Data pro­tec­tion

 Pri­va­cy policy

Pri­va­cy set­tings

Con­troller

Fabi­enne Müller
T +49 (0)911/4777 24 0
E  fabienne.mueller@ideenhaus.de

Ver­sion dated: 12 August 2022

Max­i­m­il­ian Kratzer
T +49 (0)911/4777 24 38
E maximilian.kratzer@ideenhaus.de

1. Basic information on data pro­cess­ing and legal bases

A This pri­va­cy policy pro­vides information on the nature, scope and pur­pose of personal data pro­cess­ing within our online pres­ence and the web­sites, func­tions and con­tent asso­ci­at­ed with the same (here­inafter referred to col­lec­tive­ly as the ‘online pres­ence’ or ‘web­site’). The pri­va­cy policy applies regard­less of the domains, sys­tems, plat­forms and devices (e.g. desk­top com­put­er or mobile device) the online pres­ence is oper­at­ed on.     B For def­i­n­i­tions of the terms used, such as ‘personal data’ or ‘personal data pro­cess­ing’, see Arti­cle 4 of the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR).     C Users’ personal data processed in the context of this online pres­ence includes: gen­er­al data (names, address­es), con­tact details (email address­es, phone num­bers, fax num­bers), usage data (inter­ests, web­sites vis­it­ed, access times) and meta/communication data (device IDs, IP address­es)     D The term ‘user’ encom­pass­es all cat­e­gories of data sub­jects affect­ed by data pro­cess­ing. They include: clients, prospec­tive clients, users, web­site vis­i­tors and recip­i­ents of mar­ket­ing cam­paigns. The terms used (e.g. ‘user’) apply to people of all gen­ders and none.     E We process users’ personal data exclu­sive­ly in com­pli­ance with the rel­e­vant data pro­tec­tion reg­u­la­tions. This means users’ data is only processed if we are legal­ly per­mit­ted to do so. This applies, in par­tic­u­lar, if data pro­cess­ing is nec­es­sary or legal­ly required for the pro­vi­sion of our con­trac­tu­al ser­vices (e.g. order pro­cess­ing) and our online ser­vices, if the user has given their con­sent to this effect and due to our legit­i­mate inter­ests (i.e. our inter­est in analysing, opti­mis­ing and eco­nom­i­cal­ly oper­at­ing and secur­ing our online pres­ence under Arti­cle 6 (1) (f) of the GDPR), which is the case, notably, in the event of reach mea­sure­ments, cre­at­ing pro­files for advertising and mar­ket­ing pur­pos­es, col­lect­ing access cre­den­tials and using third-party ser­vices. Where a user is below the age of 16 years, con­sent to data pro­cess­ing must be given or autho­rised for the child by the holder of parental respon­si­bil­i­ty over the child.     F We would like to point out that the legal basis for con­sent is Arti­cle 6 (1) (a) and Arti­cle 7 of the GDPR and for con­sent in the case of minors is Arti­cle 8 of the GDPR, the legal basis for pro­cess­ing for the per­for­mance of our ser­vices and the imple­men­ta­tion of con­trac­tu­al activ­i­ties is Arti­cle 6 (1) (a) (1) (c) of the GDPR and the legal basis for pro­cess­ing to uphold our legit­i­mate inter­est is Arti­cle 6 (1) (f) of the GDPR. (1) (a) c. DSGVO, und die Rechts­grund­lage für die Ver­ar­beitung zur Wahrung unser­er berechtigten Inter­essen Art. 6 Abs. (1) (a) GDPR, the legal basis for pro­cess­ing for the ful­fil­ment of our legal oblig­a­tions is Arti­cle 6 of the GDPR.

2. Users’ rights

Your rights:   A Under Arti­cle 15 of the GDPR, you have a right of access to the personal data about you that we process. In par­tic­u­lar, you can access information about the pur­pos­es of pro­cess­ing, the cat­e­gories of personal data, the cat­e­gories of recip­i­ents to whom your data has been or will be dis­closed, the planned dura­tion of stor­age, the exis­tence of a right to rec­ti­fi­ca­tion, a right to era­sure, a right to restric­tion of pro­cess­ing or a right to object, the exis­tence of the right to lodge a com­plaint, the origin of your data, pro­vid­ed we did not col­lect it, the exis­tence of auto­mat­ed deci­sion-making, includ­ing pro­fil­ing, and if applic­a­ble, mean­ing­ful information on these details.     B Under Arti­cle 16 of the GDPR, you have the right to obtain, with­out undue delay, the rec­ti­fi­ca­tion of inac­cu­rate or incom­plete personal data about you that we store.     C Under Arti­cle 17 of the GDPR, you have the right to request the era­sure of personal data about you that we store, pro­vid­ed that pro­cess­ing is not required for exer­cis­ing the right to free­dom of expres­sion and information, for com­pli­ance with a legal oblig­a­tion, on grounds of public inter­est or for the estab­lish­ment, exer­cise or defence of legal claims.     D Under Arti­cle 18 of the GDPR, you have the right to request the restric­tion of pro­cess­ing of your personal data, pro­vid­ed you con­test the accu­ra­cy of the data, pro­cess­ing is unlaw­ful but you oppose the era­sure of the personal data and we no longer need the data for the pur­pos­es of pro­cess­ing and you nonethe­less need it for the estab­lish­ment, exer­cise or defence of legal claims or you have object­ed to pro­cess­ing pur­suant to Arti­cle 21 of the GDPR.     E Under Under Arti­cle 20 of the GDPR, you have the right to receive your personal data, which you pro­vid­ed to us, in a struc­tured, com­mon­ly used and machine-read­able format or to request it be trans­mit­ted to anoth­er con­troller.     F Under Arti­cle 7 (3) of the GPPR, you have the right, at any time, to revoke the con­sent you gave us. This means we will not be per­mit­ted to con­tin­ue with data pro­cess­ing based on this con­sent in the future.     G Under Arti­cle 77 of the GDPR, you have the right to lodge a com­plaint with a super­vi­so­ry author­i­ty. In gen­er­al, you may con­tact the super­vi­so­ry author­i­ty in your habit­u­al place of res­i­dence or place of work, or our company’s reg­is­tered office.

3. Right to object

If your personal data is being processed based on legit­i­mate inter­ests pur­suant to the first sen­tence of Arti­cle 6 (1) (f) of the GDPR, you have the right under Arti­cle 21 GDPR to object to the pro­cess­ing of your personal data on grounds relat­ing to your par­tic­u­lar sit­u­a­tion or to object to pro­cess­ing of your personal data for direct mar­ket­ing pur­pos­es. In the latter case, you have a gen­er­al right to object; we will apply this with­out a spe­cif­ic sit­u­a­tion being stated.

4. Secu­ri­ty mea­sures

A We take state-of-the-art organ­i­sa­tion­al, con­trac­tu­al and tech­ni­cal secu­ri­ty mea­sures to ensure that the reg­u­la­tions set out in data pro­tec­tion law are com­plied with and to pro­tect the data we process from acci­den­tal or inten­tion­al manip­u­la­tion, loss, destruc­tion or access by unau­tho­rised indi­vid­u­als.     B In par­tic­u­lar, these secu­ri­ty mea­sures include encrypt­ed data trans­fer between your brows­er and our server.

5. Dis­clo­sure of data to third par­ties and third-party providers

A A Data is only dis­closed to third par­ties as per­mit­ted by law. In this case, we only dis­close users’ data to third par­ties if doing so is required for con­trac­tu­al pur­pos­es based on Arti­cle 6 (1) (a) of the GDPR, for instance, or based on our legit­i­mate inter­ests in eco­nom­i­cal­ly Arti­cle 6 (1) (a) of the GDPR.     B If we engage sub­con­trac­tors to pro­vide our ser­vices, we take suit­able legal pre­cau­tions and appro­pri­ate tech­ni­cal and organ­i­sa­tion­al mea­sures to pro­tect personal data in line with the rel­e­vant legal require­ments.     C If, in the context of this pri­va­cy policy, con­tent, tools or other resources made avail­able by other providers (here­inafter referred to col­lec­tive­ly as ‘third-party providers’) are used and their reg­is­tered office is locat­ed in a third coun­try, it is to be assumed that data is trans­ferred to the coun­tries in which the third-party providers’ reg­is­tered offices are locat­ed. Third coun­tries are nations in which the GDPR does not apply direct­ly (i.e. coun­tries out­side of the EU and the Euro­pean Eco­nom­ic Area, in prin­ci­ple). Data is trans­ferred to third coun­tries either if there is an ade­quate level of data pro­tec­tion, the user has grant­ed their con­sent to this effect or there is oth­er­wise legal per­mis­sion to do so.

6. Pro­vi­sion of con­trac­tu­al ser­vices

A We process gen­er­al data (e.g. users’ names, address­es and con­tact details) and con­tract data (e.g. ser­vices used, names of con­tacts, pay­ment information) for the pur­pose of ful­fill­ing our con­trac­tu­al oblig­a­tions and ser­vices pur­suant to Arti­cle 6 (1) (b) of the GDPR.     B As part of reg­is­tra­tion and repeat­ed login, and the util­i­sa­tion of our online ser­vices, we store the IP address and the time of the user’s action in ques­tion. Die Spe­icherung erfol­gt auf Grund­lage unser­er berechtigten Inter­essen, als auch der Nutzer an Schutz vor Miss­brauch und son­stiger unbefugter Nutzung. Such stor­age is under­tak­en based on both our and the user’s legit­i­mate inter­ests in pre­vent­ing abuse and other unau­tho­rised access. In prin­ci­ple, this data is not dis­closed to third par­ties unless doing so is required for pur­su­ing our claims or there is a legal oblig­a­tion in this respect pur­suant to Arti­cle 6 (1) (a) of the GDPR.  

7. Con­tact

A When users con­tact us (using the con­tact form or by email), their details are processed for han­dling and pro­cess­ing the con­tact request pur­suant to Arti­cle 6 (1) (a) of the GDPR or based on your vol­un­tary con­sent under Arti­cle 6 (1) (a) of the GDPR. The personal data we col­lect for use of the con­tact form and the personal data you trans­fer by email is erased as soon as it is no longer required for its pur­pose.     B User details can be stored in our cus­tomer rela­tion­ship management (CRM) system or a sim­i­lar system for organ­is­ing enquiries.

8. Col­lec­tion of access data and log files

A We col­lect data on every instance of access to the server that our ser­vices are locat­ed on (known as ‘server log files’); we do so based on our legit­i­mate inter­ests under Arti­cle 6 (1) (a) of the GDPR. This access data includes the name of the web­site accessed, the file, the date and time of access, the quan­ti­ty of data trans­ferred, noti­fi­ca­tion of successful access, the brows­er type and ver­sion, the user’s oper­at­ing system, the refer­rer URL (the page vis­it­ed pre­vi­ous­ly), the IP address and the provider making the request.     B Log file information is stored on secu­ri­ty grounds (e.g. to clar­i­fy abu­sive or fraud­u­lent actions) for a max­i­mum of 14 days, after which it is erased. Data that needs to be retained for a longer period of time for evi­dence pur­pos­es is exclud­ed from such era­sure until the case in ques­tion has been defin­i­tive­ly clar­i­fied.  

9. Cook­ies and reach mea­sure­ment

A Cook­ies are pieces of information that are trans­ferred from our web server or third-party web servers to users’ web browsers, where they are stored and can be sub­se­quent­ly accessed. Cook­ies may be small files or other forms of information stor­age.     B We use what are known as ‘ses­sion cook­ies’, which are only stored for the dura­tion of your cur­rent visit to our online pres­ence (e.g. to save your login status or the shop­ping basket fea­ture, which thus enable our online pres­ence to be used in the first place). ses­sion cookie stores a ran­dom­ly gen­er­at­ed, unique iden­ti­fi­ca­tion number, known as a ‘ses­sion ID’. A cookie also con­tains information about its origin and the stor­age period. These cook­ies cannot store any other information. Ses­sion cook­ies are delet­ed when you have fin­ished using our online pres­ence and either log out or close the brows­er.     C This pri­va­cy policy pro­vides users with information on the use of cook­ies during pseu­do­nymised reach mea­sure­ment.     D If users object to the stor­age of cook­ies on their com­put­er, they are request­ed to dis­able the rel­e­vant option in their browser’s system set­tings. Stored cook­ies can be erased using the browser’s system set­tings. Exclud­ing cook­ies can limit the func­tion­al­i­ty of this online pres­ence.     E You can object to the use of cook­ies to mea­sure reach and for advertising pur­pos­es using the NAI opt-out page (http://optout.networkadvertising.org/). You can also do this using the US web­site (http://www.aboutads.info/choices) or the Euro­pean web­site (http://www.youronlinechoices.com/uk/your-ad-choices/).  

10. Google Ana­lyt­ics

A We use Google Ana­lyt­ics, a web ana­lyt­ics ser­vice pro­vid­ed by Google, Inc. (‘Google’), based on our legit­i­mate inter­ests (i.e. our inter­est in analysing, opti­mis­ing and eco­nom­i­cal­ly oper­at­ing our online pres­ence under Arti­cle 6 (1) (f) of the GDPR). Google uses cook­ies. The information that the cookie gen­er­ates on how users use the online pres­ence is gen­er­al­ly trans­ferred to and stored on a Google server in the USA.     B B Google is cer­ti­fied under the EU-US Pri­va­cy Shield and there­fore guar­an­tees it will comply with Euro­pean data pro­tec­tion law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).     C Google will use this information on our behalf to eval­u­ate how users use our online pres­ence, to com­pile reports on activ­i­ties within this online pres­ence and to pro­vide us with fur­ther ser­vices asso­ci­at­ed with the use of this online pres­ence and the inter­net. Pseu­do­nymised user pro­files may be cre­at­ed from the data processed for this pur­pose.     D D We only use Google Ana­lyt­ics with IP anonymi­sa­tion acti­vat­ed. This means that Google trun­cates users’ IP address­es within Member States of the Euro­pean Union or in other states that are party to the Agree­ment on the Euro­pean Eco­nom­ic Area. Only in excep­tion­al cases will the full IP address be trans­ferred to and trun­cat­ed on a Google server in the USA.     E The IP address trans­ferred by the user’s brows­er is not merged with any other data that Google holds. Users can pre­vent the set­ting of cook­ies by chang­ing their brows­er set­tings accord­ing­ly. Addi­tion­al­ly, users can also pre­vent Google’s col­lec­tion and pro­cess­ing of the information the cookie gen­er­ates about their use of the online pres­ence by down­load­ing and installing the brows­er plugin avail­able at: http://tools.google.com/dlpage/gaoptout?hl=en. As an alter­na­tive to the brows­er add-on or for browsers on mobile devices, please click on the hyper­link below to pre­vent Google Ana­lyt­ics from col­lect­ing data within this web­site in future: Google Ana­lyt­ics opt-out (the opt-out only works within the brows­er and only for this domain).     F Please refer to Google’s web­sites – https://policies.google.com/technologies/partner-sites?hl=en (‘How Google uses information from our part­ners’ web­sites or apps), http://www.google.com/policies/technologies/ads (‘Using data for advertising pur­pos­es’), http://www.google.en/settings/ads (‘Man­ag­ing information that Google uses to show you advertising) – for fur­ther information on how Google uses data, set­tings and opting out.  

11. Inte­grat­ing third-party ser­vices and con­tent

A Within our online pres­ence, we use con­tent or ser­vices offered by third-party providers to inte­grate their con­tent and ser­vices (e.g. videos or fonts) (here­inafter referred to col­lec­tive­ly as ‘con­tent’). We do so based on our legit­i­mate inter­ests (i.e. our inter­est in analysing, opti­mis­ing and eco­nom­i­cal­ly oper­at­ing our online pres­ence under Arti­cle 6 (1) (f) of the GDPR). This always requires the third-party providers of this con­tent to know users’ IP address­es, as they cannot send the con­tent to their browsers with­out the IP address­es. As a result, an IP address is required for this con­tent to be dis­played. We strive only to use con­tent from providers that use the IP address to exclu­sive­ly deliv­er this con­tent. Fur­ther­more, third-party providers may use what are known as ‘pixel tags’ (invis­i­ble graph­ics, also known as ‘web bea­cons’) for sta­tis­ti­cal or mar­ket­ing pur­pos­es. The pixel tags enable eval­u­a­tion of information, such as vis­i­tor traf­fic to this website’s pages. The pseu­do­nymised information may also be stored in cook­ies on the users’ devices and may con­tain tech­ni­cal information about the brows­er and oper­at­ing system, web­sites referred to, the length of the visit and fur­ther details on how our online pres­ence is used, along with other pieces of data. It may also be asso­ci­at­ed with information of this nature from other sources.     B The list below pro­vides an overview of third-party providers and their con­tent, along with links to their pri­va­cy poli­cies, which con­tain fur­ther details on data pro­cess­ing and opt-out options, some of which are listed here:  
    • Exter­nal fonts from Google, Inc., https://www.google.com/fonts (‘Google Fonts’). Google Fonts are inte­grat­ed by means of retrieval from Google’s server (gen­er­al­ly in the USA). Pri­va­cy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
 
    • Maps from the ‘Google Maps’ ser­vice pro­vid­ed by the third-party provider Google, Inc., of 1600 Amphithe­atre Park­way, Moun­tain View, CA 94043, USA. Pri­va­cy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
 
    • Videos from the plat­form ‘YouTube’ pro­vid­ed by the third-party provider Google, Inc., of 1600 Amphithe­atre Park­way, Moun­tain View, CA 94043, USA. Pri­va­cy policy: https://www.google.com/policies/privacy/, opt-out: https://www.google.com/settings/ads/.
 

12. Era­sure of data

A The data we store is erased as soon as it is no longer required for its pur­pose and such era­sure does not con­flict with any statu­to­ry reten­tion require­ments. Pro­vid­ed that users’ data is not erased because it is required for other, legal­ly per­mis­si­ble pur­pos­es, pro­cess­ing of the same will be lim­it­ed. This means the data will be blocked and not processed for other pur­pos­es. This applies to user data that needs to be retained under com­mer­cial or tax law, for exam­ple.     B Under the legal require­ments, data is retained for six years pur­suant to Sec­tion 257 (1) of the German Com­mer­cial Code (com­mer­cial records, inven­to­ries, open­ing bal­ance sheets, annual finan­cial state­ments, com­mer­cial let­ters, vouch­ers for account­ing entries, etc.) and for ten years pur­suant to Sec­tion 147 (1) of the German Fiscal Code (accounts and records, sit­u­a­tion reports, account­ing records, trade and busi­ness let­ters, doc­u­ments of relevance for tax­a­tion, etc.).

13. Mod­i­fi­ca­tions to the pri­va­cy policy

A We reserve the right to modify the pri­va­cy policy to take reg­u­la­to­ry changes, changes to the ser­vice and changes to data pro­cess­ing into account. How­ev­er, this only applies in respect of dec­la­ra­tions regard­ing data pro­cess­ing. Pro­vid­ed users’ con­sent is required or com­po­nents of the pri­va­cy policy include pro­vi­sions on the con­trac­tu­al rela­tion­ship with users, the mod­i­fi­ca­tions may only be made with the users’ con­sent.     B Users are request­ed to obtain information about the con­tent of the pri­va­cy policy at reg­u­lar inter­vals.