Privacy Policy

We are delighted that you are interested in our organization. The protection of your personal data is particularly important to us. You can use our websites without disclosing any personal data to us. However, if you wish to use more specific services via our websites, other online platforms, applications, and social media pages, we may need to process your personal data. If we wish to process data about you and cannot rely on any other legal basis, we will always ask for your consent first (e.g., via a cookie banner).

We always comply with applicable data protection laws when handling your personal data (such as your name, address, email, or phone number). This Privacy Policy informs you about what data we process. It also explains the rights you have as a data subject.

We have implemented various technical and organizational measures to protect your data on our websites as effectively as possible. Nevertheless, there are always risks on the internet, and complete protection is not possible. Therefore, you may also provide us with your personal data through other channels, such as by phone, if you prefer.

This Privacy Policy serves not only to fulfill the obligations under the GDPR and to comply with the laws of the member states of the European Union (EU) and the European Economic Area (EEA). This Privacy Policy is also intended to ensure compliance with legal regulations such as those of the United Kingdom (UK-GDPR), the Swiss Federal Act on Data Protection and the Swiss Data Protection Ordinance (DSG, DSV), the California Consumer Privacy Act (CCPA/CPRA), China’s Personal Information Protection Law (PIPL), the Delaware Personal Data Privacy Act (DPDPA), the Tennessee Information Protection Act (TIPA), the Minnesota Consumer Data Privacy Act (MCDPA), the Iowa Act Relating to Consumer Data Protection (ICDPA), the Maryland Online Data Privacy Act (MODPA), the Nebraska Data Privacy Act (NDPA), New Hampshire Consumer Data Privacy Law (SB255), New Jersey Data Privacy Law (SB332), South Carolina Consumer Privacy Bill (House Bill 4696), and other global data protection regulations, and shall be interpreted accordingly. The following Privacy Policy shall be interpreted for each country, state, or province such that the terms and legal bases used correspond to the terms and legal bases used in the respective state or province.

1. Definitions

In our Privacy Policy, we use specific terms from various data protection laws. We want our policy to be easy to understand, so we explain these terms in advance.

The following definitions are based, where applicable, on the case law of the General Court of the European Union (GCEU), the Court of Justice of the European Union (CJEU), the Swiss Federal Supreme Court (BGE), the Supreme Court of the United Kingdom (UKSC), or based on national data protection laws or national case law of a country or state, including but not limited to California, including judicial precedent, including under common law, if this is necessary for the application of the law in individual cases.

In this Privacy Policy, we use the following terms, among others:

a) Personal Data

Personal data is any information relating to an identified or identifiable natural person (hereinafter, where applicable, the “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that reflect the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, or who must be regarded as such under national data protection laws or the national case law of a state or federal state, including judicial precedent, even under common law.

b) Data Subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller, a processor, an international organization, or another data recipient, and persons who must be regarded as such under national data protection laws or the national case law of a state or federal state, including judicial precedent, even under common law.

c) Processing

Processing means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making available, alignment or combination, restriction, erasure, or destruction.

d) Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their future processing.

e) Profiling

Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

f) Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures that ensure the personal data is not attributed to an identified or identifiable natural person.

g) Controller

The controller is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.

h) Processor

A processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

i) Recipient

A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, regardless of whether or not that body is a third party. However, public authorities that may receive personal data in the course of a specific investigative mandate under Union law or the law of the Member States are not considered recipients.

j) Third party

A third party is a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.

k) Consent

Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and Address of the Data Controller

The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and in the European Economic Area, UK data protection laws, Swiss data protection laws (DSG, DSV), California data protection laws (CCPA/CPRA), Chinese data protection law (PIPL), as well as international laws and other provisions of a data protection nature is:

EventAssets
Emsdettener Str. 10
c/o POSTFLEX PFX-722-080
48268 Greven
Germany

Represented by

Tristan Trommer

Contact

Email: hi@eventassets.com

3. Collection of General Data and Information

Our websites collect a range of general data and information each time a data subject or an automated system accesses the websites. This general data and information is stored in the log files of the respective server. The data collected may include, among other things, (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our websites (so-called referrer), (4) the subpages accessed via an accessing system on our websites, (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system, and (8) other similar data and information that serve to prevent threats in the event of attacks on our information technology systems.

We do not draw any conclusions about the data subject when using this general data and information. Rather, this information is required to (1) deliver the content of our websites correctly, (2) optimize the content of our websites as well as the advertising on them, (3) ensure the continued functionality of our information technology systems and the technology of our websites, and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyberattack. We therefore evaluate this anonymously collected data and information both statistically and with the aim of enhancing data protection and data security within our company, ultimately to ensure an optimal level of protection for the personal data we process. The data from the server log files is stored separately from any personal data provided by a data subject.

The purpose of the processing is to prevent threats and ensure IT security, as well as the aforementioned purposes. The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is, in particular, the protection of our information technology systems. The log files are deleted once the specified purposes have been achieved.

4. Contact Options via the Website and Other Data Transmissions and Your Consent

Our websites contain information that enables quick electronic contact with our company as well as direct communication with us, which also includes a general electronic mail address (email address) and, if applicable, a telephone number. If a data subject contacts us via email, a contact form, an input form, or otherwise, the personal data transmitted by the data subject is automatically stored. Such personal data voluntarily transmitted to us by a data subject is processed for the purposes of processing the request or contacting the data subject.

For the transmission, storage, and processing of your contact information and inquiries, as well as for contacting you, we obtain your consent pursuant to Art. 6 (1) (a) GDPR and Art. 49 (1) (1) (a) GDPR as follows:

By submitting your personal data, you voluntarily consent to the processing of the personal data you have entered or submitted for the purpose of handling your inquiry and for us to contact you. By submitting your data to us, you also voluntarily grant your explicit consent pursuant to Art. 49 (1) (1)(a) of the GDPR for data transfers to third countries to and by the companies and for the purposes specified in this Privacy Policy, in particular for such transfers to third countries for which an EU/EEA adequacy decision exists or does not exist, as well as to companies or other entities that are not subject to an existing adequacy decision based on self-certification or other accession criteria, and in which or for which there are significant risks and no suitable safeguards for the protection of your personal data (e.g., due to Section 702 of the FISA, Executive Order EO 12333, and the Cloud Act in the United States). When you provided your voluntary and explicit consent, you were aware that third countries may not provide an adequate level of data protection and that your data subject rights may not be enforceable. You may revoke your consent under data protection law at any time with future effect. The revocation of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to the revocation. With a single action (the entry and submission), you grant multiple consents. These include consents under EU/EEA data protection law as well as those under the CCPA/CPRA, ePrivacy, and telemedia law, and other international legal provisions that are required, among other things, as a legal basis for any planned further processing of your personal data. By performing this action, you also confirm that you have read and acknowledged this Privacy Policy.

5. Routine Deletion and Restriction of Personal Data

We process and store personal data for the period necessary to achieve the purpose of the processing, or to the extent provided for by the European legislator or another legislator in laws or regulations to which we are subject, or for as long as a legal basis for the processing exists.

If the purpose of the processing ceases to apply, or if a retention period prescribed by the European legislator or another competent legislator expires, or if the legal basis for the processing ceases to apply, the personal data will be routinely restricted or deleted in accordance with legal requirements.

6. Rights of the data subject under the GDPR

a) Right to Confirmation

Every data subject has the right to request confirmation from the controller as to whether personal data concerning them is being processed.

If a data subject wishes to exercise this right, they may contact us at any time.

b) Right of access

Every data subject has the right to obtain from the controller, free of charge, information regarding the personal data stored about them and a copy of such data at any time. Furthermore, the European legislator has granted the data subject the right to obtain the following information:

the purposes of processing,
the categories of personal data being processed,
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations,
if possible, the planned duration for which the personal data will be stored, or, if this is not possible, the criteria for determining this duration,
the existence of a right to rectification or erasure of personal data concerning them, or to restriction of processing by the controller, or a right to object to such processing,
the existence of a right to lodge a complaint with a supervisory authority,
if the personal data are not collected from the data subject: any available information regarding the source of the data,
the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and—at least in such cases—meaningful information regarding the logic involved, as well as the significance and the intended consequences of such processing for the data subject.

Furthermore, the data subject has the right to be informed whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject is also entitled to receive information about the appropriate safeguards in connection with the transfer.

If a data subject wishes to exercise this right, they may contact us at any time.

c) Right to Rectification

Every data subject has the right to request the immediate rectification of inaccurate personal data concerning them. Furthermore, the data subject has the right to request the completion of incomplete personal data—including by means of a supplementary statement—taking into account the purposes of the processing.

If a data subject wishes to exercise this right, they may contact us at any time.

d) Right to erasure (right to be forgotten)

Every data subject has the right to request from the controller that personal data concerning them be erased without delay, provided that one of the following grounds applies and insofar as the processing is not necessary:

The personal data was collected or otherwise processed for purposes for which it is no longer necessary.
The data subject withdraws their consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
The data subject objects to the processing pursuant to Article 21(1) of the GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.
The personal data has been processed unlawfully.
The erasure of the personal data is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
The personal data was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.

If any of the above grounds apply and a data subject wishes to request the erasure of personal data stored by us, they may contact us at any time.

If the personal data has been made public by us and our organization, as the controller, is obligated to erase the personal data pursuant to Article 17(1) of the GDPR, we will take appropriate measures, including technical measures, taking into account available technology and implementation costs, to inform other controllers processing the published personal data that the data subject has requested from those other controllers the deletion of all links to such personal data or of copies or replicas of such personal data, insofar as the processing is not necessary.

e) Right to restriction of processing

Every data subject has the right to request that the controller restrict processing if one of the following conditions is met:

The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
The processing is unlawful, the data subject opposes the erasure of the personal data and requests, instead, the restriction of the use of the personal data.
The controller no longer needs the personal data for the purposes of processing, but the data subject needs it to establish, exercise, or defend legal claims.
The data subject has objected to the processing pursuant to Art. 21(1) of the GDPR, and it has not yet been determined whether the legitimate grounds of the controller override those of the data subject.

If any of the above conditions are met and a data subject wishes to request the restriction of personal data stored by us, they may contact us at any time.

f) Right to data portability

Every data subject has the right to receive the personal data concerning them, which the data subject has provided to a controller, in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, when exercising their right to data portability pursuant to Art. 20(1) GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another controller, provided this is technically feasible and does not infringe upon the rights and freedoms of others.

If a data subject wishes to exercise this right, they may contact us at any time.

g) Right to object

Every data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR. This also applies to profiling based on these provisions.

In the event of an objection, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or the processing is necessary for the establishment, exercise, or defense of legal claims.

If we process personal data for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to us regarding processing for direct marketing purposes, we will no longer process the personal data for these purposes.

In addition, the data subject has the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them that is carried out by us for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) of the GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.

If a data subject wishes to exercise this right, they may contact us at any time. The data subject is also free, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise their right to object by means of automated procedures using technical specifications.

h) Automated individual decision-making, including profiling

Every data subject has the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into or performing a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (3) is based on the data subject’s explicit consent.

If the decision (1) is necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) is made with the explicit consent of the data subject, we will take appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, including at least the right to request the controller to involve a person, to present their own point of view, and to challenge the decision.

If a data subject wishes to exercise this right, they may contact us at any time.

i) Right to withdraw consent under data protection law

Every data subject has the right to withdraw consent to the processing of personal data at any time.

If a data subject wishes to exercise this right, they may contact us at any time.

7. General Purpose of Processing, Categories of Processed Data, and Categories of Recipients

The general purpose of processing personal data is to handle all matters concerning the controller, customers, prospects, business partners, or other contractual or pre-contractual relationships between the aforementioned groups (in the broadest sense) or the controller’s legal obligations. This general purpose applies unless more specific purposes are stated for a particular processing activity.

The categories of personal data we process are customer data, prospect data, employee data (including applicant data), and supplier data. The categories of recipients of personal data are public authorities, external entities, internal processing, intra-group processing, and other entities.

A list of our processors and data recipients in third countries, as well as international organizations where applicable, is either published on our website or can be requested from us free of charge.

8. Legal Bases for Processing

Art. 6 (1) (a) of the GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party—as is the case, for example, with processing operations required for the delivery of goods or the provision of other services or consideration—the processing is based on Art. 6 (1) (b) of the GDPR. The same applies to processing operations necessary for the implementation of pre-contractual measures, such as in cases of inquiries regarding our products or services. If we are subject to a legal obligation that requires the processing of personal data, such as to fulfill tax obligations, the processing is based on Article 6(1)(c) of the GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and their name, age, health insurance information, or other vital information had to be disclosed to a doctor, a hospital, or other third parties. In such cases, the processing would be based on Article 6(1)(d) of the GDPR.

If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis is Article 6(1)(e) of the GDPR.

Finally, processing operations could be based on Article 6(1)(f) of the GDPR. Processing operations not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and fundamental freedoms of the data subject do not override those interests. We are permitted to carry out such processing operations in particular because they were specifically mentioned by the European legislator. In this regard, the legislator took the view that a legitimate interest could be assumed, for example, if the data subject is a customer of the controller (Recital 47, Sentence 2 of the GDPR).

9. Legitimate Interests in Processing Pursued by the Controller or a Third Party and Direct Marketing

If the processing of personal data is based on Article 6(1)(f) of the GDPR, and no more specific legitimate interests are specified, our legitimate interest is the conduct of our business activities for the benefit of our staff and shareholders.

We may send you direct marketing regarding our own goods or services that are similar to the goods or services you have inquired about, ordered, or purchased. You may object to direct marketing at any time (e.g., by email). This will not incur any costs for you other than the transmission costs according to standard rates. The processing of personal data for direct marketing purposes is based on Article 6(1)(f) of the GDPR. The legitimate interest is direct marketing.

Our messages and newsletters may also constitute communications for direct marketing purposes within the meaning of Article 13(2) of EU Directive 2002/58 (Directive on Privacy and Electronic Communications) and the national law resulting from the Directive, provided that we have received your electronic and other contact information in connection with the sale of a service or product, which includes the creation of a free user account that allows you, among other things, to access free content on our websites and publications (newsletters, etc.), provided that we use direct marketing to promote similar products or services, so that direct marketing is also permissible without consent (see ECJ, judgment of Nov. 13, 2025, Case C-654/23). In such cases, you may object to the use of your contact information at any time free of charge.

10. Duration for which personal data is stored

The criterion for the duration of storage of personal data is the respective statutory retention period. If no statutory retention period exists, the criterion is the contractual or internal retention period. After the period expires, the relevant data is routinely deleted unless it is still required for the performance of the contract or for entering into a contract. This applies in particular to all processing operations for which no more specific criteria have been established.

11. Legal or contractual requirements for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide personal data; possible consequences of non-provision

We inform you that the provision of personal data is in part required by law (e.g., tax regulations) or may also result from contractual provisions (e.g., information regarding the contractual partner). In some cases, it may be necessary for a data subject to provide us with personal data in order to conclude a contract, which we must subsequently process. For example, the data subject is obligated to provide us with personal data when our organization enters into a contract with them. Failure to provide the personal data would result in the contract with the data subject not being able to be concluded. Before providing personal data, the data subject must contact us. We inform the data subject on a case-by-case basis as to whether the provision of personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what consequences the failure to provide the personal data would have.

12. Existence of Automated Decision-Making

As a responsible company, we generally refrain from automated decision-making or profiling. If, in exceptional cases, we carry out automated decision-making or profiling, we will inform the data subject either separately or via a sub-section in our Privacy Policy (here on our website). In this case, the following applies:

Automated decision-making, including profiling, may occur if this (1) is necessary for the conclusion or performance of a contract between the data subject and us, or (2) is permitted under Union or Member State law to which we are subject, and such law includes appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, or (3) this is done with the data subject’s explicit consent.

In the cases referred to in Article 22(2)(a) and (c) of the GDPR, we will take appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject. In these cases, you have the right to request intervention by a person on the part of the controller, to present your own point of view, and to challenge the decision.

Meaningful information regarding the logic involved, as well as the scope and intended effects of such processing on the data subject, will be provided in this Privacy Policy where applicable.

13. Recipients in a third country and appropriate or suitable safeguards, and how to obtain a copy of them or where they are available.

Pursuant to Art. 46 (1) GDPR, the controller or a processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards and provided that enforceable rights and effective legal remedies are available to the data subjects. Appropriate safeguards may be provided by standard data protection clauses without the need for specific authorization from a supervisory authority, Art. 46(2)(c) GDPR.

Prior to the first transfer of personal data, the EU Standard Data Protection Clauses or other appropriate safeguards are agreed upon with all recipients in third countries, or the transfers are based on adequacy decisions. Consequently, it is ensured that appropriate safeguards, enforceable rights, and effective legal remedies are guaranteed for all processing of personal data. Any data subject may obtain a copy of the Standard Data Protection Clauses or adequacy decisions from us. In addition, the Standard Data Protection Clauses and adequacy decisions are available in the Official Journal of the European Union.

Article 45(3) of the GDPR empowers the European Commission to decide, by means of an implementing act, that a non-EU country ensures an adequate level of protection. This means a level of protection for personal data that is essentially equivalent to the level of protection within the EU. Adequacy decisions mean that personal data can flow from the EU (as well as from Norway, Liechtenstein, and Iceland) to a third country without further obstacles. Similar provisions apply to the United Kingdom, Switzerland, and some other countries.

In all cases where the European Commission, or a government or competent authority of another country, has determined that a third country ensures an adequate level of protection and/or a valid framework exists (e.g., EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework), all transfers by us to members of such frameworks (e.g., self-certified entities) are based exclusively on that entity’s membership in the respective framework or on the respective adequacy decisions. If we or one of our group companies is a member of such a framework, all transfers to us or our group company are based exclusively on the respective company’s membership in that framework. If we or one of our group companies is located in a third country with an adequate level of protection, all transfers to us or our group company are based exclusively on the respective adequacy decisions.

Any data subject may obtain a copy of the frameworks from us. In addition, the frameworks are also available in the Official Journal of the European Union, in published legislative materials, or on the websites of data protection supervisory authorities or other authorities or institutions.

14. Right to lodge a complaint with a data protection supervisory authority

As the controller, we are obligated to inform the data subject of their right to lodge a complaint with a supervisory authority. This right to lodge a complaint is governed by Article 77(1) of the GDPR. Under this provision, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, their workplace, or the place of the alleged infringement, without prejudice to any other administrative or judicial remedy, if the data subject considers that the processing of personal data concerning them infringes the General Data Protection Regulation. The right to lodge a complaint has been restricted by the EU legislator solely to the extent that it may be exercised only with a single supervisory authority (Recital 141, Sentence 1 of the GDPR). This provision is intended to prevent duplicate complaints regarding the same matter by the same data subject. If a data subject wishes to file a complaint against us, we therefore ask that only a single supervisory authority be contacted.

15. Registration or Filling Out Forms on Our Website and Your Consent

You have the option to register on our websites by providing personal data and/or to fill out input forms. The specific personal data transmitted to us in this process is determined by the respective input form used for registration or data entry. The personal data you enter is processed exclusively for our internal use and for our own purposes. However, we may transfer your personal data to one or more processors, such as parcel delivery services, who will also use your personal data exclusively for purposes attributable to us as the controller. A transfer may also occur if you have instructed us to do so; the legal basis in this case is Article 6(1)(b) of the GDPR.

When you register or enter data on our website, the IP address assigned by your Internet service provider (ISP), as well as the date and time of the registration or data entry, may also be stored. This data is stored because it is the only way to prevent misuse of our services, and this data enables us to investigate criminal offenses if necessary. In this respect, the storage of this data is necessary for our protection. The purpose of this processing is to prevent threats, detect misuse, and investigate criminal offenses, as well as the aforementioned purposes. The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest is, in particular, the protection of our information technology systems and the investigation of criminal offenses. This data is generally not disclosed to third parties, unless there is a legal obligation to do so or the disclosure serves the purposes of criminal prosecution.

The registration, entry, and transmission of your personal data also serve to enable us to offer you content or services that, by their very nature, can only be offered to registered users or individuals known to us. You are free to modify the personal data provided during registration at any time or have it completely deleted from our database. The purposes of processing are the receipt of data by us and the use of your data for further processing, for communication with you, and for the fulfillment or implementation of the registration or input purposes. The legal basis is your consent pursuant to Art. 6 (1) (a) GDPR and/or Art. 49 (1) (1) (a) GDPR.

By entering and submitting your data, you voluntarily consent to the processing of the personal data you have entered. By entering your data and submitting it to us, you also voluntarily grant explicit consent pursuant to Art. 49 (1) (1)(a) of the GDPR for data transfers to third countries to and by the companies and for the purposes specified in this Privacy Policy, in particular for such transfers to third countries for which an EU/EEA adequacy decision exists or does not exist, as well as to companies or other entities that are not subject to an existing adequacy decision based on self-certification or other accession criteria, and in which or for which there are significant risks and no suitable safeguards for the protection of your personal data (e.g., due to Section 702 of the FISA, Executive Order EO 12333, and the Cloud Act in the United States). When you provided your voluntary and explicit consent, you were aware that third countries may not provide an adequate level of data protection and that your data subject rights may not be enforceable. You may revoke your consent under data protection law at any time with future effect. The revocation of consent does not affect the lawfulness of processing carried out on the basis of the consent prior to the revocation. With a single action (the entry and submission), you grant multiple consents. These include consents under EU/EEA data protection law as well as those under the CCPA/CPRA, ePrivacy, and telemedia law, and other international legal provisions that are required, among other things, as a legal basis for any planned further processing of your personal data. By performing this action, you also confirm that you have read and acknowledged this Privacy Policy.

We will provide any data subject, upon request, with information at any time regarding which personal data has been stored about them. Furthermore, we will correct or delete personal data at the request or upon notification by the data subject, provided that no legal retention obligations or other reasons justifying processing preclude this. We are happy to serve as your point of contact in this regard.

16. Events and User-Generated Content

Our platform enables registered users (hereinafter “Hosts”) to create events and share them with guests via an invitation link. As part of this core functionality, personal data is processed in various contexts.

a) Event Data and Guest View

Hosts populate their events with their own content, which is visible to guests who have the invitation link. Guests can access events anonymously without the need to register or log in. Guests have the option to voluntarily provide a display name. This is used exclusively for display purposes within the event. The legal basis for processing is Art. 6 (1) (a) GDPR (consent through voluntary provision).

b) Media Uploads by Guests

If the host has enabled the upload function, guests can upload media (e.g., photos and videos) via the platform. If the host has enabled the corresponding function, these uploads may also be visible to other guests of the event. Please note the following:

Uploaded media may contain personal data of third parties, in particular images of individuals. Media files may also contain metadata (so-called EXIF data), such as GPS coordinates of the location where the image was taken, the date and time of capture, and device information. This metadata is stored along with the file.

The responsibility for ensuring that the necessary legal basis exists for the processing of third-party personal data—in particular for images of recognizable individuals—lies with the user who uploads the content. We process the uploaded content exclusively for the purpose of providing the contractually agreed-upon platform functionality.

The purpose of the processing is to provide platform functions for hosts and guests. The legal basis is Art. 6 (1) (b) GDPR (performance of a contract). Uploaded media and event data are stored on the Cloudflare infrastructure (Cloudflare R2); for more details, please refer to Section 19 of this Privacy Policy. The data is stored for the duration of the contractual relationship or until deleted by the host.

17. Privacy Policy Regarding the Use of Cloudflare Zaraz Consent Management

Cloudflare Zaraz is a tool integrated into the Cloudflare infrastructure for managing third-party scripts and for obtaining and managing user consent (Consent Management). It enables the data protection-compliant control of cookies and tracking technologies on our website without the need for a separate plugin or an external consent management service. Cloudflare Zaraz automatically detects and controls which third-party services may be activated and ensures that cookies and tracking are loaded only after explicit consent has been granted.

When using Cloudflare Zaraz Consent Management, personal data may be processed, in particular users’ consent decisions (opt-in/opt-out), technical identifiers (e.g., cookies for storing the consent decision), IP addresses, and timestamps of the granting or revocation of consent.

The operator of the service and thus the recipient of the personal data is: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA. For data subjects in the EU and the EEA, Cloudflare Netherlands B.V., Keizersgracht 62, 1015CS Amsterdam, Netherlands, acts as the contact person and representative within the meaning of Art. 27 GDPR. The representative under UK national law is: Cloudflare, Ltd., County Hall/The Riverside Building, Belvedere Road, London, SE1 7PB, United Kingdom.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of using Cloudflare Zaraz Consent Management is to ensure compliance with data protection laws such as the GDPR by managing consent for cookies and tracking technologies, as well as documenting granted and revoked consents. The processing is based on Article 6(1)(c) of the GDPR, as the processing is necessary for compliance with a legal obligation to which our organization is subject.

The service provider is located in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Article 46(2) of the GDPR. The service provider may be a certified member of one or more data privacy frameworks. Further details can be found at https://www.dataprivacyframework.gov/list. You may request a copy of the appropriate or adequate safeguards from us.

The criteria for determining the duration for which personal data is processed are the statutory or contractual retention periods. The use of personal data is required by law, as it is necessary to fulfill legal obligations regarding data protection and consent management. Users are required to specify their cookie preferences or reject cookies, and this information must be stored to properly document the decision.

Further information and Cloudflare Zaraz’s applicable privacy policy can be found at https://www.cloudflare.com/.

18. Privacy Policy Regarding the Use of Cloudflare

Cloudflare is our exclusive hosting and infrastructure provider. Our website and all associated applications run entirely on the Cloudflare platform. In particular, we use Cloudflare Workers (serverless execution environment for our applications), Cloudflare D1 (serverless relational database), Cloudflare R2 (object storage), Cloudflare Queues (message queues for asynchronous processing), Cloudflare Email Workers (serverless email sending for transactional emails), Cloudflare DNS (Domain Name System), Cloudflare CDN (Content Delivery Network for fast content delivery), DDoS protection, and a Web Application Firewall (WAF). By operating entirely on Cloudflare, we can ensure high availability, security, and performance of our services worldwide.

When using Cloudflare services, data such as IP addresses, system configurations, network traffic information, application and database data, as well as recipient email addresses, subject lines, email content, and delivery-related metadata are processed. This information is necessary to operate our applications, defend against threats, optimize traffic, and ensure the functionality of our services.

We use Cloudflare Email Workers exclusively for sending transactional emails, such as contact form confirmations and system notifications. No marketing emails are sent via this service. When sending emails, personal data such as recipient addresses, subject lines, email content, and delivery-related metadata (e.g., delivery status, bounce information) may be processed.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The purpose of processing is the use of services to secure and optimize websites and web applications, as well as the sending of transactional emails in connection with the performance of a contract or pre-contractual measures. Processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in ensuring the security, performance, and reliability of our online presence, as well as on Article 6(1)(b) of the GDPR insofar as emails are sent to fulfill a contract with the data subject.

The criteria for determining the duration for which personal data is processed are the contractual relationship between us and the service provider or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obligated to provide personal data to us or to the service provider. However, if you do not provide such data, you may not be able to use our services or those of the service provider.

Further information and the applicable privacy policy of Cloudflare, Inc. can be found at https://www.cloudflare.com.

19. Privacy Policy Regarding the Use of Apple Maps

Apple Maps is the mapping and navigation service provided by Apple Inc. that allows users to view maps, plan routes, and find local businesses and services. We use Apple Maps to display locations and route information on our website. The service offers features such as detailed map views, satellite imagery, real-time traffic conditions, and navigation assistance.

When using Apple Maps, personal data such as location data, search queries, and usage statistics may be processed. This information is necessary to provide the service and improve the user experience.

The operator of the service and thus the recipient of the personal data is: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA. For data subjects in the EU and the EEA, Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, acts as the contact person and representative within the meaning of Art. 27 of the GDPR. The representative under UK national law is: Apple (UK) Limited, 2 Furzeground Way, Stockley Park, Uxbridge, UB11 1BB, United Kingdom.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to provide and use a user-friendly and accurate map and navigation service. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in providing an efficient and intuitive location display for our users.

The service operator is based in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Article 46(2) of the GDPR. The service operator may be a certified member of one or more data privacy frameworks. Further details can be found at https://www.dataprivacyframework.gov/list. You may request a copy of the appropriate or adequate safeguards from us.

Further information and the applicable privacy policy for Apple Maps can be viewed at https://www.apple.com/legal/privacy/.

20. Privacy Policy Regarding the Use of Auth0

Auth0 enables companies to create secure, seamless, and scalable login experiences for their users by offering a wide range of authentication methods and security features. These services support various authentication standards such as OAuth, OpenID Connect, and SAML, and allow for easy integration into existing applications.

When using Auth0, personal data is processed to provide authentication services. This includes information such as email addresses, usernames, and customer-specific data transmitted as part of the authentication process.

The operator of the service and thus the recipient of the personal data is: Auth0, LLC, 100 First Street, Floor 6, San Francisco, CA 94105, USA. For data subjects in the EU and the EEA, Okta GmbH, Friedrich-Ebert-Anlage 49, OG, 60308 Frankfurt am Main, Germany, acts as the contact person and representative within the meaning of Art. 27 of the GDPR. The representative under UK national law is: Okta UK Limited, 20 Farringdon Road, London EC1M 3HE, United Kingdom.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The processing of personal data is carried out for the purpose of providing and improving authentication services and ensuring IT security. This includes the management of user identities, the authentication and authorization of users, and the use of security features. The legal basis for this processing is Article 6(1)(b) of the GDPR for contracts to which the data subject is a party, as well as Article 6(1)(f) of the GDPR (legitimate interest) for processing activities aimed at improving the security and efficiency of our services and IT security.

The criteria for determining the duration for which personal data is processed are the statutory or contractual retention periods. The provision of personal data is required by law or contract, or is necessary for the conclusion of a contract. You are obligated to provide us with personal data for this processing.

For more information and Auth0’s applicable privacy policies, please visit https://auth0.com.

21. Privacy Policy Regarding the Use of Cloudflare Email Protection

We use Cloudflare Email Protection to secure our email traffic against threats such as phishing, spoofing, malware, and targeted attacks. The service is part of the Cloudflare Zero Trust Platform and protects incoming and outgoing emails by applying advanced filtering mechanisms, behavioral analysis, and real-time checks. In this context, personal data may be processed, particularly if it is contained in email content, attachments, or associated metadata. Among other things, the following data is processed: sender data and recipient addresses, subject lines, header information, email content, IP addresses, location data, file attachments, timestamps, as well as security-related connection data and event data.

Cloudflare automatically analyzes the transmitted emails via data centers distributed worldwide. In doing so, the service detects and blocks suspicious messages, flags potential threats, and stores security-related information for further analysis. Additionally, connection data is logged to detect anomalies, prevent abuse, and improve the effectiveness of protective measures. The Cloudflare Email Protection solution is also used to meet compliance requirements and to document security-related email transactions.

Purposes for which the personal data will be processed, as well as the legal basis for the processing: The purpose of the processing is to protect email communications from attacks and tampering, to analyze and filter potentially harmful content, to ensure a stable and secure email infrastructure, and to comply with internal company security policies. The processing is based on Article 6(1)(f) of the GDPR. The legitimate interest lies in protection against cyber threats, the integrity of our communication systems, and the security of our employees and business partners.

The criteria for determining the duration for which personal data is processed are the contractual relationship between us and the service provider or statutory or contractual retention periods. The provision of personal data is not required by law or contract, nor is it necessary for the conclusion of a contract. You are not obligated to provide personal data to us or to the service provider. However, if you do not provide such data, you may not be able to use our services or those of the service provider.

Further information and Cloudflare’s applicable privacy policy can be found at https://www.cloudflare.com/.

22. Privacy Policy Regarding the Use of Cloudflare Web Analytics

Cloudflare Web Analytics is a powerful analytics tool that provides us with detailed insights into the behavior of our website visitors. The solution enables us to measure key metrics such as visitor numbers, page views, device types, and traffic sources. By using Cloudflare Web Analytics, we can analyze our website’s performance, improve user experiences, and make data-driven decisions to optimize our online presence.

When using Cloudflare Web Analytics, data such as IP addresses, usage data, and information about user behavior is processed. This information helps us monitor the performance and accessibility of our website.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The purpose of processing is to analyze and improve the performance of our website. Processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in optimizing our website and providing a better user experience.

Further information and the applicable privacy policy for Cloudflare Web Analytics can be found at https://www.cloudflare.com.

23. Privacy Policy Regarding the Use of Cloudflare Turnstile

Cloudflare Turnstile is a privacy-friendly CAPTCHA service from Cloudflare that is used on our website to distinguish between human users and automated bots and to protect our forms and services from abuse, spam, and automated attacks. Unlike traditional CAPTCHA solutions, Cloudflare Turnstile does not display image puzzles; instead, it relies on client-side challenge procedures that run in the background and are generally invisible to users.

When using Cloudflare Turnstile, personal data may be processed, in particular IP addresses, browser information (user agent, language settings), interaction data (e.g., mouse movements, click and timing data), cookies and similar technologies, as well as information about the device and operating system used.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to protect our website and services from abuse by automated systems, spam, and malicious activities, as well as to ensure the integrity of form submissions. The processing is based on Article 6(1)(f) of the GDPR, where the legitimate interest lies in defending against bot attacks, protecting our IT infrastructure, and ensuring the security of our users.

The criteria for determining the duration for which personal data is processed are the contractual relationship between us and the service provider or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obligated to provide personal data to us or to the service provider. However, if you do not provide such data, certain features of our website—in particular forms—may not be available.

Further information and the applicable privacy policy of Cloudflare Turnstile can be found at https://www.cloudflare.com/products/turnstile/.

24. Privacy Policy Regarding the Use of Google Analytics

Google Analytics is a tool provided by Google LLC that offers website and app operators detailed statistics on traffic and user behavior. It enables the collection and analysis of data regarding website visits, user interactions, and conversion rates, which helps operators understand and optimize their online presence. Google Analytics uses cookies to collect information about user behavior, including page views, time spent on the site, and the paths users take on the website.

When using Google Analytics, personal data such as IP addresses, browser information, and interaction data are processed. This data helps website operators measure their website’s performance, improve the user experience, and develop targeted marketing strategies.

The operator of the service and thus the recipient of the personal data is: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For data subjects in the EU and the EEA, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, acts as the contact point and representative within the meaning of Article 27 of the GDPR. The representative under UK national law is: Google UK Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Google Switzerland GmbH, Brandschenkestrasse 110, 8002 Zurich, Switzerland.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The purpose of processing is the analysis and optimization of websites and apps, as well as advertising. Processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in improving the website, enhancing user-friendliness, and increasing the effectiveness of online marketing.

Further information and the applicable privacy policy of Google Analytics can be viewed at https://policies.google.com/privacy.

25. Privacy Policy Regarding the Use of Buffer

Buffer offers a platform for managing social media accounts, which allows us to schedule and publish posts and analyze the performance of our content across various social media channels. These tools help us optimize our online presence, increase engagement with our target audience, and make our marketing strategies more effective. By using Buffer, we can gain insights into user behavior, analyze trends, and tailor our social media campaigns accordingly.

When using Buffer, personal data such as names, email addresses, and social media profiles are processed. This data enables us to use the platform efficiently, create personalized reports, and improve our communication strategies.

The operator of the service and thus the recipient of the personal data is: Buffer, Inc., 2443 Fillmore St 380-7163, San Francisco, CA 94115, USA.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to manage and optimize our social media activities. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in the efficient design and analysis of our social media presence and in automation.

The service provider is based in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other appropriate or suitable safeguards referred to in Article 46(2) of the GDPR. The service provider may be a certified member of one or more data privacy frameworks. Further details can be found at https://www.dataprivacyframework.gov/list. You may request a copy of the appropriate or adequate safeguards from us.

Further information and the applicable privacy policy of Buffer, Inc. can be found at https://buffer.com.

26. Privacy Policy Regarding the Use of Google Ad Manager

Google Ad Manager is an advertising platform from Google that enables us to display ads and optimize ad performance. The service helps deliver the right ads to the right audience based on user behavior and interests. Through the use of Google Ad Manager, personal data such as IP addresses, cookie IDs, and information about user behavior—such as the frequency of page visits and interactions with the displayed ads—is processed. This data is used to optimize advertisements and analyze campaign performance. Google uses this data to personalize ads and measure the success of advertising campaigns. In addition, Google Ad Manager helps us maximize the reach and relevance of our ads by continuously evaluating data on user interaction with the ads and making appropriate adjustments.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to optimize ad placement and analyze the performance of advertising campaigns. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in improving the reach and relevance of the advertising.

Further information and the applicable privacy policy can be found at https://admanager.google.com/.

27. Privacy Policy Regarding the Use of Google Ads

Google Ads, formerly known as Google AdWords, is an online advertising program by Google LLC that enables businesses to place targeted ads to increase their visibility on the internet. Google Ads offers various ad formats, including search ads, display ads, YouTube video ads, and more, which allow businesses to reach potential customers on Google search results pages, partner websites, and other platforms within the Google network.

When using Google Ads, personal data such as IP addresses, cookies, and other identifiers derived from interactions with advertisements are processed. This data helps measure the effectiveness of advertising campaigns, precisely target audiences, and personalize advertisements based on users’ interests and behavior.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is the analysis and optimization of online advertising campaigns. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in the effective design and delivery of advertising campaigns that are relevant to both advertisers and users.

Further information and the applicable Google Ads privacy policy can be viewed at https://policies.google.com/privacy.

28. Privacy Policy Regarding the Use of Google Ads Conversion Tracking

Google Ads Conversion Tracking helps us measure the effectiveness of our advertising campaigns by recording which users perform a desired action on our website—such as a purchase or registration—after clicking on an ad. The use of this tool involves the processing of personal data such as IP addresses, click information, and website visits. This data is used to evaluate and optimize the success of Google Ads campaigns by providing insights into which ads and keywords lead to conversions. Google Ads Conversion Tracking helps us use our marketing budget more efficiently and plan targeted advertising measures to maximize return on investment (ROI).

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to measure and optimize advertising campaigns and to improve marketing ROI. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in the optimization of advertising measures and the efficient use of the budget.

Further information and the applicable privacy policy can be found at https://ads.google.com/.

29. Privacy Policy Regarding the Use of Google Ads Enhanced Conversions

Google Ads Enhanced Conversions enables us to measure the performance of our ad campaigns more accurately by identifying converted users using additional data points, such as email addresses and phone numbers, collected on our website. This service processes personal data, including contact information, and helps us improve the effectiveness of advertising and marketing efforts. By using Enhanced Conversions, we can ensure that our ads are served in a more targeted manner by presenting them to relevant users who are highly likely to convert.

The operator of the service and thus the recipient of the personal data is: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For data subjects in the EU and the EEA, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, acts as the contact point and representative within the meaning of Art. 27 of the GDPR. The representative under UK national law is: Google UK Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Google Switzerland GmbH, Brandschenkestrasse 110, 8002 Zurich, Switzerland.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to optimize the targeting accuracy of Google Ads campaigns and to measure conversion-relevant actions. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in improving the marketing strategy and tailoring advertisements.

Further information and the applicable privacy policy can be found at https://support.google.com.

30. Privacy Policy Regarding the Use of Google Ads Optimized Targeting

Google Ads Optimized Targeting is a service that helps us target our ads to suitable users by using algorithms and machine learning to select the best audience for an ad based on available user data. The service processes personal data, particularly regarding user behavior, such as website visits, interactions with ads, and demographic data. The use of this data enables us to maximize the reach of our campaigns by displaying ads to users who are most likely to interact with our content.

The operator of the service and thus the recipient of the personal data is: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For data subjects in the EU and the EEA, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, acts as the contact point and representative within the meaning of Art. 27 of the GDPR. The representative under UK national law is: Google UK Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Google Switzerland GmbH, Brandschenkestrasse 110, 8002 Zurich, Switzerland.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to optimize targeting and improve campaign performance. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in improving marketing strategies and maximizing advertising success.

Further information and the applicable privacy policy can be found at https://support.google.com.

31. Privacy Policy Regarding the Use of Google Ads Remarketing

Google Ads Remarketing enables us to display targeted advertisements to users who have already interacted with our website or our products. This is achieved by using cookies and similar technologies to identify visitors and present them with more relevant ads. In doing so, personal data such as IP addresses and browsing behavior are collected and used to display personalized advertisements tailored to users’ interests. Google Ads Remarketing helps us improve the user experience and deploy our marketing resources where they have the greatest impact.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to address users in a personalized manner through advertising and to improve campaign performance. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in the effective promotion of our products and the increase in reach.

The service operator is located in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Article 46(2) of the GDPR. The service operator may be a certified member of one or more data privacy frameworks. Further details can be found at https://www.dataprivacyframework.gov/list. You may request a copy of the appropriate or adequate safeguards from us.

Further information and the applicable privacy policy can be found at https://support.google.com.

32. Privacy Policy Regarding the Use of Google Ads Smart Bidding

Google Ads Smart Bidding is an automated bidding strategy from Google Ads that uses machine learning to optimize bids for ads based on conversion data and target goals. Through the use of Smart Bidding, personal data such as IP addresses, device information, and information about past interactions with ads is collected and processed. This data is used to improve bid management and serve ads to the most relevant users in order to increase the likelihood of a conversion. Google Ads Smart Bidding helps us increase the effectiveness of our advertising campaigns by continuously drawing on user data and adjusting bids accordingly to achieve the desired results.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to optimize the bidding strategy for targeted advertisements and to maximize the likelihood of conversion. The processing is based on Article 6(1)(f) of the GDPR, whereby the legitimate interest lies in optimizing advertising campaigns and achieving a higher conversion rate.

Further information and the applicable privacy policy can be found at https://support.google.com.

33. Privacy Policy Regarding the Use of Facebook

Facebook is a social network that allows people to connect online, share content, and communicate. Users can create profiles, post photos and videos, exchange messages, and organize themselves into groups. Facebook also offers businesses and organizations a platform for advertising and interacting with their target audience.

When using Facebook, personal data such as names, email addresses, phone numbers, usage data, location information, and information about shared content is processed. This data is necessary to provide the platform, offer personalized content and advertising, ensure user safety, and develop new services.

The operator of the service and thus the recipient of the personal data is: Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA. For data subjects in the EU and the EEA, Meta Platforms Ireland Ltd., Merrion Road, Dublin D04 X2K5, Ireland acts as the contact point and representative within the meaning of Article 27 of the GDPR. The representative under UK national law is: Meta Platforms Technologies UK Ltd, 10 Brock Street, Regent’s Place, London, NW1 3FG, United Kingdom.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is to use and improve social networking features and network services. The processing is based on Article 6(1)(b) of the GDPR for the performance of a contract to which the data subject is a party, as well as on Article 6(1)(f) of the GDPR, where the legitimate interest lies in improving the user experience, providing personalized content and advertising, and ensuring the security of the network.

The criteria for determining the period for which personal data is processed are the contractual relationship between us and the service provider, or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obligated to provide personal data to us or to the service provider. However, if you do not provide such data, you may not be able to use our services or those of the service provider.

Further information and Facebook’s applicable privacy policy can be found at https://facebook.com.

34. Privacy Policy Regarding the Use of Instagram

Instagram is a widely used social network that allows users to share photos and videos, post Stories, and interact with followers and friends. Instagram offers a variety of features, including direct messages, IGTV for longer videos, Instagram Live for real-time broadcasts, and an Explore page to discover new content and users.

When using Instagram, personal data such as names, email addresses, phone numbers, user content (photos, videos, comments, etc.), location data, usage information, and, in some cases, payment information is processed. This data helps provide the service, ensure the security of the platform, offer personalized advertising, and improve the user experience.

The operator of the service and thus the recipient of the personal data is: Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA. For data subjects in the EU and the EEA, Meta Platforms Ireland Ltd., Merrion Road, Dublin D04 X2K5, Ireland acts as the contact point and representative within the meaning of Art. 27 of the GDPR. The representative under UK national law is: Meta Platforms Technologies UK Ltd, 10 Brock Street, Regent’s Place, London, NW1 3FG, United Kingdom.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is the use and optimization of social networking features. The processing is based on Article 6(1)(b) of the GDPR for the performance of a contract to which the data subject is a party, as well as on Article 6 (1)(f) of the GDPR, whereby the legitimate interest lies in improving and personalizing the user experience, providing customer support, and ensuring the security and integrity of the platform, as well as in the use of the platform and marketing.

Further information and Instagram’s applicable privacy policy can be viewed at https://instagram.com.

35. Privacy Policy Regarding the Use of LinkedIn

LinkedIn is a social network for professional connections and career development. The platform allows users to create a professional profile, network with colleagues, business partners, and potential employers, share professional experiences and skills, and stay informed about industry news. LinkedIn also offers tools for companies and recruiters to search for talent, post job listings, and build a brand presence.

When using LinkedIn, personal data such as names, email addresses, professional titles and experience, educational background, skills, interests, and platform usage data are processed. This information is necessary to provide and use the service, create networking opportunities, present personalized content and job offers, and ensure the security of user data.

The operator of the service and thus the recipient of the personal data is: LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is the use and optimization of networking and career services. The processing is based on the user’s consent (Art. 6 (1)(a) GDPR), the performance of a contract (Art. 6(1)(b) GDPR) to which the data subject is a party, and on legitimate interests (Art. 6(1)(f) GDPR), such as marketing and recruitment.

The service provider is located in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The service provider may be a certified member of one or more data privacy frameworks. Further details can be found at https://www.dataprivacyframework.gov/list. You may request a copy of the appropriate or adequate safeguards from us.

Further information and the applicable privacy policy of LinkedIn Corporation can be viewed at https://www.linkedin.com.

36. Privacy Policy Regarding the Use of TikTok

TikTok, a platform for short video clips that enjoys great popularity worldwide, allows users to create, share, and discover creative content. On TikTok, users can dance, sing, showcase art, or participate in trends, thereby interacting with a global community.

When using TikTok, personal data such as names, email addresses, phone numbers, dates of birth, profile information, user content (videos, comments), location data, and information from social networks is processed. This data is necessary to provide the services, personalize the platform, enable user interactions, and improve support.

The operator of the service and thus the recipient of the personal data is: TikTok Pte. Ltd., 1 Raffles Quay, No. 26-10, South Tower, 048583, Singapore. For data subjects in the EU and the EEA, TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, acts as the contact person and representative within the meaning of Article 27 of the GDPR. The representative under UK national law is: TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, EC1A 9HP, United Kingdom.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the data processing is the use of the video platform. The processing is based on the performance of a contract pursuant to Article 6(1)(b) of the GDPR, to which the data subject is a party, as well as on legitimate interests pursuant to Article 6(1)(f) of the GDPR, such as the use of a global platform for advertising and the enhancement of our market presence.

The criteria for determining the duration for which personal data is processed are the contractual relationship between us and the service operator or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obligated to provide personal data to us or to the service operator. However, if you do not provide such data, you may not be able to use our services or those of the service operator.

Further information and TikTok’s applicable privacy policy can be viewed at https://www.tiktok.com.

37. Privacy Policy Regarding the Use of Apple Pay

Apple Pay is a payment service provided by Apple Inc. that allows users to make secure and convenient payments using their Apple devices, such as iPhone, Apple Watch, iPad, and Mac. By using Apple Pay, users can make payments in stores, apps, and on websites without having to use physical payment cards or cash. When setting up and using Apple Pay, personal data such as credit or debit card numbers, transaction data, device information, and location data are processed. This information is used to authorize transactions, prevent fraud, and improve the user experience.

The operator of the service and thus the recipient of the personal data is: Apple, Inc., One Apple Park Way, Cupertino, CA 95014, USA. For data subjects in the EU and the EEA, Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, acts as the contact person and representative within the meaning of Article 27 of the GDPR. The representative pursuant to Article 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Apple Switzerland AG, Löwenstrasse 29, 8001 Zurich, Switzerland.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The purpose of using Apple Pay is to provide a secure and convenient payment service. Processing is based on Article 6(1)(b) of the GDPR, as it is necessary for the performance of a contract to which the data subject is a party. Additionally, the processing may be based on Article 6(1)(f) of the GDPR when it concerns improving security and fraud prevention, our use of the solution, or the acceptance of the Apple Pay payment method.

The service provider is located in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Article 46(2) of the GDPR. Apple may be a certified member of one or more data privacy frameworks. Further details can be found at https://www.dataprivacyframework.gov/list. You may request a copy of the appropriate or adequate safeguards from us.

The criteria for determining the duration for which personal data is processed are the statutory or contractual retention periods. The provision of personal data is required by law or contract, or is necessary for the conclusion of a contract. While you are not obligated to provide us with personal data for this processing, you will not be able to use our services if you do not provide it.

Further information and the applicable Apple Pay privacy policy can be found at https://www.apple.com.

38. Privacy Policy Regarding the Use of Google Pay

Google Pay is a digital payment service provided by Google LLC that allows users to make secure and convenient payments via their mobile devices or the internet. Google Pay supports contactless payments in stores, online purchases, and money transfers between users. It integrates various payment methods, such as credit cards, debit cards, and bank accounts, to provide a seamless payment experience. In addition, Google Pay offers features such as the storage of loyalty cards, gift cards, and airline tickets.

When using Google Pay, personal data such as names, addresses, email addresses, phone numbers, payment information, transaction data, and device information is processed. This information is necessary to provide payment services, ensure the security of transactions, prevent fraud, and create personalized offers.

Purposes for which the personal data is to be processed, as well as the legal basis for the processing: The purpose of the processing is the use and optimization of the payment service. The processing is based on Article 6(1)(b) of the GDPR for the performance of a contract to which the data subject is a party, and on Article 6(1)(f) of the GDPR, where the legitimate interest lies in the provision and use of a secure, efficient, and user-friendly payment system.

The criteria for determining the duration for which personal data is processed are the statutory or contractual retention periods. The provision of personal data is required by law or contract, or is necessary for the conclusion of a contract. While you are not obligated to provide us with personal data for this processing, you will not be able to use our services if you do not provide it.

Further information and the applicable Google Pay privacy policy can be viewed at https://policies.google.com/privacy.

39. Privacy Policy Regarding the Use of PayPal

PayPal is a payment service provider that enables us to process payments for our products and services securely and efficiently online. When using PayPal, personal data such as name, address, email address, payment information, and transaction data are processed. This data is necessary to authorize payments, verify the buyer’s identity, prevent fraud, and securely process the payment. PayPal also uses this information to analyze transactions and improve security measures. Additionally, PayPal helps us optimize the payment process and offer users a convenient payment option.

The operator of the service and thus the recipient of the personal data is: PayPal, Inc., 2211 N. First Street, San Jose, CA 95131, USA. For data subjects in the EU and the EEA, PayPal (Europe) S.à r.l. et Cie., S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, acts as the contact person and representative within the meaning of Art. 27 of the GDPR. The representative under UK national law is: Bird & Bird GDPR Representative UK, 12 New Fetter Lane, Holborn, London, EC4A 1JP, United Kingdom.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The purpose of processing is to execute online payments and ensure a secure payment process. Processing is based on Article 6(1)(b) of the GDPR, as it is necessary for the performance of a contract to which the data subject is a party.

The service provider is located in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Article 46(2) of the GDPR. The service provider may have concluded one of the EU standard contractual clauses with us. You may request a copy of the appropriate or adequate safeguards from us.

The criteria for determining the duration for which personal data is processed are the contractual relationship between us and the service provider or statutory or contractual retention periods. The provision of personal data is required by law or contract, or is necessary for the conclusion of a contract. You are obligated to provide us with personal data for this processing.

Further information and PayPal, Inc.’s applicable privacy policy can be found at https://www.paypal.com/am/home.

40. Privacy Policy Regarding the Use of Stripe

Stripe is a technology company that offers powerful and flexible tools for e-commerce, including payment processing, billing, and financial management solutions. Stripe enables businesses of all sizes to accept and process online payments, manage subscriptions, and prevent fraud. The platform is known for reducing the complexity of financial transactions and making them more secure and user-friendly.

When using Stripe services, personal data such as names, addresses, email addresses, phone numbers, bank and payment information, and transaction data are processed. This information is necessary to provide payment services, prevent fraud, offer customer support, and comply with legal requirements.

The operator of the service and thus the recipient of the personal data is: Stripe, Inc., 354 Oyster Point Boulevard, San Francisco, CA 94080, USA. For data subjects in the EU and the EEA, Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, acts as the contact point and representative within the meaning of Article 27 of the GDPR. The representative under UK national law is: Stripe Payments UK Ltd., 9th Floor, 107 Cheapside, London, EC2V 6DN, United Kingdom.

Purposes for which personal data is to be processed, as well as the legal basis for processing: The purpose of data processing is to use payment processing via Stripe. The processing is based on the performance of a contract pursuant to Article 6(1)(b) of the GDPR, to which the data subject is a party, as well as on legitimate interests pursuant to Article 6(1)(f) of the GDPR, such as improving our services, preventing fraud, using efficient payment applications, and complying with legal requirements.

The service provider is located in a third country, namely the United States. Transfers to third countries may be based on the conclusion of standard contractual clauses or on other suitable or appropriate safeguards referred to in Article 46(2) of the GDPR. The service provider may have concluded one of the EU standard contractual clauses with us. You may request a copy of the appropriate or adequate safeguards from us.

The criteria for determining the duration for which personal data is processed are the statutory or contractual retention periods. The provision of personal data is required by law or contract, or is necessary for the conclusion of a contract. While you are not obligated to provide us with personal data for this processing, you will not be able to use our services if you do not provide it.

Further information and Stripe’s applicable privacy policy can be viewed at https://stripe.com.