Privacy and data protection



This Privacy Policy informs you about the type, scope and purpose of the processing of personal data
(hereinafter referred to as “Data”) within our on-line offer, the websites, functions and contents related
to this and external on-line presences, such as our social media profiles (hereinafter jointly referred to
as “Web Presence”). With regard to the terms used herein, such as “processing” or “controller”, we refer
to the definitions under Art. 4 of the General Data Protection Regulation (GDPR).

Controller
Wolf-D Koch, Managing Director
Lupine Lighting Systems GmbH
Im Zwiesel 9
92318 Neumarkt
E-mail: wolf@lupine.de
Link to the legal notice: https://www.lupine-shop.com/de/impressum

Types of data processed:

  • inventory data (e.g. names, addresses);
  • contact data (e.g. e-mail address, phone numbers);
  • content data (e.g. text input, photographs, videos);
  • usage data (e.g. accessed web pages, interest in contents, access times);
  • meta/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the Web Presence (hereinafter collectively referred to as “Users”)

Purpose of the processing
  • provision of the Web Presence, its functions and contents;
  • responding to contact requests and communication with Users;
  • security measures;
  • coverage measurements/marketing activities.

Terms used:

“Personal Data” means any information relating to an identified or identifiable natural person (hereinafter
referred to as “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly,
in particular by reference to an identifier, such as a name, an identification number, location data, an on-line
identifier (e.g. cookies), or to one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed in relation to Personal Data, whether
or not by automatic means. The term has a broad meaning and encompasses virtually any type of data processing.

“Pseudonymisation” means the Processing of Personal Data in such ways that Personal Data can no longer be
attributed to specific Data Subjects without using additional information, provided such additional information
is kept separately and subject to technical and organisational measures which ensure that Personal Data is not
attributed to an identified or identifiable natural person.

“Profiling” means any automated Processing of Personal Data which consists in using such Personal Data to evaluate
certain personal aspects relating to natural persons, in particular to analyse or predict aspects relating to that natural
person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location
or change of location.

“Controller” means a natural or legal person, public authority, agency or other body individually or jointly with
others determining the purposes and means for processing Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body processing Personal Data on
behalf of the Controller.


Relevant legal bases

In accordance with Art. 13 of the GDPR, we inform you about the legal bases of data processing by us. Should a
privacy policy fail to indicate the legal basis, the following applies: the legal basis for obtaining consents is point (a)
of Art. 6(1) and Art. 7 of the GDPR; the legal basis for processing to render our services, executing contracts and
responding to enquiries is point (b) of Art. 6(1) of the GDPR; the legal basis for processing to fulfil our legal obligations
is point (c) of Art. 6(1) of the GDPR; and the legal basis for processing to protect our legitimate interests is point (f)
of Art. 6(1) of the GDPR. In the event that a Data Subject’s or another natural person’s vital interests make it necessary
to process Personal Data, point (d) of Article 6(1) of the GDPR serves as the legal basis.


Security measures

Pursuant to Art. 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope,
context and the purposes of the Processing, but also the risk of varying likelihood and severity for the rights and freedoms
of natural persons, we take appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring Data confidentiality, integrity and availability by controlling physical access
to the Data and entry, transfer, assurance of availability and segregation of the Data. We have also established procedures to ensure
the exercise of the Data Subjects’ rights, Data erasure and responses to Data compromise. Furthermore, we take Personal
Data protection into account as early as when developing or selecting hardware, software and processes, in accordance with
the principle of data protection by design and by default (Art. 25 of the GDPR).


Cooperation with data processors and third parties

If, in the course of our processing activities, we disclose, transfer to or otherwise grant other natural and legal persons
(data processors or third parties) access to the Data, we do so only based on legal permissions (e.g. if Data transfer to third
parties, e.g. payment service providers, is necessary for contract performance pursuant to point (b) of Art. 6(1) of the
GDPR), if you consented to this, if a legal duty exists or if this is based on our legitimate interests (e.g. when engaging agents,
web hosts, etc.).

If we commission third parties with processing Data on the basis of a so-called “data processing agreement”, we do so based
on Art. 28 of the GDPR.


Transfers to third countries

If we process Data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if
Data is processed in third countries due to using third-party services, disclosing and/or transferring Data to third parties,
this occurs only to fulfil our (pre-)contractual obligations, based on your consent, a legal obligation or our legitimate
interests. Subject to legal or contractual permissions, we process or have Data processed in a third country only if the
special requirements of Art. 44 et seq. of the GDPR are met. This means that Processing is carried out, for example, based
on special guarantees, such as the official recognition of data protection levels corresponding to those of the EU
(e.g. the “Privacy Shield” for the US), or compliance with officially recognised special contractual obligations (so-called
“Standard Contractual Clauses”).


Rights of data subjects

You have the right to request a confirmation as to whether Data in question is being processed, a right of Data access
and a right to additional information and a Data copy in accordance with Art. 15 of the GDPR.

Under Art. 16 of the GDPR, you have the right to request your Personal Data to be completed or incorrect Personal
Data to be corrected.

In accordance with Art. 17 of the GDPR, you have the right to demand that Data in question be erased without delay,
or alternatively, in accordance with Art. 18 of the GDPR, to demand restriction of the Data processing.

You have the right to request, in accordance with Art. 20 of the GDPR, that you be provided with Personal Data you
submitted to us and to request that this Data be transferred to other controllers.

You also have the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 of the GDPR.


Right of revocation

You have the right to withdraw given consents in accordance with Art. 7(3) of the GDPR with effect for the future.


Right of objection

You may object to future Personal Data Processing in accordance with Art. 21 of the GDPR at any time. Such objection
may be made in particular to the Processing for direct advertising purposes.


Cookies and the right to object to direct advertising

“Cookies” are small files stored on the Users’ computers. These cookies can store different types of information.
The primary purpose of a cookie is to store information about a User (and/or the device on which the cookie is stored)
during or after his/her access to a website. Temporary cookies, also called “session cookies” or “transient cookies”,
are cookies which are deleted after a User leaves a web presence and closes his/her browser. This type of cookie might
store, for example, the shopping cart contents of an on-line shop or the logon status. “Permanent” or “persistent”
cookies means cookies which remain on the computer even after the browser is closed. For example, this makes it
possible to store the logon status if Users visit the website again after several days. Likewise, such cookies might
store the Users’ interests to use this for coverage measurements or marketing purposes. “Third-party cookies” are cookies
which providers other than the controller operating the web presence offer (the term of “first-party cookies” is used if
the controller’s cookies are used only).

We may use temporary and permanent cookies and will explain this in our Privacy Policy.

If Users do not want cookies to be stored on their computers, they are requested to deactivate the corresponding option
in their browser system settings. Stored cookies can be deleted by changing the browser system settings. Exclusion of
cookies may lead to functional restrictions of this Web Presence.

General objection to the use of cookies fulfilling on-line marketing purposes is possible for a large number of services,
especially in the case of tracking, via the US website at http://www.aboutads.info/choices/ or the EU website at
http://www.youronlinechoices.com/. Furthermore, storage of cookies can be prevented by deactivating them in the browser
settings. Please note that, in this case, not all the functions of this Web Presence can be used.


Data erasure

The Data we process will be erased or its processing will be restricted in accordance with Art. 17 and Art. 18 of the GDPR.
Unless expressly stated in this Privacy Policy, Data we store will be deleted as soon as it is no longer required for its intended
purpose and erasure is not contrary to any statutory retention obligations. If the Data is not erased because it is required for
other and legally permissible purposes, its processing will be restricted. This means that the Data is blocked and will not be
processed for other purposes. This applies, without limitation, to Data which must be retained for commercial or
tax law reasons.

Pursuant to legal requirements in Germany, Data is stored in particular for 10 years in accordance with sec. 147 para. 1 of the
AO [Abgabenordnung – German Fiscal Code], sec. 257 para. 1 nos. 1 and 4, para. 4 of the HGB [Handelsgesetzbuch – German
Commercial Code] (books; records; management reports; accounting receipts; trading books; taxation-relevant documents etc.)
and 6 years in accordance with sec. 257 para. 1 nos. 2 and 3, para. 4 of the HGB (commercial letters).

According to legal requirements in Austria, Data is stored in particular for 7 years pursuant to sec. 132 para. 1 of the BAO
[Bundesabgabenordnung – Austrian Federal Fiscal Code] (accounting records; receipts/invoices; accounts; receipts; business
papers; revenue and expenses statements etc.), for 22 years in connection with real property and for 10 years in the case
of documents related to electronic services or telecommunications/radio/television broadcasting services provided to non-
entrepreneurs in EU Member States based on the Mini One Stop Shop (MOSS) optional scheme.

 

Business-related processing

In addition, we process

  • contract data (e.g. subject matter of the contract, term, customer category);
  • payment data (e.g. bank details, payment history) of our (potential) customers and business partners to provide contractual,
    customer care, marketing, advertising and market research services.


 

Order processing in the online shop; customer account

We process our customers’ Data in the context of the web shop ordering process to enable them to choose and purchase the
selected products and services, to pay for them and to have them delivered and/or provided.

The Data processed includes inventory, communication, contract and payment data, with Data Subjects affected by the
Processing including our (potential) customers and other business partners. The Data is processed to provide contractual
services within the framework of web shop operation, invoicing, delivery and customer services. We use session cookies
to store the shopping cart contents and permanent cookies to store the logon status.

The Processing is based on points (b) (purchase order execution) and (c) (legally required storage) of Art. 6(1) of the GDPR.
Information marked as required is necessary for justification and contract fulfilment. We disclose the Data to third parties only
within the context of deliveries and payments or within the scope of legal permissions and obligations towards legal advisors
and public authorities. The Data is processed in third countries only if this is necessary for fulfilling the contract (e.g. at the customer’s
request upon delivery or payment).

Users have the option to create a user account in which they can particularly see a list of their orders. During registration,
required mandatory data is communicated to the Users. User accounts are not public and cannot be indexed by search engines.
If Users have cancelled their user accounts, their user account data will be erased, unless retention is necessary for commercial or
tax reasons in accordance with point (c) of Art. 6(1) of the GDPR. Until the time of erasure, user account data will not be erased,
but subsequently archived, in the event of a legal obligation. Users are responsible for making data back-ups before contract
termination if the contract was cancelled.

In the context of registration, renewed log-on and use of our on-line services, we store the IP address and the time of the User’s
respective actions. Storage is based on our legitimate interests and on the Users’ interest in protection against abuse and other
types of unauthorised use. In principle, this Data is not passed on to third parties, unless this is necessary for asserting our claims
or unless there is a legal obligation to do so in accordance with point (c) of Art. 6(1) of the GDPR.

The Data is erased after legal warranty and comparable obligations have expired, with the need for Data storage being checked once
every three years. In the case of legal archiving obligations, the Data is erased once these obligations no longer apply (6 years under
commercial law; 10 years under tax law).

 

External payment service providers

We engage external payment service providers on whose platforms Users and we can execute payment transactions. These service
providers include (links to the privacy policies added): Paypal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full);
Klarna (https://www.klarna.com/de/datenschutz/); Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/);
Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/); Visa (https://www.visa.de/datenschutz);
Mastercard (https://www.mastercard.de/de-de/datenschutz.html);
American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html).

In the context of contract performance, we engage payment service providers based on point (b) of Art. 6(1) of the GDPR. Furthermore,
we engage external payment service providers based on our legitimate interests pursuant to point (f) of Art. 6(1) of the GDPR in order
to offer our Users effective and secure payment options.

The Data processed by payment service providers includes inventory data, such as the name and address, bank data, such as account
or credit card numbers, passwords, TANs, checksums, contract data, total amounts and recipient-related data. This information is
required to carry out the transactions. However, the data provided is only processed by and stored with payment service providers.
This means that we are provided with no account or credit card information, but only information which includes a payment
confirmation or rejection. Under certain circumstances, payment service providers might transmit this Data to credit bureaus. The purpose
of such transmission consists in identity and credit standing checks. In this regard, we refer to the payment service providers’ terms
and conditions and privacy policies.

Payment transactions are subject to the respective payment service providers’ terms and conditions and privacy policies which can
be accessed on the respective websites and/or payment applications. We refer to them also for further information and the assertion
of revocation, information and other data subject rights.

 

Administration; financial accounting; office organisation; contact management

We process Data in the context of managing and organising our operations, financial accounting activities and compliance with
legal obligations, such as archiving. In doing so, we process the same Data we process when providing our contractual services.
The Processing is based on points (c) and (f) of Art. 6(1) of the GDPR. Customers, prospects, business partners and website visitors
are affected by the Processing. The purpose of and our interest in the Processing consist in administration, financial accounting,
office organisation and data archiving, i.e., tasks which serve continuation of our business activities, performance and service provision.
Data erasure regarding contractual services and communications complies with the information given for these processing activities.

In doing so, we disclose or transmit Data to the tax authorities, advisors, such as tax consultants or auditors, and to other fee offices
and payment service providers.

Furthermore, we store information on suppliers, organisers and other business partners based on our business interests, e.g. for the
purpose of contacting them at a later date. This Data, most of which relates to the Company, is generally stored permanently.

 

Business analyses and market research

To cost-efficiently operate our business and to be able to recognise market trends and the requests of our contractual partners and
Users, we analyse the Data we have on business transactions, contracts, enquiries, etc. In this regard, we process inventory,
communication, contract, payment, usage and metadata based on point (f) of Art. 6(1) of the GDPR, with Data Subjects including contract
partners, prospects, customers, visitors and Users of our Web Presence.

We perform these analyses for business evaluation, marketing and market research purposes. In doing so, we may take into account
the profiles of registered Users, including details regarding, for example, the services they used. The analyses help us to increase the
user-friendliness and to optimise both our offer and business profitability. The analysis results are exclusively used by us and will not
be disclosed to third parties, unless we performed anonymous analyses containing summarised values only.

If these analyses or profiles are personal, they will be erased or made anonymous upon cancellation by the User or two years after
contract conclusion. In addition, we prepare anonymous macro-economic analyses and general trend analyses wherever possible.

 

Registration function

Users can create a user account. Within the scope of registration, mandatory Data is communicated to the Users and processed based
on point (b) of Art. 6(1) of the GDPR for the purpose of providing the user account. Processed Data particularly includes log-on
information (name, password and an e-mail address). Data entered during registration is used for the purposes of using the user account.

Users can be informed by e-mail about information relevant to their user account, such as technical changes. If Users have closed their
user accounts, data relating to the user accounts will be erased, unless legal data retention obligations exist. Users are responsible for
making data back-ups before contract termination if the contract was cancelled. We are entitled to irretrievably erase all user data
stored during the term of the contract.

In the context of using our registration/log-on function and the user account, we store the IP address and the time of the respective user
action. Storage is based on our legitimate interests and on the Users’ interest in protection against abuse and other types of unauthorised
use. In principle, this Data is not passed on to third parties, unless this is necessary for asserting our claims or unless there is a legal
obligation to do so in accordance with point (c) of Art. 6(1) of the GDPR. The IP addresses are anonymised or deleted after 7 days at the latest.

 

Comments and posts

If users leave comments or other posts, their IP addresses may be stored for 7 days based on our legitimate interests as defined in
point (f) of Art. 6(1) of the GDPR. This is done for our security, in case someone leaves comments and posts containing illegal contents
(insults, forbidden political propaganda etc.). In this case, we ourselves might be sued because of the comment or post, which is
why we are interested in the identity of the author.

Furthermore, we reserve the right, based on our legitimate interests pursuant to point (f) of Art. 6(1) of the GDPR, to process the
Users’ information for spam detection purposes.

On the same legal basis, we reserve the right, in the case of surveys, to store the Users’ IP addresses and to use cookies until the survey
is completed to avoid multiple votes.

Data provided in the context of comments and contributions will be permanently stored by us until the User objects to this.

 

Comment subscriptions

Users may subscribe to follow-up comments if they give their consent pursuant to point (a) of Art. 6(1) of the GDPR. Users will receive
an e-mail confirmation to verify that they are the owners of the e-mail they provided. Users can unsubscribe from ongoing comment
subscriptions at any time. The e-mail confirmation includes instructions as to how they can withdraw their consent. To show that Users
gave their consent, we store the time of subscription along with the User’s IP address and erase this data once Users unsubscribe.

You can unsubscribe from our subscription at any time, that is, withdraw your consent to this. Before erasing them, we may store
unsubscribed e-mail addresses for up to three years based on our legitimate interests to prove that consent was previously given.
The Processing of this Data is limited to the purpose of a possible defence against claims. Individual erasure requests are possible
at any time, provided that there is evidence of a consent having been granted in the past.

 

Contacting us

When contacting us (e.g. via the contact form, e-mail, telephone or social media), we process the User’s details for the purpose of handling
the contact request and its processing pursuant to point (b) of Art. 6(1) of the GDPR. The Users’ details can be stored in a customer relationship
management system (“CRM System”) or similar enquiry organisation systems.

We erase the requests if they are no longer necessary. We review the need for storage once every two years; furthermore, the legal storage
obligations apply.

 

Newsletter

Based on the below information, we inform you about the contents of our newsletter, the registration, delivery and statistical evaluation
procedure and your rights of objection. By subscribing to our Newsletter, you agree to reception and the procedures described above.

Newsletter contents: We send newsletters, e-mails and other electronic notifications containing promotional information (hereinafter
“Newsletter”) only based on the recipients’ consent or a legal permission. Insofar as the Newsletter contents are specifically described
during the subscription process, the Users’ consent depends on them. In addition, our Newsletters contain information about our
services and the Company.

Double opt-in and logging: Subscription to our Newsletter is based on the so-called double opt-in procedure. This means that, after
registration, you will receive an e-mail asking you to confirm your subscription. This confirmation is necessary to prevent subscriptions
made using other people’s e-mail addresses. Subscriptions to the Newsletter will be logged to prove the subscription process in accordance with
legal requirements. This includes the storage of registration and confirmation times and that of the IP address. Likewise, changes to your
Data stored with the delivery service provider will be logged.

Credentials: To subscribe to the Newsletter, it is sufficient to enter your e-mail address. As an option, we ask you to enter a name to
personally address you in the Newsletter.

Newsletter delivery and related performance measurement are based on the recipients’ consent pursuant to point (a) of Art. 6(1) and
Art. 7 of the GDPR in conjunction with sec. 7 para. 2 no. 3 of the German Act Against Unfair Competition [UWG – Gesetz gegen den
unlauteren Wettbewerb] or, if no consent is required, on our legitimate interests in direct marketing pursuant to point (f) of Art. 6(1) of the
GDPR in conjunction with sec. 7 para. 3 of the UWG.

Subscription process logging is based on our legitimate interests according to point (f) of Art. 6(1) of the GDPR. Our interest is using a
user-friendly, secure newsletter system which both serves our commercial interest and meets the expectations of the Users, but which
also makes it possible for us to show that consents were given.

Cancellation/withdrawal – You can unsubscribe from our Newsletter at any time, that is, withdraw your consent to this. You find a
link to cancel Newsletter receipt at the end of each Newsletter. Before erasing them, we may store unsubscribed e-mail addresses for
up to three years based on our legitimate interests to prove that consent was previously given. The Processing of this Data is limited
to the purpose of a possible defence against claims. Individual erasure requests are possible at any time, provided that there is evidence
of a consent having been granted in the past.

 

Newsletter – Mailchimp

The newsletter is delivered by “MailChimp”, a newsletter delivery platform operated by Rocket Science Group, LLC, 675 Ponce De Leon
Ave NE #5000, Atlanta, GA 30308, United States. The delivery service provider’s privacy policy is available at https://mailchimp.com/legal/privacy/.
The Rocket Science Group, LLC, d/b/a MailChimp, is certified under the Privacy Shield Agreement, thereby guaranteeing compliance with
the European data protection level (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The delivery service
provider is used based on our legitimate interests pursuant to point (f) of Art. 6(1) of the GDPR and a processing agreement pursuant to
Art. 28(3) sent. 1 of the GDPR.

The delivery service provider can use the recipients’ data in a pseudonymous form, i.e. without allocation to a User, for optimising or
improving their own services, e.g. for the technical optimisation of the dispatch and the presentation of the Newsletter, or for statistical
purposes. The delivery service provider does not use the Data to contact you or to pass on the Data to third parties.

 

Newsletter – performance measurement

The Newsletters contain so-called “web beacons”, i.e. pixel-sized files which are retrieved from our server when the Newsletter is opened
or, if we engage a delivery service provider, from their servers. In the course of this retrieval, technical
information, such as information on the browser and your system, your IP address and the time of retrieval, is initially collected.

This information is used for the technical improvement of services based on technical data, or for the definition of target groups and their reading
behaviour based on their retrieval locations (identifiable with the help of the IP address) or the access times. Statistical surveys also include
a determination of whether Newsletters are opened, when they are opened and which links readers click on. For technical reasons,
identification of individual Newsletter recipients is possible based on this information; however, it is neither our intention nor, if engaged,
that of delivery service providers to monitor individual Users. Instead, we use these evaluations to understand the Users’ reading habits,
to adapt our contents to them or to send different contents according to their interests.

Unfortunately, separate withdrawal for performance measurements is not possible; in this case, Newsletter subscription must be
cancelled as a whole.

 

Hosting and e-mail delivery

The hosting services we use are used to provide the following services: infrastructure and platform services; computing capacity; storage
space and database services; e-mail delivery; security services; and technical maintenance services we use for the purpose of operating
this Web Presence.

We and/or our hosting provider process inventory, contact, content, contract, usage, communication and metadata of customers, prospects
and visitors of this Web Presence based on our legitimate interests in efficiently and securely providing this Web Presence pursuant to point (f)
of Art. 6(1) of the GDPR in conjunction with Art. 28 of the GDPR (conclusion of processing agreement).

 

Collection of access data and log files

We or, rather, our hosting provider collect(s) Data on all accesses to servers on which the services are hosted based on our legitimate
interests within the meaning of point (f) of Art. 6(1) of the GDPR (so-called “server log files”). Access data includes the name of the website
called up, file, date and time of the call-up, amount of data transmitted, notification of the successful call-up, browser type and version,
the User’s operating system, referrer URL (the last website visited beforehand), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. for the clarification of abuses or fraud) for a maximum of 7 days and deleted thereafter.
Data which needs to be retained for longer periods to secure evidence is exempt from erasure until the final clarification of the respective incident.

 

Google Analytics

We use Google Analytics, a web analytics service provided by Google, LLC (“Google”), based on our legitimate interests (i.e. interest
in the analysis, optimisation and cost-efficient operation of our Web Presence within the meaning of point (f) of Art. 6(1) of the GDPR).
Google uses cookies. Information generated by the cookie concerning the Users’ use of this Web Presence is usually transmitted to
and stored on a Google server in the United States.

Google is certified under the Privacy Shield Agreement and thereby guarantees compliance with European data protection law
(https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will use this information on our behalf to evaluate the use of our Web Presence by the Users, compile reports on Web Presence
activity and provide us with other services relating to Web Presence activity and internet usage. Pseudonymous usage profiles for Users
might be created from the processed Data.

We use Google Analytics only if IP anonymisation is enabled. This means that Google shortens the Users’ IP addresses within the territory
of the EU Member States or other EEA contracting states. Only in exceptional cases will the full IP address be transferred to and shortened
on a Google server located in the US.

The IP address transmitted by the User’s browser is not combined with other Google data. Users can prevent cookies from being stored
by setting their browser software accordingly; Users can also prevent the data generated by the cookie and related to their Web Presence
use from being transferred to and processed by Google by downloading and installing the browser plug-in available at the following link:
http://tools.google.com/dlpage/gaoptout?hl=de.

For further information on data use by Google and on setting and objection options, please refer to Google’s privacy policy
(https://policies.google.com/technologies/ads) and to the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Personal Data of the Users will be erased or anonymised after 14 months.

 

Social media presences

We operate on-line presences on social networks and platforms to be able to communicate with all customers, prospects and Users
active thereon and to inform them about our services. When calling up the respective networks and platforms, the respective operators’
terms and conditions and their data processing policies apply.

Unless otherwise indicated in our Privacy Policy, we process our Users’ data to the extent they communicate with us within the
framework of social networks and platforms, e.g. by publishing postings on our on-line presences or sending messages to us.

 

Integration of third-party services and content

We use third-party contents or service offers within our Web Presence based on our legitimate interests (i.e. an interest in the analysis,
optimisation and cost-efficient operation of our Web Presence within the meaning of point (f) of Art. 6(1) of the GDPR) to integrate their
contents and services, e.g. videos or fonts (hereinafter uniformly referred to as “Contents”).

Third-party Contents providers must always be aware of the Users’ IP address because they would be unable to send
Contents to the Users’ browser without having the IP address. The IP address is, therefore, required for displaying these Contents.
We try to use only such Contents whose respective providers use the IP address only for Contents delivery. Third-party providers may
also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be
used to evaluate information, such as visitor traffic on a webpage. Pseudonymous information may also be stored in cookies on the
User’s device and contain, among other things, technical browser/operating system information, referral websites, access times and
other information on the use of our Web Presence, and this may be combined with such information from other sources.

 

Vimeo

We can use videos available on the “Vimeo” platform operated by Vimeo, Inc, Attention: Legal Department, 555 West 18th Street New
York, New York 10011, United States. Privacy policy: https://vimeo.com/privacy. We point out that Vimeo may use Google Analytics and
therefore refer to the privacy policy (https://www.google.com/policies/privacy) and the opt-out options for Google Analytics
(http://tools.google.com/dlpage/gaoptout?hl=de) or Google’s settings for data use for marketing purposes (https://adssettings.google.com/).

 

YouTube

We integrate videos published on the “YouTube” platform operated by Google, LLC, 1600 Amphitheatre Parkway, Mountain View,
CA 94043, United States. Privacy policy: https://www.google.com/policies/privacy/; opt-out: https://adssettings.google.com/authenticated.

 

Google Maps

We integrate maps provided by “Google Maps”, a service operated by Google, LLC, 1600 Amphitheatre Parkway, Mountain View,
CA 94043, United States. The Data processed may include, in particular, IP addresses and location data of Users, which, however,
will not be collected without their consent (usually given based on the mobile device settings). This data may be processed in
the United States. Privacy policy: https://www.google.com/policies/privacy/; opt-out: https://adssettings.google.com/authenticated.

 

Use of Facebook social plug-ins

Based on our legitimate interests (i.e. interest in analysis, optimisation and cost-efficient operation of our Web Presence within
the meaning of point (f) of Art. 6(1) of the GDPR), we use social plug-ins (“Plug-ins”) of facebook.com, a social network operated by
Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The plug-ins can display
interaction elements or contents (e.g. videos, graphics or text posts), and they can be identified by one of the Facebook logos
(a white “f” on a blue tile; the “Like” term or a “Thumbs Up” sign) or they are marked by adding “Facebook Social Plug-in”.
You can find a list of the Facebook social plug-ins and their appearance here: https://developers.facebook.com/docs/plugins/.

Facebook is certified under the Privacy Shield Agreement and thereby guarantees compliance with European data protection law
(https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

If a User makes use of a Web Presence function which contains such a plug-in, his/her device establishes a direct connection with
Facebook’s servers. The plug-in contents are directly transferred to the User’s device and, on this basis, included into the Web Presence.
In doing so, usage profiles of Users might be created from the processed Data. We have no control over the extent of the
data which Facebook collects by using this plug-in and we therefore inform Users based on our level of knowledge.

By integrating the plug-ins, Facebook is informed that a User accessed the corresponding Web Presence. If the User is logged on to
Facebook, Facebook can make a connection between the visit and his/her Facebook account. If Users interact with the plug-ins,
for example by activating the “Like” button or posting a comment, the relevant information is directly transmitted from the User’s device
to and stored on a Facebook server. If a User is not a member of Facebook, it is still possible for Facebook to obtain and store his/her
IP address. According to Facebook, they only store an anonymised IP address in Germany.

For the purpose and extent of data collection, further processing and use of Data by Facebook, as well as the corresponding
rights and setting options for the protection of the Users’ privacy, Users can refer to Facebook’s privacy policy at
https://www.facebook.com/about/privacy/.

If a User is a Facebook member and does not want Facebook to collect Data about him/her via this Web Presence and connect this
to his/her membership data stored with Facebook, he/she must log out of Facebook and delete his/her cookies before using our
Web Presence. Further settings and objections to the use of data for advertising purposes are possible by changing the Facebook
profile settings at https://www.facebook.com/settings?tab=ads, via the US website at http://www.aboutads.info/choices/ or via
the EU website at http://www.youronlinechoices.com/. Settings are made independently of the platform, i.e. they are applied to all
devices, such as desktop computers or mobile devices.

Created with the help of datenschutz-generator.de provided by the lawyer Dr Thomas Schwenke