Privacy Policy

Introduction

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter referred to as “data”) we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and particularly on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).

The terms used are not gender-specific.

Last updated: 05.06.2024

Controller

Jasmin Peters
Ehrenbergstraße 59

22767 Hamburg

Germany

Email address: info@jasminpeters.de

Imprint: https://jasminpeters.de/impressum

Overview of Processing Operations

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Inventory data (e.g., names, addresses).
  • Content data (e.g., entries in online forms).
  • Contact data (e.g., email, phone numbers).
  • Meta/communication data (e.g., device information, IP addresses).
  • Usage data (e.g., websites visited, interest in content, access times).
  • Location data (information about the geographic position of a device or person).
  • Contract data (e.g., subject matter of contract, term, customer category).
  • Payment data (e.g., bank details, invoices, payment history).

Categories of Data Subjects

  • Business and contractual partners.
  • Interested parties.
  • Communication partners.
  • Customers.
  • Users (e.g., website visitors, users of online services).

Purposes of Processing

  • Provision of our online offering and user-friendliness.
  • Visit action evaluation.
  • Office and organizational procedures.
  • Cross-device tracking (processing of user data across devices for marketing purposes).
  • Direct marketing (e.g., by email or postal mail).
  • Interest-based and behavioral marketing.
  • Contact requests and communication.
  • Conversion measurement (measuring the effectiveness of marketing measures).
  • Profiling (creating user profiles).
  • Remarketing.
  • Reach measurement (e.g., access statistics, recognition of returning visitors).
  • Security measures.
  • Tracking (e.g., interest/behavioral profiling, use of cookies).
  • Provision of contractual services and customer service.
  • Management and response to inquiries.
  • Target group formation (determination of target groups relevant for marketing purposes or other output of content).

Relevant Legal Bases

Below, we share the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that in addition to the GDPR regulations, national data protection requirements in your country or our country of residence may apply. Furthermore, should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Contract Performance and Pre-contractual Inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, assurance of availability of, and segregation of the data. We have also established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data compromise. Furthermore, we consider the protection of personal data already during the development and selection of hardware, software, and processes according to the principle of privacy by design and privacy by default.

SSL Encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in your browser’s address bar.

Collection and Processing of Sensitive Personal Data

As part of our services, it may be necessary to collect sensitive data such as information about psychological and emotional states. The collected data includes, among other things, assessments of your well-being in various areas (e.g., self-esteem, stress management abilities, and joy of life). This data is used exclusively for the purpose of documenting progress and changes to best support you in achieving your goals.

Consent and Right of Withdrawal

The processing of this data takes place exclusively on the basis of your explicit consent pursuant to Art. 6(1)(a), Art. 9(2)(a) GDPR. You have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of data processing up to the point of withdrawal.

Storage and Deletion of Data

The data is stored only as long as necessary for the above-described purpose or as required by legal retention obligations. Generally, the data is deleted or anonymized after 12 months unless consent for longer storage exists.

Transfer and Disclosure of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of this data may include payment institutions for payment processing, service providers commissioned with IT tasks, or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosure or transfer of data to other persons, entities, or companies, this will only take place in accordance with legal requirements.

Subject to explicit consent or contractually or legally required transfer, we only process or allow the processing of data in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Under the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain companies in the USA as safe through the adequacy decision of July 10, 2023. The list of certified companies and additional information about the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We inform you within the privacy notices which service providers used by us are certified under the Data Privacy Framework.

Use of Cookies

Cookies are small text files or other storage records that store information on end devices and read information from the end devices, for example to store the login status in a user account, shopping cart contents in an e-shop, accessed content, or used functions of an online service. Cookies can also be used for various purposes, e.g., for purposes of functionality, security, and comfort of online offerings as well as the creation of analyses of visitor flows.

Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, except when it is not legally required. Consent is not necessary in particular if the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e., our online offering) they have explicitly requested. The revocable consent is clearly communicated to users and contains information about the respective cookie use.

Notes on Legal Bases under Data Protection Law: The legal basis on which we process users’ personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g., in a business operation of our online offering and improvement of its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations.

Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:

  • Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Similarly, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and that the storage duration can be up to two years.

General Information on Withdrawal and Objection (Opt-Out): Depending on whether the processing is based on consent or legal permission, you have the option at any time to withdraw your consent or to object to the processing of your data using cookie technologies (collectively referred to as “opt-out”). You can initially declare your objection through your browser settings, e.g., by deactivating the use of cookies (though this may also restrict the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via various services, especially in the case of tracking, through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further objection instructions in the context of the information on the service providers and cookies used.

Processing of Cookie Data Based on Consent: We use a cookie consent management procedure in which users’ consent to the use of cookies, or the processing and providers mentioned in the cookie consent management procedure, can be obtained and managed and withdrawn by users. The declaration of consent is stored to prevent having to repeat its request and to be able to prove consent in accordance with legal obligations. Storage can take place server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to be able to assign consent to a user or their device. Subject to individual information about cookie management service providers, the following notes apply: The duration of consent storage can be up to two years. A pseudonymous user identifier is created and stored with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), and the browser, system, and device used.

Commercial and Business Services

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships as well as associated measures and in the context of communication with contractual partners (or pre-contractually), e.g., to answer inquiries.

We process this data to fulfill our contractual obligations, to secure our rights, and for the purposes of the administrative tasks associated with this information as well as business organization. We only disclose the data of contractual partners to third parties within the scope of applicable law to the extent necessary for the aforementioned purposes or to fulfill legal obligations or with the consent of the data subjects (e.g., to involved telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Contractual partners will be informed about further processing, e.g., for marketing purposes, within this privacy policy.

We inform contractual partners which data is required for the aforementioned purposes before or in the context of data collection, e.g., in online forms, through special marking (e.g., colors) or symbols (e.g., asterisks, etc.), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be kept for legal archiving reasons (e.g., for tax purposes usually 10 years). Data disclosed to us in the context of an assignment by the contractual partner will be deleted according to the specifications of the assignment, generally after the end of the assignment.

If we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms apply in the relationship between users and providers.

Customer Account:
Contractual partners can create an account within our online offering (e.g., customer or user account, in short “customer account”). For orders or bookings, we automatically create a customer account with the data you provide. This is necessary to give you access to your appointment bookings, order history, and personal settings. You will be informed about the account creation during the ordering process.

  • Required Information: Name, email address, billing and delivery address.
  • Purpose of Processing: Management of orders, appointment bookings, customer communication, and provision of a personal customer area.
  • Legal Basis: Contract performance pursuant to Art. 6(1)(b) GDPR.

Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent logins and use of the customer account, we store the IP addresses of customers along with access times to be able to prove registration and prevent any misuse of the customer account.

When customers have terminated their customer account, the data relating to the customer account will be deleted, subject to retention being required by law. It is the responsibility of customers to secure their data before termination of the customer account.

Further information on data processing can be found in the corresponding sections of this privacy policy.

Economic Analyses and Market Research: For business reasons and to identify market trends, wishes of contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc., whereby the group of affected persons may include contractual partners, interested parties, customers, visitors, and users of our online offering.

The analyses are carried out for the purpose of business evaluations, marketing, and market research (e.g., to determine customer groups with different characteristics). In doing so, we can, if available, take into account the profiles of registered users including their information, e.g., on services used. The analyses serve us alone and are not disclosed externally unless they are anonymous analyses with aggregated, i.e., anonymized values. Furthermore, we respect the privacy of users and process the data for analysis purposes as pseudonymously as possible and, if feasible, anonymously (e.g., as aggregated data).

Shop and E-Commerce: We process the data of our customers to enable them to select, purchase, or order the selected products, goods, and related services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, particularly post, freight, and shipping companies, to carry out the delivery or execution to our customers. For handling payment transactions, we use the services of banks and payment service providers. The required information is marked as such within the ordering or comparable purchasing process and includes the information needed for delivery or provision and billing as well as contact information to be able to hold any consultation.

  • Types of Data Processed: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contact data (e.g., email, phone numbers), contract data (e.g., subject matter, term, customer category), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Data Subjects: Interested parties, business and contractual partners, customers.
  • Purposes of Processing: Provision of contractual services and customer service, contact requests and communication, office and organizational procedures, administration and response to requests, security measures, visit action evaluation, interest-based and behavioral marketing, profiling (creating user profiles).
  • Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legal obligation (Art. 6(1)(c) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Payment Service Providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in addition to banks and credit institutions (collectively “payment service providers”).

The data processed by the payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, sum and recipient-related information. The information is necessary to complete the transactions. However, the entered data is only processed by the payment service providers and stored with them. That is, we do not receive any account or credit card related information, but only information with confirmation or negative disclosure of the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. This transmission aims at identity and credit checks. For this, we refer to the terms and conditions and privacy policies of the payment service providers.

For payment transactions, the terms and conditions and privacy notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for further information and assertion of withdrawal, information, and other data subject rights.

  • Types of Data Processed: Inventory data (e.g., names, addresses), payment data (e.g., bank details, invoices, payment history), contract data (e.g., subject matter, term, customer category), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Data Subjects: Customers, interested parties.
  • Purposes of Processing: Provision of contractual services and customer service.
  • Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Services and Service Providers Used:

Provision of Online Services and Web Hosting

To provide our online service securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online service can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The data processed in the course of providing the hosting service may include all information concerning the users of our online service that arises in the context of use and communication. This regularly includes the IP address, which is necessary to deliver the contents of online services to browsers, and all entries made within our online service or from websites.

Email Sending and Hosting: The web hosting services we use also include sending, receiving, and storing emails. For these purposes, the addresses of recipients and senders, as well as other information concerning email sending (e.g., the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails on the Internet are generally not sent in encrypted form. As a rule, emails are encrypted during transport, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore accept no responsibility for the transmission path of emails between the sender and reception on our server.

Collection of Access Data and Log Files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). Server log files may include the address and name of the accessed websites and files, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider.

The server log files may be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability.

  • Types of data processed: Content data (e.g., entries in online forms), Usage data (e.g., visited websites, interest in content, access times), Meta/communication data (e.g., device information, IP addresses).
  • Categories of persons affected: Users (e.g., website visitors, users of online services).
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Contact

When contacting us (e.g., via contact form, email, telephone, or social media), the information provided by the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

The response to contact requests in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.

  • Types of data processed: Master data (e.g., names, addresses), Contact data (e.g., email, phone numbers), Content data (e.g., entries in online forms), Usage data (e.g., visited websites, interest in content, access times), Meta/communication data (e.g., device information, IP addresses).
  • Categories of persons affected: Communication partners, interested parties.
  • Purposes of processing: Contact requests and communication, administration and response to requests.
  • Legal basis: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

  • Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the communicated concern. For this purpose, we process personal data within the scope of pre-contractual and contractual business relationships, to the extent necessary for their fulfillment and otherwise on the basis of our legitimate interests and the interests of the communication partners in responding to the concerns and our legal retention obligations.

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients or legal permission. If the contents of a newsletter are specifically described during registration, they are decisive for the user’s consent. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal address in the newsletter, or other information if it is required for the purposes of the newsletter.

Double-Opt-In Procedure: Registration for our newsletter generally takes place in a so-called double-opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with email addresses belonging to other people. Newsletter registrations are logged to be able to prove the registration process according to legal requirements. This includes storing the registration and confirmation time as well as the IP address. Changes to your data stored with the dispatch service provider are also logged.

Deletion and Processing Restriction: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove previously given consent. The processing of this data is limited to the purpose of possible defense against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist (so-called “blacklist”).

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper execution. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

Notes on Legal Basis: Newsletters are sent on the basis of recipients’ consent or, if consent is not required, on the basis of our legitimate interests in direct marketing, insofar as and to the extent this is legally permitted, e.g., in the case of existing customer advertising. If we commission a service provider to send emails, this is done on the basis of our legitimate interests. The registration process is recorded on the basis of our legitimate interests to demonstrate that it was conducted in accordance with the law.

Content: Information about us, our services, promotions, and offers.

Analysis and Performance Measurement: The newsletters contain a so-called “web beacon”, i.e., a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. During this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected.

This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether newsletters are opened, when they are opened, and which links are clicked. This information can be assigned to individual newsletter recipients for technical reasons. However, it is neither our endeavor nor, if used, that of the mailing service provider to observe individual users. Rather, the evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

The evaluation of the newsletter and performance measurement takes place, subject to the express consent of users, on the basis of our legitimate interests for the purposes of using a user-friendly and secure newsletter system that serves both our business interests and meets user expectations.

A separate revocation of the performance measurement is unfortunately not possible; in this case, the entire newsletter subscription must be cancelled or objected to.

  • Types of data processed: Master data (e.g., names, addresses), Contact data (e.g., email, phone numbers), Meta/communication data (e.g., device information, IP addresses), Usage data (e.g., visited websites, interest in content, access times).
  • Categories of persons affected: Communication partners.
  • Purposes of processing: Direct marketing (e.g., by email or postal mail).
  • Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
  • Opt-out option: You can cancel the receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or can otherwise use one of the contact options listed above, preferably email.

Services and service providers used:

No external services are used. The newsletter is sent from the server where this website is hosted.

Web Analysis, Monitoring, and Optimization

Web analysis (also known as “reach measurement”) is used to evaluate visitor flows to our online offering and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offering or its functions or content are most frequently used or invite reuse. We can also understand which areas need optimization.

In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components.

For these purposes, so-called user profiles can be created and stored in a file (so-called “cookie”) or similar procedures can be used for the same purpose. This information can include, for example, content viewed, websites visited and elements used there, and technical information such as the browser used, computer system used, and information about usage times. If users have consented to the collection of their location data, this may also be processed depending on the provider.

The IP addresses of users are also collected. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear-text user data (such as email addresses or names) is stored, only pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on Legal Basis: If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times), Meta/communication data (e.g., device information, IP addresses).
  • Categories of persons affected: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors), Tracking (e.g., interest/behavioral profiling, use of cookies), Visit action evaluation, Profiling (creating user profiles).
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal basis: Consent (Art. 6(1)(a) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Services and service providers used:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user identification number. This identification number does not contain unique data such as names or email addresses. It is used to assign analytical information to a device in order to recognize which content users have accessed within one or multiple usage sessions, which search terms they have used or accessed again, or whether they have interacted with our online offering. The time of use and its duration are also stored, as well as the sources of users referring to our online offering and technical aspects of their devices and browsers. Pseudonymous profiles of users with information from the use of various devices are created, whereby cookies may be used. In Analytics, data about the geographical location is provided at a higher level by collecting the following metadata through IP lookup: “City” (and the derived latitude and longitude of the city), “Continent”, “Country”, “Region”, “Subcontinent” (and the ID-based equivalents). To ensure the protection of user data in the EU, Google receives and processes all user data via domains and servers within the EU. Users’ IP addresses are not logged and are shortened by the last two digits by default. The IP address shortening takes place on EU servers for EU users. Additionally, all sensitive data collected from users in the EU is deleted before it is collected via EU domains and servers; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/en/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; Basis for Third Country Transfer: Data Privacy Framework, Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out Option: Opt-out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for Ad Display: https://adssettings.google.com/authenticated; Further Information: https://privacy.google.com/businesses/adsservices (Types of processing and processed data).
  • Google Tag Manager: Google Tag Manager is a solution that allows us to manage website tags through an interface and thus integrate other services into our online offering (please refer to further information in this privacy policy). The Tag Manager itself (which implements the tags) does not create user profiles or store cookies. Google only learns the IP address of the user, which is necessary to run the Google Tag Manager; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms; Basis for Third Country Transfer: Data Privacy Framework, Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Further Information: https://privacy.google.com/businesses/adsservices (Types of processing and processed data).

Online Marketing

We process personal data for online marketing purposes, which may include in particular the marketing of advertising space or display of advertising and other content (collectively referred to as “Content”) based on potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (referred to as a “cookie”) or similar procedures are used, by means of which the information relevant for the display of the aforementioned Content about the user is stored. This information may include, for example, Content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, computer system used, and information about usage times. If users have consented to the collection of their location data, this may also be processed.

The IP addresses of users are also collected. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, in the context of online marketing procedures, no clear data of users (such as email addresses or names) is stored; pseudonyms are stored instead. This means that we, as well as the providers of online marketing procedures, do not know the actual identity of users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or by means of similar procedures. These cookies can later generally also be read on other websites that use the same online marketing procedure, analyzed for purposes of Content display, and supplemented with additional data and stored on the server of the online marketing procedure provider.

Exceptionally, clear data can be assigned to the profiles. This is the case if, for example, users are members of a social network whose online marketing procedures we use and the network connects the profiles of users with the aforementioned information. Please note that users may make additional agreements with the providers, e.g., by consent in the context of registration.

We generally only receive access to summarized information about the success of our advertisements. However, as part of conversion measurements, we can check which of our online marketing methods have led to a so-called conversion, e.g., to a contract conclusion with us. The conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, please assume that cookies used will be stored for a period of two years.

Information on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., visited websites, interest in content, access times), meta/communication data (e.g., device information, IP addresses), location data (information about the geographical position of a device or person).
  • Affected persons: Users (e.g., website visitors, users of online services), interested parties.
  • Purposes of processing: Tracking (e.g., interest/behavior-based profiling, use of cookies), remarketing, visit action evaluation, interest-based and behavioral marketing, profiling (creating user profiles), conversion measurement (measuring the effectiveness of marketing measures), reach measurement (e.g., access statistics, recognition of returning visitors), target group formation (determining target groups relevant for marketing purposes or other output of content), cross-device tracking (cross-device processing of user data for marketing purposes).
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal bases: Consent (Art. 6 Para. 1 S. 1 lit. a. GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f. GDPR).
  • Opt-out options: We refer to the privacy notices of the respective providers and the opt-out options provided for the providers. If no explicit opt-out option is specified, you have the option to disable cookies in your browser settings. However, this may restrict functions of our online service. We therefore additionally recommend the following opt-out options, which are offered collectively for respective areas:
    a) Europe: https://www.youronlinechoices.eu.
    b) Canada: https://www.youradchoices.ca/choices.
    c) USA: https://www.aboutads.info/choices.
    d) Cross-territorial: https://optout.aboutads.info.

Services and service providers used:

  • Meta Pixel and Target Group Formation (Custom Audiences): Using the Meta Pixel (or comparable functions for transmitting event data or contact information via interfaces in apps), Facebook can determine visitors to our online service as a target group for displaying advertisements (so-called “Facebook Ads”). Accordingly, we use the Meta Pixel to display the Facebook Ads placed by us only to those users on Facebook and within the services of Facebook’s cooperating partners (so-called “Audience Network” https://www.facebook.com/audiencenetwork/) who have also shown interest in our online service or who have certain characteristics (e.g., interest in certain topics or products, which becomes apparent through the websites visited) that we transmit to Facebook (so-called “Custom Audiences”). With the help of the Meta Pixel, we also want to ensure that our Facebook Ads correspond to the potential interest of users and do not appear annoying. Using the Meta Pixel, we can also track the effectiveness of Facebook advertisements for statistical and market research purposes by seeing if users were redirected to our website after clicking on a Facebook advertisement (so-called “conversion measurement”); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third-country transfer: Data Privacy Framework, Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum) in case of order processing by Facebook as basis for processing event data of EU citizens in the USA and inclusion in the “Facebook Platform Terms” (https://developers.facebook.com/terms) regarding Facebook’s independent processing of event data in the context of advertising; Additional information: The “Data Processing Terms” (https://www.facebook.com/legal/terms/dataprocessing/update) apply regarding event data that Facebook processes on behalf of companies to provide reports and analyses; Furthermore, the “Controller Addendum” applies as an agreement on joint responsibility (Art. 26 Para. 1 S. 3 GDPR), which is relevant in the case of independent processing of event data by Facebook for targeting purposes and improvement and security of Facebook products.

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context to communicate with active users or to provide information about us.

We point out that user data may be processed outside the European Union. This may result in risks for users, as it could, for example, make it more difficult to enforce users’ rights.

Furthermore, user data within social networks is typically processed for market research and advertising purposes. For example, usage profiles can be created based on users’ behavior and resulting interests. These usage profiles can then be used to display advertisements both within and outside the networks that presumably match users’ interests. For these purposes, cookies are usually stored on users’ computers, in which users’ behavior and interests are stored. Furthermore, data can be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed presentation of the respective forms of processing and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be most effectively claimed from the providers. Only the providers have access to the users’ data and can directly take appropriate measures and provide information. Should you still need help, you can contact us.

  • Types of data processed: Master data (e.g., names, addresses), contact data (e.g., email, phone numbers), content data (e.g., entries in online forms), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
  • Affected persons: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Contact requests and communication, tracking (e.g., interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g., access statistics, recognition of returning visitors).
  • Legal bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

Services and service providers used:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy.
  • Facebook Pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (known as “Fanpage”). This data includes information about the types of content users view or interact with, or the actions they take (see under “Things you and others do and provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in Facebook’s Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, called “Page Insights,” to site operators to help them understand how people interact with their pages and the content associated with them. We have entered into a special agreement with Facebook (“Page Insights Information”, https://www.facebook.com/legal/terms/page_controller_addendum), which specifically regulates what security measures Facebook must observe and in which Facebook has agreed to fulfill data subject rights (i.e., users can send information or deletion requests directly to Facebook). The rights of users (particularly to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third-country transfer: Data Privacy Framework, Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Joint Controller Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These can be, for example, graphics, videos, or social media buttons as well as posts (hereinafter uniformly referred to as “content”).

The integration always requires that the third-party providers of this content process the IP address of the users, as they could not send the content to their browser without the IP address. The IP address is therefore required for the display of this content or functionality. We strive to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit, and other information regarding the use of our online offering, as well as being combined with such information from other sources.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economic, and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses), location data (information about the geographical position of a device or person), content data (e.g., entries in online forms), master data (e.g., names, addresses), contact data (e.g., email, phone numbers).
  • Affected persons: Users (e.g., website visitors, users of online services), communication partners.
  • Purposes of processing: Provision of our online offering and user-friendliness, provision of contractual services and customer service, contact requests and communication, tracking (e.g., interest/behavioral profiling, use of cookies), interest-based and behavioral marketing, profiling (creating user profiles), security measures, managing and responding to requests.
  • Legal bases: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR), Consent (Art. 6 para. 1 p. 1 lit. a. GDPR), Performance of contract and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. GDPR).

Services and Service Providers Used:

  • Facebook Plugins and Content: Facebook Social Plugins and Content – These may include content such as images, videos, or texts and buttons that allow users to share content from this online offering within Facebook. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/ – We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt through transmission (but not further processing) of “Event Data” that Facebook collects via Facebook Social Plugins (and embedding functions for content) executed on our online offering or receives through transmission for the following purposes: a) Display of content and advertising information that corresponds to the presumed interests of users; b) Delivery of commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) Improving ad delivery and personalizing functions and content (e.g., improving recognition of which content or advertising information presumably matches users’ interests). We have entered into a special agreement with Facebook (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum), which specifically regulates the security measures Facebook must observe (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, address information or deletion requests directly to Facebook). Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain information about individual users and are anonymous for us), this processing does not take place under joint responsibility but based on a data processing agreement (“Data Processing Terms”, https://www.facebook.com/legal/terms/dataprocessing), the “Data Security Terms” (https://www.facebook.com/legal/terms/data_security_terms), and regarding processing in the USA, based on Standard Contractual Clauses (“Facebook-EU Data Transfer Addendum”, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to information, deletion, objection, and complaints to the competent supervisory authority) are not restricted by the agreements with Facebook; Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy.
  • Google Fonts: We integrate the fonts (“Google Fonts”) provided by Google, where user data is used solely for the purpose of displaying the fonts in users’ browsers. The integration is based on our legitimate interests in a technically secure, maintenance-free, and efficient use of fonts, their uniform display, and consideration of possible licensing restrictions for their integration; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy.
  • reCAPTCHA: We integrate the “reCAPTCHA” function to determine whether inputs (e.g., in online forms) are made by humans and not by automated machines (so-called “bots”). The processed data may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on web pages, previously visited web pages, interactions with reCAPTCHA on other websites, cookies, and results from manual recognition processes (e.g., answering questions or selecting objects in images); Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy; Opt-out option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad settings: https://adssettings.google.com/authenticated.
  • Vimeo: Video content; Service Provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street, New York, New York 10011, USA; Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy.
  • MailPoet: If you have subscribed to our newsletter, are a member of our website, or have made a purchase on our website, you may receive emails from us. We will only send you emails if you have consented to them. To send you emails, we use the name and email address you provided. Additional identifiable information is not recorded outside of this website.
  • Simply Schedule Appointments: This website uses the WordPress plugin Simply Schedule Appointments for appointment booking. Entered data is stored and sent to you via email. Data processing is based on user consent (Art. 6 Para. 1 S. 1 lit. a GDPR). Consent can be withdrawn at any time by informal email notification.

Data Deletion

Data processed by us is deleted as soon as the consents permitting its processing are revoked or the purposes of processing cease.

Changes and Updates to the Privacy Policy

Please regularly check our privacy policy for updates. Changes will be communicated if user action is required.

Rights of Data Subjects

As a data subject under the GDPR, you have various rights, which are specifically outlined in Articles 15 to 21 GDPR:

  • Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw given consents at any time.
  • Right of Access: You have the right to request confirmation as to whether your data is being processed and to obtain information about this data as well as further details and a copy of the data in accordance with legal requirements.
  • Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of your data or the correction of incorrect data concerning you.
  • Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to request that your data be immediately deleted or alternatively to request a restriction of the processing of the data in accordance with legal requirements.
  • Right to Data Portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transfer to another controller, in accordance with legal requirements.
  • Right to Lodge a Complaint with a Supervisory Authority: You also have the right, in accordance with legal requirements, to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Definitions of Terms

In this section, you will find an overview of the terminology used in this privacy policy. Many of the terms are derived from the law and are primarily defined in Article 4 GDPR. These legal definitions are binding. The following explanations are mainly intended to aid understanding. The terms are listed alphabetically.

  • Conversion Tracking: “Conversion Tracking” refers to a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on users’ devices within the websites where marketing measures are conducted and then retrieved again on the target website. For example, this allows us to track whether advertisements we placed on other websites were successful.
  • Credit Check: Automated decisions are based on automated data processing without human intervention (e.g., in the case of automatic rejection of a purchase on account, an online credit application, or an online application process without any human involvement). Such automated decisions are only permitted under Article 22 GDPR if data subjects consent, if they are necessary for contract fulfillment, or if national laws allow such decisions.
  • Cross-Device Tracking: Cross-Device Tracking is a form of tracking where behavioral and interest information about users is collected across devices in so-called profiles by assigning an online identifier to users. This allows user information to be analyzed for marketing purposes, regardless of the browsers or devices used (e.g., mobile phones or desktop computers). The online identifier is usually not linked to plain data, such as names, postal addresses, or email addresses.
  • IP Masking: “IP Masking” is a method in which the last octet, i.e., the last two numbers of an IP address, are deleted so that the IP address can no longer uniquely identify a person. Therefore, IP Masking is a means of pseudonymizing processing procedures, particularly in online marketing.
  • Interest-Based and Behavioral Marketing: Interest-based and/or behavioral marketing refers to identifying potential user interests in advertisements and other content as precisely as possible. This is done based on data about their previous behavior (e.g., visiting certain websites, staying on them, purchasing behavior, or interacting with other users) stored in a profile. Cookies are usually used for these purposes.
  • Conversion Measurement: Conversion Measurement is a method used to determine the effectiveness of marketing measures. Typically, a cookie is stored on users’ devices within the websites where marketing measures are conducted and then retrieved again on the target website. For example, this allows us to track whether advertisements we placed on other websites were successful.
  • Personal Data: “Personal Data” refers to all information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific factors expressing the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.
  • Profiling: “Profiling” refers to any form of automated processing of personal data that involves using this personal data to evaluate, analyze, or predict certain personal aspects relating to a natural person (e.g., age, gender, location data, browsing behavior, purchasing behavior, and social interactions). Cookies and web beacons are often used for profiling purposes.
  • Reach Measurement: Reach Measurement (also referred to as Web Analytics) evaluates visitor flows on an online offering and may include analyzing visitor behavior or interests in certain information, such as web content. Reach analysis helps website owners understand when visitors visit their website and what content interests them, allowing for better content alignment. Pseudonymous cookies and web beacons are often used for these purposes.
  • Remarketing: “Remarketing” or “Retargeting” refers to marking which products a user has shown interest in on a website to remind them of these products through advertisements on other websites.
  • Location Data: Location data is generated when a mobile device (or another device capable of location determination) connects to a cell tower, Wi-Fi, or similar technical intermediaries. Location data indicates the geographical position of the device on Earth. Location data can, for example, be used to display map functions or other location-dependent information.
  • Tracking: “Tracking” refers to the monitoring of user behavior across multiple online offerings. Behavioral and interest information is typically stored in cookies or on servers of tracking technology providers. This information can then be used, for example, to display advertisements tailored to users’ interests.
  • Controller: The “Controller” is the natural or legal person, authority, agency, or other body that determines, alone or jointly with others, the purposes and means of processing personal data.
  • Processing: “Processing” refers to any operation or set of operations performed on personal data, whether or not by automated means. The term covers a wide range and includes data collection, evaluation, storage, transmission, and deletion.
  • Audience Building: “Audience Building” refers to determining target audiences for advertising purposes, such as displaying ads based on users’ interests.