HerbalHub


Privacy Policy

Status: June 18, 2024


Table of Contents

- Responsible party

- Overview of processing operations

- Relevant legal bases

- Security measures

- Transfer of personal data

- International data transfers

- General information on data storage and deletion

- Rights of the data subjects

- Performance of tasks under statutes or regulations

- Provision of the online service and web hosting

- Use of cookies

- Contact and inquiry management

- Promotional communication via email, mail, fax, or phone

- Presences in social networks (social media)

- Plug-ins and embedded functions as well as content

- Management, organization, and support tools


Responsible party

Data Protection Officer

Bundesstr. 8 20146 HH

Email address: high@herbalhub.club

Imprint: https://herbalhub.club/impressum
Registered association at the Hamburg District Court (VR 25753)

Overview of processing operations

The following overview summarizes the types of processed data and the purposes of their processing and refers to the data subjects.


Types of processed data:

- Inventory data.

- Payment data.

- Contact data.

- Content data.

- Contract data.

- Usage data.

- Meta, communication, and procedural data.

- Log data.

- Membership data.

Categories of data subjects:

- Communication partners.

- Users.

- Members.


Purposes of processing:

- Provision of contractual services and fulfillment of contractual obligations.

- Communication.

- Security measures.

- Direct marketing.

- Office and organizational procedures.

- Organizational and administrative procedures.

- Feedback.

- Marketing.

- Provision of our online offers and user-friendliness.

- Information technology infrastructure.

- Public relations.

- Sales promotion.

- Business processes and economic procedures.


Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data.


Please note that in addition to the GDPR provisions, national data protection regulations in your or our country of residence may apply. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.



- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of personal data concerning them for a specific purpose or purposes.

- Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - The processing is necessary for the fulfillment of a contract of which the data subject is a party, or for the performance of pre-contractual measures taken at the request of the data subject.

- Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - The processing is necessary for compliance with a legal obligation to which the controller is subject.

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

- Contract concerning membership (statute) (Art. 6 para. 1 sentence 1 lit. b) GDPR).


National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection in Germany apply. This particularly includes the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific regulations regarding the right of access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transfer as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws may apply as well.


Notice on the applicability of GDPR and Swiss data protection law: These data protection notices serve to inform you according to the Swiss data protection law as well as the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the broader geographical application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss data protection law "processing" of "personal data", "overriding interest" and "particularly sensitive personal data", the terms used in the GDPR "processing" of "personal data" as well as "legitimate interest" and "special categories of data" are used. However, the legal meaning of the terms remains determined in the context of the applicability of the Swiss data protection law.


Security measures

We implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the varying probabilities of occurrence and the severity of the threat to the rights and freedoms of natural persons.


Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as controlling the related access, input, transfer, availability, and separation of data. Furthermore, we have established procedures that ensure the exercise of data subjects' rights, the deletion of data, and responses to data breaches. We also take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (privacy-friendly default settings).


Securing online connections through TLS/SSL encryption technology (HTTPS)

To protect the data of users transmitted over our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thus protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.


Transfer of personal data

In the context of our processing of personal data, it may occur that this data is transmitted to other places, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, service providers assigned to IT tasks or providers of services and content embedded in a website. In particular, we use Make.com and Mailchimp to manage and respond to contact inquiries. In such cases, we comply with the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.


Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate business interests or is carried out if it is necessary to fulfill our contractual obligations or if there is consent from the data subject or legal permission.


International data transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing occurs within the framework of utilizing services from third parties or disclosing or transferring data to other persons, places, or companies, this is only done in compliance with the legal requirements. Provided that the level of data protection in the third country has been recognized via an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. We specifically use the services of Make.com and Mailchimp, which process their data in the USA. We make sure that appropriate protective measures, such as standard contractual clauses, are implemented.


Moreover, data transfers take place only if the level of data protection is secured in another way, particularly through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), express consent or in the case of contractual or legally required transmission (Art. 49 para. 1 GDPR). Moreover, we will inform you of the conditions of cross-border data transfers with the individual providers from the third country, whereby the adequacy decisions are primarily applicable. Information on third country transfers and existing adequacy decisions can be obtained from the information offerings of the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de


EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission has recognized the level of data protection for certain US companies under the adequacy decision of July 10, 2023, as secure. You can find the list of certified companies and further information on the DPF on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). In the privacy notices, we will inform you which of the service providers we use are certified under the Data Privacy Framework.


General information on data storage and deletion

We delete personal data that we process in accordance with the legal provisions as soon as the underlying consents are revoked or no further legal bases for processing exist. This includes cases where the original purpose of processing ceases to exist or the data is no longer needed. Exceptions to this regulation exist if legal obligations or specific interests require longer retention or archiving of data.

In particular, data that must be retained for commercial or tax reasons or whose storage is necessary for legal enforcement or the protection of the rights of other natural or legal persons must be archived accordingly.


Our privacy notices contain additional information on the retention and deletion of data that specifically applies to certain processing processes.

If there are multiple entries regarding the duration of retention or deletion of a data item, the longest period shall apply.


If a period does not explicitly start on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the event that triggers the period is the date of the effectiveness of the termination or other ending of the legal relationship.

Data that is no longer required for the originally intended purpose, but is retained due to legal requirements or other reasons, will only be processed for the purposes justifying their retention.


Further information on processing processes, procedures, and services:

Retention and deletion of data: The following general time frames apply to retention and archiving pursuant to German law:

- 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as necessary work instructions and other organizational documents required for their understanding, accounting records, and invoices (§ 147 para. 3 in conjunction with para. 1 no. 1, 4, and 4a AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 and 4, sentence 4 HGB).

- 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents, as far as they are relevant for taxation, e.g., hourly wage slips, payroll sheets, calculation documents, price tags, but also payroll documents, as far as they are not already accounting records and cash register slips (§ 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, § 257 para. 1 no. 2 and 3, sentence 4 HGB).

- 3 years - Data necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experiences and common industry practices, will be retained for the regular statutory limitation period of three years (§§ 195, 199 BGB).


Rights of the data subjects

Rights of data subjects under the GDPR: You have various rights as a data subject under the GDPR, which result particularly from Art. 15 to 21 GDPR:

- Right to object: You have the right to object at any time to the processing of personal data concerning you, on grounds relating to your particular situation, which is processed based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

- Right of withdrawal for consents: You have the right to withdraw consents that you have given at any time.

- Right to information: You have the right to demand confirmation as to whether personal data concerning you is being processed and to access this data as well as to receive further information and a copy of the data in accordance with the legal provisions.

- Right to rectification: You have the right to request, in accordance with the legal provisions, the completion of your personal data or the rectification of inaccurate personal data concerning you.

- Right to deletion and restriction of processing: You have the right to request, subject to the legal provisions, the immediate deletion of personal data concerning you or, alternatively, to request a restriction of the processing of personal data concerning you in accordance with the legal provisions.

- Right to data portability: You have the right to receive personal data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format or to request the transmission to another controller in accordance with the legal provisions.

- Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, your workplace, or the place of the alleged infringement if you believe that the processing of personal data concerning you infringes the provisions of the GDPR.


Performance of tasks under statutes or regulations

We process the data of our members, supporters, interested parties, business partners, or other individuals (collectively referred to as "data subjects") when we are in a membership or other business relationship with them and perform our tasks as well as being recipients of services and contributions. Furthermore, we process the data of data subjects based on our legitimate interests, e.g., when it concerns administrative tasks or public relations.

The data processed in this context, the type, scope, purpose, and necessity of their processing, are determined by the underlying membership or contractual relationship, from which the necessity for any data requirements arises (moreover, we point out required data).


We delete data that is no longer necessary for the provision of our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain the data as long as it is relevant in terms of business administration, as well as regarding any warranty or liability obligations based on our legitimate interests in their regulation. The necessity for the retention of the data is regularly reviewed; otherwise, the statutory retention obligations apply.


Types of processed data:

- Inventory data (e.g., full name, residential address, contact information, customer number, etc.)

- Contact data (e.g., postal and email addresses or phone numbers)

- Contract data (e.g., subject matter of the contract, duration, customer category)

- Membership data (e.g., personal data like name, age, gender, contact details (email address, phone number), membership number, information about membership fees, participation in events, etc.)

- Payment data (e.g., bank details, invoices, payment history)

- Content data (e.g., textual or graphic messages and posts as well as the relevant information regarding them, such as authorship or creation time)


Affected persons:

- Members


Purposes of processing:

- Communication

- Organizational and administrative procedures

- Business processes and economic procedures


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion".


Legal bases:

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

- Contract concerning membership (statute) (Art. 6 para. 1 sentence 1 lit. b) GDPR)

- Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR)


Further information on processing processes, procedures, and services:

Member management: Processes that are necessary within the framework of member management include the acquisition and admission of new members, the development and implementation of strategies for member retention, and the assurance of effective communication with members. These processes involve careful recording and maintenance of member data, regular updating of member information, and management of membership fees, including invoicing and billing. Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), Contract concerning membership (statute) (Art. 6 para. 1 sentence 1 lit. b) GDPR).


Membership fee management: The processing activities required for the management of membership fees include recording the membership fee data after a member joins, tracking membership fee payments, and systematically updating the payment status, carrying out payment transactions, processing reminders for overdue payments, reconciling accounts in the context of receivables and payables, and maintaining corresponding books and records. Legal bases: Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR), Contract concerning membership (statute) (Art. 6 para. 1 sentence 1 lit. b) GDPR).


Provision of the online service and web hosting

We process users' data to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the browser or device of the users.


Types of processed data:

- Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions)

- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)

- Log data (e.g., log files concerning logins or retrieval of data or access times)


Affected persons:

- Users (e.g., website visitors, online service users)

Purposes of processing:

- Provision of our online services and user-friendliness

- Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.))

- Security measures


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion".


Legal bases:

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)


Further information on processing processes, procedures, and services:

Collection of access data and log files: Access to our online offer is logged in the form of "server log files." Server log files may include the address and name of the called-up websites and files, date and time of the call-up, transmitted data volumes, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load and stability of the servers.


Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is necessary for evidential purposes is exempt from deletion until the final clarification of the respective incident.


Use of cookies

Cookies are small text files or other storage records that store and read information on end devices. They are used, for example, to store the login status in a user account, a shopping cart in an e-shop, the called-up content, or functions used from an online offer. Cookies can also be used for various matters, such as the functionality, security, and comfort of online offers and the creation of analyses of visitor flows.


Notes on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Permission is particularly not necessary if storing and reading the information, including cookies, is strictly necessary to provide the telemedia service (i.e., our online offer) explicitly requested by the users. The revocable consent is clearly communicated to them and contains the information regarding the respective cookie usage.


Notes on data protection legal bases: The legal basis on which we process users' personal data using cookies depends on whether we ask them for consent. If users accept, the legal basis for the processing of their data is the declared consent. Otherwise, the data processed via cookies will be processed based on our legitimate interests (e.g., in operating our online services and improving its usability) or, if this is part of fulfilling our contractual obligations, when using cookies is necessary to meet our contractual obligations. We will clarify the purposes for which cookies are used in this privacy policy or within our consent and processing processes.


Storage duration: Regarding the storage duration, the following types of cookies are distinguished:

- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g., browser or mobile application).

- Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user revisits a website. The data collected through cookies can also be used for measurement of reach. If we do not provide explicit information about the type and duration of cookies (e.g., in the context of obtaining consent), users should assume that these are permanent and that the storage duration can be up to two years.


General notes on withdrawal and objection (Opt-out): Users can withdraw their consent at any time and also declare an objection against the processing according to legal provisions, including through their browser's privacy settings.


Processed data types:

- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)

Affected persons:

- Users (e.g., website visitors, users of online services)

Legal bases:

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)


Further information on processing processes, procedures, and services:

Processing of cookie data based on consent: We use a consent management solution, where the consent of users is obtained for the use of cookies or for the processes and providers mentioned within the consent management solution. This procedure serves to obtain, log, manage, and withdraw consents, particularly concerning the use of cookies and similar technologies for storing, reading, and processing information on users' end devices.


As part of this process, users' consents for the use of cookies and the associated processing of information, including the specific processing and providers mentioned in the consent management procedure, are obtained. Users also have the option to manage and withdraw their consents.


The consent declarations are stored to avoid repeated inquiries and to provide proof of consent according to legal requirements. The storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using similar technologies to assign the consent to a specific user or their device. If there are no specific indications regarding the providers of consent management services, the following general notes apply:


The duration of storage of consent is up to two years. In doing so, a pseudonymous user identifier is created, which is stored together with the time of consent, details of the scope of consent (e.g., relevant categories of cookies and/or service providers) and information about the browser, system, and end device used. Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).


Contact and inquiry management

When contacting us (e.g., by post, contact form, email, phone, or via social media) and within existing user and business relationships, the details of the inquiring persons are processed as far as necessary to respond to contact inquiries and any requested measures. To process contact inquiries, we use the services of Make.com and Mailchimp, which process and store the transmitted data. This is done exclusively for the purpose of responding to contact inquiries.


Processed data types:

- Inventory data (e.g., full name, residential address, contact information, customer number, etc.)

- Contact data (e.g., postal and email addresses or phone numbers)

- Content data (e.g., textual or graphic messages and posts as well as the relevant information regarding them, such as authorship or creation time)

- Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions)

- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)


Affected persons:

- Communication partners


Purposes of processing:

- Communication

- Organizational and administrative procedures

- Feedback (e.g., collecting feedback via an online form)

- Provision of our online offers and user-friendliness


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion".


Legal bases:

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

- Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR)


Further information on processing processes, procedures, and services:

Contact form: When contacting through our contact form, by email, or other communication methods, we process the personal data transmitted to us to respond to and handle the respective concern. This typically includes details such as name, contact information, and any additional information provided to us that is necessary for appropriate handling. We use this data exclusively for the stated purpose of contacting and communicating. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).


Promotional communication via email, mail, fax, or phone

We process personal data for promotional communication that can occur through various channels, e.g., email, phone, mail, or fax, in accordance with the legal provisions.


Recipients have the right to withdraw consents given at any time or to object to promotional communication at any time.


After withdrawal or objection, we retain the data necessary for proving previous authorization for contact or mailing for up to three years after the end of the year in which the withdrawal or objection occurred, based on our legitimate interests. The processing of this data is limited to the purpose of potential defense against claims. Based on the legitimate interest of permanently noting the users’ withdrawal or objection, we also retain the necessary data to prevent further contact (e.g., depending on the communication channel the email address, phone number, name).


Processed data types:

- Inventory data (e.g., full name, residential address, contact information, customer number, etc.)

- Contact data (e.g., postal and email addresses or phone numbers)

- Content data (e.g., textual or graphic messages and posts as well as the relevant information regarding them, such as authorship or creation time)


Affected persons:

- Communication partners


Purposes of processing:

- Direct marketing (e.g., via email or mail)

- Marketing

- Sales promotion


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion".


Legal bases:

- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)


Presences in social networks (social media)

We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us.


We point out that user data may be processed outside the territory of the European Union. This can present risks for users, as the enforcement of user rights may be more difficult.

Furthermore, users' data is typically processed within social networks for market research and advertising purposes. For example, usage profiles may be created based on user behavior and associated interests. The latter may, in turn, be used to display advertisements within and outside of the networks that presumably meet users’ interests. Thus, cookies are usually stored on users' computers, in which usage behavior and users’ interests are stored. In addition, data in the usage profiles may also be saved independently of the devices used by the users (particularly if they are members of the respective platforms and logged in there).


For a detailed representation of the respective processing forms and objection options (Opt-out), we refer to the privacy policies and information of the operators of the respective networks.


Also, in case of information requests and the assertion of rights of data subjects, we would like to point out that these can be most effectively asserted with the providers. Only they have access to users' data and can take appropriate actions and provide information directly. However, should you need assistance, you can contact us.


Processed data types:

- Contact data (e.g., postal and email addresses or phone numbers)

- Content data (e.g., textual or graphic messages and posts as well as the relevant information regarding them, such as authorship or creation time)

- Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions)


Affected persons:

- Users (e.g., website visitors, online service users)


Purposes of processing:

- Communication

- Feedback (e.g., collecting feedback via an online form)

- Public relations


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion".


Legal bases:

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)


Further information on processing operations, procedures, and services:

Instagram: Social network allowing the sharing of photos and videos, commenting and favoriting posts, sending messages, subscribing to profiles and pages.

Service provider:

Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

Website: https://www.instagram.com

Privacy Policy: https://privacycenter.instagram.com/policy/

Basis for third-country transfers: Data Privacy Framework (DPF)


Plug-ins and embedded functions as well as content

We integrate functional and content elements into our online offerings that are sourced from the servers of their respective providers (hereinafter referred to as "third parties"). This may include, for example, graphics, videos, or maps (collectively referred to as "content").


The integration always requires that the third-party providers of this content process the users' IP addresses, as they cannot send the content to their browser without the IP address. The IP address is therefore required for the display of this content or functions. We strive to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers may also employ so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on users' devices and may include technical information about the browser and operating system, referring websites, visit times, and other details on the use of our online services, but may also be connected to such information from other sources.


Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is that consent. Otherwise, users' data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we also want to refer you to the information on the use of cookies in this privacy policy.


Processed data types:

- Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions)

- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)


Affected persons:

- Users (e.g., website visitors, online service users)


Purposes of processing:

- Provision of our online services and user-friendliness


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).


Legal bases:

- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)


Further information on processing operations, procedures, and services:

Google Fonts (sourced from Google Server): Sourcing fonts (and symbols) for technically secure, maintenance-free, and efficient use of fonts and symbols regarding their presentation and consideration of potential licensing restrictions.


The provider of the fonts is provided with the user's IP address so that the fonts can be made available in the user's browser. Technical data (language settings, screen resolution, operating system, hardware used) necessary for the provision of the fonts depending on the devices and technical environment are also transmitted. These data may be processed on a server of the font provider in the USA.


When users visit our online offer, their browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for retrieving the fonts). The Google Fonts Web API makes the Cascading Style Sheets (CSS) of Google Fonts available to users, and then the fonts specified in the CSS are provided.


These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent, which describes the browser and operating system versions of the website visitors, as well as the referring URL (i.e., the website on which the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers and are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user-agent, and referring URL).


Access to this data is restricted and strictly controlled. The requested URL identifies the font families the user wishes to load. This data is logged so that Google can determine how often a particular font family is requested. The Google Fonts Web API needs the user agent in order to adapt the font that is generated to the respective browser type. The user agent is primarily logged for debugging and used to generate aggregated usage statistics that measure the popularity of font families.


These aggregated usage statistics are published on Google Fonts' "Analytics" page. Finally, the referring URL is logged so that the data can be used for the maintenance of production and to generate an aggregated report on the top integrations based on the number of font requests. Google claims not to use any of the information collected by Google Fonts to create end-user profiles or serve targeted ads.


Service provider:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

Website: https://fonts.google.com/

Privacy Policy: https://policies.google.com/privacy

Basis for third-country transfers: Data Privacy Framework (DPF)

Further information: https://developers.google.com/fonts/faq/privacy?hl=de


Management, organization, and support tools

We use services, platforms, and software from other providers (hereinafter referred to as "third parties") for the purposes of organization, administration, planning, and provision of our services. In selecting third-party providers and their services, we pay attention to the legal provisions.


In this context, personal data may be processed and stored on the servers of third parties. Various data may be affected, which we process in accordance with this privacy policy. This data may particularly include master data and contact data of users, data on transactions, contracts, other processes, and their contents.

To the extent that users are referred to the third parties or their software or platforms within the framework of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask you to observe the privacy notices of the respective third-party providers.


Processed data types:

- Content data (e.g., textual or graphic messages and posts as well as the relevant information regarding them, such as authorship or creation time)

- Usage data (e.g., page views and duration of stay, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and functions)

- Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons)


Affected persons:

- Communication partners

- Users (e.g., website visitors, online service users)


Purposes of processing:

- Provision of contractual services and fulfillment of contractual obligations

- Office and organizational procedures


Retention and deletion:

- Deletion in accordance with the information in the section "General information on data storage and deletion".


Legal bases:

- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)

HerbalHub e.V.

Bundesstraße 8

20146 Hamburg

Hamburg District Court VR 25753
