Privacy Policy
In this privacy policy, we inform you about the processing of personal data when using our website or platform.
Personal data is information that relates to an identified or identifiable person. This primarily includes information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or email address. However, personal data also includes certain identifiers such as your IP address or the device ID of the device you are using.
1. Responsible Person and Contact Person
The contact person and so-called data controller for the processing of your personal data within the meaning of the United Kingdom General Data Protection Regulation (UK GDPR) when you visit this website is
Fotografen Online Service GmbH
Hausvogteiplatz 12
10117 Berlin
Phone: +49 (0) 30 364 288 950
E-mail: privacy@gotphoto.com
If you have any questions about data protection in connection with our services or the use of our website, you can contact our data protection officer at any time. He can be contacted at the above postal address and at the email address provided (please indicate “c/o data protection officer” in the subject line). We would like to point out that any messages sent and content shared, when using this email address, are not exclusively viewed by our data protection officer. If you wish to exchange confidential information, we would ask you to contact us directly via this email address as a first step before sharing any further information.
2. Data Processing on our Website
2.1 Accessing our Website / Technical Information
Each time you use our website, we collect technical information that your browser automatically transmits to enable you to visit the website. This technical information consists of the so-called HTTP header information, including the user agent, and includes in particular
- IP address of the requesting device,
- Method (e.g. GET, POST), date and time of the request,
- Address of the requested website and path of the requested file,
- if applicable, the previously accessed website/file (HTTP referrer),
- Information about the browser and operating system used,
- Version of the HTTP protocol, HTTP status code, size of the delivered file,
- Request information such as language, type of content, encoding of content, character sets,
- If applicable, the user name applied for authentication in the case of directory password protection.
The processing of this technical information is absolutely necessary to enable your visit of the website, to ensure the permanent functionality and security of our systems and to maintain our website. The technical information is temporarily stored in internal log files for the purposes described above, limited in content to what is absolutely necessary, in order to find the cause and take action in the event of repeated or criminal access that jeopardises the stability and security of our website. For these storage purposes your IP address will be anonymised immediately.
The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f UK GDPR reflecting our legitimate interest in enabling website access and the permanent functionality and security of our systems. The automatic transmission of the technical information and the log files developed from it does not constitute access to the information in the end device within the meaning of regulation 6 PECR. Otherwise, such access to information in the end device would be strictly necessary.
2.2 Contact
You have several options to contact us. These include email, telephone, our contact form and our live chat. In this context, we process data exclusively for the purpose of communicating with you.
The legal basis is Art. 6 para. 1 sentence 1 lit. b UK GDPR, insofar as your information is required to initiate or execute a contract with you, and otherwise Art. 6 para. 1 sentence 1 lit. f UK GDPR reflecting our legitimate interest to communicate with you based on your enquiry. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of regulation 6 para. 4 lit. b PECR.
We only make promotional telephone calls if you have given your consent. If you are not an existing customer, we will only send you promotional emails on the basis of your consent. The legal basis in these cases is Art. 6 para. 1 sentence 1 lit. a UK GDPR.
The data collected by us when you contact us will be automatically deleted after your enquiry has been fully processed, unless we still need this data to fulfil contractual or legal obligations (see section 7 “Storage period”).
2.2.1 Contact Form
The contact form, which can be accessed via our Help Centre (https://help.gotphoto.com/hc/de), is provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States, who process your data on our behalf. We have a data processing agreement in place with Freshworks Inc. In the event that personal data is transferred to the US or other third countries, we have implemented standard contractual clauses with Freshworks Inc. in accordance with Art. 46 para. 2 lit. c UK GDPR.
Further information on data protection can be found here: https://www.freshworks.com/legal/.
2.2.2 Live Chat (HubSpot)
Our live chat, which is used to improve communication with website visitors, is provided by HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland (“HubSpot”).
In order to answer live enquiries, the chat content you provide is collected and stored for the duration of the chat. We only collect your email address and telephone number, if you voluntarily provide them to us and give us permission to contact you subsequently. The chat will be deleted immediately as soon as the chat conversation has ended.
We have concluded a data processing agreement with HubSpot. The data collected in this context may be transferred by HubSpot to HubSpot, Inc. in the US. HubSpot, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active.
Further information can be found in HubSpot’s privacy policy.
2.3 Registration for Photographers
You have the option to register for a user account in order to use the full range of functionalities of our software and to operate a photography online shop via our platform.
The data fields first and last name, the selection criteria (professional or amateur photographer or photo order), email address, telephone number (optional), desired domain or shop name must be provided by you. Registration is not possible without the provision of this data.
For the operation of the online shop we collect further data if this is necessary for the fulfilment of the contract. The legal basis for processing is Art. 6 para. 1 sentence 1 lit. b UK GDPR.
2.4 Orders
Photographers have the option to order software licences or physical products in our online shop. During the ordering process we collect the mandatory information required to fulfil the contract:
- First name and surname,
- Email address,
- Telephone number,
- Billing and shipping address.
The legal basis for processing is Art. 6 para. 1 sentence 1 lit. b UK GDPR.
2.5 Newsletter
You have the option to subscribe to our newsletter, in which we regularly inform you about webinars, new guides, innovations to our products and promotions.
We use the so-called double opt-in procedure for the subscription to our newsletter, i.e. we will only send you newsletters by email, if you click on a link in our notification email, thereby confirming that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of this storage is to send you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by email or letter) is also sufficient for this purpose. The legal basis for processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR.
2.6 Advertising to Existing Customers by Email
If you register for a user account or make a purchase from us, we will also use your contact details to send you further information about our products and services by email (“existing customer advertising”). This may include news, promotions and offers as well as feedback and other surveys.
The legal basis for this data processing is Art. 6 para. 1 lit. f UK GDPR, according to which data processing is permitted to safeguard legitimate interests.
You can object to the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the contact details given above (e.g. by email or letter) without incurring any costs other than the transmission costs according to the basic rates.
2.7 Surveys
You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service.
The legal basis for data processing as part of the survey is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. We base the sending of the surveys on Art. 6 para. 1 lit. f UK GDPR, reflecting our legitimate interest in customising and continuously improving our services.
You can object to receiving a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the above-mentioned contact details (e.g. by e-mail or letter) without incurring any costs other than the transmission costs according to the basic rates.
2.8 Contests
In the context of contests, we use your data for the purpose of organising the contest and notifying the winners. Detailed information can be found in the terms and conditions for the respective contest. The legal basis for processing is the contest contract in accordance with Art. 6 para. 1 sentence 1 lit. b UK GDPR.
2.9 Job Applications
You can apply for open job positions by email or via our career portal. The purpose of data collection is the selection of applicants for the possible establishment of an employment relationship. In order to process your application, we collect the data you provide (usually: first and last name; email address; application documents such as references and CV; earliest possible starting date for the job; channel through which you became aware of the job advertisement; telephone number; salary expectations). We would like to point out that confidentiality cannot be guaranteed if application documents are sent by email without encryption.
Ashby, Inc, 49 Geary Street, Suite 411, San Francisco, CA, 94108, United States, is providing our career portal and managing applications. We have concluded a data processing contract with the provider. The transfer of data to the US takes place on the basis of standard data protection clauses. The provider’s privacy policy can be accessed here: https://www.ashbyhq.com/resources/privacy.
The legal basis for the processing of your application documents is Art. 6 para. 1 lit. b UK GDPR.
We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data for as long as it is required for the employment relationship and to comply with statutory regulations.
If we reject your application, we will store your application data for a maximum of three months following the rejection, unless you give us your consent to store it for longer. If you have given us explicit consent, we will store your data in our pool of applicants for a further twelve months after the end of the application process in order to identify any other interesting positions for you and to contact you again if necessary. After this period, the data will be deleted. You can revoke this consent at any time for the future by sending us an email to jobs@fotograf.de.
3. Use of Tools on the Website
This website uses various services and applications (collectively “tools”) that are provided either by us or by third parties.
The tools we use are listed below organised by category. We inform you about the providers of the tools, the collection of data and the transfer of data to third parties. We also explain to you in which cases we must obtain your voluntary consent to use the tools and how you can revoke this consent once given.
In the event that the information in the consent banner contradicts the information in this privacy policy, the information in this privacy policy shall take precedence.
3.1 Technologies Used
Some of the tools used on this website use technologies to store or access information on your device:
- Cookies: Information stored in the browser, consisting of a cookie name, a value, the storing domain and an expiry date. So-called session cookies are deleted after the session, while other cookies are deleted after the specified expiry date. Cookies can also be removed manually.
- Local Storage / Session Storage: Information stored in the browser, consisting of a name and a value. Information in session storage is deleted after the session, while information in local storage has no expiry date and remains stored. Information in local and session storage can also be removed manually.
- Fingerprints: Profile stored by a service, created on the basis of automatically transmitted connection information (“passive fingerprinting”) and/or by retrieving the information through scripts (“active fingerprinting”) (in particular IP address, information about end user device, browser, plugins/add-ons, operating system, language, time zone, scripts, fonts, screen resolution, time of access). Fingerprints make it possible to recognise visitors. They cannot be prevented completely. However, active fingerprinting can be reduced or prevented by blocking scripts. In this case, however, most services will no longer work.
- Pixel/ web beacon: A graphic automatically loaded by a service which makes it possible to recognise visitors or, for example, to determine when an email has been opened. Similar to fingerprints, information can be retrieved and profiles can be created. The use of pixels can be prevented by blocking images in emails.
Information about the cookies we use can be found in our cookie declaration at https://app.gotphoto.co.uk/cookie_declaration. This cookie declaration is automatically generated by Usercentrics.
3.2 Legal Basis and Revocation
3.2.1 Legal Basis
We use tools strictly necessary for the operation of our website on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f UK GDPR to customise the use of our website and to make it more convenient and as time-saving as possible. In certain cases, these tools may also be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. b UK GDPR. Access to and storage of information on your device is absolutely necessary in these cases and is carried out based on Regulation 6 para. 4 lit. b Privacy and Electronic Communications Regulations (PECR).
We use all other tools, in particular those for marketing purposes, on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR. In these cases, access to and storage of information on your device is subject to consent and takes place based on Regulation 6 par. 2 PECR. These tools will only process your data, if we have received your consent in advance.
Any transfer of personal data to third countries is associated with certain risks. Please read Section 6 (“Data transfer to third countries”). For each provider in question, we will inform you whether a) an adequacy decision exists for the third country, b) standard contractual clauses or c) other guarantees have been put in place. If you have given your consent for the use of certain tools, we will (also) use this consent to transfer the data processed by the tools to third countries.
3.2.2 Obtaining Your Consent
We use the Cookiebot tool from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (“Usercentrics”) to obtain and manage your consent. The tool generates a consent banner that informs you about the data processing on our website and gives you the opportunity to consent to all, individually elected or no data processing when using optional tools. This banner appears the first time you visit our website and when you call up the selection of your settings again in order to change them or revoke your consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or if the cookies or information in Usercentrics’ local storage have been deleted or have expired.
When you visit our website, your consent or revocation, your IP address, information about your browser, your device and the time of your visit are transmitted to Usercentrics. Usercentrics also stores the necessary information on your device in order to retain the consents and revocations you have given. If you delete your cookies or information in local storage, we will ask you for your consent again when you visit the site at a later date.
Data processing by Usercentrics is necessary to provide you with the legally required consent management and to fulfil our documentation obligations. The legal basis for the use of Usercentrics is Art. 6 para. 1 sentence 1 lit. f UK GDPR, justified by our interest in fulfilling the legal requirements for consent management. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out based on Regulation 6 para. 4 lit. b PECR.
3.2.3 Revoking Your Consent or Changing Your Selection
You can revoke your consent given for certain tools at any time. To do so, click on the following button:
By clicking the button you can also change the selection of tools you wish to consent to and obtain additional information on the tools used. Alternatively, you can revoke your consent for the use of certain tools directly with the provider.
3.3 Essential Tools
We use certain tools to enable the basic functions of our website (“essential tools”). Without these tools, we would not be able to provide our service. Therefore, essential tools are used without consent. The legal basis for the implementation of essential tools is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f UK GDPR or the fulfilment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 sentence 1 lit. b UK GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is based on Regulation 6 para. 4 lit. b PECR.
3.3.1 Google Tag Manager
Our website uses Google Tag Manager, a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).
Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by Google Tag Manager with your consent.
The legal basis is Art. 6 para. 1 sentence 1 lit. f UK GDPR, based on our legitimate interest to easily integrate and manage several tags on our website.
Google collects information about the tags integrated through our website for the purpose of ensuring stability and functionality for the use of Google Tag Manager, but generally no personal data is collected, in particular no data about user behaviour, the IP address or the pages visited.
We have concluded a data processing agreement with Google Ireland Limited. The data collected in this context may be transmitted by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
Further information can be found in Google’s privacy policy.
3.3.2 Zendesk (HelpCentre)
We use the web widget from Zendesk, Inc, 989 Market Street, San Francisco, CA 94103, United States (“Zendesk”) for our HelpCentre.
In our HelpCentre you can, for example, ask questions about our services, the website or our company and leave us a comment.
When using Zendesk, the IP address of the device and the address of the subpage from which you access Zendesk are recorded.
The legal basis is Art. 6 para. 1 sentence 1 lit. b UK GDPR, insofar as the data is required to answer your enquiry in the context of the initiation or execution of a contract, and otherwise Art. 6 para. 1 sentence 1 lit. f UK GDPR, covering our legitimate interest in communicating with (potential) customers and providing rapid access to our employees.
The data collected in this context may be transferred to Zendesk, Inc. in the US. Zendesk, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TOjeAAG&status=Active.
Further information can be found in Zendesk’s privacy policy.
3.4 Functional Tools
We also use optional tools to improve the user experience on our website and to offer you more functions (“functional tools”). Although these are not absolutely essential for the basic functionality of the website, they can bring significant benefits to visitors, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels.
The legal basis for the functional tools is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR. To revoke your consent, see 3.2.3: “Revoking your consent or changing your selection”. In these cases, access to and storage of information in your device is subject to consent and takes place based on Regulation 6 par. 2 PECR.
In the event that personal data is transferred to the US or other third countries, your consent also expressly extends to the transfer of data (Art. 49 para. 1 sentence 1 lit. a UK GDPR). Please refer to section 6 (“Data transfer to third countries”) for the associated risks.
3.4.1 FIN AI Chatbot
Our website uses FIN, a service provided in the United States by Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States and for all other geographical areas by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland (together „Intercom“).
FIN is an AI chatbot that uses sophisticated AI language models to automatically solve customer service issues. The AI chatbot understands complex queries, asks clarifying questions and fully converses with the user.
The following information is processed: any personal data contained in questions, data, content or information submitted by you during each conversation with FIN.
The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR.
The data collected in this context may be processed by Intercom in the US. Intercom, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TNQvAAO&status=Active
FIN uses OpenAI as a sub-processor of any personal data submitted to FIN. Any processing of personal data by OpenAI is governed by a data processing agreement in place between Intercom and OpenAI. OpenAI is based in the US and any international transfer of personal data from Intercom to OpenAI is covered by the relevant and up-to-date Standard Contractual Clauses for international transfers under UK GDPR.
OpenAI has activated zero retention for all customer inputs and outputs. As a result, the inputs and outputs will not be stored by OpenAI. OpenAI is contractually prohibited from using customer data to improve or train its AI model.
3.5 Analysis Tools
In order to improve our website, we use optional tools for statistical recording and analysis of general user behaviour based on access data (“analysis tools”). We also use analysis services to analyse the use of our various marketing channels.
The legal basis for the analysis tools is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR. To revoke your consent, see 3.2.3: “Revoking your consent or changing your selection”. In these cases, access to and storage of information in your device is subject to consent and takes place based on Regulation 6 par. 2 PECR.
3.5.1 Google Universal (Google Analytics)
Our website uses Google Analytics, a service provided in Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (together “Google”).
Google Analytics uses JavaScript and pixels to read information on your device, as well as cookies to store information on your device. Google Analytics serves to evaluate your usage behaviour and improve our website. We will process the information obtained to analyse your use of the website and to compile reports on website activity for the website operator. The data collected in this context may be transmitted by Google to a server in the US and stored there.
We have chosen the following data protection settings for Google Analytics:
- IP anonymisation (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity);
- Automatic deletion of old logs/limitation of storage duration;
- Deactivated Measurement Protocol;
- Deactivated cross-page tracking (Google signals);
- Deactivated data sharing with other Google products and services.
The following data is processed by Google Analytics:
- IP address;
- Referrer URL (previously visited page);
- Pages accessed (date, time, URL, title, length of visit);
- Downloaded files;
- Clicked links to other websites;
- If applicable, achievement of certain goals (conversions);
- Technical information: Operating system; browser type, version and language; device type, make, model and resolution;
- Approximate location (country and, if applicable, city, based on anonymised IP address).
We have concluded a data processing agreement with Google Ireland Limited. The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
Further information can be found in Google’s privacy policy.
3.5.2 Hotjar
Our website uses Hotjar, a web analysis service provided by Hotjar Ltd, Elia Zammit Street 3, St Julians STJ 1000, Malta (“Hotjar”).
Hotjar is used to create so-called heat maps. Heat maps graphically display statistics about mouse movements and clicks on our site in order to analyse our website with regard to user behaviour. This enables us to recognise frequently used functions of our website and to further improve the site. However, your IP address is truncated before the usage statistics are analysed so that no conclusions can be drawn about your identity. In addition to mouse movements and clicks, information about the operating system, browser, incoming and outgoing links, geographical origin, resolution and type of device are analysed for statistical purposes. This information is pseudonymous and is not passed on to third parties by us or Hotjar. Data entered by you in form fields on our website is hidden and not recorded by Hotjar.
The following information is set and read by Hotjar in the local storage:
- “hjActiveViewportIds”, “hjViewportId”: Usage analysis, storage of the visitor ID.
Further information can be found in Hotjar’s privacy policy.
Hotjar also offers the option of objecting to data processing by Hotjar cookies in general for the future using the “Do Not Track” function of browsers. You can find out how to activate this function at: https://www.hotjar.com/policies/do-not-track/.
3.5.3 HubSpot
Our website uses an analysis tool from Hubspot. This tool can be used to analyse visitors’ interactions with our website. In particular, the IP address, the geographical location, the type of browser, the duration of your visit and the websites accessed are processed.
The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR.
We have concluded a data processing agreement with HubSpot. The data collected in this context may be transferred by HubSpot to HubSpot, Inc. in the US. HubSpot, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TN8pAAG&status=Active.
Further information can be found in HubSpot’s privacy policy.
3.5.4 Microsoft Clarity
Our website uses Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States (“Microsoft”).
Clarity is a behavioral analysis tool that captures how you use and interact with our website through metrics, heatmaps, and session replay. In order to do so, the following information is processed: IP-address, location, browser information, visited website and subpages, date and time of access to the website, clicks, scrolls and mouse movements. Clarity assigns each user a unique user ID and uses tracking technologies to determine online activity. We use this information for site optimization and advertising.
The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR.
The data collected in this context will be processed by Microsoft in the US. Microsoft Corporation has undergone the certification procedure according to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active
For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-gb/privacystatement.
3.6 Marketing Tools
We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when you use our website is used for interest-based advertising. By analysing and evaluating this access data, we are able to show you personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers.
In the following section, we would like to explain these technologies and the providers used for this in more detail. The data collected may include in particular
- the IP address of the device;
- the information of a cookie or in local storage or session storage;
- the device identifier of mobile devices (e.g. device ID, advertising ID);
- Referrer URL (previously visited page);
- Pages accessed (date, time, URL, title, length of visit);
- Downloaded files;
- Clicked links to other websites;
- If applicable, achievement of certain goals (conversions);
- Technical information: Operating system; browser type, browser version and browser language; device type, device make, device model and device resolution;
- Approximate location (country and city, if applicable).
However, the data collected is only stored under a pseudonym, so that no direct conclusions can be drawn about individuals.
3.6.1 Meta- Pixel (formerly Facebook- Pixel)
Our website uses the Meta-Pixel service for marketing purposes, which is offered outside the US and Canada by Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland and in the US and Canada by Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, United States (together “Meta Platforms”).
We use Meta-Pixel to analyse the general use of our website and to track the effectiveness of Facebook advertising (“conversion tracking”). We also use Meta-Pixel to display personalised advertising messages based on your interest in our products (“retargeting”). This also involves target group remarketing through custom audiences.
Meta Platforms processes data that the service collects via JavaScript, cookies and other technologies on our website. This includes in particular
- HTTP header information such as information about the browser used (e.g. user agent, language);
- Information on events such as “page view”, other object properties and buttons clicked by visitors to the website;
- Online identifiers such as IP addresses and, where provided, Facebook business-related identifiers or device IDs (such as advertising IDs for mobile operating systems) and information on the status of deactivation/restriction of ad tracking.
Meta Platforms acts as our processor for matching, measurement and analysis services, in particular for analysing the use of our website, matching user IDs and creating reports on our advertising campaigns. We have concluded a data processing agreement with Meta Platforms.
The data collected in this context may be transferred by Meta Platforms Ireland Limited to Meta Platforms Inc. in the US. Meta Platforms Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active.
In addition, we and Meta Platforms are jointly responsible for the processing of event data for the targeting of advertisements (through the creation and selection of target groups), the delivery of commercial and transactional messages, the improvement of ad delivery and the personalisation of functions and content when using Meta-Pixel. The mutual obligations were set out in a joint contract, which can be accessed at the following address: https://www.facebook.com/legal/controller_addendum.
Meta Platforms also processes the event data for the protection and security of Meta Platforms’ products, for research and development purposes and to maintain the integrity of the products and improve them.
If you are a member of Facebook or Instagram and have allowed Meta Platforms to do so via the privacy settings of your account, Facebook or Instagram may also link the information collected about your visit to our website to your member account and use it for targeted advertising. You can view and change the privacy settings of your Facebook profile at any time: https://www.facebook.com/settings/?tab=ads. You can prevent the linking of data collected outside Instagram for the display of personalised advertising in Instagram as described here: https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE.
If you have not consented to the use of Meta-Pixel, Meta Platforms will only display generic adverts that are not selected based on the information collected about you on this website.
Further information, e.g. regarding joint responsibility and contact details, can be found in Meta Platforms’ privacy policy, in particular for the social networks Facebook and Instagram: https://www.facebook.com/about/privacy/.
3.6.2 Google Ads
Our website uses the Google Ads service, which is offered in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).
Applying Google Ads Conversion Tracking we define customer actions (such as clicking on an ad, page views, downloads) that are recorded and analysed. We use Google Ads Remarketing to show you individualised advertising messages for our products on Google partner websites. Both services use cookies, JavaScript, pixels and other technologies for this purpose.
The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings stored in your Google account. If you do not desire a link to your Google account, you must log out of Google before visiting our website.
If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to revoking your consent (see 3.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.
Further information can be found here:
- in the notice on data use: https://policies.google.com/technologies/ads;
- in Google’s privacy policy: https://policies.google.com/privacy.
3.6.3 Google AdSense
Our website uses the service Google AdSense, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland in Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (“Google”) in all other geographic areas.
Google AdSense enables the placement of adverts on third-party sites and is based on an algorithm that selects the adverts displayed on third-party sites to match the content of the respective third-party site. This allows an interest-based approach to visitors (“targeting”), which is implemented by generating individual user profiles. When you visit our website, your use is analysed and evaluated for this purpose. Each time a subpage is accessed, data is automatically transmitted to Google for the purposes of online advertising, generating advertising revenue and billing commissions. In the process, Google obtains knowledge of personal data, such as your IP address, which Google uses, among other things, to trace the origin of visitors and clicks on adverts. For this purpose, Google AdSense uses cookies, which are stored on your device, and pixels, which establish a connection to the Google server.
The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings stored in your Google account. If you do not desire a link to your Google account, you must log out of Google before visiting our website.
If you have not consented to the use of Google AdSense, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to revoking your consent (see 3.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.
Further information can be found here:
- in the notice on data use: https://policies.google.com/technologies/ads;
- in Google’s privacy policy: https://policies.google.com/privacy.
3.6.4 Google Marketing Platform and Ad Manager (formerly DoubleClick)
Our website uses Google Marketing Platform and Google Ad Manager, services provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (together “Google”).
These services use cookies and other technologies to show you adverts that are relevant to you. The use of the services enables Google and its partner websites to display adverts based on previous visits to our or other websites on the Internet.
Google may transfer the data collected in this context for analysis to a server in the US and store the data there. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US:
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.
If you have not consented to the use of Google Marketing Platform and Ad Manager, Google will only display generic advertising that has not been selected based on the information collected about you on this website. In addition to revoking your consent (see 3.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.
Further information can be found here:
- in the notice on data use: https://policies.google.com/technologies/ads;
- in Google’s privacy policy: https://policies.google.com/privacy.
3.6.5 Microsoft Advertising (formerly Bing Ads)
Our website uses Microsoft Advertising, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). Microsoft uses JavaScript, cookies and local storage to present you with adverts that are relevant to you. The use of these technologies enables Microsoft and its partner websites to display adverts based on previous visits to our or other websites on the Internet. Microsoft may transfer the data collected in this context for analysis to a server in the US and store the data there.
The following information in the Local Storage is stored and read by Microsoft Advertising:
- “_uetsid”: Session ID;
- “_uetvid”: Recognition of visitors, usage analysis, display of personalised advertising;
- “_uetsid_exp”, “_uetvid_exp”: Information about the expiry date of the information in Local Storage.
The data collected in this context may be transferred by Microsoft Ireland Operations Limited to Microsoft Corporation in the US. Microsoft Corporation has undergone the certification procedure according to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000KzNaAAK&status=Active.
In addition to revoking your consent (see 3.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate the personalised ads in Microsoft Advertising or in the settings for ads in your Microsoft account:
- Personalised ads: https://about.ads.microsoft.com/de-de/ressourcen/richtlinien/personalisierte-anzeigen;
- Settings for displays: https://account.microsoft.com/privacy/ad-settings/signedout.
Further information can be found in Microsoft’s privacy policy: https://privacy.microsoft.com/en-gb/privacystatement.
3.7 External Media
We also use external media in the form of embedded videos.
Unless otherwise stated, the legal basis for this is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR, which you give via the consent banner or via a banner (“overlay”) placed over the respective tool itself.
In these cases, access to and storage of information in the device is subject to consent and takes place based on Regulation 6 par. 2 PECR.
3.7.1 Wistia
We use the service for hosting and embedding videos from Wistia, Inc., 120 Brookline Street, Cambridge, Massachusetts 02139, US on our website.
Wistia collects data about video usage by the visitor, e.g. how much of the video was viewed, at what point the video was paused or whether it was continued at another point, how many videos were viewed and how often they were viewed. The IP address, device class (desktop, mobile), operating system, browser, embedded URL (page on which the video is played), internet provider, location, region and country, session start time (date and time of the first video view per video) are processed.
The following information is stored in the Local Storage:
- “wistia-video-progress”: Saves whether the user has viewed embedded content;
- “Wistia”: Storage of actions performed on the website.
The data collected in this context may be transferred to Wistia, Inc. in the US. Wistia, Inc. has undergone the certification procedure according to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2z3d0000000k55AAA&status=Active.
Further information can be found in Wistia’s privacy policy.
4. Online Presences in Social Networks
We maintain an online presence on social networks in order to communicate with customers and interested parties and to provide information about our services. User data is generally processed by the relevant social networks for market research and advertising purposes. This allows the creation of user profiles based on the interests of users. Cookies and other identifiers are stored on the devices of the data subjects for this purpose. Based on these user profiles, adverts are placed, for example within the social networks as well as on third-party websites.
For our online presences we may have access to information such as statistics on the use of such online presences provided by the social networks. These statistics are aggregated and may contain demographic information (e.g. age, gender, region), data on the interaction with our online presence (e.g. likes) and the posts and content distributed. Statistics may also provide information about the interests of users and which content and topics are particularly relevant to them. This information can be used to adapt the design, and optimise our activities and content for our audience. Please refer to the list below for details and links to the social network data that we can access as the operator of the online presence. The collection and use of these statistics are generally subject to joint responsibility.
The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f UK GDPR, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 sentence 1 lit. b UK GDPR, in order to stay in contact with and inform our customers, and to take pre-contractual steps with interested parties.
If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This can be done via direct messages or posted contributions. Communication via the social network is subject to the responsibility of the social network as a messenger and platform service. Content-related communication via the social network and the processing of content data is the responsibility of the social network as a messenger and platform service. As soon as we transfer personal data from you to our own systems or process it further, we are independently responsible for the data processing and this is done to perform pre-contractual activities or to fulfil a contract in accordance with Art. 6 Para. 1 lit. b UK GDPR.
The legal basis for the data processing carried out by the social networks can be found in the data protection information of the respective social network. The links below will also provide you with further information on the respective data processing and the options to object.
We would like to point out that data protection requests can be made most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. If you contact us with your request, we will forward your enquiry to the provider of the social network.
Below is a list with information on the social networks where we have an online presence:
- Facebook, Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland
- Operation of the Facebook fan page under joint responsibility on the basis of an agreement on joint processing of personal data (so-called Page Insights addendum regarding the controller)
- Information on the processed Page Insights data and how to contact us in the event of data protection enquiries: https://www.facebook.com/legal/terms/information_about_page_insights_data
- Privacy policy: https://www.facebook.com/about/privacy/
- Opt-out: https://www.facebook.com/settings?tab=ads and
http://www.youronlinechoices.com
- Instagram, Meta Platforms Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland
- Instagram Business account on the basis of an agreement on joint processing of personal data (so-called Page Insights addendum regarding the controller): https://www.facebook.com/legal/terms/page_controller_addendum
- Information on the processed Page Insights data and how to contact us in the event of data protection enquiries:
https://www.facebook.com/legal/terms/information_about_page_insights_data
- Privacy policy: https://help.instagram.com/519522125107875
- Opt-out (declaration): https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE
- YouTube, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
- Privacy policy: https://policies.google.com/privacy
- Opt-out: https://www.google.com/settings/ads
- Twitter/ X, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland
- Privacy policy: https://twitter.com/de/privacy
- Opt-out: https://twitter.com/settings/account/personalization
- LinkedIn, LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
- Operation of the LinkedIn company page under joint responsibility on the basis of an agreement on the joint processing of personal data (so-called Page Insights Joint Controller Addendum)
- Information on the processed Page Insights data and how to contact us in the event of data protection enquiries: https://legal.linkedin.com/pages-joint-controller-addendum
- Privacy policy: https://www.linkedin.com/legal/privacy-policy
- Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
- Xing/Kununu, XING SE, Am Strandkai 1, 20457 Hamburg
- Privacy policy/ opt-out: https://privacy.xing.com/de/datenschutzerklaerung
5. Disclosure of Data
The data collected by us will only be passed on if:
- you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR,
- the disclosure is necessary for the assertion, exercise or defence of legal claims pursuant to Art. 6 para. 1 sentence 1 lit. f UK GDPR and there is no reason to assume that you have an overriding interest in the non-disclosure of your data,
- we are legally required to pass on data in accordance with Art. 6 para. 1 sentence 1 lit. c UK GDPR or
- necessary in accordance with Art. 6 para. 1 sentence 1 lit. b UK GDPR for the performance of a contract to which you are a party or to take steps prior to a contract at your request.
Data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include, in particular, photo labs, data centres that host our website and store our databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may only use the data to fulfil their specific tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.
In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings, if necessary.
6. Data Transfer to Third Countries
As previously disclosed in this privacy policy, we use services whose providers may be located or process personal data in so-called third countries (outside the European Union, the European Economic Area and the UK), i.e. countries whose level of data protection does not correspond to that of the European Union, the European Economic Area and the UK. If this is the case and the European Commission and the UK Government have not issued an adequacy decision for these countries (Art. 45 UK GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union and the International Data Transfer Addendum (to the European Commission’s Standard Contractual Clauses for International Data Transfers) or binding internal data protection regulations.
Where this is not possible, we base the transfer of data on exceptions under Art. 49 UK GDPR, in particular your express consent or the necessity of the transfer for the fulfilment of a contract or for the implementation of pre-contractual measures.
If a transfer to a third country is planned and no adequacy decision or suitable guarantees exist, there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. We will provide you with specific information, when requesting your consent via the consent banner.
7. Storage Period
In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need to retain the data as evidence for civil law claims (until the statutory limitation period expires) or due to statutory retention obligations.
In accordance with the statutory limitation period, claims expire at the earliest three years from the end of the year in which the business relationship with you ends. For evidence purposes, we must retain contract data for that long.
Thereafter, we still have to store some of your personal data for accounting reasons. We are obliged to comply with statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified for the retention of documents are between two to ten years.
8. Your Data Subject Rights
You the following data subject rights:
- Right to revoke your consent;
- Right to object to the processing of your personal data (Art. 21 UK GDPR);
- Right to obtain information whether and/or which personal data is processed by us (Art. 15 UK GDPR);
- Right to obtain rectification of your incorrect personal data stored by us (Art. 16 UK GDPR);
- Right to obtain erasure of your personal data (Art. 17 UK GDPR);
- Right to obtain restriction of processing of your personal data (Art. 18 UK GDPR);
- Right to data portability of your personal data (Art. 20 UK GDPR);
- Right to lodge a complaint with the Information Commissioner’s Office (Art. 77 UK GDPR).
To assert your rights described here, you can contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.
Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, beyond this period if there is a reason to assert, exercise or defend legal claims. The legal basis is Art. 6 para. 1 sentence 1 lit. f UK GDPR, based on our interest to defend ourselves against any civil law claims pursuant to Art. 82 UK GDPR, the avoidance of fines pursuant to Art. 83 UK GDPR and the fulfilment of our accountability obligation pursuant to Art. 5 para. 2 UK GDPR.
You have the right to revoke your consent at any time. As a result, we will no longer process your data based on this consent. The revocation of consent does not affect the lawfulness of processing your data before the revocation of your consent.
If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it concerns an objection to data processing for direct marketing purposes, you have a general right to object and we will comply with your wishes. You do not need to give any reasons.
If you would like to exercise your right of cancellation or objection, simply send an informal message to the contact details above.
Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right, for example, with a supervisory authority in the state of your place of residence, your place of work or the place of the alleged infringement. The competent supervisory authority in the UK is:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.
9. Changes to the Privacy Policy
We occasionally update this privacy policy, for example when we customise our website or when legal or regulatory requirements change.
Updated: January 2024