA, USA) to obtain, log, manage, and revoke cookie consent. Legal basis: consent (Art. 6(1)(a) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).

Applications (apps)

We process app users’ data to provide app functionality, ensure security, and improve the application. Where applicable, we store a universal unique identifier (UUID) generated on install to analyze usage and store settings; it is deleted when you remove the app. Legal basis: contract performance (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).

Registration, login & user account

During registration we collect required information (e.g. username, password, email) to provide your account. We log IP addresses and timestamps of account actions to protect against misuse. Pseudonyms may be used as usernames, and user profiles are not publicly visible. Account data is deleted after termination, subject to legal retention requirements. Legal basis: contract performance (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).

Contact & inquiry management

When you contact us — by post, contact form, email, phone, or social media — we process the information needed to answer your inquiry and any requested follow-up. This data is used solely for the purpose of communication. Legal basis: contract performance (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).

Video conferences & online meetings

We use third-party platforms for video and audio conferences, webinars, and screen sharing. These platforms may process participants’ names, contact details, access data, profile pictures, IP addresses, device information, and the content of communications (chat, audio, video). Recordings, where used, are communicated transparently in advance.

Microsoft Teams — Microsoft Ireland Operations Limited, Dublin, Ireland. Basis for third-country transfer: Data Privacy Framework. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Audio content

We use third-party hosting to offer audio content, including the Spotify music player widget (Spotify AB, Regeringsgatan 19, Stockholm, Sweden). Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Cloud services

We use cloud-based software services for storing and managing content and documents, including Dropbox, Inc., San Francisco, USA. Basis for third-country transfer: Data Privacy Framework. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Newsletter & electronic notifications

We send newsletters only with your consent or another applicable legal basis. Registration typically requires only your email address. We may log opening and click rates via a web beacon to improve content relevance — this measurement is based on consent and can only be stopped by unsubscribing entirely.

You can unsubscribe at any time via the link in any newsletter or by contacting us. Unsubscribed addresses may be retained up to three years on the basis of legitimate interests to demonstrate prior consent.

SendGrid (Twilio Ireland Limited, Dublin, Ireland) — email delivery. Basis for third-country transfer: Data Privacy Framework, Standard Contractual Clauses.

Web analysis, monitoring & optimization

We use web analysis tools to evaluate visitor traffic and usage patterns, and may run A/B tests to optimize our online offering. IP addresses are masked (pseudonymized) before storage. No directly identifying data, such as names or email addresses, is stored as part of this process — only pseudonymous profiles.

Google Analytics — Google Ireland Limited, Dublin, Ireland. Cookies and pseudonymous identifiers may be stored for up to two years. Legal basis: consent (Art. 6(1)(a) GDPR). Basis for third-country transfer: Data Privacy Framework. Opt-out.

Presences in social networks

We maintain profiles on social networks to communicate with users and share information about us. Note that user data may be processed outside the EU, and that platform operators typically also process data for their own market research and advertising purposes. We recommend reviewing each platform’s own privacy policy.

  • Instagram — Meta Platforms Ireland Limited, Dublin, Ireland. Privacy policy. Basis for third-country transfer: Data Privacy Framework.
  • LinkedIn — LinkedIn Ireland Unlimited Company, Dublin, Ireland. We are jointly responsible with LinkedIn for the collection of visitor statistics (“Page Insights”) under a joint controller addendum. Privacy policy · Opt-out. Basis for third-country transfer: Data Privacy Framework.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Plug-ins, fonts & embedded content

We embed functional and content elements (e.g. fonts, widgets) retrieved from third-party servers, which requires sharing your IP address with the provider so the content can be delivered to your browser.

  • Google Fonts — Google Ireland Limited, Dublin, Ireland. IP addresses are not logged or stored on Google’s servers. Basis for third-country transfer: Data Privacy Framework.
  • Font Awesome — Fonticons, Inc., Cambridge, MA, USA.
  • Spotify player widget — Spotify AB, Stockholm, Sweden. Processed on the basis of your consent (Art. 6(1)(a) GDPR), including transfer to servers in the USA.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR), or consent where stated.

Management, organization & auxiliary tools

We use third-party services for organizing, managing, and planning our work. This may involve processing master data, contact details, and transaction data.

  • Calendly — Calendly LLC, Atlanta, GA, USA. Basis for third-country transfer: Standard Contractual Clauses.
  • GitHub — GitHub B.V., Netherlands.
  • Notion — Notion Labs, Inc., San Francisco, CA, USA. Basis for third-country transfer: Standard Contractual Clauses.

Legal basis: legitimate interests (Art. 6(1)(f) GDPR).

Changes and updates

We ask you to regularly review the content of this data protection declaration. We will adapt it as soon as changes to our data processing make this necessary, and will notify you where changes require your cooperation (e.g. consent) or other individual notice.

Definitions

Personal data — any information relating to an identified or identifiable natural person, such as a name, identification number, location data, or online identifier.

Processing — any operation performed on personal data, including collection, storage, transmission, or deletion.

Responsible party (controller) — the entity that, alone or jointly with others, determines the purposes and means of processing personal data.

Profiles with user-related information — automated processing of personal data used to analyze, evaluate, or predict personal aspects such as interests or behavior.

For full definitions of all data categories referenced above, please contact us using the details provided.