Privacy Policy


1. Data Protection at a Glance

General Information

The following notes provide a simple overview of what happens to your personal data when you visit this website. Personal data is any data by which you can be personally identified. Detailed information on data protection can be found in our privacy policy listed below this text.

Data Collection on This Website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the section “Notice on the Responsible Authority” in this privacy policy.

How do we collect your data?

Some of your data is collected when you provide it to us. This may, for example, be data that you enter into a contact form.

Other data is collected by our IT systems, automatically or with your consent, when you visit the website. This primarily includes technical data (e.g. internet browser, operating system, or time of the page visit). This data is collected automatically as soon as you enter this website.

What do we use your data for?

Part of the data is collected to ensure the proper functioning of the website. Other data may be used to analyse your user behaviour.

What rights do you have regarding your data?

You have the right to receive information free of charge at any time about the origin, recipient, and purpose of your stored personal data. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you may revoke this consent at any time with effect for the future. In certain cases, you also have the right to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the relevant supervisory authority.

You can contact us at any time with questions about data protection or to exercise these rights.

2. Hosting and Content Delivery Networks (CDN)

Our website is hosted on the Google Cloud Platform. We also use Builder.io as a CMS (Content Management System) and for content delivery via its integrated CDN.

Google Cloud Platform (GCP)

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereafter "Google").

Your data is stored and processed in Google's secure data centres. This may include data being stored outside the EU. Google ensures compliance with European data protection standards through the EU Commission’s Standard Contractual Clauses and is certified under the EU-US Data Privacy Framework.

The use of Google Cloud is based on Art. 6(1)(f) GDPR. We have a legitimate interest in secure, high-performance, and scalable website provision. Where consent is required, processing is based solely on Art. 6(1)(a) GDPR and § 25(1) TDDDG (to the extent that it includes the storage of cookies or access to information on the user's device). Consent can be withdrawn at any time.

More about Google's privacy policy: https://cloud.google.com/security/privacy/

Cloudflare

We use the “Cloudflare” service. Provider: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.

Cloudflare provides a globally distributed Content Delivery Network (CDN) with DNS services. Technically, this routes data transfer between your browser and our website through Cloudflare’s network, allowing it to analyse traffic and act as a firewall against potentially harmful traffic. Cloudflare may use cookies or similar technologies for this purpose only.

The use of Cloudflare is based on our legitimate interest in error-free and secure website delivery (Art. 6(1)(f) GDPR).

Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details: https://www.cloudflare.com/privacypolicy/

Certified under the EU-US Data Privacy Framework. Details: DPF Participant Details

Builder.io

Provider: Builder.io, Inc., 548 Market St, San Francisco, CA 94104, USA.

Builder.io is a headless CMS with an integrated CDN for fast content delivery. Your IP address may be temporarily processed for delivery optimisation. Data transfer occurs to the USA. Builder.io is certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection.

The use is based on our legitimate interest under Art. 6(1)(f) GDPR. If consent is required, processing is also based on Art. 6(1)(a) GDPR and § 25(1) TDDDG. Consent can be withdrawn at any time.

Builder.io privacy details: https://www.builder.io/privacy-policy

Google Cloud Storage (Google Bucket)

We use Google Cloud Storage to store and manage data. Provider: Google Ireland Limited.

It allows us to securely and reliably store large volumes of data, which may be stored on servers in various countries, including outside the EU.

Usage is based on our legitimate interest in reliable data storage (Art. 6(1)(f) GDPR). If consent is obtained, processing follows Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent can be revoked at any time.

More info: https://cloud.google.com/security/privacy/

Google Cloud Functions

Used to execute serverless functions. Provider: Google Ireland Limited.

Allows code execution without managing servers. Use is based on our legitimate interest in efficient feature delivery (Art. 6(1)(f) GDPR). With consent, processing follows Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent is revocable at any time.

More info: https://cloud.google.com/security/privacy/

Firebase

We use several services from Google Firebase to enhance our app and website. Provider: Google Ireland Limited.

  • Firebase Firestore: A NoSQL database used to store and retrieve data in real time. Based on Art. 6(1)(f) GDPR, for efficient data management. If consented, processing is based on Art. 6(1)(a) GDPR and § 25(1) TTDSG. Consent can be revoked.
  • Firebase Authentication: Used for user authentication via email/password, Google, Facebook, etc. Based on Art. 6(1)(b) GDPR as required for contract fulfilment.
  • Firebase Hosting: Provides web hosting for static content and applications. Based on Art. 6(1)(f) GDPR. With consent, processing is based on Art. 6(1)(a) GDPR and § 25(1) TTDSG.

More info on Firebase privacy: https://firebase.google.com/support/privacy

3. General Information and Mandatory Disclosures

Data Protection

We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the applicable UK data protection regulations, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as this privacy notice.

When you use this website, various personal data are collected. Personal data means any information relating to an identifiable person. This privacy notice explains what data we collect, how we use it, and for what purpose.

Please note that data transmission over the internet (e.g. via email communication) can have security vulnerabilities. Absolute protection of your data from third-party access is not possible.

Responsible Party for Data Processing

The data controller is the individual or legal entity that alone or jointly determines the purposes and means of processing personal data (e.g. names, email addresses, etc.).

Data Retention

Unless a more specific retention period is stated in this privacy notice, your personal data will be retained only for as long as necessary to fulfil the purpose for which it was collected. Once the purpose no longer applies, your data will be erased unless there are legal grounds requiring retention (e.g. for tax or accounting purposes). In such cases, data will be erased after the expiration of those obligations.

Legal Basis for Data Processing

We process your personal data based on the following lawful grounds:

  • Consent (UK GDPR Art. 6(1)(a)) where you have explicitly agreed.
  • Contractual necessity (Art. 6(1)(b)) where data processing is required to fulfil a contract or pre-contractual steps.
  • Legal obligation (Art. 6(1)(c)) where we are required to process your data by law.
  • Legitimate interests (Art. 6(1)(f)) where we have a legitimate interest that is not overridden by your rights.

Where we rely on your consent, this can be withdrawn at any time with future effect.

Data Protection Officer

We have appointed a data protection officer:

heyData GmbH

Schützenstraße 5, 10117 Berlin

www.heydata.eu

Email: [email protected]


International Data Transfers

We may use tools or services from companies located in countries outside the UK that do not provide an equivalent level of data protection. Some providers in the US may not be certified under the UK Extension to the EU-US Data Privacy Framework (DPF). If such tools are active, your personal data may be transferred to and processed in these countries.

Where data is transferred to the US, it is permissible if the recipient is certified under the DPF or appropriate safeguards (e.g. standard contractual clauses) are in place.

Recipients of Personal Data

We work with external service providers in the course of our business. Data may be shared with these providers if:

  • It is necessary for contract performance.
  • It is required by law.
  • We have a legitimate interest.
  • You have provided consent.

Where processors are used, data is shared only under a valid data processing agreement.

Your Rights

You have the following rights under the UK GDPR:

  • Withdraw consent at any time.
  • Object to processing based on legitimate interests or for direct marketing (Article 21 UK GDPR).
  • Access, rectification, or erasure of your data.
  • Restriction of processing under certain circumstances.
  • Data portability to obtain your data in a structured, commonly used, and machine-readable format.

For any such requests or questions about data protection, you may contact us directly.

Complaints to the ICO

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

www.ico.org.uk

Data Security

SSL/TLS Encryption

We use SSL or TLS encryption for security reasons and to protect the transmission of confidential content (e.g. form submissions). You can recognise an encrypted connection by the "https://" in the browser address bar and the padlock symbol.

Secure Payment Processing

Where payment information is collected (e.g. for card payments), it is transmitted securely using SSL/TLS encryption.

Objection to Marketing Emails

We object to the use of contact information published under legal notice requirements for sending unsolicited advertisements or informational materials. We reserve the right to take legal action in case of the unsolicited sending of marketing materials, such as spam emails.


4. Data Collection on This Website

Cookies and Consent Management

Our website uses "cookies," which are small data packets stored on your device. These may be temporary (session cookies) or permanent (persistent cookies), and can originate from us (first-party) or third-party providers. Cookies may be technically necessary or used for analytics and personalisation.

The legal basis for essential cookies is our legitimate interest under Article 6(1)(f) UK GDPR. Non-essential cookies are stored/accessed only with your consent under Article 6(1)(a) UK GDPR and PECR. Consent can be withdrawn at any time.

You can configure your browser to inform you about cookie settings, allow cookies on a case-by-case basis, or block them entirely. Disabling cookies may limit website functionality.

Consent Management with Usercentrics

We use Usercentrics to manage cookie consent in compliance with data protection law. Provider: Usercentrics GmbH, Sendlinger Str. 7, 80331 Munich, Germany.

When visiting our site, Usercentrics records settings such as IP address (anonymised), timestamp, device info, and consent status. This is legally required under Article 6(1)(c) UK GDPR.

Privacy details: https://usercentrics.com/de/datenschutzerklaerung/

Server Log Files

The site provider automatically collects and stores data in server log files transmitted by your browser:

  • Browser type/version
  • Operating system
  • Referrer URL
  • Hostname of the accessing computer
  • Time of server request
  • IP address

These data are not merged with other sources and are processed based on legitimate interest under Article 6(1)(f) UK GDPR to ensure the website is technically accurate and optimised.

Contact Form

When you contact us via the contact form, your submitted data and contact details are stored to process your request. This data will not be shared without your consent.

Processing is based on contract necessity (Art. 6(1)(b) UK GDPR) or legitimate interest (Art. 6(1)(f)), or consent if provided (Art. 6(1)(a)). You may withdraw consent anytime.

Contact via Email, Phone, or Fax

When contacting us through email, phone, or fax, the data you provide is stored and used solely to respond to your enquiry. These data will not be shared without consent.

Processing is based on contractual necessity (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), or consent (Art. 6(1)(a)), which may be withdrawn.

WhatsApp Communication

We use WhatsApp (WhatsApp Business) for communication. Provider: WhatsApp Ireland Ltd., Dublin, Ireland. Messages are end-to-end encrypted, but WhatsApp may access metadata (e.g., sender/recipient/time). WhatsApp may share data with its US-based parent company Meta.

Legal basis: legitimate interest in quick communication (Art. 6(1)(f)). If consent is required, processing is based on Art. 6(1)(a). Communication data is stored until deletion is requested.

Meta is certified under the EU-US Data Privacy Framework. Details: https://www.dataprivacyframework.gov/

WhatsApp privacy policy: https://www.whatsapp.com/legal/#privacy-policy

No contact syncing is enabled on our WhatsApp accounts.

Calendly Appointment Booking

We use Calendly (Calendly LLC, Atlanta, GA, USA) to allow appointment scheduling. When booking, you input data into a form which is used for appointment planning, execution, and follow-up.

Data remains with us until deletion is requested. Processing is based on legitimate interest (Art. 6(1)(f)), or consent if obtained (Art. 6(1)(a)).

Data transfers are subject to Standard Contractual Clauses. Details: https://calendly.com/pages/dpa

Calendly privacy policy: https://calendly.com/privacy

Website Registration

You can register on our site for additional features. Data entered is used only for the associated service and will be stored until your account is deleted. Mandatory fields must be filled out.

Processing is based on contractual necessity (Art. 6(1)(b)).

Register with Google

Instead of registering directly, you may sign up with Google. Provider: Google Ireland Ltd., Dublin. Google confirms your identity and may share account info with us depending on your Google privacy settings.

Processing is based on our legitimate interest (Art. 6(1)(f)). Participation is voluntary.

Google is certified under the EU-US DPF. Details: https://www.dataprivacyframework.gov/

Register with Facebook Connect

You may register via Facebook Connect. Provider: Meta Platforms Ireland Ltd. Data is also processed in the US and other third countries.

Upon login via Facebook, data such as name, email, and profile information is shared with us to personalise your account.

Processing is based on consent (Art. 6(1)(a)). You may withdraw consent at any time.

We share joint responsibility with Meta for initial data capture and transmission. Facebook handles further processing.

Joint Controller Agreement: https://www.facebook.com/legal/controller_addendum

Meta is DPF-certified. Details: https://www.dataprivacyframework.gov/

Comments on This Website

When commenting, we store your comment, timestamp, email address, and username (if not anonymous).

We also store your IP address to address legal violations.

You may subscribe to follow-up comments. A confirmation email will verify your identity. You may unsubscribe at any time.

Comments and related data remain on the website until the content is deleted or comments must be removed legally.

Legal basis: consent (Art. 6(1)(a)), which can be withdrawn.

5. Social Media

Facebook

This website integrates elements of the Facebook social network. Provider: Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland. According to Facebook, data may also be transferred to the USA and other third countries.

Overview of Facebook social plugins: https://developers.facebook.com/docs/plugins/

When the social media element is active, a direct connection is established between your device and Facebook's servers. Facebook is informed that your IP address visited our website. If you click the Facebook “Like” button while logged into your Facebook account, content from our site may be linked to your Facebook profile. Facebook can then associate your visit with your user account. We do not have knowledge of the transmitted content or its use by Facebook. Facebook's privacy policy: https://facebook.com/privacy/explanation

The service is used based on your consent under Article 6(1)(a) UK GDPR and PECR. You may withdraw consent at any time.

For the initial data collection and transfer to Facebook, we share joint responsibility with Meta Platforms Ireland Ltd. as per Article 26 UK GDPR. This joint responsibility is limited to the data capture and forwarding. Further processing by Facebook is outside our responsibility. Details of the agreement: https://www.facebook.com/legal/controller_addendum

Data transfers to the USA rely on EU Commission's Standard Contractual Clauses. Details: https://www.facebook.com/legal/EU_data_transfer_addendum, https://facebook.com/help/566994660333381, and https://facebook.com/policy.php

Meta is certified under the EU-US Data Privacy Framework (DPF). Info: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active

Instagram

Instagram features are embedded on this website. Provider: Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland.

When activated, a direct connection is established between your device and Instagram's servers. Instagram receives data about your visit.

If logged into Instagram, clicking its button can link content to your Instagram profile. Instagram may associate this with your user account. We receive no information on content or use. Instagram’s privacy policy: https://privacycenter.instagram.com/policy/

Use of Instagram features is based on your consent (Art. 6(1)(a) UK GDPR and PECR). Consent may be withdrawn at any time.

Joint responsibility with Meta Platforms Ireland Ltd. applies for data collected and transferred (Art. 26 UK GDPR). Processing beyond this is the sole responsibility of Meta. Joint Controller Agreement: https://www.facebook.com/legal/controller_addendum

Transfers to the USA rely on Standard Contractual Clauses. Info: https://www.facebook.com/legal/EU_data_transfer_addendum, https://privacycenter.instagram.com/policy/, and https://facebook.com/help/566994660333381

Meta is certified under the EU-US Data Privacy Framework (DPF): https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active.

6. Analytics Tools and Advertising

Google Tag Manager

We use Google Tag Manager by Google Ireland Ltd., Dublin. It enables us to integrate tracking and analytics tools. It does not process personal data directly, but may transmit IP addresses to Google's parent company in the USA.

Use is based on our legitimate interest under Art. 6(1)(f) UK GDPR. If consent is required for technologies managed via Tag Manager, this is based on Art. 6(1)(a) UK GDPR and PECR. Consent can be withdrawn.

Google is DPF-certified: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

Google Analytics

We use Google Analytics to analyse visitor behaviour. Data includes pages viewed, time spent, operating systems, and more. These are linked to a user ID and device.

Google may use modelling and machine learning to enhance insights. Data is transferred to Google in the USA, using technologies like cookies and device fingerprinting.

Use is based on consent (Art. 6(1)(a) UK GDPR and PECR). Consent can be withdrawn.

IP anonymisation is enabled. Browser plugin to opt-out: https://tools.google.com/dlpage/gaoptout?hl=de

Google privacy policy: https://support.google.com/analytics/answer/6004245?hl=de

Processing agreement: Enforced under strict terms by UK data protection authorities.

E-Commerce tracking allows analysis of purchase behaviour.

Hotjar

We use Hotjar (Hotjar Ltd., Malta) to analyse user behaviour. It tracks mouse movements, clicks, and time spent on elements. Data is used to create heatmaps and conversion funnels.

Also collects user feedback. Uses cookies and device fingerprinting.

Use is based on consent (Art. 6(1)(a) UK GDPR and PECR), or legitimate interest (Art. 6(1)(f)). Consent can be withdrawn.

Opt-out: https://www.hotjar.com/policies/do-not-track/

Privacy info: https://www.hotjar.com/privacy

Google Ads and AdSense

We use Google Ads and Google AdSense to serve ads. Provider: Google Ireland Ltd., Dublin.

Ads are served based on keywords or user data. AdSense enables third-party ads based on user behaviour and content context.

Use is based on consent (Art. 6(1)(a) UK GDPR and PECR). Consent can be withdrawn.

Google DPF certification: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

AdSense may collect IP addresses and behavioural data. This info may be transferred to the USA.

More: https://privacy.google.com/businesses/controllerterms/mccs/

Google Conversion Tracking

Used to identify actions like clicks and purchases following ad interactions. Does not identify users personally.

Use is based on consent (Art. 6(1)(a) UK GDPR and PECR). Consent can be withdrawn.

More: https://policies.google.com/privacy

Meta Pixel (Facebook Pixel)

Used to measure ad conversion from Facebook. Meta Platforms Ireland Ltd. is the provider.

Tracks post-click activity and informs ad effectiveness. Data is anonymous to us but linked to profiles by Facebook.

Use is based on consent (Art. 6(1)(a) UK GDPR and PECR). Consent can be withdrawn.

Joint data processing agreement: https://www.facebook.com/legal/controller_addendum

More on Facebook privacy: https://facebook.com/about/privacy/

Disable custom audiences: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen

Non-account holders: http://www.youronlinechoices.com/de/praferenzmanagement/

Meta is DPF-certified: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt0000000GnywAAC&status=Active

TikTok Pixel

We use TikTok Pixel by TikTok Technology Ltd., Dublin. Allows tracking and measurement of ad effectiveness.

Processes IP, session duration, OS, user activity, and device info. These are tied to a User-ID and device.

Use is based on consent (Art. 6(1)(a) UK GDPR and PECR). Consent can be withdrawn.

Data transfers rely on EU Standard Contractual Clauses.

More info: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE and https://ads.tiktok.com/i18n/official/policy/controller-to-controller


7. Newsletter

Newsletter Data

If you would like to receive the newsletter offered on this website, we require your email address and information that allows us to verify that you are the owner of the provided email address and that you consent to receiving the newsletter. No additional data is collected unless provided voluntarily.

We use external newsletter service providers to manage the newsletter distribution. These are detailed below.

Brevo

This website uses Brevo for sending newsletters. Provider: Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

Brevo is a service that helps manage and analyse newsletter campaigns. The data you enter for subscribing to the newsletter is stored on servers located in Germany.

Data Analysis by Brevo

Brevo allows us to analyse the effectiveness of our newsletter campaigns. For example, we can see if an email has been opened and which links have been clicked. This helps us understand which content is of most interest to our readers.

Additionally, we can track whether predefined actions (conversions) occur after newsletter interactions — such as a purchase made following a link click.

Brevo also enables segmentation of newsletter recipients by various criteria (e.g. age, gender, location) to tailor content more effectively to different audience groups.

If you do not wish to be part of this analysis, you must unsubscribe from the newsletter. A link for unsubscribing is provided in every email.

For more details on Brevo’s features: https://www.brevo.com/de/newsletter-software/

Legal Basis

The processing of your data is based on your consent (Article 6(1)(a) UK GDPR). You may withdraw your consent at any time. The legality of any processing that occurred prior to withdrawal remains unaffected.

Data Retention

Your data provided for newsletter purposes will be retained until you unsubscribe from the newsletter. Once unsubscribed, your data will be removed from the active mailing list. Any data stored for other purposes remains unaffected.

After you unsubscribe, your email address may be placed on a suppression (blacklist) file if necessary to prevent future emails. This blacklist data is not combined with other data and is used solely for this purpose — a legitimate interest under Article 6(1)(f) UK GDPR. Blacklisting is indefinite unless you object and demonstrate overriding legitimate interests.

Brevo's privacy policy:

https://www.brevo.com/de/datenschutz-uebersicht/

https://www.brevo.com/de/legal/privacypolicy/

Data Processing Agreement

We have a Data Processing Agreement (DPA) in place with Brevo, as legally required. This ensures that your personal data is processed only in accordance with our instructions and in full compliance with UK GDPR.

9. eCommerce and Payment Providers

Processing of Customer and Contract Data

We collect, process, and use personal customer and contract data to establish, manage, and modify our contractual relationships. Personal usage data relating to the use of this website is only collected, processed, and used to the extent required to enable users to use the service or to bill them accordingly. The legal basis is Article 6(1)(b) UK GDPR.

Collected customer data will be deleted once the purpose has been fulfilled (e.g. after contract completion or termination of business relationship) and legal retention periods have expired. Statutory retention obligations remain unaffected.

Data Transfer upon Conclusion of a Contract for Services or Digital Content

We only share personal data with third parties when it is necessary for the performance of a contract—for example, with payment service providers or financial institutions involved in the payment process.

Data is not transferred beyond this unless you have given explicit consent. Your data will not be shared with third parties for advertising purposes without consent.

The legal basis is Article 6(1)(b) UK GDPR, which permits data processing for the performance of a contract or pre-contractual measures.

Payment Services

We integrate third-party payment services on our website. When you make a purchase, your payment data (e.g. name, payment amount, account number, credit card details) is processed by the respective provider for the purpose of processing the transaction. The provider’s own contract and privacy policies apply.

Processing is based on Article 6(1)(b) UK GDPR (contract performance), and also on our legitimate interest in secure and efficient payment handling (Article 6(1)(f)). Where explicit consent is required, Article 6(1)(a) UK GDPR applies. Consent can be withdrawn at any time.

The payment services we use include:

PayPal

Provider: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Data transfers to the USA are based on EU Standard Contractual Clauses: Link

Apple Pay

Provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA

Privacy policy: https://www.apple.com/legal/privacy/de-ww/

Google Pay

Provider: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy: https://policies.google.com/privacy

Stripe

Provider in the EU: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin

Privacy and data handling: https://stripe.com/de/privacy

Standard Contractual Clauses info: https://stripe.com/de/guides/general-data-protection-regulation

Klarna

Provider: Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden

Privacy policy: https://www.klarna.com/de/datenschutz/

Klarna uses cookies to optimise its checkout system: Cookie policy

Sofort (Immediate Bank Transfer)

Provider: Sofort GmbH, Theresienhöhe 12, 80339 Munich

Details and data handling: https://www.klarna.com/sofort/

giropay

Provider: paydirekt GmbH, Stephanstraße 14–16, 60313 Frankfurt am Main

Privacy policy: https://www.paydirekt.de/agb/index.html

Mastercard

Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium

Data may be transferred to its US parent under Binding Corporate Rules (BCRs)

More: https://www.mastercard.de/de-de/datenschutz.html and https://www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf

VISA

Provider: Visa Europe Services Inc., 1 Sheldon Square, London W2 6TT, United Kingdom

UK is recognised as a country with adequate data protection standards.

Data may be transferred to the US under EU Standard Contractual Clauses.

Privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html


10. Audio and Video Conferencing

Data Processing

To communicate with our clients, we utilise online conferencing tools. The specific tools we use are listed below. When you engage with us via video or audio call over the internet, your personal data will be processed by us and the provider of the respective conferencing tool.

These tools collect all the data you provide to use their services (e.g. your email address and/or phone number). They also process metadata such as the duration of the conference, time of entry and exit, participant count, and other contextual data related to the communication.

The provider also processes technical data required to facilitate the online session, such as IP and MAC addresses, device identifiers, device type, operating system and version, client version, and hardware information (e.g. camera, microphone, speaker), as well as connection details.

If files are shared or uploaded during the session—such as recordings, chat logs, voicemails, images, videos, whiteboard content—these may be stored on the servers of the respective providers.

Please note that we have limited influence over the data handling practices of these third-party tools, which are governed by the providers’ internal policies. You can find more detailed information in the privacy policies of each conferencing tool listed below.

Purpose and Legal Basis

These tools are used to facilitate communication with (potential) clients or to deliver services under contract (Article 6(1)(b) UK GDPR). They are also employed to simplify and accelerate communication, which constitutes a legitimate interest (Article 6(1)(f) UK GDPR). Where consent is obtained, the relevant processing is based on that consent (Article 6(1)(a) UK GDPR); such consent can be withdrawn at any time with future effect.

Data Retention

Data directly collected by us via these tools will be erased from our systems upon your request, the withdrawal of your consent, or once the processing purpose no longer applies. Cookies remain on your device until deleted by you. Statutory retention obligations remain unaffected.

We have no control over the retention periods applied by conferencing tool providers; please consult their privacy policies for more details.

Conferencing Tools Used

Google Meet

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy policy: https://policies.google.com/privacy?hl=de

Google is certified under the EU-US Data Privacy Framework (DPF):

DPF certification link

eSprechstunde.net

Provider: Digineo GmbH, Fahrenheitstraße 15, 28359 Bremen, Germany

This platform allows us to conduct virtual appointments and communicate with users in real time.

Usage is based on our legitimate interest in efficient appointment and communication management (Article 6(1)(f) UK GDPR). Where consent is required, the processing is based on Article 6(1)(a) UK GDPR and applicable national laws. Consent can be withdrawn at any time.

Privacy policy: https://esprechstunde.net/datenschutz

11. Internal Services

Handling of Applicant Data

We offer the opportunity to apply for roles with us (e.g. via email, post, or an online application form). Below, we outline the scope, purpose, and use of your personal data collected during the application process. We assure you that your data will be collected, processed, and used in compliance with applicable data protection laws and will be treated as strictly confidential.

Scope and Purpose of Data Collection

When you submit an application, we process your personal data (e.g. contact and communication details, application documents, interview notes, etc.) to the extent required for deciding whether to establish an employment relationship. The legal basis for this includes Article 6(1)(b) UK GDPR (contract initiation), and where applicable, Article 6(1)(a) UK GDPR (consent). Consent may be withdrawn at any time. Your data will only be accessible to individuals involved in the recruitment process.

If your application is successful, the data provided will be stored in our systems for the purposes of the employment relationship in accordance with Article 6(1)(b) UK GDPR.

Data Retention

If we cannot offer you a position, if you decline a position, or if you withdraw your application, we reserve the right to retain the data you have provided for up to 6 months following the conclusion of the recruitment process. This is based on our legitimate interest (Article 6(1)(f) UK GDPR), particularly in the event of legal disputes. After this period, the data will be deleted and physical documents destroyed. If there are indications that the data will be needed beyond the 6-month period (e.g. due to an impending legal case), deletion will take place once the reason for extended retention no longer applies.

Longer retention is possible if you have given your explicit consent (Article 6(1)(a) UK GDPR) or if statutory retention requirements prevent deletion.

Inclusion in the Applicant Pool

If we do not offer you a position, we may invite you to join our applicant pool. In such cases, your application documents will be stored to contact you in the event of suitable openings.

Inclusion in the applicant pool is based solely on your explicit consent (Article 6(1)(a) UK GDPR). Granting consent is voluntary and unrelated to the ongoing recruitment process. Consent can be withdrawn at any time. If consent is withdrawn, all data in the applicant pool will be permanently deleted unless legal obligations prevent this.

Data in the applicant pool will be permanently deleted no later than two years after consent was granted.

© 2025 DrAnsay.