Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to briefly as “data”) we process, for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of the provision of our services and in particular on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”). The terms used are not gender-specific. Last updated: 25 August 2025

Table of contents

Controller

projx GmbH
Josef-Felder-Straße 53, D-81241 Munich, Germany
Phone: +49 (0) 89 232 412 16
E-mail: info [@] projx.de
Managing Directors: Ivan Zagorchev, Peter Petridis
Register court: Local Court of Munich | HRB 207001

Legal notice of LuxJobs: https://en.luxjobs.de/impressum/

Overview of processing activities

The following overview summarises the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data
  • Contact data
  • Content data
  • Usage data
  • Meta, communication and procedural data

Categories of data subjects

  • Communication partners
  • Users

Purposes of processing

  • Communication
  • Reach measurement
  • Tracking
  • Audience building
  • Organisational and administrative procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offering and user-friendliness

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If, in individual cases, more specific legal bases are relevant, we will inform you of these in the privacy policy.
  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, in particular, special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated individual decision-making including profiling. In addition, data protection laws of the individual federal states may apply.

National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Austria. These include, in particular, the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains, in particular, special provisions on the right of access, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated individual decision-making.

Relevant legal bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data on the basis of the Federal Act on Data Protection (hereinafter “Swiss DPA”). Unlike the GDPR, the Swiss DPA generally does not require a specific legal basis to be named for the processing of personal data, and the processing of personal data is lawful if it is carried out in good faith, is lawful and proportionate (Art. 6 paras. 1 and 2 Swiss DPA). In addition, we only collect personal data for a specific purpose that is recognisable to the data subject and only process it in a way that is compatible with that purpose (Art. 6 para. 3 Swiss DPA).

Note on the applicability of the GDPR and the Swiss DPA: These data protection notices serve both to provide information in accordance with the Swiss DPA and in accordance with the General Data Protection Regulation (GDPR). For this reason, please note that, due to the broader territorial scope and for ease of understanding, the terminology of the GDPR is used. In particular, instead of the terms “processing” of “personal data”, “overriding interest” and “particularly sensitive personal data” used in the Swiss DPA, the terms “processing” of “personal data”, “legitimate interest” and “special categories of data” used in the GDPR are applied. However, the legal meaning of the terms will, in the context of the Swiss DPA, continue to be determined in accordance with the Swiss DPA.

Security measures

In accordance with the legal requirements and taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input into, transfer of, securing of availability of and separation of the data. Furthermore, we have implemented procedures that ensure the exercise of data subjects’ rights, the deletion of data and reactions to data threats. In addition, we already take into account the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default. Shortening of IP addresses: Where IP addresses are processed by us or by the service providers and technologies we use and the processing of a full IP address is not required, the IP address will be shortened (also referred to as “IP masking”). In this process, the last two digits or the last part of the IP address after a dot are removed or replaced by placeholders. The shortening of the IP address is intended to prevent or significantly impede the identification of a person on the basis of their IP address.

Transfer of personal data

In the context of our processing of personal data, it may occur that such data is transmitted to other entities, companies, legally independent organisational units or persons or disclosed to them. Recipients of this data may include, for example, service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International data transfers

Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of the use of services of third parties or the disclosure or transfer of data to other persons, entities or companies (which can be recognised by the postal address of the respective provider or where this privacy policy explicitly refers to data transfers to third countries), such transfer is always carried out in accordance with the legal requirements. For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised by an adequacy decision of the EU Commission dated 10 July 2023 as a secure legal framework. In addition, we have concluded standard contractual clauses with the respective providers that comply with the requirements of the EU Commission and set out contractual obligations to protect your data. This dual protection ensures comprehensive protection of your data: The DPF forms the primary layer of protection, while the standard contractual clauses serve as additional safeguards. Should changes occur in the context of the DPF, the standard contractual clauses act as a reliable fallback option. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes. For each individual service provider, we will inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). For data transfers to other third countries, appropriate safeguards apply, in particular standard contractual clauses, explicit consents or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of personal data abroad: In accordance with the Swiss DPA, we only disclose personal data abroad if an adequate level of protection for the data subjects is ensured (Art. 16 Swiss DPA). If the Federal Council has not determined an adequate level of protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we take alternative security measures. For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised by Switzerland as a secure legal framework by an adequacy decision dated 7 June 2024. In addition, we have concluded standard data protection clauses with the respective providers that have been approved by the Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations to protect your data. This dual protection ensures comprehensive protection of your data: The DPF forms the primary layer of protection, while the standard data protection clauses serve as additional safeguards. Should changes occur in the context of the DPF, the standard data protection clauses act as a reliable fallback option. In this way, we ensure that your data remains adequately protected even in the event of political or legal changes. For each individual service provider, we will inform you whether they are certified under the DPF and whether standard data protection clauses are in place. The list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). For data transfers to other third countries, appropriate safeguards apply, including international treaties, specific guarantees, standard data protection clauses approved by the FDPIC or internal data protection regulations that have been recognised in advance by the FDPIC or a competent data protection authority of another country.

General information on data storage and deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or there are no further legal bases for processing. This applies in cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions exist where legal obligations or special interests require a longer retention or archiving period. In particular, data that must be retained for commercial or tax law reasons or whose retention is necessary for legal prosecution or for the protection of the rights of other natural or legal persons must be archived accordingly. Our data protection notices contain additional information on the retention and deletion of data, which apply specifically to certain processing activities. If multiple retention periods or deletion deadlines are specified for a piece of data, the longest period is always decisive. Data that is no longer required for the original purpose, but is retained due to legal requirements or other reasons, will only be processed for the reasons that justify its retention. Retention and deletion of data: The following general retention periods apply to storage and archiving under German law:
  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets as well as the work instructions and other organisational documents necessary for their understanding (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
  • 8 years – Booking receipts, such as invoices and cost receipts (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
  • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents, insofar as they are relevant for taxation, such as timesheets, internal cost allocation sheets, calculation documents, price labels, but also payroll documents, insofar as they are not already booking receipts, and till receipts (§ 147 para. 1 nos. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 nos. 2 and 3 in conjunction with para. 4 HGB).
  • 3 years – Data required to take into account potential warranty and damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and common industry practice, is stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Retention and deletion of data: The following general retention periods apply to storage and archiving under Austrian law:
  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, booking receipts and invoices as well as all necessary work instructions and other organisational documents (Federal Fiscal Code (BAO § 132), Austrian Commercial Code (UGB §§ 190–212)).
  • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters and other documents, insofar as they are relevant for taxation. These include, for example, timesheets, internal cost allocation sheets, calculation documents, price labels and payroll documents, insofar as they are not already booking receipts and till receipts (Federal Fiscal Code (BAO § 132), Austrian Commercial Code (UGB §§ 190–212)).
  • 3 years – Data required to take into account potential warranty and damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and common industry practice, is stored for the duration of the regular statutory limitation period of three years (§§ 1478, 1480 ABGB).
Retention and deletion of data: The following general retention periods apply to storage and archiving under Swiss law:
  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, booking receipts and invoices as well as all necessary work instructions and other organisational documents (Art. 958f of the Swiss Code of Obligations (CO)).
  • 10 years – Data that is necessary to take into account potential damage claims or similar contractual claims and rights, as well as to process related enquiries, based on previous business experience and common industry practice, is stored for the period of the statutory limitation period of ten years, unless a shorter period of five years is applicable in certain cases (Art. 127, 130 CO). After five years, claims become time-barred for rent, lease and interest payments as well as other periodic payments, for the delivery of foodstuffs, for catering and hotel debts, for work carried out by tradespeople, for the retail sale of goods, for medical treatment, for professional services of lawyers, legal agents, attorneys and notaries, and from the employment relationship of employees (Art. 128 CO).

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular those set out in Art. 15 to 21 GDPR:
  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. e or f GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of such data for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to such data and further information and a copy of the data in accordance with the legal provisions.
  • Right to rectification: You have the right, in accordance with the legal provisions, to obtain the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with the legal provisions, to obtain the erasure of personal data concerning you without undue delay or, alternatively, to obtain restriction of processing in accordance with the legal provisions.
  • Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format or to transmit those data to another controller in accordance with the legal provisions.
  • Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Rights of data subjects under the Swiss DPA: As a data subject, you have the following rights under the Swiss DPA, subject to the legal requirements:
  • Right of access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to receive the information necessary to enable you to exercise your rights under this Act and to ensure transparent data processing.
  • Right to data handover or transfer: You have the right to request the handover of your personal data that you have provided to us in a commonly used electronic format.
  • Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
  • Right to object, erasure and destruction: You have the right to object to the processing of your data and to request that personal data concerning you be erased or destroyed.

Use of cookies

The term “cookies” is used to describe functions that store information on users’ end devices and read such information from them. Cookies can be used for a variety of purposes, for example to ensure the functionality, security and convenience of online offerings as well as to create analyses of visitor flows. We use cookies in accordance with legal requirements. Where necessary, we obtain users’ consent in advance. Where consent is not required, we rely on our legitimate interests. This is the case where the storage and reading of information is essential in order to provide explicitly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be revoked at any time. We provide clear information about the scope of use and which cookies are used. To manage the cookies and similar technologies used (tracking pixels, web beacons etc.) and the related consents, we use the consent tool “Real Cookie Banner”. You can find details on how “Real Cookie Banner” works at https://devowl.io/de/rcb/datenverarbeitung/. The legal bases for the processing of personal data in this context are Art. 6 para. 1 lit. c GDPR and Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the management of the cookies and similar technologies used and of the consents related to them. The provision of personal data is neither contractually required nor necessary for the conclusion of a contract. You are not obliged to provide personal data. If you do not provide personal data, we are unable to manage your consents. Notes on data protection legal bases: Whether we process personal data using cookies depends on whether consent has been given. If consent has been given, this serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures. Storage period: With regard to the storage period, the following types of cookies are distinguished:
  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offering and closed their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored after the end device has been closed. For example, the login status can be stored and preferred content displayed directly when a user revisits a website. Likewise, user data collected using cookies can be used for reach measurement. Unless we provide explicit information about the type and storage duration of cookies (e.g. in connection with obtaining consent), you should assume that they are permanent and that the storage period can be up to two years.
General information on withdrawal and objection (opt-out): Users can withdraw any consent they have given at any time and may also object to processing in accordance with the legal requirements, including by using the privacy settings of their browser.
  • Types of data processed: Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further information on processing operations, procedures and services:
  • Processing of cookie data based on consent: We use a consent management solution in which users’ consent to the use of cookies or to the procedures and providers specified in the consent management solution is obtained. This procedure serves to obtain, record, manage and withdraw consents, in particular with regard to the use of cookies and comparable technologies that are used to store, read and process information on users’ end devices. As part of this procedure, users’ consents to the use of cookies and the associated processing of information, including the specific processing operations and providers mentioned in the consent management procedure, are obtained. Users also have the option of managing and revoking their consents. The consent declarations are stored in order to avoid a renewed query and to be able to provide proof of consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to be able to assign the consent to a specific user or their device. Unless specific information is provided regarding the providers of consent management services, the following general information applies: The duration of storage of consent is up to two years. A pseudonymous user identifier is created which is stored together with the time of consent, information on the scope of the consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, system and end device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Contact and request management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) and in the context of existing user and business relationships, we process the details of the persons making the enquiry, insofar as this is necessary to respond to the contact requests and any requested measures.
  • Types of data processed: Inventory data (e.g. full name, home address, contact details, customer number, etc.); contact data (e.g. postal and e-mail addresses or telephone numbers); content data (e.g. textual or visual messages and contributions and the information relating to them, such as details of authorship or time of creation); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; organisational and administrative procedures; feedback (e.g. collecting feedback via online form). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Further information on processing operations, procedures and services:
  • Contact form: When you contact us via our contact form, by e-mail or other means of communication, we process the personal data transmitted to us in order to answer and process the respective request. This usually includes information such as your name, contact details and any further information that you provide to us and that is required for proper processing. We use this data exclusively for the stated purpose of contacting you and communicating with you; Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Web analytics, monitoring and optimisation

Web analytics (also referred to as “reach measurement”) serves to evaluate the visitor flows of our online offering and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognise at what time our online offering or its functions or content are used most frequently or invite repeat use. Likewise, we can identify which areas require optimisation. In addition to web analytics, we may also use testing procedures to test and optimise different versions of our online offering or its components. Unless otherwise stated below, profiles, i.e. data summarised into a usage process, may be created for these purposes and information stored in a browser or on an end device and then read out. The information collected includes, in particular, the websites visited and the elements used there as well as technical information such as the browser used, the computer system employed and information on usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, location data may also be processed. In addition, users’ IP addresses are stored. However, we use an IP masking procedure (i.e. pseudonymisation by shortening the IP address) to protect users. Generally, no clear user data (such as e-mail addresses or names) is stored in the context of web analytics, A/B testing and optimisation, but rather pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures. Notes on legal bases: Where we ask users for their consent to the use of third-party providers, consent is the legal basis for data processing. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); profiles with user-related information (creating user profiles). Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Security measures: IP masking (pseudonymisation of the IP address).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
  • Google Analytics: We use Google Analytics to measure and analyse the use of our online offering on the basis of a pseudonymous user identification number. This identification number does not contain any unique data such as names or e-mail addresses. It is used to assign analytical information to an end device so that it can be recognised which content users have accessed within a single or across several usage sessions, which search terms they have used, whether they have accessed our online offering again or interacted with it. The time and duration of use as well as the sources from which users are referred to our online offering and technical information about their end devices and browsers are also stored. A pseudonymous profile of users is created with information from the use of various devices, for which cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. However, Analytics provides coarse geographical location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, the IP address data is only used to derive geolocation data before it is immediately deleted. It is not logged, is not accessible and is not used for other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking (pseudonymisation of the IP address); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms), Switzerland – Data Privacy Framework (DPF), standard contractual clauses (https://business.safety.google/adsprocessorterms); Opt-out options: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertising: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing as well as processed data).

Online marketing

We process personal data for the purposes of online marketing, including, in particular, the marketing of advertising space or the display of advertising and other content (collectively referred to as “content”) based on potential interests of users and the measurement of their effectiveness. For these purposes, user profiles are created and stored in a file (the so-called “cookie”) or similar procedures are used by which information relevant for the display of the aforementioned content is stored about the user. This may include, for example, the content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system employed and usage times and functions used. If users have consented to the collection of their location data, this may also be processed. In addition, users’ IP addresses are stored. However, we use available IP masking procedures (i.e. pseudonymisation by shortening the IP address) to protect users. Generally, no clear user data (such as e-mail addresses or names) is stored as part of the online marketing procedures, but pseudonyms. This means that we, as well as the providers of the online marketing procedures, do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures. The information in the profiles is usually stored in the cookies or using similar procedures. These cookies can later generally also be read on other websites that use the same online marketing procedure and analysed for the purpose of displaying content and supplemented with further data and stored on the server of the provider of the online marketing procedure. In exceptional cases, clear data may be assigned to the profiles, primarily when users are, for example, members of a social network whose online marketing procedure we use and the network associates the user profiles with the aforementioned information. We ask you to note that users may make additional arrangements with the providers, for example by giving their consent during registration. We generally only receive access to aggregated information about the success of our advertisements. However, in the context of so-called conversion measurements, we can determine which of our online marketing procedures have led to a so-called conversion, i.e. for example to the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures. Unless otherwise stated, please assume that cookies used may be stored for a period of two years. Notes on legal bases: Where we ask users for their consent to the use of third-party providers, consent is the legal basis for data processing. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy. Notes on withdrawal and objection: We refer you to the privacy notices of the respective providers and the objection options (so-called “opt-out”) specified for the providers. If no explicit opt-out option has been stated, you have the possibility to disable cookies in your browser settings. However, this may restrict functions of our online offering. We therefore additionally recommend the following opt-out options, which are offered collectively for each region: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.
  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behaviour-based profiling, use of cookies); audience building; marketing. Profiles with user-related information (creating user profiles).
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Security measures: IP masking (pseudonymisation of the IP address).

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or city maps (hereinafter collectively referred to as “content”). The integration always requires that the third-party providers of this content process the users’ IP address, as they would not be able to send the content to users’ browsers without the IP address. The IP address is therefore required for the display of this content or functions. We endeavour to only use content whose respective providers use the IP address solely for the provision of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the users’ devices and may contain, among other things, technical information on the browser and operating system, referring websites, time of visit and other information on the use of our online offering and may also be linked with information from other sources. Notes on legal bases: Where we ask users for their consent to the use of third-party providers, consent is the legal basis for data processing. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
  • Types of data processed: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions). Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”. Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods can be stored on users’ devices for a period of two years).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing operations, procedures and services:
  • Integration of third-party software, scripts or frameworks (e.g. jQuery): We integrate software into our online offering that we retrieve from the servers of other providers (e.g. function libraries that we use to display or improve the user-friendliness of our online offering). The respective providers collect the users’ IP address and may process it for the purpose of transmitting the software to the users’ browser as well as for security purposes and to evaluate and optimise their offering – We integrate software into our online offering that we retrieve from the servers of other providers (e.g. function libraries that we use to display or improve the user-friendliness of our online offering). In this process, the respective providers collect the users’ IP address and may process it for the purpose of transmitting the software to the users’ browser as well as for security purposes and to evaluate and optimise their offering; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Fonts (hosted on our own server): Provision of font files for a user-friendly display of our online offering; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Fonts (retrieved from Google server): Retrieval of fonts (and icons) for the purpose of technically secure, maintenance-free and efficient use of fonts and icons with regard to their up-to-dateness and loading times, their uniform display and compliance with possible licence restrictions. The provider of the fonts is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of the fonts in accordance with the devices used and the technical environment. This data may be processed on a server of the provider of the fonts in the USA – When visiting our online offering, users’ browsers send their browser HTTP requests to the Google Fonts Web API (i.e. a software interface for retrieving the fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the internet, (2) the requested URL on the Google server and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of website visitors, as well as the referrer URL (i.e. the web page on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analysed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families that the user wants to load. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must adjust the font that is generated for each browser type. The user agent is primarily logged for debugging and used to generate aggregate usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and to generate an aggregate report on top integrations based on the number of font requests. According to Google, none of the information collected by Google Fonts is used to create profiles of end users or to serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF). Further information: https://developers.google.com/fonts/faq/privacy?hl=de.
  • Font Awesome (hosted on our own server): Display of fonts and icons; Service provider: Font Awesome icons are hosted on our server, no data is transmitted to the Font Awesome provider; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).