
Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
As of: May 31, 2023
Table of contents:
Preamble
Person responsible
Overview of processing
Relevant legal bases
Security measures
Transmission of personal data
Deletion of data
Business services
Providers and services used in the course of business activities
Payment methods
Contact and inquiry management
Application process
Newsletters and electronic notifications
Advertising communication via email, post, fax or telephone
Web analysis, monitoring and optimization
Customer reviews and rating processes
Plugins and embedded functions and content
Changes and updates to the privacy policy
Responsible:
VELLAP Diagnostics GmbH
Industriestraße 8
99427 Weimar
Email address: info@vellap.de
Overview of processing:
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of data processed:
Inventory data.
Payment details.
Location data.
Contact details.
Content data.
Contract data.
Usage data.
Meta, communication and procedural data.
Applicant data.
Categories of data subjects:
Customers.
Employees.
Interested parties.
Communication partners.
Users.
Applicants.
Members.
Business and contractual partners.
Purposes of processing:
Provision of contractual services and customer service.
Contact requests and communication.
Security measures.
Direct marketing.
Reach measurement.
Tracking.
Office and organizational procedures.
Conversion measurement.
Managing and responding to inquiries.
Application process.
Feedback.
Marketing.
Profiles with user-related information.
Provision of our online offering and user-friendliness.
Relevant legal bases:
Below you will find an overview of the GDPR legal bases on which we process personal data. Please note that in addition to the GDPR regulations, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.
Consent (Article 6 (1) (a) GDPR) - The data subject has given his or her consent to the processing of personal data concerning him or her for a specific purpose or several specific purposes.
Contractual performance and pre-contractual inquiries (Article 6 (1) (b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject.
Legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary to fulfill a legal obligation to which the controller is subject.
Legitimate interests (Article 6 (1) (f) GDPR) - Processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail.
Application procedure as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR) - If, as part of the application procedure, special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g. health data, such as severe disability status or ethnic origin) are requested from applicants so that the controller or the data subject can exercise the rights arising from employment law and social security and social protection law and fulfil his or her obligations in this regard, their processing takes place in accordance with Art. 9 (2) (b) GDPR, in the case of the protection of vital interests of the applicants or other persons in accordance with Art. 9 (2) (c) GDPR or for the purposes of preventive healthcare or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Art. 9 (2) (h) GDPR. In the case of a communication of special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 (2) (a) GDPR.
In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG). The BDSG contains, in particular, special provisions on the right to information, the right to erasure, the right of objection, the processing of special categories of personal data, processing for other purposes, and transmission and automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (Section 26 BDSG), particularly with regard to the establishment, implementation, or termination of employment relationships and the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.
Security measures:
In accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access to, input, and transfer of the data, safeguarding its availability, and its segregation. Furthermore, we have established procedures that ensure the exercise of data subjects' rights, the deletion of data, and responses to threats to the data. We also take the protection of personal data into account from the development and selection of hardware, software, and processes onward, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.
Transfer of personal data:
As part of our processing of personal data, it may happen that the data is transmitted to or disclosed to other bodies, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfer within the organization: We may transfer personal data to other departments within our organization or grant them access to this data. If this transfer is for administrative purposes, it is based on our legitimate business and operational interests, or it takes place if it is necessary to fulfill our contractual obligations, if the data subject has given their consent, or if it is permitted by law.
Deletion of data:
The data we process will be deleted in accordance with legal requirements as soon as the consent to processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or it is no longer required for that purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.
Our privacy policy may also contain further information on the storage and deletion of data, which applies primarily to the respective processing operations.
Business services:
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the framework of contractual and comparable legal relationships as well as related measures and within the framework of communication with the contractual partners (or pre-contractually), e.g. to answer inquiries.
We process this data to fulfill our contractual obligations. This includes, in particular, the obligation to provide the agreed services, any update obligations, and remedy in the event of warranty and other service disruptions. Furthermore, we process the data to protect our rights and for the purposes of the administrative tasks associated with these obligations, as well as company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and efficient business management and in security measures to protect our contractual partners and our business operations from misuse and the endangerment of their data, secrets, information, and rights (e.g., the involvement of telecommunications, transport, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the framework of applicable law, we only pass on contractual partners' data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed of other forms of processing, e.g., for marketing purposes, within the framework of this privacy policy.
We will inform our contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by special marking (e.g. colors) or symbols (e.g. asterisks or similar), or in person.
We delete the data after statutory warranty and similar obligations have expired, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal archiving reasons. The statutory retention period is ten years for documents relevant to tax law as well as for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions necessary to understand these documents and other organizational documents and accounting documents, and six years for received commercial and business letters and reproductions of sent commercial and business letters. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, opening balance sheet, annual financial statements or management report was prepared, the commercial or business letter was received or sent, or the accounting document was created, furthermore the recording was made or the other documents were created.
To the extent that we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply to the relationship between users and the providers.
Types of data processed: Inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, telephone numbers); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).
Data subjects: customers; interested parties; business and contractual partners.
Purposes of processing: Provision of contractual services and customer service; security measures; contact requests and communication; office and organizational procedures; administration and response to inquiries; conversion measurement (measurement of the effectiveness of marketing measures); profiles with user-related information (creation of user profiles).
Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Legal obligation (Art. 6 (1) (c) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).
Further information on processing procedures, methods and services:
Customer account: Customers can create an account within our online offering (e.g., customer or user account, "customer account" for short). If registration of a customer account is required, customers will be informed of this, as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During registration, as well as subsequent logins and use of the customer account, we store the customer's IP addresses along with the access times in order to verify registration and prevent any misuse of the customer account. If the customer account is terminated, the customer account data will be deleted after the termination date, unless it is retained for purposes other than providing the customer account or must be retained for legal reasons (e.g., internal storage of customer data, order processes, or invoices). It is the customer's responsibility to secure their data upon termination of the customer account; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
Economic analyses and market research: For business reasons and in order to identify market trends and the wishes of contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc., whereby the group of data subjects may include contractual partners, interested parties, customers, visitors, and users of our online offering. The analyses are carried out for the purpose of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). Where available, we may consider the profiles of registered users, including their information, e.g., on services used. The analyses are for our use only and are not disclosed externally, unless they are anonymous analyses with summarized, i.e., anonymized values. Furthermore, we respect the privacy of users and process the data for analysis purposes pseudonymously wherever possible and, where feasible, anonymously (e.g., as summarized data); legal basis: legitimate interests (Art. 6 (1) (f) GDPR).
Shop and e-commerce: We process our customers' data to enable them to select, purchase, or order the selected products, goods, and related services, as well as to pay for and deliver them or execute them. If necessary to execute an order, we use service providers, in particular postal, forwarding, and shipping companies, to carry out the delivery or execution for our customers. We use the services of banks and payment service providers to process payment transactions. The required information is marked as such within the order or similar purchase process and includes the information needed for delivery, provision, and billing, as well as contact information for any follow-up questions. Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
Providers and services used in the course of business activities:
As part of our business activities, we use additional services, platforms, interfaces, or plug-ins from third-party providers (hereinafter "Services") in compliance with legal requirements. Their use is based on our interest in the proper, lawful, and economical management of our business operations and our internal organization.
Types of data processed: Inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); contract data (e.g. subject of the contract, term, customer category).
Data subjects: customers; interested parties; users (e.g. website visitors, users of online services); business and contractual partners; members; employees (e.g. employees, applicants, former employees).
Purposes of processing: provision of contractual services and customer service; office and organizational procedures.
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
Further information on processing procedures, methods and services:
WaWi program DEVIDIA
DATEV: Software for accounting, communication with tax advisors and authorities, and document storage; Service provider: DATEV eG, Paumgartnerstr. 6-14, 90429 Nuremberg, Germany; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.datev.de/web/de/mydatev/online-anwendungen/; Privacy policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/; Data processing agreement: Provided by the service provider.
Lexware: Software for invoicing, accounting, banking, and tax filing with receipt storage; Service provider: Haufe Service Center GmbH, Munzinger Straße 9, 79111 Freiburg, Germany; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.lexoffice.de/datenschutz/; Privacy policy: https://datenschutz.lexware.de/.
Payment method:
Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer the data subjects efficient and secure payment options and, in addition to banks and credit institutions, we use other service providers for this purpose (collectively "payment service providers").
The data processed by the payment service providers includes inventory data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, amount and recipient-related information. This information is required to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account- or credit card-related information, but only information confirming or rejecting the payment. Under certain circumstances, the payment service providers will transmit the data to credit agencies. This transmission is for the purpose of identity and credit checks. For more information, please refer to the terms and conditions and the privacy policy of the payment service providers.
Payment transactions are subject to the terms and conditions and privacy policies of the respective payment service providers, which are available on the respective websites or transaction applications. We also refer to these for further information and for asserting your rights of withdrawal and information and other data subject rights.
Types of data processed: Inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter of the contract, term, customer category); usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).
Data subjects: customers; interested parties.
Purposes of processing: provision of contractual services and customer service.
Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
Further information on processing procedures, methods and services:
Check, add credit card if necessary
PayPal: Payment services (technical connection of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Contact and inquiry management:
When you contact us (e.g. by post, contact form, email, telephone or via social media) as well as within the framework of existing user and business relationships, the information provided by the person making the inquiry will be processed to the extent necessary to answer the contact inquiries and any requested measures.
Types of data processed: Contact data (e.g., email, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status).
Data subjects: communication partners.
Purposes of processing: Contact requests and communication; administration and response to requests; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness.
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR).
Further information on processing procedures, methods and services:
Contact form: If users contact us via our contact form, email, or other communication channels, we process the data communicated to us in this context to process the communicated request; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (f) GDPR).
Application process:
The application process requires applicants to provide us with the information necessary for their assessment and selection. The information required is stated in the job description or, in the case of online forms, in the information provided there.
Generally, the required information includes personal details such as name, address, contact information, and proof of the qualifications required for the position. Upon request, we will be happy to provide additional information.
If available, applicants can submit their applications using an online form. The data will be transmitted to us using state-of-the-art encryption. Applicants can also submit their applications via email. However, please note that emails sent over the internet are, as a matter of principle, not encrypted. Although emails are usually encrypted in transit, they are not encrypted on the servers from which they are sent and on which they are received. We therefore cannot accept any responsibility for the transmission path of the application between the sender and its receipt on our server.
For the purposes of searching for applicants, submitting applications and selecting applicants, we may, in compliance with legal requirements, use applicant management or recruitment software and platforms and services from third parties.
Applicants are welcome to contact us regarding the method of submitting their application or to send us their application by post.
Processing of special categories of data: If, as part of the application process, special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g. health data, such as severe disability or ethnic origin) are requested from applicants so that the controller or the data subject can exercise the rights arising from employment law and social security and social protection law and fulfil his or her obligations in this regard, their processing takes place in accordance with Art. 9 (2) lit. b GDPR, in the case of the protection of vital interests of the applicants or other persons in accordance with Art. 9 (2) lit. c GDPR or for the purposes of preventive healthcare or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, for care or treatment in the health or social sector or for the administration of systems and services in the health or social sector in accordance with Art. 9 (2) lit. h GDPR. In the case of a notification of special categories of data based on voluntary consent, their processing is based on Art. 9 (2) (a) GDPR.
Deletion of data: In the event of a successful application, the data provided by applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is unsuccessful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified revocation by the applicant, deletion will occur no later than after a period of six months so that we can answer any follow-up questions about the application and fulfill our obligations to provide evidence under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law requirements.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to inclusion in the applicant pool is voluntary, has no impact on the ongoing application process, and that they can revoke their consent at any time with effect for the future.
Duration of storage of data in the applicant pool: 6 months
Types of data processed: Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); applicant data (e.g. personal details, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letters, CVs, certificates and other information about the person or qualifications provided with regard to a specific position or voluntarily by applicants).
Data subjects: applicants.
Purposes of processing: Application procedure (establishment and possible subsequent implementation as well as possible subsequent termination of the employment relationship).
Legal basis: Application procedure as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR).
Newsletters and electronic notifications:
We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the recipient's consent or legal permission. If the newsletter's content is specifically described when registering for the newsletter, it is decisive for the user's consent. Furthermore, our newsletters contain information about our services and us.
To subscribe to our newsletter, it is generally sufficient to provide your email address. However, we may ask you to provide a name for the purpose of addressing you personally in the newsletter, or other information if this is necessary for the purposes of the newsletter.
Double opt-in process: Registration for our newsletter is generally carried out using a so-called double opt-in process. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary to ensure that no one can register using someone else's email address. Newsletter registrations are logged to provide evidence of the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Changes to your data stored by the mailing service provider are also logged.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the previous consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address on a block list (so-called "blocklist") for this purpose alone.
The registration process is logged based on our legitimate interests for the purpose of demonstrating its proper execution. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure delivery system.
Contents:
Information about us, our services, promotions and offers.
Types of data processed: Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers); meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, consent status).
Data subjects: communication partners.
Purposes of processing: direct marketing (e.g. by email or post).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Opt-out: You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to unsubscribe at the end of each newsletter, or you can use one of the contact options listed above, preferably email.
Advertising communication via email, post, fax or telephone:
We process personal data for the purposes of advertising communication, which can be carried out via various channels, such as e-mail, telephone, post or fax, in accordance with legal requirements.
Recipients have the right to revoke consent given at any time or to object to advertising communication at any time.
After revocation or objection, we will store the data required to prove previous authorization for contacting or sending for up to three years after the end of the year of revocation or objection based on our legitimate interests. The processing of this data is limited to the purpose of a possible defense against claims. Based on our legitimate interest in permanently respecting the user's revocation or objection, we also store the data required to avoid further contact (e.g., depending on the communication channel, the email address, telephone number, name).
Types of data processed: Inventory data (e.g. names, addresses); contact data (e.g. email, telephone numbers).
Data subjects: communication partners.
Purposes of processing: direct marketing (e.g. by email or post).
Legal basis: Consent (Art. 6 (1) (a) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR).
Web analysis, monitoring and optimization:
Web analytics (also known as "reach measurement") is used to evaluate visitor traffic to our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. Reach analysis allows us to determine, for example, when our online offering or its functions or content are most frequently used or encourage reuse. Likewise, we can understand which areas require optimization.
In addition to web analysis, we can also use testing procedures to, for example, test and optimize different versions of our online offering or its components.
Unless otherwise stated below, profiles, i.e., data summarized for a usage process, may be created for these purposes, and information may be stored in a browser or on a device and read from it. The information collected includes, in particular, websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, location data may also be processed.
Users' IP addresses are also stored. However, we use an IP masking process (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no real user data (such as email addresses or names) is stored for web analysis, A/B testing, and optimization; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective processes.
Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: reach measurement (e.g. access statistics, recognition of recurring visitors); profiles with user-related information (creation of user profiles); tracking (e.g. interest/behavior-related profiling, use of cookies); provision of our online offering and user-friendliness.
Security measures: IP masking (pseudonymization of the IP address).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing procedures, methods and services:
Google Analytics: Web analysis, reach measurement, and measurement of user flows; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 (1) (a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (guaranteeing data protection levels when processing in third countries): https://business.safety.google/adsprocessorterms; Opt-out option: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (Types of processing and data processed).
Customer reviews and rating processes:
We participate in review and rating processes to evaluate, optimize, and promote our services. If users rate us via the participating rating platforms or processes or otherwise provide feedback, the providers' general terms and conditions of use and privacy policies also apply. Typically, the rating also requires registration with the respective providers.
To ensure that the reviewers have actually used our services, we transmit, with the customer's consent, the necessary data regarding the customer and the service used to the respective review platform (including name, email address, and order number or item number). This data is used solely to verify the user's authenticity.
Types of data processed: Contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status).
Data subjects: customers; users (e.g. website visitors, users of online services).
Purposes of processing: Feedback (e.g. collecting feedback via online form); marketing.
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
Further information on processing procedures, methods and services:
Rating widget: We integrate so-called "rating widgets" into our online offering. A widget is a functional and content element integrated into our online offering that displays variable information. It can be displayed, for example, in the form of a seal or similar element, sometimes also called a "badge." While the corresponding content of the widget is displayed within our online offering, it is retrieved at that moment from the servers of the respective widget provider. This is the only way to always display the most current content, especially the most recent rating. For this to happen, a data connection must be established from the website accessed within our online offering to the widget provider's server, and the widget provider receives certain technical data (access data, including the IP address) necessary to deliver the widget content to the user's browser. Furthermore, the widget provider receives information that users have visited our online offering. This information can be stored in a cookie and used by the widget provider to identify which online offerings participating in the rating process have been visited by the user. The information can be stored in a user profile and used for advertising or market research purposes; legal basis: legitimate interests (Art. 6 (1) (f) GDPR).
Google Customer Reviews: Service for collecting and/or presenting customer satisfaction and opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Terms and Conditions: https://support.google.com/merchants/topic/7259129?hl=de&ref_topic=7257954; Privacy Policy: https://policies.google.com/privacy; Further information: When collecting customer reviews, an identification number and the time of the business transaction to be evaluated are processed; for review requests sent directly to customers, the customer's email address and their country of residence, as well as the review details themselves, are processed; Further information on the types of processing and the data processed: https://privacy.google.com/businesses/adsservices; Data processing terms for Google advertising products (data processing terms between controllers and standard contractual clauses for third-country transfers of data): https://business.safety.google/adscontrollerterms.
Plugins and embedded functions and content:
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as "content").
Integration always requires that the third-party providers of this content process the user's IP address, as without the IP address they would not be able to send the content to their browser. The IP address is therefore required to display this content or functions. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, the time of visit and other information about the use of our online offering, as well as be linked to such information from other sources.
Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status); inventory data (e.g., names, addresses); contact data (e.g., email, telephone numbers); content data (e.g., entries in online forms); location data (information on the geographical position of a device or person).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and user-friendliness.
Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).
Further information on processing procedures, methods and services:
Google Fonts (obtained from Google servers): Obtaining fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to timeliness and loading times, their consistent display, and consideration of possible licensing restrictions. The font provider is informed of the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted that is necessary for providing the fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA. When visiting our online offering, users' browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) from Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the user to access the internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of website visitors, and the referring URL (i.e., the web page where the Google font should be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referring URL). Access to this data is restricted and tightly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API requires the user agent to customize the font generated for each browser type.
The user agent is logged primarily for debugging purposes and used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the Google Fonts Analytics page. Finally, the referring URL is logged so that the data can be used for production maintenance and to generate an aggregated report on top integrations based on the number of font requests. According to Google, no information collected by Google Fonts is used to create profiles of end users or to serve targeted ads. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
Google Maps: We integrate maps from the "Google Maps" service provided by Google. The data processed may include, in particular, users' IP addresses and location data. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR). Website: https://mapsplatform.google.com/; Privacy Policy: https://policies.google.com/privacy.
YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Opt-out option: Opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for displaying advertisements: https://adssettings.google.com/authenticated.
Changes and updates to the privacy policy:
We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time; we ask you to check the information before making contact.