Privacy policy
Note: This English version of the Privacy Policy is a translation provided for convenience. The legally binding and authoritative version is the German Privacy Policy. In the event of any discrepancies between the two versions, the German version shall prevail.
Preamble
With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, the purposes for which we process them, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in connection with the provision of our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Offering").
The terms used are gender-neutral.
Last updated: November 2, 2025
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Applicable Legal Bases
- Security Measures
- International Data Transfers
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Business Processes and Procedures
- Use of Online Platforms for Offer and Sales Purposes
- Payment Procedures
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Registration, Login and User Account
- Blogs and Publication Media
- Contact and Inquiry Management
- Artificial Intelligence (AI)
- Cloud Services
- Newsletters and Electronic Notifications
- Web Analytics, Monitoring and Optimization
- Online Marketing
- Customer Reviews and Rating Procedures
- Social Media Presences
- Plugins, Embedded Functions and Content
- Management, Organization and Utility Tools
- Changes and Updates
Controller
Kaffeerösterei Gewinner
Tödistrasse 21
8810 Horgen
Switzerland
Authorized Representative: Joscha Gewinner
Email address: datenschutz@beanwatch.ch
Legal Notice: https://beanwatch.ch/policies/legal-notice
Beanwatch is a trademark of Kaffeerösterei Gewinner.
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and refers to the categories of data subjects concerned.
Types of Data Processed
- Inventory data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Contact information (Facebook).
- Event data (Facebook).
- Log data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Prospective customers.
- Communication partners.
- Users.
- Business and contractual partners.
- Third parties.
- Customers.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Tracking.
- Office and organizational procedures.
- Remarketing.
- Conversion measurement.
- Click tracking.
- Audience building.
- A/B testing.
- Organizational and administrative procedures.
- Feedback.
- Heatmaps.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and commercial procedures.
- Artificial Intelligence (AI).
Applicable Legal Bases
Applicable legal bases under the Swiss Federal Act on Data Protection (FADP): If you are located in Switzerland, we process your data on the basis of the Swiss Federal Act on Data Protection ("Swiss FADP"). Unlike the GDPR, the Swiss FADP generally does not require that a specific legal basis be stated for the processing of personal data. Instead, personal data must be processed lawfully, in good faith, and proportionately (Art. 6 para. 1 and 2 Swiss FADP). Furthermore, personal data is only collected for a specific purpose that is recognizable to the data subject and is processed only in a manner compatible with that purpose (Art. 6 para. 3 Swiss FADP).
Security Measures
In accordance with legal requirements and taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity and availability of data through controls on physical and electronic access to data, as well as access, input, disclosure, availability protection and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data breaches. We also take the protection of personal data into account when developing or selecting hardware, software and procedures, in accordance with the principles of privacy by design and privacy by default.
IP address truncation: Where IP addresses are processed by us or by the service providers and technologies we use, and processing of the full IP address is not required, the IP address is shortened (also referred to as "IP masking"). In this process, the last two digits or the last part of the IP address after a period are removed or replaced with placeholders. The purpose of IP masking is to prevent or significantly hinder the identification of a person based on their IP address.
Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services against unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information exchanged between a website or app and a user's browser (or between two servers), thereby protecting data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.
International Data Transfers
Disclosure of personal data abroad: In accordance with the Swiss FADP, we only disclose personal data abroad if an adequate level of protection for the data subjects is ensured (Art. 16 Swiss FADP). If the Swiss Federal Council has not recognized an adequate level of protection (list available at https://www.bj.admin.ch/en/recognition-by-switzerland-of-states-that-guarantee-an-adequate-level-of-data-protection), we implement alternative safeguards.
For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as an adequate legal framework by Switzerland through an adequacy decision dated June 7, 2024. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers, approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC), which establish contractual obligations to protect your data.
This dual protection mechanism ensures comprehensive protection of your data. The DPF serves as the primary layer of protection, while the Standard Contractual Clauses provide an additional safeguard. Should changes occur regarding the DPF, the SCCs act as a reliable fallback mechanism. This ensures that your data remains adequately protected even in the event of political or legal changes.
For each service provider, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. A list of certified companies and further information about the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (available in English).
For data transfers to other third countries, appropriate safeguards apply, including international agreements, specific guarantees, Standard Contractual Clauses approved by the FDPIC, or binding corporate rules previously recognized by the FDPIC or another competent supervisory authority.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consent is withdrawn or no other legal basis for processing exists. This applies in cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where statutory obligations or legitimate interests require longer retention or archiving of data.
In particular, data that must be retained for commercial or tax law purposes, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information regarding the retention and deletion of data that specifically applies to particular processing activities.
If several retention periods or deletion deadlines apply to a particular item of data, the longest retention period shall always prevail. Data that is no longer required for its original purpose but is retained due to legal requirements or other reasons will only be processed for the reasons justifying its retention.
Retention and deletion of data: The following general retention periods apply under Swiss law:
- 10 years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, accounting records and invoices, as well as all necessary work instructions and organizational documents (Art. 958f Swiss Code of Obligations).
- 10 years: Data required for the consideration of potential claims for damages or similar contractual claims and rights, as well as the processing of related inquiries, based on previous business experience and common industry practices, is stored for the statutory limitation period of ten years, unless a shorter limitation period of five years applies in specific cases (Art. 127, 130 Swiss Code of Obligations). Claims for rent, lease payments, interest, recurring services, delivery of food, catering, innkeeper claims, craftsmanship, retail sales of goods, medical services, professional services of lawyers, legal agents, procurators and notaries, as well as employment relationships, become time-barred after five years (Art. 128 Swiss Code of Obligations).
Commencement of retention periods at year-end: If a period does not expressly begin on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the date on which the termination or other ending of the legal relationship becomes effective.
Rights of Data Subjects
Rights of data subjects under the Swiss FADP:
As a data subject, you have the following rights under the Swiss Federal Act on Data Protection:
- Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and to receive the information necessary to exercise your rights under this Act and to ensure transparent data processing.
- Right to data portability or disclosure: You have the right to request that the personal data you have provided to us be handed over to you in a commonly used electronic format.
- Right to rectification: You have the right to request the correction of inaccurate personal data concerning you.
- Right to object, erase and destroy: You have the right to object to the processing of your data and to request that personal data concerning you be deleted or destroyed.
Business Services
We process the data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as "contractual partners"), within the scope of contractual and comparable legal relationships as well as related measures and with regard to communication with contractual partners (or pre-contractually), for example to respond to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any update obligations, and remedies for warranty claims and other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative tasks associated with these obligations as well as for corporate organization. In addition, we process the data based on our legitimate interests in proper business management and security measures to protect our contractual partners and our business operations against misuse, risks to their data, confidential information and rights (e.g. involving telecommunications providers, transport and auxiliary services, subcontractors, banks, tax advisors, legal advisors, payment service providers or public authorities). Within the scope of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about additional forms of processing, such as marketing activities, within this Privacy Policy.
We inform contractual partners which data is required for the aforementioned purposes before or during data collection, for example in online forms, through special markings (e.g. colors), symbols (e.g. asterisks), or personal communication.
We delete data after the expiration of statutory warranty obligations and comparable obligations, generally after four years, unless the data is stored in a customer account or must be retained for legal archiving purposes (for example, ten years for tax purposes). Data disclosed to us by contractual partners within the scope of an assignment is deleted in accordance with the instructions provided and generally upon completion of the assignment.
- Categories of processed data: Inventory data (e.g. full name, residential address, contact information, customer number); payment data (e.g. bank account details, invoices, payment history); contact data (e.g. postal addresses, email addresses and telephone numbers); contract data (e.g. contract subject matter, term, customer category); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and commercial procedures.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- Online shop, order forms, e-commerce and fulfillment of services: We process customer data in order to enable the selection, purchase and ordering of products, goods and related services, as well as their payment, provision, delivery or execution. Where necessary for the fulfillment of an order, we use service providers, particularly postal, freight and shipping companies, to carry out delivery or execution for our customers. For payment processing, we use the services of banks and payment service providers. Required information is marked accordingly during the ordering or comparable purchasing process and includes information necessary for delivery, provision and invoicing, as well as contact information for any necessary communication; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
-
Event management: We process the data of participants in events, functions and similar activities offered or organized by us (hereinafter collectively referred to as "participants" and "events") in order to enable participation and the use of associated services or activities.
If, within this context, we process health-related data, religious, political or other special categories of personal data, this is done either because such information has been made manifestly public (e.g. at topic-specific events), serves health protection or safety purposes, or is processed with the consent of the data subjects.
Required information is marked accordingly within the order, booking or comparable contractual process and includes information necessary for service provision and invoicing, as well as contact details for communication purposes. Where we receive access to information relating to end customers, employees or other individuals, we process such information in accordance with legal and contractual requirements; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
Business Processes and Procedures
Personal data of service recipients and clients, including customers, clients, and in special cases principals, patients or business partners, as well as other third parties, is processed within the scope of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates commercial activities in areas such as customer management, sales, payment processing, accounting and project management.
The collected data is used to fulfill contractual obligations and efficiently manage business processes. This includes the execution of business transactions, customer relationship management, optimization of sales strategies, and the maintenance of internal accounting and financial processes. In addition, the data supports the protection of the controller's rights and promotes administrative tasks and corporate organization.
Personal data may be disclosed to third parties where necessary for the fulfillment of the aforementioned purposes or to comply with legal obligations. After statutory retention periods expire or when the purpose of processing ceases to apply, the data is deleted. This also includes data that must be retained for longer periods due to tax or statutory documentation requirements.
- Categories of processed data: Inventory data, payment data, contact data, content data, contract data, usage data, meta, communication and procedural data, and log data.
- Data subjects: Service recipients and clients; prospective customers; communication partners; business and contractual partners; customers; third parties; users (e.g. website visitors and users of online services); employees (e.g. staff members, applicants, temporary workers and other personnel).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and commercial procedures; security measures; provision of our online offering and user-friendliness; communication; marketing; sales promotion; public relations; financial and payment management; information technology infrastructure.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).
Further information on processing activities, procedures and services:
- Customer Management and Customer Relationship Management (CRM): Procedures required within the scope of customer management and customer relationship management (CRM), such as customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaint management and customer service while taking data protection into account, data management and analysis to support customer relationships, CRM system administration, secure account management, customer segmentation and audience creation; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Contact Management and Contact Maintenance: Procedures required for organizing, maintaining and safeguarding contact information, such as establishing and maintaining a central contact database, regularly updating contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, conducting backups and restoring contact data, training employees in the effective use of contact management software, and regularly reviewing communication histories and adjusting contact strategies; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Customer Account: Customers may create an account within our online offering (e.g. customer or user account). If registration is required, customers will be informed accordingly and advised of the data required for registration. Customer accounts are not public and cannot be indexed by search engines. As part of the registration process and subsequent logins and use of the customer account, we store customers' IP addresses together with access times in order to verify registration and prevent misuse of customer accounts. If the customer account is terminated, customer account data will be deleted after termination unless retained for purposes other than providing the account functionality or where legal retention obligations apply (e.g. internal storage of customer data, orders or invoices). Customers are responsible for backing up their data before terminating their customer account; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- General Payment Transactions: Procedures required for processing payments, monitoring bank accounts and controlling cash flows, such as preparing and reviewing transfers, processing direct debit transactions, checking account statements, monitoring incoming and outgoing payments, managing returned payments, reconciling accounts and cash management; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Accounting, Accounts Payable and Accounts Receivable: Procedures required for recording, processing and monitoring business transactions in accounts payable and accounts receivable, such as creating and reviewing incoming and outgoing invoices, monitoring and managing outstanding balances, processing payments, debt collection management and account reconciliation; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Financial Accounting and Taxation: Procedures required for recording, managing and monitoring financial transactions as well as calculating, reporting and paying taxes, such as bookkeeping, preparation of quarterly and annual financial statements, payment processing, debt collection management, account reconciliation, tax consulting, preparation and filing of tax returns and tax administration; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Marketing, Advertising and Sales Promotion: Procedures required within the scope of marketing, advertising and sales promotion, such as market analysis and audience identification, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, as well as budget and cost management; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
- Public Relations: Procedures required within the scope of public relations and communications, such as developing and implementing communication strategies, planning and conducting PR campaigns, preparing and distributing press releases, maintaining media contacts, monitoring and analyzing media coverage, organizing press conferences and public events, crisis communications, creating content for social media and corporate websites, and managing corporate branding; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Use of Online Platforms for Offer and Sales Purposes
We offer our services on online platforms operated by third-party providers. In this context, the privacy notices of the respective platform operators apply in addition to our own privacy notices. This applies in particular with regard to payment processing and the procedures used by the platforms for audience measurement and interest-based marketing.
- Categories of processed data: Inventory data, payment data, contact data, contract data, usage data, and meta, communication and procedural data.
- Data subjects: Service recipients and clients; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; marketing; business processes and commercial procedures.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- Shopify: Platform through which e-commerce services are offered and provided. Services and related processes include online stores, websites, content and offerings, community features, purchasing and payment transactions, customer communication, analytics and marketing; Service provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.shopify.com/; Privacy Policy: https://www.shopify.com/legal/privacy.
Payment Procedures
Within the framework of contractual and other legal relationships, due to legal obligations or based on our legitimate interests, we offer data subjects efficient and secure payment options and use banks, financial institutions and other payment service providers (collectively referred to as "payment service providers") for this purpose.
The data processed by payment service providers includes inventory data such as names and addresses, banking data such as account numbers or credit card numbers, passwords, TANs and verification codes, as well as contract, transaction and recipient-related information. This information is required to process payment transactions. However, the data entered is processed and stored exclusively by the respective payment service providers. This means that we do not receive account or credit card-related information, but only information confirming or rejecting a payment. Under certain circumstances, payment service providers may transmit data to credit agencies. Such transmission serves the purpose of identity and creditworthiness verification. Please refer to the terms and conditions and privacy policies of the respective payment service providers.
The terms and conditions and privacy notices of the respective payment service providers apply to payment transactions and can be accessed within the respective websites or transaction applications. We also refer to these documents for further information and for exercising rights of withdrawal, access and other data subject rights.
Business Services
We process the data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as "contractual partners"), within the scope of contractual and comparable legal relationships as well as related measures and with regard to communication with contractual partners (or pre-contractually), for example to respond to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any update obligations, and remedies for warranty claims and other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative tasks associated with these obligations as well as for corporate organization. In addition, we process the data based on our legitimate interests in proper business management and security measures to protect our contractual partners and our business operations against misuse, risks to their data, confidential information and rights (e.g. involving telecommunications providers, transport and auxiliary services, subcontractors, banks, tax advisors, legal advisors, payment service providers or public authorities). Within the scope of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about additional forms of processing, such as marketing activities, within this Privacy Policy.
We inform contractual partners which data is required for the aforementioned purposes before or during data collection, for example in online forms, through special markings (e.g. colors), symbols (e.g. asterisks), or personal communication.
We delete data after the expiration of statutory warranty obligations and comparable obligations, generally after four years, unless the data is stored in a customer account or must be retained for legal archiving purposes (for example, ten years for tax purposes). Data disclosed to us by contractual partners within the scope of an assignment is deleted in accordance with the instructions provided and generally upon completion of the assignment.
- Categories of processed data: Inventory data (e.g. full name, residential address, contact information, customer number); payment data (e.g. bank account details, invoices, payment history); contact data (e.g. postal addresses, email addresses and telephone numbers); contract data (e.g. contract subject matter, term, customer category); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures; business processes and commercial procedures.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- Online shop, order forms, e-commerce and fulfillment of services: We process customer data in order to enable the selection, purchase and ordering of products, goods and related services, as well as their payment, provision, delivery or execution. Where necessary for the fulfillment of an order, we use service providers, particularly postal, freight and shipping companies, to carry out delivery or execution for our customers. For payment processing, we use the services of banks and payment service providers. Required information is marked accordingly during the ordering or comparable purchasing process and includes information necessary for delivery, provision and invoicing, as well as contact information for any necessary communication; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
-
Event management: We process the data of participants in events, functions and similar activities offered or organized by us (hereinafter collectively referred to as "participants" and "events") in order to enable participation and the use of associated services or activities.
If, within this context, we process health-related data, religious, political or other special categories of personal data, this is done either because such information has been made manifestly public (e.g. at topic-specific events), serves health protection or safety purposes, or is processed with the consent of the data subjects.
Required information is marked accordingly within the order, booking or comparable contractual process and includes information necessary for service provision and invoicing, as well as contact details for communication purposes. Where we receive access to information relating to end customers, employees or other individuals, we process such information in accordance with legal and contractual requirements; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
Business Processes and Procedures
Personal data of service recipients and clients, including customers, clients, and in special cases principals, patients or business partners, as well as other third parties, is processed within the scope of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates commercial activities in areas such as customer management, sales, payment processing, accounting and project management.
The collected data is used to fulfill contractual obligations and efficiently manage business processes. This includes the execution of business transactions, customer relationship management, optimization of sales strategies, and the maintenance of internal accounting and financial processes. In addition, the data supports the protection of the controller's rights and promotes administrative tasks and corporate organization.
Personal data may be disclosed to third parties where necessary for the fulfillment of the aforementioned purposes or to comply with legal obligations. After statutory retention periods expire or when the purpose of processing ceases to apply, the data is deleted. This also includes data that must be retained for longer periods due to tax or statutory documentation requirements.
- Categories of processed data: Inventory data, payment data, contact data, content data, contract data, usage data, meta, communication and procedural data, and log data.
- Data subjects: Service recipients and clients; prospective customers; communication partners; business and contractual partners; customers; third parties; users (e.g. website visitors and users of online services); employees (e.g. staff members, applicants, temporary workers and other personnel).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; business processes and commercial procedures; security measures; provision of our online offering and user-friendliness; communication; marketing; sales promotion; public relations; financial and payment management; information technology infrastructure.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR).
Legal bases for processing when consent is required: Where we request users' consent for the use of cookies, the legal basis for processing their data is consent. Otherwise, the data processed through cookies is processed on the basis of our legitimate interests (e.g. in the business operation of our online offering and improving its usability) or, where the use of cookies is necessary to fulfill our contractual obligations, if their use is required to fulfill contractual obligations. We explain the specific purposes for which cookies are processed within this Privacy Policy or in the context of our consent and processing procedures.
- Categories of processed data: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data subjects: Users (e.g. website visitors and users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; security measures; reach measurement; tracking; audience building; marketing.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- Consent Management: We use a consent management solution to obtain, manage and document users' consent to the use of cookies and comparable technologies, as well as the associated processing of personal data. As part of this process, users can grant, reject or withdraw consent. Consent decisions are stored to avoid repeated prompts and to provide evidence of consent in accordance with legal requirements. Storage may take place on the server and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to associate the consent with a user or their device. Unless specific information is provided about the providers of consent management services, the following general information applies: Consent is stored for up to two years. A pseudonymous user identifier is generated and stored together with the date and time of consent, details of the scope of consent (e.g. relevant categories of cookies and/or service providers), as well as information about the browser, system and device used; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).
Registration, Login and User Account
Users may create a user account. During registration, users are provided with the required mandatory information and such information is processed for the purpose of providing the user account on the basis of contractual fulfillment obligations. The processed data includes, in particular, login information (username, password and email address).
As part of the use of our registration and login functions, as well as use of the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests and on users' interests in protection against misuse and unauthorized use. In principle, this data is not disclosed to third parties unless necessary to pursue our claims or where a legal obligation exists.
Users may be informed via email about processes relevant to their user account, such as technical changes, security-related notifications or changes affecting the contractual relationship.
- Categories of processed data: Inventory data (e.g. full name, residential address, contact information, customer number); contact data (e.g. postal addresses, email addresses and telephone numbers); content data (e.g. textual or visual messages and contributions, as well as related information such as authorship or time of creation); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g. website visitors and users of online services).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures; provision of our online offering and user-friendliness.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- User profiles are not public: User profiles are generally not publicly visible and cannot be indexed by search engines.
- Deletion of data after termination: If users have terminated their user account, the data associated with the user account will be deleted, unless retention is required for legal reasons. Users are responsible for securing their data before termination. We are entitled to irretrievably delete all user data stored during the term of the contract; Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
- No obligation to retain data: Users are responsible for backing up their data before termination of their account.
Blogs and Publication Media
We use blogs or comparable means of online communication and publication (hereinafter referred to as "publication medium"). Reader data is processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers or for security reasons. For all other aspects, we refer to the information regarding the processing of visitors to our publication medium within this Privacy Policy.
- Categories of processed data: Inventory data; contact data; content data; usage data; meta, communication and procedural data.
- Data subjects: Users (e.g. website visitors and users of online services).
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; feedback; security measures; provision of our online offering and user-friendliness.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
Further information on processing activities, procedures and services:
-
Comments and contributions: When users leave comments or other contributions, their IP addresses may be stored on the basis of our legitimate interests. This is done for our security in the event that someone posts unlawful content in comments or contributions (e.g. insults, prohibited political propaganda, etc.). In such cases, we may be held liable for the comment or contribution and are therefore interested in the identity of the author.
Furthermore, we reserve the right, based on our legitimate interests, to process user data for spam detection.
The data provided in the context of comments and contributions is stored by us until users object or request deletion; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
Contact and Inquiry Management
When contacting us (e.g. by post, contact form, email, telephone or via social media) as well as within the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to the inquiries and any requested measures.
- Categories of processed data: Contact data (e.g. postal addresses, email addresses and telephone numbers); content data (e.g. textual or visual messages and contributions, as well as related information such as authorship or time of creation); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners; users; business and contractual partners; prospective customers.
- Purposes of processing: Communication; organizational and administrative procedures; feedback; provision of our online offering and user-friendliness.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- Contact form: When contacting us via our contact form, by email or through other communication channels, we process the personal data transmitted to us in order to handle and respond to the respective request. This generally includes information such as name, contact details and, where applicable, further information provided to us that is necessary for appropriate processing. We use this data exclusively for the stated purpose of establishing contact and communication; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Artificial Intelligence (AI)
We use artificial intelligence (AI), whereby personal data is processed. The specific purposes and our interest in the use of AI are set out below. According to the term "AI system" as defined in Article 3 No. 1 of the AI Regulation, we understand AI to be a machine-based system designed to operate with varying degrees of autonomy, capable of adaptation after deployment, and which, for explicit or implicit objectives, infers from the inputs it receives how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.
Our AI systems are used in strict compliance with legal requirements. These include both specific regulations applicable to artificial intelligence and data protection requirements. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimization and integrity and confidentiality. We ensure that the processing of personal data is always based on a valid legal basis. This may either be the consent of the data subjects or a legal permission.
When using external AI systems, we carefully select their providers (hereinafter referred to as "AI providers"). In accordance with our legal obligations, we ensure that the AI providers comply with applicable regulations. We also observe our obligations when using or operating the acquired AI services. The processing of personal data by us and the AI providers takes place exclusively on the basis of consent or legal authorization. We place particular emphasis on transparency, fairness and maintaining human oversight over AI-supported decision-making processes.
To protect processed data, we implement appropriate and robust technical and organizational measures. These ensure the integrity and confidentiality of the processed data and minimize potential risks. Through regular reviews of AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.
- Categories of processed data: Content data (e.g. textual or visual messages and contributions, as well as related information such as authorship or time of creation); usage data (e.g. page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g. website visitors and users of online services); communication partners.
- Purposes of processing: Provision of our online offering and user-friendliness; performance of contractual services and fulfillment of contractual obligations; communication; organizational and administrative procedures.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing activities, procedures and services:
- OpenAI: Provision of artificial intelligence services, including language models and associated tools for the generation and processing of text, images and other content; Service provider: OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://openai.com/; Privacy Policy: https://openai.com/privacy/; Data Processing Agreement: https://openai.com/policies/data-processing-addendum/.
Cloud Services
We use software services accessible via the internet and executed on the servers of their providers (so-called "cloud services", also referred to as "Software as a Service"). Within this framework, personal data may be processed and stored on the providers' servers, provided that such data forms part of communication processes with us or is otherwise processed by us as described in this Privacy Policy.
Such data may include, in particular, master data and contact details of users, data relating to transactions, contracts, other processes and their contents. Cloud service providers also process usage data and metadata that they use for security purposes and service optimization.
If we use cloud services to provide forms, documents and content to other users or publicly accessible websites, the providers may store cookies on users' devices for web analytics purposes or to remember user settings (e.g. in the case of media controls).
- Categories of processed data: Inventory data; contact data; content data; contract data; usage data; meta, communication and procedural data.
- Data subjects: Customers; employees; prospective customers; communication partners; users; business and contractual partners.
- Purposes of processing: Information technology infrastructure; organizational and administrative procedures; communication.
- Retention and deletion: In accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).