Privacy Policy

This privacy policy informs you about the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the websites, functions and content connected with it, as well as external online presences such as our social media profiles (hereinafter jointly referred to as “online offering”). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

Types of data processed

• Master data (e.g. names, addresses).
• Contact data (e.g. email, phone numbers).
• Content data (e.g. text entries, photographs, videos).
• Usage data (e.g. websites visited, interest in content, access times).
• Meta/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as “users”).

Purpose of processing

• Provision of the online offering, its functions and content.
• Responding to contact requests and communicating with users.
• Security measures.
• Reach measurement / marketing.

Terms used

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); a natural person is regarded as identifiable who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal bases for our data processing. Where the legal basis is not stated in this privacy policy, the following applies: the legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR; the legal basis for processing in order to fulfil our services and carry out contractual measures as well as to respond to enquiries is Art. 6(1)(b) GDPR; the legal basis for processing in order to fulfil our legal obligations is Art. 6(1)(c) GDPR; and the legal basis for processing in order to safeguard our legitimate interests is Art. 6(1)(f) GDPR. In the event that vital interests of the data subject or another natural person make processing of personal data necessary, Art. 6(1)(d) GDPR serves as the legal basis.

Security measures

In accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take appropriate technical and organisational measures in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as the access to, input, disclosure, availability and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subjects’ rights, the deletion of data and a response to data breaches. We also take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in line with the principle of data protection by design and by default (Art. 25 GDPR).

Cooperation with processors and third parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them or otherwise grant them access to the data, this is only done on the basis of a legal permission (e.g. where transmitting the data to third parties such as payment service providers is necessary for the performance of the contract pursuant to Art. 6(1)(b) GDPR), where you have consented, where a legal obligation provides for this, or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

Where we commission third parties to process data on the basis of a so-called “data processing agreement”, this is done on the basis of Art. 28 GDPR.

Transfers to third countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transmitting data to third parties, this is only done in order to fulfil our (pre-)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests.

Subject to legal or contractual permissions, we process or have data processed in a third country only where the special conditions of Art. 44 et seq. GDPR are met. That is, processing takes place, for example, on the basis of special guarantees, such as the officially recognised determination of a level of data protection corresponding to that of the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).

Rights of data subjects

You have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with Art. 15 GDPR.

In accordance with Art. 16 GDPR, you have the right to request the completion of the data concerning you or the rectification of inaccurate data concerning you.

In accordance with Art. 17 GDPR, you have the right to request that data concerning you be erased without undue delay or, alternatively, in accordance with Art. 18 GDPR, to request a restriction of the processing of the data.

You have the right to request that the data concerning you which you have provided to us be received in accordance with Art. 20 GDPR and to request its transmission to other controllers.

You also have the right, in accordance with Art. 77 GDPR, to lodge a complaint with the competent supervisory authority.

Right of withdrawal

You have the right to withdraw consent given in accordance with Art. 7(3) GDPR with effect for the future.

Right to object

You can object at any time to the future processing of the data concerning you in accordance with Art. 21 GDPR. The objection may in particular be made against processing for direct marketing purposes.

Cookies and right to object to direct marketing

“Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offering and closes their browser. Such a cookie can, for example, store the contents of a shopping cart in an online shop or a login status.

Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be stored if users visit the offering after several days. Likewise, such a cookie can store the interests of users, which are used for reach measurement or marketing purposes. “Third-party cookies” are cookies offered by providers other than the controller operating the online offering (otherwise, if they are only the controller’s cookies, they are referred to as “first-party cookies”).

We may use temporary and permanent cookies and explain this in our privacy policy.

If users do not want cookies to be stored on their computer, they are asked to deactivate the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Excluding cookies can lead to functional restrictions of this online offering.

A general objection to the use of cookies used for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US-American site aboutads.info/choices or the EU site youronlinechoices.com.

Furthermore, the storage of cookies can be achieved by switching them off in the browser settings. Please note that in this case not all functions of this online offering may be usable.

You can withdraw your consent to cookies at any time or adjust your settings to call up the cookie settings again.

Deletion of data

The data processed by us is deleted or its processing restricted in accordance with Art. 17 and 18 GDPR. Unless expressly stated within this privacy policy, the data stored by us is deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with statutory retention obligations.

If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

In accordance with statutory requirements in Germany, retention takes place in particular for 10 years pursuant to §§ 147(1) AO, 257(1) no. 1 and 4, (4) HGB (books, records, management reports, accounting documents, commercial books, documents relevant for taxation, etc.) and for 6 years pursuant to § 257(1) no. 2 and 3, (4) HGB (commercial letters).

In accordance with statutory requirements in Austria, retention takes place in particular for 7 years pursuant to § 132(1) BAO (accounting documents, receipts/invoices, accounts, vouchers, business papers, statement of income and expenditure, etc.), for 22 years in connection with real estate, and for 10 years for documents relating to electronically supplied services, telecommunications, radio and television services provided to non-entrepreneurs in EU member states and for which the Mini One Stop Shop (MOSS) is used.

Business-related processing

In addition, we process contract data (e.g. subject matter of the contract, term, customer category) and payment data (e.g. bank details, payment history) of our customers, prospects and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.

Agency services

We process the data of our customers within the scope of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.

In doing so, we process master data (e.g. customer master data such as names or addresses), contact data (e.g. email, phone numbers), content data (e.g. text entries, photographs, videos), contract data (e.g. subject matter of the contract, term), payment data (e.g. bank details, payment history), usage and metadata (e.g. in the context of the evaluation and success measurement of marketing measures). As a rule, we do not process special categories of personal data, except where these are components of a commissioned processing.

Data subjects include our customers, prospects and their customers, users, website visitors or employees as well as third parties. The purpose of processing is the provision of contractual services, billing and our customer service. The legal bases of the processing arise from Art. 6(1)(b) GDPR (contractual services), Art. 6(1)(f) GDPR (analysis, statistics, optimisation, security measures). We process data that is necessary for the establishment and fulfilment of the contractual services and point out the necessity of providing it.

Disclosure to external parties only takes place where this is necessary within the scope of an order. When processing the data provided to us within the scope of an order, we act in accordance with the instructions of the client and the statutory requirements of a commissioned processing pursuant to Art. 28 GDPR and do not process the data for any purposes other than those of the order.

We delete the data after the expiry of statutory warranty and comparable obligations. The necessity of retaining the data is reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiry (6 years pursuant to § 257(1) HGB, 10 years pursuant to § 147(1) AO). In the case of data disclosed to us by the client within the scope of an order, we delete the data in accordance with the specifications of the order, generally after the end of the order.

Newsletter

With the following information, we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedures and your rights to object. By subscribing to our newsletter, you agree to receive it and to the procedures described. Content of the newsletter: we send newsletters, emails and other electronic notifications with promotional information (hereinafter “newsletter”) only with the consent of the recipients or a legal permission.

Where the contents of the newsletter are specifically described upon registration, they are decisive for the consent of the users. Otherwise, our newsletters contain information about our services and us. Double opt-in and logging: registration for our newsletter takes place in a so-called double opt-in procedure. That is, after registration you receive an email asking you to confirm your registration.

This confirmation is necessary so that no one can register with someone else’s email address. Registrations for the newsletter are logged in order to be able to prove the registration process in accordance with legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Likewise, changes to your data stored with the dispatch service provider are logged. Registration data: to register for the newsletter, it is sufficient to provide your email address.

Optionally, we ask you to provide a name for the purpose of personal address in the newsletter. The dispatch of the newsletter and the associated success measurement take place on the basis of the consent of the recipients pursuant to Art. 6(1)(a), Art. 7 GDPR in conjunction with § 7(2) no. 3 UWG or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art. 6(1)(f) GDPR in conjunction with § 7(3) UWG.

The logging of the registration procedure takes place on the basis of our legitimate interests pursuant to Art. 6(1)(f) GDPR. Our interest is directed at the use of a user-friendly and secure newsletter system which serves both our business interests and the expectations of the users and also allows us to prove consent. Cancellation/withdrawal: you can cancel the receipt of our newsletter at any time, i.e. withdraw your consent.

You will find a link to cancel the newsletter at the end of each newsletter. We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to prove a consent previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of a consent is confirmed at the same time.

Google Tag Manager

Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any personal data of users. With regard to the processing of users’ personal data, reference is made to the following information on the Google services. Usage policy: google.com/intl/de/tagmanager/use-policy.html.

Google Analytics

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offering within the meaning of Art. 6(1)(f) GDPR), we use Google Analytics, a web analytics service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about users’ use of the online offering is generally transmitted to a Google server in the USA and stored there.

Google is certified under the Privacy Shield Agreement and thereby offers a guarantee to comply with European data protection law (privacyshield.gov).

Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on the activities within this online offering and to provide us with further services associated with the use of this online offering and internet usage. In doing so, pseudonymous usage profiles of the users may be created from the processed data.

We use Google Analytics only with IP anonymisation activated. This means that the IP address of the users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by means of an appropriate setting of their browser software; users can also prevent the collection of the data generated by the cookie and relating to their use of the online offering by Google, as well as the processing of this data by Google, by downloading and installing the browser plug-in available under the following link: tools.google.com/dlpage/gaoptout.

You can find further information on data use by Google, settings and objection options in Google’s privacy policy (policies.google.com/technologies/ads) as well as in the settings for the display of advertisements by Google (adssettings.google.com).

The personal data of users is deleted or anonymised after 14 months.

Responsible expert for data processing: Michael Zhao (zhao@trustfactory.de)

Google Fonts

We integrate the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Privacy policy: google.com/policies/privacy

Opt-out: adssettings.google.com

Online appointment scheduling via Calendly

On our website we use the service Calendly for the simple, fast and uncomplicated scheduling of appointments. The provider is Calendly LLC, 115 E Main St, Ste A1B, Buford, GA 30518, USA.

Purpose of data processing: When you book an appointment via the integrated Calendly tool on our website, the data you enter into the form is transmitted to Calendly. This generally includes your name, your email address, the chosen appointment and, where applicable, your phone number and further details about your request that you provide in the form. This data is used exclusively for the organisation and conduct of the appointment.

Legal basis: The data processing takes place on the basis of Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures), insofar as the appointment serves the initiation or performance of a contract. Otherwise, the processing takes place on the basis of our legitimate interest in efficient appointment management and customer communication pursuant to Art. 6(1)(f) GDPR.

Data transfer to the USA: Through the use of this service, data may be transferred to the USA. Calendly is an active participant in the EU–US Data Privacy Framework (DPF). This means that the company has committed to comply with European data protection standards, and the transfer is considered secure on this basis.

Storage period: The data remains stored with us or in Calendly’s system until the purpose for storing the data no longer applies (e.g. after a completed appointment), you request us to delete it, or you withdraw your consent to storage. Mandatory statutory retention provisions remain unaffected.

You can find further information on data protection at Calendly in the provider’s privacy policy at: calendly.com/de/privacy