Privacy Policy
Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data that we carry out, both as part of the provision of our services and in particular on our websites, in mobile applications, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

As of: September 11, 2024

Table of Contents

Preamble
Data Controller
Overview of Processing Activities
Legal Bases
Security Measures
International Data Transfers
General Information on Data Storage and Deletion
Data Subject Rights
Payment Procedures
Provision of the Online Offer and Web Hosting
Use of Cookies
Contact and Request Management
Chatbots and Chat Functions
Promotional Communication via Email, Mail, Fax, or Phone
Web Analysis, Monitoring, and Optimization
Online Marketing
Plug-ins and Embedded Features and Content
Changes and Updates

Data Controller

Email address: info@quantum-workflow.com

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and references the affected individuals.

Types of Data Processed

Basic data
Payment data
Contact data
Content data
Contract data
Usage data
Meta, communication, and procedural data
Log data

Categories of Affected Persons

Service recipients and clients
Interested parties
Communication partners
Users
Business and contractual partners

Purposes of Processing

Provision of contractual services and fulfillment of contractual obligations
Communication
Security measures
Direct marketing
Reach measurement
Tracking
Audience building
Organizational and administrative procedures
Feedback
Marketing
Profiles with user-related information
Provision of our online offer and user-friendliness
IT infrastructure
Promotion of sales
Business processes and economic procedures

Legal Bases

The relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

Consent (Art. 6(1) Sentence 1 lit. a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR): The processing is necessary for the fulfillment of a contract to which the data subject is a party or to carry out pre-contractual measures at the request of the data subject.
Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR): The processing is necessary to protect the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not outweigh them.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the law on the protection against misuse of personal data in data processing (Federal Data Protection Act - BDSG). The BDSG contains special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes, and the transmission, as well as automated individual decision-making, including profiling. Furthermore, data protection laws of individual federal states may apply.
Note on the applicability of GDPR and Swiss Data Protection Act (DSG): These privacy notices serve both to inform according to the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that, due to the broader spatial application and comprehensibility, the terms of the GDPR are used. Specifically, instead of the terms "processing" of "personal data," "overriding interest," and "sensitive personal data" used in the Swiss DSG, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are applied. However, the legal meaning of the terms will continue to be determined according to the Swiss DSG within the framework of its applicability.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of technology, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure an appropriate level of security.

The measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transmission, securing of availability, and separation of the data. We have also established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data breaches. Furthermore, we take the protection of personal data into account when developing or selecting hardware, software, and procedures, following the principle of data protection through technology design and by default.

Securing Online Connections with TLS/SSL Encryption Technology (HTTPS): To protect users' data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user's browser (or between two servers), ensuring that the data is protected from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions comply with the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and in encrypted form.

International Data Transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) and the European Economic Area (EEA)), or if processing occurs in the course of using third-party services or disclosing or transmitting data to other individuals, entities, or companies, this is only done in accordance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only occur if the data protection level is secured by other means, in particular, through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49(1) GDPR). We will inform you of the basis for third-country transfers in the information on the individual providers from the third country.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework" (DPF), the EU Commission recognized the data protection level as safe for certain companies from the USA under the adequacy decision of July 10, 2023. The list of certified companies and further information about the DPF can be found on the US Department of Commerce's website at Data Privacy Framework (in English). We will inform you within the privacy notices which service providers we use that are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal regulations as soon as the consents on which they are based are revoked, or there are no further legal grounds for processing. This applies in cases where the original processing purpose ceases to exist or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons will be archived accordingly.

Our privacy notices contain additional information about data storage and deletion specific to certain processing procedures.

If multiple retention periods or deletion deadlines are provided for certain data, the longest period is always decisive.

If a deadline does not explicitly start on a specific date and is at least one year long, it automatically begins at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships where data is stored, the event triggering the deadline is the effective date of termination or other termination of the legal relationship.

Data that is no longer required for its original purpose but must be stored due to legal provisions or other reasons will be processed exclusively for the reasons that justify its storage.

Additional notes on processing procedures, methods, and services:

Data Retention and Deletion: The following general periods apply to retention and archiving under German law:

10 years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the working instructions and other organizational documents necessary for their understanding, booking vouchers, and invoices (§ 147(3) in conjunction with (1) No. 1, 4 and 4a AO, § 14b(1) UStG, § 257(1) No. 1 and 4, (4) HGB).
6 years: Other business documents: received trade or business letters, copies of dispatched trade or business letters, other documents relevant for taxation, such as hourly wage slips, operating accounting sheets, calculation documents, price labels, but also payroll accounting documents, as long as they are not already booking vouchers and cash receipts (§ 147(3) in conjunction with (1) No. 2, 3, 5 AO, § 257(1) No. 2 and 3, (4) HGB).
3 years: Data necessary for considering potential warranty and compensation claims or similar contractual claims and rights, and related inquiries, based on past business experiences and usual industry practices, will be stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Data Subject Rights

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly those arising from Articles 15 to 21 of the GDPR:

Right to Object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of personal data concerning you, which is carried out on the basis of Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes, including profiling to the extent that it is related to such direct marketing.
Right to Withdraw Consent: You have the right to withdraw consents at any time.
Right of Access: You have the right to request confirmation as to whether data concerning you is being processed, as well as to request access to this data and additional information and a copy of the data in accordance with legal requirements.
Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted immediately or, alternatively, in accordance with legal requirements, to request a restriction of the processing of the data.
Right to Data Portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, in accordance with legal requirements, or to request its transmission to another data controller.
Right to File a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, particularly in the Member State of your habitual residence, workplace, or the place of the alleged violation if you believe that the processing of personal data concerning you violates the provisions of the GDPR.

Payment Procedures

As part of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers in addition to banks and credit institutions (collectively referred to as "payment service providers").

The data processed by the payment service providers includes basic data such as the name and address, bank details such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract-related, sum-related, and recipient-related information. The information is required to process the transactions. However, the entered data is processed only by the payment service providers and stored by them. This means we do not receive any account or credit card-related information, but only information confirming or rejecting the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit reference agencies. This transmission is intended for identity and credit checks. For this, we refer to the terms and conditions and the privacy notices of the respective payment service providers.

The business terms and privacy notices of the respective payment service providers, which can be accessed on their respective websites or transaction applications, apply to payment transactions. We also refer to these for further information and for exercising withdrawal, information, and other data subject rights.

Processed Data Types: Basic data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank account information, invoices, payment history); contract data (e.g., contract subject, term, customer category); usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types used, and operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).

Data Subjects: Service recipients and clients; business and contractual partners; interested parties.

Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; business processes and economic procedures.

Storage and Deletion: Deletion according to the information provided in the "General Information on Data Storage and Deletion" section.

Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR); legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Additional Notes on Processing Procedures, Methods, and Services:

PayPal: Payment services (technical connection of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Stripe: Payment services (technical connection of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; legal basis: contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/de/privacy.

Provision of the Online Offer and Web Hosting

We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

Processed Data Types: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types used, and operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons); log data (e.g., log files concerning logins or data retrievals or access times); content data (e.g., text or image messages and posts as well as information about them, such as author information or creation times).

Data Subjects: Users (e.g., website visitors, users of online services).

Purposes of Processing: Provision of our online offer and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; provision of contractual services and fulfillment of contractual obligations.

Storage and Deletion: Deletion according to the information provided in the "General Information on Data Storage and Deletion" section.

Legal Bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Additional Notes on Processing Procedures, Methods, and Services:

Collection of Access Data and Log Files: Access to our online offer is recorded in the form of so-called "server log files." Server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, transmitted data volumes, messages about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, such as preventing server overloads (especially in the case of abusive attacks, so-called DDoS attacks) and ensuring the stability of the servers. Legal bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR). Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidence purposes is exempt from deletion until the respective incident is finally resolved.
Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, the recipients' and senders' addresses, as well as further information regarding email sending (e.g., the involved providers) and the content of the respective emails, are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails are generally not encrypted on the internet. Emails are usually encrypted during transport, but not (unless an end-to-end encryption method is used) on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission path of the emails between the sender and the receipt on our server. Legal bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Use of Cookies

Cookies are small text files or other memory markers that store information on devices and retrieve it from them. They are used, for example, to store the login status in a user account, the content of a shopping cart in an online shop, the content viewed, or the functions used of an online offer. Cookies can also be used for various purposes, such as the functionality, security, and convenience of online offers, as well as the creation of visitor flow analyses.

Notice on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Consent is particularly not required if the storage and retrieval of the information, including cookies, is strictly necessary to provide the users with a telemedia service (i.e., our online offer) they have explicitly requested. The revocable consent is clearly communicated to them and contains information about the respective cookie use.

Notice on Legal Bases for Data Protection: The legal basis for processing personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g., in a business-friendly operation of our online offer and its improvement) or, if this takes place in the context of fulfilling our contractual obligations, where the use of cookies is necessary to fulfill those obligations.

Storage Period: With regard to the storage period, the following types of cookies are distinguished:

Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves the online offer and closes their device (e.g., browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be stored, and preferred content can be displayed directly when the user visits a website again. Similarly, the usage data collected using cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage period of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and that their storage period can be up to two years.

General Information on Withdrawal and Objection (Opt-out): Users can withdraw their consent at any time and, in accordance with legal requirements, object to the processing by means of their privacy settings in their browser.

Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).

Data Subjects: Users (e.g., website visitors, users of online services).

Legal Bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR); Consent (Art. 6(1) Sentence 1 lit. a) GDPR).

Additional Notes on Processing Procedures, Methods, and Services:

Processing of Cookie Data Based on Consent: We use a consent management solution where users' consent for the use of cookies or the procedures and providers mentioned within the consent management solution is obtained. This procedure serves to obtain, record, manage, and revoke consents, particularly regarding the use of cookies and similar technologies that store, retrieve, and process information on users' devices. In the context of this procedure, users' consent for the use of cookies and the associated data processing, including the specific processing and providers mentioned in the consent management procedure, is obtained. Users also have the option to manage and revoke their consents. The consent declarations are stored to avoid repeated inquiries and to provide proof of consent in accordance with legal requirements. Storage takes place on the server and/or in a cookie (so-called opt-in cookie) or using comparable technologies to assign the consent to a specific user or their device. Unless specific information is provided about the providers of consent management services, the following general notes apply: The storage period of the consent is up to two years. A pseudonymous user identifier is created, stored together with the time of consent, information about the scope of consent (e.g., concerning categories of cookies and/or service providers), and information about the browser, system, and the device used. Legal bases: Consent (Art. 6(1) Sentence 1 lit. a) GDPR).

Contact and Request Management

When contacting us (e.g., by mail, contact form, email, phone, or via social media) and within the framework of existing user and business relationships, the data provided by the requesting persons will be processed as far as necessary to respond to the contact inquiries and any requested measures.

Processed Data Types: Basic data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and posts as well as information about them, such as author information or creation times); usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types used, and operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).

Data Subjects: Communication partners.

Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via an online form); provision of our online offer and user-friendliness.

Storage and Deletion: Deletion according to the information provided in the "General Information on Data Storage and Deletion" section.

Legal Bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR).

Additional Notes on Processing Procedures, Methods, and Services:

Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and handle the respective request. This usually includes information such as name, contact details, and potentially other information communicated to us and necessary for appropriate handling. We use this data exclusively for the stated purpose of contact and communication. Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR), legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Chatbots and Chat Functions

We offer online chats and chatbot functions as a communication option (collectively referred to as "chat services"). A chat is an online conversation conducted with a certain time proximity. A chatbot is software that answers user questions or informs them through messages. When you use our chat functions, we may process your personal data.

If you use our chat services within an online platform, your identification number within the respective platform will also be stored. We may also collect information about which users interact with our chat services and when. Furthermore, we store the content of your conversations via the chat services and log registration and consent processes to demonstrate them in accordance with legal requirements.

We inform users that the respective platform provider may learn that users are communicating with our chat services and when they do so, as well as technical information about the users' device and, depending on their device settings, location information (so-called metadata) for optimizing the respective services and for security purposes. The metadata of the communication via chat services (i.e., for example, the information about who communicated with whom) may also be used by the platform providers for marketing purposes or to display advertising tailored to users, based on their terms, which we refer to for further information.

If users agree to receive regular notifications from a chatbot, they may unsubscribe from the notifications at any time in the future. The chatbot will inform users on how and with which terms they can unsubscribe from the messages. When unsubscribing from chatbot messages, users' data will be removed from the directory of message recipients.

We use the aforementioned information to operate our chat services, for example, to address users personally, to respond to their inquiries, to deliver requested content, and also to improve our chat services (e.g., to "teach" chatbots answers to frequently asked questions).

Processed Data Types: Contact data (e.g., postal and email addresses); content data (e.g., text or image messages and posts as well as information about them, such as author information); usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types used, and operating systems, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).

Data Subjects: Communication partners.

Purposes of Processing: Communication.

Storage and Deletion: Deletion according to the information provided in the "General Information on Data Storage and Deletion" section.

Legal Bases: Consent (Art. 6(1) Sentence 1 lit. a) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b) GDPR); Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Promotional Communication via Email, Mail, Fax, or Phone

We process personal data for the purposes of promotional communication, which can take place via various channels, such as email, phone, mail, or fax, in accordance with legal requirements.

Recipients have the right to withdraw consents given at any time or to object to promotional communication at any time.

After a withdrawal or objection, we store the data necessary to prove previous authorization for contacting or sending information for up to three years after the end of the year in which the withdrawal or objection took place, based on our legitimate interests. The processing of this data is limited to the purpose of defending against claims. Based on the legitimate interest in permanently observing the withdrawal or objection of users, we also store the data required to avoid a renewed contact (e.g., depending on the communication channel, the email address, phone number, name).

Processed Data Types: Basic data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and posts as well as information about them, such as author information or creation times).

Data Subjects: Communication partners.

Purposes of Processing: Direct marketing (e.g., by email or post); marketing; promotion of sales.

Storage and Deletion: Deletion according to the information provided in the "General Information on Data Storage and Deletion" section.

Legal Bases: Consent (Art. 6(1) Sentence 1 lit. a) GDPR); Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offer and can include behavior, interests, or demographic information about the visitors, such as age or gender, as pseudonymous values. Using reach analysis, we can, for example, recognize at what time our online offer or its functions or content are used most frequently or invite reuse. Likewise, we can determine which areas need optimization.

In addition to web analysis, we may use test procedures to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles (i.e., data compiled for a usage process) may be created and information stored in a browser or device and then retrieved for these purposes. The collected information includes, in particular, the visited websites and the elements used there, as well as technical information such as the browser used, the computer system, and information about usage times. If users have agreed to the collection of their location data, this can also be processed.

In addition, the users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear-text data of users (such as email addresses or names) is stored within the framework of web analysis, A/B testing, and optimization procedures; only pseudonyms are stored. This means that we and the providers of the software used do not know the actual identity of the users, but only the data stored in their profiles for the respective procedures.

Legal Bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, the users' data will be processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

Processed Data Types: Usage data (e.g., page views and duration of stay, click paths, usage intensity and frequency, device types used, and operating systems); meta, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).

Data Subjects: Users (e.g., website visitors, users of online services).

Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (creating user profiles); provision of our online offer and user-friendliness.

Storage and Deletion: Deletion according to the information provided in the "General Information on Data Storage and Deletion" section. Storage of cookies of up to two years (unless otherwise stated, cookies and similar storage methods can be stored on users' devices for up to two years).

Security Measures: IP masking (pseudonymization of the IP address).

Legal Bases: Consent (Art. 6(1) Sentence 1 lit. a) GDPR); Legitimate interests (Art. 6(1) Sentence 1 lit. f) GDPR).

Additional Notes on Processing Procedures, Methods, and Services:

Google Analytics: We use Google Analytics to measure and analyze the usage of our online offer based on a pseudonymous user identification number. This identification number does not contain any unique data such as names or email addresses. It serves to assign analysis information to a device in order to recognize which content users have accessed within one or more usage processes, which search terms they used, which content they accessed again, or how they interacted with our online offer. The time of use and its duration are also stored, as well as the sources that referred users to our online offer and technical aspects of their devices and browsers. Pseudonymous profiles of users with information from the usage of different devices are created, whereby cookies can be used. Google Analytics does not log or store individual IP addresses for EU users. Analytics, however, provides broad geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU data traffic, IP address data is used solely for deriving geolocation data before it is immediately deleted. It is not logged, accessed, or used for further purposes. When Google Analytics collects measurement data, all IP lookups are conducted on EU-based servers before the traffic is forwarded to Analytics servers for processing. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: Consent (Art. 6(1) Sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; security measures: IP masking (pseudonymization of the IP address); Privacy Policy: https://policies.google.com/privacy; Data Processing Agreement: https://business.safety.google/adsprocessorterms/; legal basis for third-country transfers: Data Privacy Framework (DPF); Opt-out option (Opt-out plugin): https://tools.google.com/dlpage/gaoptout?hl=de, settings for displaying advertisements: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data processed).

Online Marketing

We process personal data for the purpose of online marketing, which may include the marketing of advertising spaces or the display of advertising and other content (collectively referred to as "content") based on potential user interests, as well as measuring their effectiveness.

For these purposes, so-called user profiles may be created and stored in a file (the "cookie") or similar methods used, through which the relevant information regarding the user for displaying the aforementioned content is stored. This may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information, such as the browser used, the computer system, and information on usage times and used functions. If users have agreed to the collection of their location data, these may also be processed.

Additionally, users' IP addresses are stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect the users. Generally, no clear-text user data (e.g., names or email addresses) is stored within the scope of online marketing; pseudonymous profiles are stored instead. This means that we and the providers of online marketing methods do not know the actual identity of the users but only the data stored in their profiles.

The data in the profiles are usually stored in cookies or through similar methods. These cookies may be later read and analyzed on other websites that use the same online marketing methods to display ads, which can be enriched with additional data and stored on the online marketing provider’s server.

In rare cases, personal data may be associated with these profiles, especially if users are members of a social network whose online marketing methods we use, and the network links users' profiles with the aforementioned information. Users should also be aware that they may enter into additional agreements with providers, such as through consent when registering.

We generally only have access to summarized information about the success of our ads. However, in the context of conversion measurements, we may analyze which of our online marketing methods have led to a conversion, such as a contract with us. Conversion measurement is solely used for success analysis of our marketing measures.

Unless otherwise stated, assume that cookies used for online marketing may be stored for up to two years.

Legal Bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). For details about the use of cookies and similar tracking technologies, see the section on Cookies.

Opt-out: Users have the right to opt out of targeted advertising. They can manage their preferences in the settings of their browser or using opt-out mechanisms provided by third-party platforms such as:

Your Online Choices (Europe): https://www.youronlinechoices.eu
About Ads (USA): https://www.aboutads.info/choices

Processed Data Types: Usage data (e.g., pages viewed, time spent, click paths, interactions with ads); meta, communication, and procedural data (e.g., IP addresses, time data, identifiers).

Data Subjects: Users (e.g., visitors to websites and users of online services).

Purposes of Processing: Targeted marketing; reach measurement; creating user profiles based on behavior and interests.

Storage and Deletion: Cookies may be stored for up to 2 years, unless otherwise specified.

Security Measures: IP masking (pseudonymization of the IP address).

Plug-ins and Embedded Features and Content

We may embed functional and content elements provided by third parties in our online offer (e.g., videos, social media buttons). These third-party providers process users' data to deliver the embedded content and features.

Data is only transmitted to third parties when users interact with the embedded elements (e.g., play a video). The embedded elements also use IP addresses to deliver content to the user's browser, as IP addresses are essential for this.

Legal Bases: Data processing for embedding third-party content is based on users' consent (Art. 6(1) lit. a) GDPR) or our legitimate interests (Art. 6(1) lit. f) GDPR), such as providing user-friendly and efficient services.

Processed Data Types: Usage data (e.g., pages viewed, interactions with embedded content); meta, communication, and procedural data (e.g., IP addresses).