Data protection

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to simply as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as the “online offering”).

The terms used are gender-neutral.

Status: June 3, 2025

Table of Contents

  • Preamble
  • Controller
  • Overview of Processing
  • Applicable Legal Bases
  • Security Measures
  • Data Deletion
  • Rights of Data Subjects
  • Use of Cookies
  • Business Services
  • Payment Procedures
  • Provision of the Online Offering and Web Hosting
  • Registration, Login, and User Accounts
  • Contact and Request Management
  • Newsletters and Electronic Notifications
  • Advertising Communication via Email, Post, Fax or Phone
  • Web Analytics, Monitoring and Optimization
  • Online Marketing
  • Social Media Presence
  • Plugins and Embedded Content

Controller

ric Schütz
Gerling&Schütz Immobilien- und Beteiligungsgesellschaft mbH
Kölner Straße 161, 53840 Troisdorf, Germany

Phone: +49 (0)2241 881 881-0
Fax: +49 (0)2241 881 881-1
Email: info@villa-oleandra-roche.com

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects involved.

Types of Processed Data

  • Inventory data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication and procedural data
  • Event data (Facebook)

Categories of Data Subjects

  • Customers
  • Prospective customers
  • Communication partners
  • Users
  • Business and contractual partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Contact requests and communication
  • Security measures
  • Direct marketing
  • Reach measurement
  • Tracking
  • Office and organizational procedures
  • Conversion tracking
  • Audience segmentation
  • Management and response to inquiries
  • Feedback
  • Marketing
  • User-based profile creation
  • Provision of our online offering and user-friendliness
  • IT infrastructure

Applicable Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National data protection regulations in Germany: In addition to the GDPR, national data protection laws apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific regulations on the right of access, right to erasure, the right to object, processing of special categories of personal data, processing for other purposes, and data transfers as well as automated individual decision-making including profiling. In addition, state data protection laws of individual German federal states may apply.

Relevant legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (referred to as “Swiss DPA”). This also applies if our data processing otherwise affects you in Switzerland and you are impacted by it. Unlike the GDPR, the Swiss DPA generally does not require that a specific legal basis be named for processing personal data. We only process personal data if the processing is lawful, conducted in good faith, and proportionate (Art. 6(1) and (2) Swiss DPA). Moreover, personal data is only collected for a specific, recognizable purpose and only processed in a manner compatible with that purpose (Art. 6(3) Swiss DPA).

Note on applicability of GDPR and Swiss DPA: These privacy notices serve both as information under the Swiss Federal Act on Data Protection (Swiss DPA) and the General Data Protection Regulation (GDPR). Therefore, please note that for broader applicability and clarity, the terms used are those of the GDPR. In particular, instead of the Swiss DPA terms such as “processing” of “personal data”, “overriding interest”, and “sensitive personal data”, the GDPR terms “processing” of “personal data”, “legitimate interest” and “special categories of data” are used. However, the legal interpretation of these terms under the Swiss DPA remains governed by Swiss law.

Security Measures

We take appropriate technical and organizational measures, in accordance with legal requirements, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, transfer, availability, and separation thereof. We have also established procedures to ensure the exercise of data subject rights, data deletion, and response to data threats. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and processes, in accordance with the principle of privacy by design and by default.

TLS/SSL Encryption (https): To protect user data transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting data transferred between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated, more secure version of SSL. Hyper Text Transfer Protocol Secure (HTTPS) is shown in the URL when a site is secured by an SSL/TLS certificate.

Data Deletion

The data we process is deleted in accordance with legal requirements as soon as the consents permitting processing are revoked or other authorizations cease to apply (e.g., if the purpose for which the data was processed no longer applies or the data is no longer necessary for that purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing is restricted to those purposes. That means the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons, or whose storage is required to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person. Within the framework of our privacy notices, we may provide users with additional information regarding the deletion and retention of data that apply specifically to individual processing procedures.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have the following rights under the GDPR, particularly as set out in Articles 15 to 21 GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing, including profiling related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the data and further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you or the completion of incomplete personal data, in accordance with legal requirements.
  • Right to erasure and restriction of processing: You have the right to request the erasure of personal data concerning you without undue delay, or alternatively to request the restriction of processing in accordance with legal requirements.
  • Right to data portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit those data to another controller, in accordance with legal requirements.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.

Rights of data subjects under the Swiss FADP:

According to the provisions of the Swiss Federal Act on Data Protection (FADP), you have the following rights:

  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and to receive the information necessary to assert your rights under this law and to ensure transparent data processing.
  • Right to data disclosure or transfer: You have the right to request the release of your personal data that you have disclosed to us in a commonly used electronic format.
  • Right to rectification: You have the right to request the rectification of incorrect personal data concerning you.
  • Right to object, erase, or destroy: You have the right to object to the processing of your data, and to request the erasure or destruction of your personal data.

Use of Cookies

Cookies are small text files or other types of storage identifiers that store information on end devices and read information from them. They are used, for example, to store login status in a user account, shopping cart contents in an e-shop, accessed content, or used functions in an online offering. Cookies can also be used for various purposes such as functionality, security, user-friendliness of online offerings, and analyzing visitor flows.

Consent information: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless it is not legally required. Consent is not required, particularly if storing and reading information (including cookies) is strictly necessary to provide users with a telemedia service they explicitly requested (i.e., our online offering). Essential cookies generally include those for display and functionality of the website, load balancing, security, storing user preferences and options, or similar purposes necessary to provide core and auxiliary functions. The revocable consent is clearly communicated to users and includes information on the use of each cookie.

Legal basis information: The legal basis on which we process users’ personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis is their consent. Otherwise, the data processed via cookies is based on our legitimate interests (e.g., for the business operation and usability of our online offering) or, if necessary for the fulfillment of our contractual obligations, when cookies are essential to meet those obligations. We provide details about cookie purposes in this privacy policy or as part of our consent and processing procedures.

Storage duration: The following types of cookies are distinguished in terms of storage duration:

  • Temporary cookies (session cookies): These are deleted at the latest after a user leaves the online offering and closes their device (e.g., browser or app).
  • Permanent cookies: These remain stored even after the device is closed. For example, login status or preferred content may be remembered when the user revisits a website. Data collected via cookies may also be used for reach measurement. Unless otherwise specified, users can assume cookies are permanent and may be stored for up to two years.

General information on withdrawal and objection (“opt-out”): Users may revoke their consents at any time and object to processing according to legal requirements. Among other methods, users may restrict the use of cookies via their browser settings (which may limit our website’s functionality). Objections to cookies used for online marketing can also be declared at https://optout.aboutads.info and https://www.youronlinechoices.com.

  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR), Consent (Art. 6(1)(a) GDPR).

Further information on processing procedures, methods, and services:

  • Processing of cookie data based on consent: We use a cookie consent management system through which user consents for cookie usage and related processing and providers are obtained, managed, and revoked. Consent declarations are stored to avoid repetitive prompts and to demonstrate compliance. Storage can occur server-side and/or in a cookie (so-called opt-in cookie or similar technology) to associate consent with a user or their device. Unless otherwise stated, the consent storage duration may be up to two years. A pseudonymous user ID is stored along with the time of consent, scope of consent (e.g., cookie categories and/or providers), and browser, system, and device data. Legal basis: Consent (Art. 6(1)(a) GDPR).
  • BorlabsCookie: Cookie consent management; provider: hosted on own servers or systems under own data protection responsibility; website: https://de.borlabs.io/borlabs-cookie/. Additional information: A unique user ID, language, types of consent, and the time of consent are stored server-side and in the user’s device cookie.

Business Services

We process data of our contractual and business partners, such as customers and prospects (collectively referred to as “contractual partners”), within the scope of contractual and comparable legal relationships, as well as related measures and communication (including pre-contractual), e.g., to respond to inquiries.

We process this data to fulfill our contractual obligations. This includes, in particular, obligations to provide agreed services, any update obligations, and remedies in case of warranty or other performance issues. Additionally, we process the data to safeguard our rights and for administrative tasks and business organization associated with these obligations. We also process the data based on our legitimate interest in proper and economically efficient business operations and in implementing security measures to protect our contractual partners and our business from misuse, data threats, trade secrets exposure, and infringements on rights (e.g., involving telecommunications, transport or auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). We only disclose data to third parties to the extent necessary for the above purposes or to comply with legal obligations. Any further processing—e.g., for marketing purposes—is described in this privacy policy.

We inform our contractual partners about the required data for the above purposes before or during data collection—e.g., through online forms, special markings (e.g., colors), symbols (e.g., asterisks), or in person.

We delete the data after expiration of legal warranty and similar obligations, generally after four years, unless the data is stored in a customer account or required by law for archiving. Statutory retention periods include 10 years for tax-relevant documents and accounting records (e.g., ledgers, inventories, opening balances, annual financial statements, work instructions, and organizational documentation) and 6 years for commercial and business correspondence (received and sent). The retention period starts at the end of the calendar year in which the last entry was made or the document was created.

If we use third-party providers or platforms to provide our services, their terms and privacy policies apply in the relationship between users and the respective providers.

  • Types of data processed: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., contract subject, duration, customer category); Usage data (e.g., visited websites, content interest, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, consent status).
  • Data subjects: Customers; Prospects; Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Security measures; Contact inquiries and communication; Office and organizational procedures; Management and response to inquiries.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Provision of the Online Offering and Web Hosting

We process user data in order to provide our online services. For this purpose, we process the user’s IP address, which is necessary to deliver the content and features of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g., visited websites, content interest, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, consent status); Content data (e.g., entries in online forms).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of IT systems and devices, e.g., computers, servers); Security measures.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing procedures, methods, and services:

  • Hosting on own/dedicated server infrastructure: We use servers operated by us along with storage space, computing power, and software to provide our online offering.
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Collection of access data and log files: Access to our online offering is logged in server log files. These logs may include the address and name of retrieved web pages and files, date and time of access, data volumes, success messages, browser type and version, user operating system, referrer URL (previously visited site), IP addresses, and the requesting provider. Server log files are used for security purposes (e.g., preventing server overloads, especially from DDoS attacks) and to ensure server load distribution and stability.
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
    Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data retained for evidence purposes is excluded from deletion until the incident is fully clarified.
  • Email transmission and hosting: Our hosting services also include the sending, receiving, and storage of emails. For this, sender and recipient addresses, additional metadata (e.g., involved providers), and email contents are processed. Data may also be processed to detect spam. Note: Emails on the internet are generally not end-to-end encrypted. While they are often encrypted during transmission, they are not encrypted on the sending and receiving servers unless specific end-to-end encryption is used. We cannot take responsibility for the transmission route between sender and our server.
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Contact and Request Management

When you contact us (e.g., by mail, contact form, email, telephone, or via social media) or within the context of existing user and business relationships, we process the information provided by the inquiring individuals to the extent necessary to respond to the inquiries and any requested measures.

  • Types of data processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: Communication partners.
  • Purposes of processing: Inquiries and communication; Management and response to requests; Feedback (e.g., collecting feedback via online forms); Provision of our online offering and user experience.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Further information on processing procedures, methods, and services:

  • Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to handle the request.
    Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as “newsletter”) only with the recipients’ consent or legal permission. Where the content of a newsletter is specifically described as part of the sign-up process, it is decisive for user consent. Otherwise, our newsletters include information about our services and ourselves.

To sign up for our newsletters, usually only your email address is required. However, we may request your name to personalize the greeting or other information necessary for the purpose of the newsletter.

Double Opt-In Procedure: Subscription to our newsletter takes place via a double opt-in procedure. That means you will receive an email after signing up in which you are asked to confirm your registration. This confirmation is necessary to ensure no one can register using someone else’s email address. Newsletter subscriptions are logged to prove the sign-up process complies with legal requirements, including the time of registration and confirmation and the IP address. Changes to the data stored with the dispatch provider are also logged.

Deletion and restriction of processing: Based on our legitimate interests, we may retain unsubscribed email addresses for up to three years before deleting them, in order to be able to prove previously given consent. This data is only processed to defend against potential claims. A deletion request can be made at any time if former consent is confirmed. In the case of a permanent objection, we reserve the right to store the email address in a blocklist for this purpose only.

The registration process is logged on the basis of our legitimate interests to demonstrate that it was carried out properly. If we commission a service provider to send emails, this is based on our legitimate interest in an efficient and secure mailing system.

Content:

Information about us, our services, promotions, and offers.

  • Types of data processed: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: Communication partners.
  • Purposes of processing: Direct marketing (e.g., by email or post).
  • Legal basis: Consent (Art. 6(1)(a) GDPR).
  • Opt-out: You can unsubscribe from our newsletter at any time, i.e., revoke your consent or object to further receipt. A link to unsubscribe is included at the end of each newsletter, or you may use one of the contact options above—preferably email.

Web Analytics, Monitoring and Optimization

Web analysis (also referred to as “audience measurement”) serves to evaluate the visitor flows of our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of audience measurement, we can, for example, recognize at what times our online offering or its functions or content are most frequently used or invite reuse. We can also identify which areas require optimization.

In addition to web analysis, we may employ testing procedures to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e., data summarized into a usage process, can be created for these purposes, and information can be stored in a browser or on a device and read from it. The collected information includes, in particular, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data with us or with the providers of the services we use, location data may also be processed.

Users’ IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored within the scope of web analysis, A/B testing, and optimization, but rather pseudonyms. That is, neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the purposes of the respective procedures.

  • Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Audience measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creation of user profiles).
  • Security Measures: IP masking (pseudonymization of IP address).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing procedures, methods, and services:

  • Matomo: Matomo is software used for web analysis and audience measurement purposes. When using Matomo, cookies are generated and stored on the users’ devices. The data collected through the use of Matomo are processed only by us and not shared with third parties. The cookies are stored for a maximum period of 13 months: https://matomo.org/faq/general/faq_146/; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Data deletion: The cookies have a storage duration of a maximum of 13 months.

Online Marketing

We process personal data for the purposes of online marketing, which may include, in particular, the marketing of advertising spaces or the display of advertising and other content (collectively referred to as “content”) based on potential user interests, as well as the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (known as a “cookie”) or similar procedures are used, through which information relevant to the display of the aforementioned content is stored about the user. This information may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as the browser used, the computer system used, and information about usage times and used functions. If users have consented to the collection of their location data, these may also be processed.

Users’ IP addresses are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored within the framework of online marketing procedures, but rather pseudonyms. That is, neither we nor the providers of the online marketing procedures know the actual identity of the users, only the information stored in their profiles.

The information in the profiles is usually stored in cookies or using similar procedures. These cookies can later generally also be read on other websites that use the same online marketing procedure, analyzed for the purpose of displaying content, and supplemented with additional data and stored on the server of the online marketing procedure provider.

In exceptional cases, clear data may be assigned to the profiles. This is the case, for example, when users are members of a social network whose online marketing procedure we use and the network links the users’ profiles with the aforementioned information. We ask you to note that users may make additional agreements with the providers, for example, by giving consent during registration.

We generally only have access to aggregated information about the success of our advertisements. However, we can check within the framework of so-called conversion measurements which of our online marketing procedures have led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, please assume that the cookies used are stored for a period of two years.

  • Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status); event data (Facebook) (“event data” are data that can be transmitted to Facebook via Facebook Pixel (via apps or other means) and relate to individuals or their actions; the data include, for example, information about visits to websites, interactions with content, functions, app installations, product purchases, etc.; the event data are processed for the purpose of creating target groups for content and advertising information (custom audiences); event data do not include the actual content (such as written comments), login information, or contact information (i.e., no names, email addresses, and phone numbers). Event data are deleted by Facebook after a maximum of two years, and the target groups created from them are deleted when our Facebook account is deleted).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Audience measurement (e.g., access statistics, recognition of returning visitors); tracking (e.g., interest-/behavior-based profiling, use of cookies); marketing; profiles with user-related information (creation of user profiles); conversion measurement (measurement of the effectiveness of marketing measures); target group formation; provision of our online offering and user-friendliness.
  • Security Measures: IP masking (pseudonymization of IP address).
  • Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Opt-out options: We refer to the privacy notices of the respective providers and the opt-out options provided by the providers (so-called “opt-out”). If no explicit opt-out option is specified, there is the possibility to disable cookies in your browser settings. However, this may restrict the functionality of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for respective regions:

    Europe: https://www.youronlinechoices.eu
    Canada: https://www.youradchoices.ca/choices
    USA: https://www.aboutads.info/choices
    Global: https://optout.aboutads.info

Further information on processing procedures, methods, and services:

  • Facebook Ads: Placement of advertisements within the Facebook platform and evaluation of ad results; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; basis for third-country transfer: EU-US Data Privacy Framework (DPF); opt-out option: We refer to the privacy and advertising settings in the user’s profile on the Facebook platforms, as well as Facebook’s consent procedures and contact options for exercising information and other data subject rights, as described in Facebook’s privacy policy; further information: User event data, i.e., behavioral and interest information, is processed for the purposes of targeted advertising and target group formation based on the joint responsibility agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly includes the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  • Instagram Ads: Placement of advertisements within the Instagram platform and evaluation of ad results; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); website: https://www.instagram.com; privacy policy: https://instagram.com/about/legal/privacy; basis for third-country transfer: EU-US Data Privacy Framework (DPF); opt-out option: We refer to the privacy and advertising settings in the user’s profile on the Instagram platform, as well as Instagram’s consent procedures and contact options for exercising information and other data subject rights in Instagram’s privacy policy; further information: User event data, i.e., behavioral and interest information, is processed for the purposes of targeted advertising and target group formation based on the joint responsibility agreement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which particularly includes the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Social Media Presence

We maintain online presences within social networks and, in this context, process users’ data in order to communicate with users active there or to offer information about us.

Please note that users’ data may be processed outside the European Union. This may pose risks to users, for example, because it could make it more difficult to enforce users’ rights.

Furthermore, user data is typically processed for market research and advertising purposes within social networks. For example, usage behavior and resulting user interests may be used to create user profiles. These profiles may, in turn, be used to display advertisements both within and outside the networks that presumably match users’ interests. For these purposes, cookies are usually stored on users’ devices, which store the usage behavior and interests of the users. In addition, data may be stored in the user profiles regardless of the devices used by the users (especially if users are members of the respective platforms and logged in).

For detailed information about the respective processing methods and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

Also, in the case of information requests and the assertion of data subject rights, we point out that these are best exercised directly with the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. However, if you need assistance, you may contact us.

  • Types of data processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Contact requests and communication; feedback (e.g., collecting feedback via online form); marketing.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing procedures, methods, and services:

Plugins and Embedded Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include graphics, videos, or maps (hereinafter collectively referred to as “content”).

Integration always requires that the third-party providers of this content process the IP address of the users, as they could not send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or functions. We strive to use only content whose respective providers use the IP address solely for content delivery. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to analyze visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users’ devices and include technical information about the browser and operating system, referring websites, visit time, and further usage information about our online offering, as well as be linked with such information from other sources.

  • Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, time information, identification numbers, consent status).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online offering and user-friendliness; marketing; profiling (creation of user profiles).
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing procedures, methods, and services:

  • Google Fonts (served from Google servers): Retrieval of fonts (and icons) for the purpose of technically secure, maintenance-free, and efficient use of fonts and icons with regard to being up to date, load times, consistent display, and consideration of licensing restrictions. The user’s IP address is communicated to the provider so that fonts can be displayed in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) necessary for delivering fonts depending on the device and technical environment are transmitted. These data may be processed on a Google server in the USA. When users visit our online offering, their browsers send HTTP requests to the Google Fonts Web API to retrieve the CSS and fonts. These requests include (1) the IP address, (2) the requested URL, and (3) HTTP headers including the User-Agent and referrer URL. IP addresses are neither logged nor stored by Google. Only request details are logged in aggregate for debugging and analytics. Google states it does not use this data to create user profiles or serve targeted ads.
    Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
    Website: https://fonts.google.com/
    Privacy policy: https://policies.google.com/privacy
    International data transfer basis: EU-US Data Privacy Framework (DPF)
    More information: https://developers.google.com/fonts/faq/privacy?hl=en
  • Instagram Plugins and Content
    Instagram plugins and content – This may include content such as images, videos, texts, and buttons that allow users to share content from this online offering within Instagram.
    We are jointly responsible with Meta Platforms Ireland Limited for the collection or receipt (but not the further processing) of “event data” that Facebook collects via Instagram features (e.g., embedding functions for content) executed on our online offering, or that Facebook receives in the context of such transmission, for the following purposes:
    a) Displaying content and advertising information likely to correspond to the interests of users;
    b) Delivering commercial and transactional messages (e.g., contacting users via Facebook Messenger);
    c) Improving ad delivery and personalizing features and content (e.g., improving recognition of content or ad information likely to correspond to user interests).
    We have entered into a specific agreement with Facebook (“Controller Addendum”, available at: https://www.facebook.com/legal/controller_addendum), which defines in particular which security measures Facebook must observe (see: https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to respect data subject rights (i.e., users can direct information or deletion requests directly to Facebook).
    Note: When Facebook provides us with metrics, analyses, and reports (which are aggregated, i.e., do not contain any information about individual users and are anonymous to us), this processing does not fall under joint controllership but is instead governed by a data processing agreement (“Data Processing Terms”: https://www.facebook.com/legal/terms/dataprocessing), the Data Security Terms (https://www.facebook.com/legal/terms/data_security_terms), and, regarding processing in the U.S., by Standard Contractual Clauses (“Facebook-EU Data Transfer Addendum”: https://www.facebook.com/legal/EU_data_transfer_addendum).
    User rights (especially rights to access, erasure, objection, and to lodge complaints with competent supervisory authorities) are not restricted by these agreements with Facebook.
    Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland
    Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
    Website: https://www.instagram.com
    Privacy Policy: https://instagram.com/about/legal/privacy/