Privacy Policy

With the following privacy policy we would like to inform you which types of
your personal data (hereinafter also abbreviated as “data”) we process for
which purposes and in which scope. The privacy statement applies to all
processing of personal data carried out by us, both in the context of
providing our services and in particular on our websites, in mobile
applications and within external online presences, such as our social media
profiles (hereinafter collectively referred to as “online services”).

The terms used are not gender-specific.

Last Update: 2. July 2020

Controller

41Publishing GmbH
Bismarckstraße 32
71229 Leonberg
hello@downtown-mag.com
represented by Robin Schmitt & Max-Philip Schmitt entered in the
Commercial Register of Stuttgart Local Court under HRB 738884

Contact information of the data protection officer

ecolaw.de Gesellschaft für Datensicherheit & Datenschutz mbH represented
by the Managing Director Herrn Florian König Roseggerstraße 1 D-38440
Wolfsburg Tel. +49 (0)5361 27 29 293 Fax +49 (0)5361 27 29 296 Datenschutz (a)
ecolaw.de
www.ecolaw.de
registered in the Commercial Register of Braunschweig Local Court under HRB
203444

Overview of processing operations

The following table summarises the types of data processed, the purposes for
which they are processed and the concerned data subjects.

Categories of Processed Data

  • Inventory data (e.g. names, addresses).
  • Content data (e.g. text input, photographs, videos).
  • Contact data (e.g. e-mail, telephone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. websites visited, interest in content, access times).

Categories of Data Subjects

  • Prospective customers.
  • Communication partner (Recipients of e-mails, letters, etc.).
  • Users (e.g. website visitors, users of online services).
  • Participants in sweepstakes and competitions.

Purposes of Processing

  • Provision of our online services and usability.
  • Conversion Tracking.
  • Content Delivery Network (CDN).
  • Direct marketing (e.g. by e-mail or postal).
  • Conducting sweepstakes and contests.
  • Feedback (e.g. collecting feedback via online form).
  • Interest-based and behavioral marketing.
  • contact requests and communication.
  • Conversion tracking (Measurement of the effectiveness of marketing
    activities).
  • Profiling (Creating user profiles).
  • Remarketing.
  • Web Analytics (e.g. access statistics, recognition of returning visitors).
  • Security measures.
  • Targeting (e.g. profiling based on interests and behaviour, use of cookies).
  • Contractual services and support.
  • Managing and responding to inquiries.

Legal Bases for the Processing

In the following we inform you about the legal basis of the General Data
Protection Regulation (GDPR), on the basis of which we process personal data.
Please note that, in addition to the regulations of the GDPR, the national
data protection regulations may apply in your country or in our country of
residence or domicile. If, in addition, more specific legal bases are
applicable in individual cases, we will inform you of these in the data
protection declaration.

  • Consent (Article 6 (1) (a) GDPR) – The data subject has
    given consent to the processing of his or her personal data for one or more
    specific purposes.
  • Performance of a contract and prior requests (Article 6 (1) (b)
    GDPR)
    – Performance of a contract to which the data subject is party or in order
    to take steps at the request of the data subject prior to entering into a
    contract.
  • Pprotection of vital interests (Article 6 (1) (d) GDPR)
    Processing is necessary in order to protect the vital interests of the data
    subject or of another natural person.
  • Legitimate Interests (Article 6 (1) (f) GDPR) – Processing
    is necessary for the purposes of the legitimate interests pursued by the
    controller or by a third party, except where such interests are overridden
    by the interests or fundamental rights and freedoms of the data subject
    which require protection of personal data.

National data protection regulations in Germany: In addition
to the data protection regulations of the General Data Protection Regulation,
national regulations apply to data protection in Germany. This includes in
particular the Law on Protection against Misuse of Personal Data in Data
Processing (Federal Data Protection Act – BDSG). In particular, the BDSG
contains special provisions on the right to access, the right to erase, the
right to object, the processing of special categories of personal data,
processing for other purposes and transmission as well as automated individual
decision-making, including profiling. Furthermore, it regulates data
processing for the purposes of the employment relationship (§ 26 BDSG), in
particular with regard to the establishment, execution or termination of
employment relationships as well as the consent of employees. Furthermore,
data protection laws of the individual federal states may apply.

Security Precautions

We take appropriate technical and organisational measures in accordance with
the legal requirements, taking into account the state of the art, the costs of
implementation and the nature, scope, context and purposes of processing as
well as the risk of varying likelihood and severity for the rights and
freedoms of natural persons, in order to ensure a level of security
appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality,
integrity and availability of data by controlling physical and electronic
access to the data as well as access to, input, transmission, securing and
separation of the data. In addition, we have established procedures to ensure
that data subjects’ rights are respected, that data is erased, and that we are
prepared to respond to data threats rapidly. Furthermore, we take the
protection of personal data into account as early as the development or
selection of hardware, software and service providers, in accordance with the
principle of privacy by design and privacy by default.

Transmission and Disclosure of Personal Data

In the context of our processing of personal data, it may happen that the data
is transferred to other places, companies or persons or that it is disclosed
to them. Recipients of this data may include, for example, payment
institutions within the context of payment transactions, service providers
commissioned with IT tasks or providers of services and content that are
embedded in a website. In such a case, the legal requirements will be
respected and in particular corresponding contracts or agreements, which serve
the protection of your data, will be concluded with the recipients of your
data.

Data Processing in Third Countries

If we process data in a third country (i.e. outside the European Union (EU),
the European Economic Area (EEA)) or the processing takes place in the context
of the use of third party services or disclosure or transfer of data to other
persons, bodies or companies, this will only take place in accordance with the
legal requirements.

Subject to express consent or transfer required by contract or law, we process
or have processed the data only in third countries with a recognised level of
data protection, which includes US processors certified under the “Privacy
Shield” or on the basis of special guarantees, such as a contractual
obligation through so-called standard protection clauses of the EU Commission,
the existence of certifications or binding internal data protection
regulations (Article 44 to 49 GDPR, information page of the EU Commission:
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Use of Cookies

Cookies are text files that contain data from visited websites or domains and
are stored by a browser on the user’s computer. A cookie is primarily used to
store information about a user during or after his visit within an online
service. The information stored can include, for example, the language
settings on a website, the login status, a shopping basket or the location
where a video was viewed. The term “cookies” also includes other technologies
that fulfil the same functions as cookies (e.g. if user information is stored
using pseudonymous online identifiers, also referred to as “user IDs”).

The following types and functions of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary
    cookies are deleted at the latest after a user has left an online service
    and closed his browser.
  • Permanent cookies: Permanent cookies remain stored even
    after closing the browser. For example, the login status can be saved or
    preferred content can be displayed directly when the user visits a website
    again. The interests of users who are used for range measurement or
    marketing purposes can also be stored in such a cookie.
  • First-Party-Cookies: First-Party-Cookies are set by
    ourselves.
  • Third party cookies: Third party cookies are mainly used by
    advertisers (so-called third parties) to process user information.
  • Necessary (also: essential) cookies: Cookies can be
    necessary for the operation of a website (e.g. to save logins or other user
    inputs or for security reasons).
  • Statistics, marketing and personalisation cookies: Cookies
    are also generally used to measure a website’s reach and when a user’s
    interests or behaviour (e.g. viewing certain content, using functions, etc.)
    are stored on individual websites in a user profile. Such profiles are used,
    for example, to display content to users that corresponds to their potential
    interests. This procedure is also referred to as “tracking”, i.e. tracking
    the potential interests of users. . If we use cookies or “tracking”
    technologies, we will inform you separately in our privacy policy or in the
    context of obtaining consent.

Information on legal basis: The legal basis on which we
process your personal data with the help of cookies depends on whether we ask
you for your consent. If this applies and you consent to the use of cookies,
the legal basis for processing your data is your declared consent. Otherwise,
the data processed with the help of cookies will be processed on the basis of
our legitimate interests (e.g. in a business operation of our online service
and its improvement) or, if the use of cookies is necessary to fulfill our
contractual obligations.

Retention period: Unless we provide you with explicit
information on the retention period of permanent cookies (e.g. within the
scope of a so-called cookie opt-in), please assume that the retention period
can be as long as two years.

General information on Withdrawal of consent and objection (Opt-Out): Respective of whether processing is based on consent or legal permission, you
have the option at any time to object to the processing of your data using
cookie technologies or to revoke consent (collectively referred to as
“opt-out”). You can initially explain your objection using the settings of
your browser, e.g. by deactivating the use of cookies (which may also restrict
the functionality of our online services). An objection to the use of cookies
for online marketing purposes can be raised for a large number of services,
especially in the case of tracking, via the websites
https://www.aboutads.info/choices/
and
https://www.youronlinechoices.com.
In addition, you can receive further information on objections in the context
of the information on the used service providers and cookies.

Processing Cookie Data on the Basis of Consent: Before we
process or have processed data within the context of the usage of cookies, we
ask the users for their consent, which can be revoked at any time. Before the
consent has not been given, we may use cookies that are necessary for the
operation of our online services.

  • Processed data types: Usage data (e.g. websites visited,
    interest in content, access times), Meta/communication data (e.g. device
    information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate
    Interests (Article 6 (1) (f) GDPR).

Provision of online services and web hosting

In order to provide our online services securely and efficiently, we use the
services of one or more web hosting providers from whose servers (or servers
they manage) the online services can be accessed. For these purposes, we may
use infrastructure and platform services, computing capacity, storage space
and database services, as well as security and technical maintenance services.

The data processed within the framework of the provision of the hosting
services may include all information relating to the users of our online
services that is collected in the course of use and communication. This
regularly includes the IP address, which is necessary to be able to deliver
the contents of online services to browsers, and all entries made within our
online services or from websites.

Collection of Access Data and Log Files: We, ourselves or our
web hosting provider, collect data on the basis of each access to the server
(so-called server log files). Server log files may include the address and
name of the web pages and files accessed, the date and time of access, data
volumes transferred, notification of successful access, browser type and
version, the user’s operating system, referrer URL (the previously visited
page) and, as a general rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g. to avoid
overloading the servers (especially in the case of abusive attacks, so-called
DDoS attacks) and to ensure the stability and optimal load balancing of the
servers .

Content-Delivery-Network: We use a so-called “Content
Delivery Network” (CDN). A CDN is a service with whose help contents of our
online services, in particular large media files, such as graphics or scripts,
can be delivered faster and more securely with the help of regionally
distributed servers connected via the Internet.

  • Processed data types: Content data (e.g. text input,
    photographs, videos), Usage data (e.g. websites visited, interest in
    content, access times), Meta/communication data (e.g. device information, IP
    addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services).
  • Purposes of Processing: Content Delivery Network (CDN).
  • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

The cloud infrastructure of our website is operated by Amazon Web Services,
Inc. (Part of Amazon.com, Inc. 2021 Seventh
Ave, Seattle, Washington 98121, USA) and managed by Palely (4729 E. Sunrise
Dr. Suite 435, Tucson, Arizona 85718, USA). The server is located in Frankfurt
am Main, Germany. Both Amazon and Pagely are certified under the Privacy
Shield Agreement and thus offer a guarantee to comply with European data
protection law. (Amazon certificate, Pagely certificate). Detailed information
on the processed data and the subject of data protection can be found in
Amazon’s and
Pagely’s data
protection declarations.

For our e-mails we use a server operated by
ALL-INKL.COM – Neue Medien Münnich
(Hauptstraße 68, 02742 Friedersdorf, Germany). For more information, please
refer to the
privacy policy of ALL-INKL.COM.

Blogs and publication media

We use blogos or comparable means of online communication and publication
(hereinafter “publication medium”). Readers’ data will only be processed for
the purposes of the publication medium to the extent necessary for its
presentation and communication between authors and readers or for security
reasons. For the rest, we refer to the information on the processing of
visitors to our publication medium within the scope of this privacy policy.

Comment subscriptions: When users leave comments or other
contributions, their IP addresses may be stored based on our legitimate
interests. This is done for our safety, if someone leaves illegal contents
(insults, forbidden political propaganda, etc.) in comments and contributions.
In this case, we ourselves can be prosecuted for the comment or contribution
and are therefore interested in the author’s identity.

Furthermore, we reserve the right to process user data for the purpose of spam
detection on the basis of our legitimate interests.

On the same legal basis, in the case of surveys, we reserve the right to store
the IP addresses of users for the duration of the surveys and to use cookies
in order to avoid multiple votes.

The personal information provided in the course of comments and contributions,
any contact and website information as well as the content information will be
stored permanently by us until the user objects.

Gravatar Profile Pictures: We use the service Gravatar within
our on-line offer and in particular in the Blog.

Gravatar is a service where users can register and store profile pictures and
their e-mail addresses. If users leave contributions or comments with the
respective e-mail address on other online presences (especially in blogs),
their profile pictures can be displayed next to the contributions or comments.
For this purpose, the e-mail address provided by the users is transmitted to
Gravatar in encrypted form for the purpose of checking whether a profile is
stored for it. This is the only purpose of transmitting the email address and
it will not be used for other purposes, but deleted thereafter.

The use of Gravatar is based on our legitimate interests, as we use Gravatar
to offer authors of contributions and comments the opportunity to personalize
their contributions with a profile picture.

By displaying the images, Gravatar knows the IP address of the user, as this
is necessary for communication between a browser and an online service.

If users do not want a user image linked to their e-mail address to appear in
the comments at Gravatar, they should use an e-mail address which is not
stored at Gravatar for commenting. We would also like to point out that it is
also possible to use an anonymous e-mail address or no e-mail address at all
if users do not wish their own e-mail address to be sent to Gravatar. Users
can completely prevent the transmission of data by not using our comment
system.

  • Processed data types: Inventory data (e.g. names,
    addresses), Contact data (e.g. e-mail, telephone numbers), Content data
    (e.g. text input, photographs, videos), Usage data (e.g. websites visited,
    interest in content, access times), Meta/communication data (e.g. device
    information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services).
  • Purposes of Processing: Contractual services and support,
    Feedback (e.g. collecting feedback via online form), Security measures,
    Managing and responding to inquiries, Provision of our online services and
    usability.
  • Legal Basis: Performance of a contract and prior requests
    (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR),
    Consent (Article 6 (1) (a) GDPR), Pprotection of vital interests (Article 6
    (1) (d) GDPR).

Services and service providers being used:

Contacting us

When contacting us (e.g. by contact form, e-mail, telephone or via social
media), the data of the inquiring persons are processed insofar as this is
necessary to answer the contact enquiries and any requested activities.

The response to contact enquiries within the framework of contractual or
pre-contractual relationships is made in order to fulfil our contractual
obligations or to respond to (pre)contractual enquiries and otherwise on the
basis of the legitimate interests in responding to the enquiries.

  • Processed data types: Inventory data (e.g. names,
    addresses), Contact data (e.g. e-mail, telephone numbers), Content data
    (e.g. text input, photographs, videos).
  • Data subjects: Communication partner (Recipients of
    e-mails, letters, etc.).
  • Purposes of Processing: contact requests and communication.
  • Legal Basis: Performance of a contract and prior requests
    (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

CRM system Reamaze

We use the CRM system “Reamaze“, from
Lantirn, Inc. 920 Saratoga Ave, Suite 213, San Jose, CA 95129, USA, in order
to process user inquiries faster and more efficiently (legitimate interest
according to Art. 6 para. 1 lit. f) GDPR). There is an order processing
contract pursuant to Art. 28 para. 3 p. 1 GDPR. Requests to our public e-mail
addresses are processed with Reamaze.

Lantirn Inc. is certified under the
Privacy Shield Agreement
and thus offers an additional guarantee of compliance with European data
protection law.

Lantirn uses the user data only for technical processing of the enquiries and
does not pass them on to third parties. The use of Reamaze requires at least a
valid e-mail address. Pseudonymous use is possible. During the processing of
service requests, it may be necessary to collect further data (name, address).
The use of Reamaze is optional and serves to improve and accelerate our
customer and user service.

If users do not agree to the collection and storage of data on Reamaze’s
external system, we offer alternative ways of contacting us via e-mail at
no-reamaze@downtown-mag.com, phone or mail.

For more information please refer to Reamaze’s
privacy policy.

Newsletter and Broadcast Communication

We send newsletters, e-mails and other electronic communications (hereinafter
referred to as “newsletters”) only with the consent of the recipient or a
legal permission. Insofar as the contents of the newsletter are specifically
described within the framework of registration, they are decisive for the
consent of the user. Otherwise, our newsletters contain information about our
services and us.

Double opt-in procedure: The registration to our newsletter
takes place in general in a so-called Double-Opt-In procedure. This means that
you will receive an e-mail after registration asking you to confirm your
registration. This confirmation is necessary so that no one can register with
external e-mail addresses.

The registrations for the newsletter are logged in order to be able to prove
the registration process according to the legal requirements. This includes
storing the login and confirmation times as well as the IP address. Likewise
the changes of your data stored with the dispatch service provider are logged.

Deletion and restriction of processing: We may store the
unsubscribed email addresses for up to three years based on our legitimate
interests before deleting them to provide evidence of prior consent. The
processing of these data is limited to the purpose of a possible defense
against claims. An individual deletion request is possible at any time,
provided that the former existence of a consent is confirmed at the same time.
In the case of an obligation to permanently observe an objection, we reserve
the right to store the e-mail address solely for this purpose in a blacklist.

Information on legal bases: The sending of the newsletter is
based on the consent of the recipients or, if consent is not required, on the
basis of our legitimate interests in direct marketing. Insofar as we engage a
service provider for sending e-mails, this is done on the basis of our
legitimate interests. The registration procedure is recorded on the basis of
our legitimate interests for the purpose of demonstrating that it has been
conducted in accordance with the law.

Contents: Information about us, our services, promotions and
offers.

Analysis and performance measurement: The newsletters contain
a so-called “web-beacon”, i.e. a pixel-sized file, which is retrieved from our
server when the newsletter is opened or, if we use a mailing service provider,
from its server. Within the scope of this retrieval, technical information
such as information about the browser and your system, as well as your IP
address and time of retrieval are first collected.

This information is used for the technical improvement of our newsletter on
the basis of technical data or target groups and their reading behaviour on
the basis of their retrieval points (which can be determined with the help of
the IP address) or access times. This analysis also includes determining
whether newsletters are opened, when they are opened and which links are
clicked. For technical reasons, this information can be assigned to the
individual newsletter recipients. It is, however, neither our endeavour nor,
if used, that of the shipping service provider to observe individual users.
The evaluations serve us much more to recognize the reading habits of our
users and to adapt our content to them or to send different content according
to the interests of our users.

The evaluation of the newsletter and the measurement of success is carried
out, subject to the express consent of the user, on the basis of our
legitimate interests for the purposes of using a user-friendly and secure
newsletter system which serves both our business interests and the
expectations of the user.

A separate objection to the performance measurement is unfortunately not
possible, in this case the entire newsletter subscription must be cancelled or
objected to.

  • Processed data types: Inventory data (e.g. names,
    addresses), Contact data (e.g. e-mail, telephone numbers),
    Meta/communication data (e.g. device information, IP addresses), Usage data
    (e.g. websites visited, interest in content, access times).
  • Data subjects: Communication partner (Recipients of
    e-mails, letters, etc.).
  • Purposes of Processing: Direct marketing (e.g. by e-mail or
    postal).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate
    Interests (Article 6 (1) (f) GDPR).
  • Opt-Out: You can cancel the receipt of our newsletter at
    any time, i.e. revoke your consent or object to further receipt. You will
    find a link to cancel the newsletter either at the end of each newsletter or
    you can otherwise use one of the contact options listed above, preferably
    e-mail.

Newsletter – ConvertKit

Our newsletter is distributed by “ConvertKit”, a newsletter-mailing platform
of the US provider ConvertKit, LLC, 505
W. Broad Street #602, Boise, ID 83702, P.O. Box 761, Boise, Idaho 83701, USA.
Their privacy policy can be
viewed here.

ConvertKit is certified under the
Privacy Shield Agreement
and thus offers a guarantee to comply with the European data protection
standards. The mailing service provider is assigned on the basis of our
legitimate interests in accordance with. Art. 6 para. 1 (f) GDPR and an Order
Processing Agreement in accordance with Art. 28 para. 3 p. 1 GDPR.

The mailing service provider may use the data of the recipients in
pseudonymous form, i.e. without assignment to a user, to optimise or improve
their own services, e.g. for the technical optimisation of shipping and the
presentation of newsletters or for statistical purposes. However, the service
does not use the recipient data of our newsletter to approach recipients
directly nor do they pass the information on to third parties.

Commercial communication by E-Mail, Postal Mail, Fax or Telephone

We process personal data for the purposes of promotional communication, which
may be carried out via various channels, such as e-mail, telephone, post or
fax, in accordance with the legal requirements.

The recipients have the right to withdraw their consent at any time or to
object to the advertising communication at any time.

After withdrawal or objection, we may store the data required to prove consent
for up to three years on the basis of our legitimate interests before we
delete them. The processing of these data is limited to the purpose of a
possible defense against claims. An individual deletion request is possible at
any time, provided that the former existence of a consent is affirmed.

  • Processed data types: Inventory data (e.g. names,
    addresses), Contact data (e.g. e-mail, telephone numbers).
  • Data subjects: Communication partner (Recipients of
    e-mails, letters, etc.).
  • Purposes of Processing: Direct marketing (e.g. by e-mail or
    postal).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate
    Interests (Article 6 (1) (f) GDPR).

Sweepstakes and Contests

We process the personal data of participants in We process personal data of
participants in competitions, contents, raffles, prize-draws or sweepstakes
(hereinafter referred to as “competitions”) only in compliance with the
relevant data protection regulations and if the processing is contractually
necessary for the provision, execution and handling of the competition, the
participants have consented to the processing or the processing serves our
legitimate interests (e.g. in the security of the competition or the
protection of our interests against misuse by possible recording of IP
addresses when submitting entries to the competition.

In the event that entries are published as part of the competitions (e.g. as
part of a vote or presentation of the competition entries, or the winner or
reporting on the competition), we would like to point out that the names of
participants may also be published in this context. The participants can
object to this at any time.

If the competitions take place within an online platform or a social network
(e.g. Facebook or Instagram, hereinafter referred to as “online platform”),
the usage and data protection provisions of the respective online platforms
also apply. In such cases, we would like to point out that we are responsible
for the information provided by the participants as part of the competition
and that we must be contacted with regard to the competitions.

The data of the participants will be deleted as soon as the competition has
ended and the data is no longer required to inform the winners or because
questions about the competition can be expected. In general, the data of the
participants will be deleted at the latest 6 months after the end of the
competition. Winners’ data can be retained for a longer period of time, e.g.
in order to answer questions about the prizes or to fulfil the prizes; in this
case, the retention period depends on the type of prize and is up to three
years for items or services, e.g. in order to be able to process warranty
claims. Furthermore, the participants’ data may be stored for longer, e.g. in
the form of coverage of the competition in online and offline media.

Insofar as data was collected for other purposes as part of the competition,
its processing and storage period shall be governed by the privacy information
for this use (e.g. in the case of registration for a newsletter as part of a
competition).

  • Processed data types: Inventory data (e.g. names,
    addresses), Content data (e.g. text input, photographs, videos).
  • Data subjects: Participants in sweepstakes and
    competitions.
  • Purposes of Processing: Conducting sweepstakes and
    contests.
  • Legal Basis: Performance of a contract and prior requests
    (Article 6 (1) (b) GDPR).

Surveys and Questionnaires

For the execution of surveys and competitions (especially our annual reader
survey) we primarily use the service “Typeform” of TYPEFORM S.L. (Carrer Bac de Roda, 163, 08018 Barcelona), Spain. You can
view the service provider’s
privacy policy here. The
service provider is assigned on the basis of our legitimate interests in
accordance with. Art. 6 para. 1 (f) GDPR and an Order Processing Agreement in
accordance with Art. 28 para. 3 p. 1 GDPR.

In addition to the answers to the questions of the survey, access data (e.g.
the processing time of the survey) is also stored. Access data includes the
name of the requested website, file, date and time of access, amount of data
transferred, report whether the site was successfully retrieved, browser type
and version, the user’s operating system, the referrer URL (the site visited
before coming to our site), the user’s IP address, and the requesting internet
service provider. The access data is already transferred to Typeform when the
survey is called up; the answers are not transferred until the survey is sent.
Further information on the data collected can be found in Typeform’s data
protection regulations and in the conditions of participation of the
respective survey.

Information on legal basis: If we ask the participants for
their consent to the processing of their data, this is the legal basis for the
processing, otherwise the processing of the participants’ data is based on our
legitimate interests in conducting an objective survey.

  • Processed data types: Contact data (e.g. e-mail, telephone
    numbers), Content data (e.g. text input, photographs, videos), Usage data
    (e.g. websites visited, interest in content, access times),
    Meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partner (Recipients of
    e-mails, letters, etc.), Users (e.g. website visitors, users of online
    services).
  • Purposes of Processing: contact requests and communication,
    Direct marketing (e.g. by e-mail or postal), Targeting (e.g. profiling based
    on interests and behaviour, use of cookies), Feedback (e.g. collecting
    feedback via online form).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate
    Interests (Article 6 (1) (f) GDPR).

Web Analysis and Optimization

Web analysis is used to evaluate the visitor traffic on our website and may
include the behaviour, interests or demographic information of users, such as
age or gender, as pseudonymous values. With the help of web analysis we can
e.g. recognize, at which time our online services or their functions or
contents are most frequently used or requested for repeatedly, as well as
which areas require optimization.

In addition to web analysis, we can also use test procedures, e.g. to test and
optimize different versions of our online services or their components.

For these purposes, so-called user profiles can be created and stored in a
file (so-called “cookie”) or similar procedures in which the relevant user
information for the aforementioned analyses is stored. This information may
include, for example, content viewed, web pages visited and elements and
technical data used there, such as the browser used, computer system used and
information on times of use. If users have consented to the collection of
their location data, these may also be processed, depending on the provider.

The IP addresses of the users are also stored. However, we use any existing IP
masking procedure (i.e. pseudonymisation by shortening the IP address) to
protect the user. In general, within the framework of web analysis, A/B
testing and optimisation, no user data (such as e-mail addresses or names) is
stored, but pseudonyms. This means that we, as well as the providers of the
software used, do not know the actual identity of the users, but only the
information stored in their profiles for the purposes of the respective
processes.

Information on legal basis: If we ask the users for their
consent to the use of third party providers, the legal basis of the processing
is consent. Furthermore, the processing can be a component of our
(pre)contractual services, provided that the use of the third party was agreed
within this context. Otherwise, user data will be processed on the basis of
our legitimate interests (i.e. interest in efficient, economic and recipient
friendly services). In this context, we would also like to refer you to the
information on the use of cookies in this privacy policy.

VG Word / Scalable Central measurement method: We use
“session cookies” from VG Wort, Munich, to measure access to texts in order to
determine the probability of their being copied. Session cookies are small
units of information that a provider stores in the main memory of the
visitor’s computer. A randomly generated unique identification number, a
so-called session ID, is stored in a session cookie. In addition, a cookie
contains information about its origin and the period of storage. Session
cookies cannot store other data. These measurements are carried out by Kantar
Germany GmbH according to the Scalable Central Measuring Method (SZM). They
help to determine the copy probability of individual texts for remuneration of
legal claims of authors and publishers. We do not collect personal data via
cookies.

With the Scalable Central Measurement Method, anonymous measurement values are
collected. The access number measurement uses alternatively a session cookie
or a signature, which is created from various automatically transmitted
information of your browser, for the recognition of computer systems. IP
addresses are only processed in anonymised form. The procedure was developed
in compliance with data protection. The sole aim of the procedure is to
determine the probability of individual texts being copied. At no time are
individual users identified. Their identity always remains protected. USers
will not receive any advertising via the system.

  • Processed data types: Usage data (e.g. websites visited,
    interest in content, access times), Meta/communication data (e.g. device
    information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services).
  • Purposes of Processing: Web Analytics (e.g. access
    statistics, recognition of returning visitors), Targeting (e.g. profiling
    based on interests and behaviour, use of cookies), Conversion Tracking,
    Profiling (Creating user profiles).
  • Security measures: IP Masking (Pseudonymization of the IP
    address).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate
    Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

Onlinemarketing

We process personal data for the purposes of online marketing, which may
include in particular the marketing of advertising space or the display of
advertising and other content (collectively referred to as “Content”) based on
the potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file
(so-called “cookie”) or similar procedure in which the relevant user
information for the display of the aforementioned content is stored. This
information may include, for example, content viewed, websites visited, online
networks used, communication partners and technical information such as the
browser used, computer system used and information on usage times. If users
have consented to the collection of their sideline data, these can also be
processed.

The IP addresses of the users are also stored. However, we use provided IP
masking procedures (i.e. pseudonymisation by shortening the IP address) to
ensure the protection of the user’s by using a pseudonym. In general, within
the framework of the online marketing process, no clear user data (such as
e-mail addresses or names) is secured, but pseudonyms. This means that we, as
well as the providers of online marketing procedures, do not know the actual
identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or similar
memorizing procedures. These cookies can later, generally also on other
websites that use the same online marketing technology, be read and analyzed
for purposes of content display, as well as supplemented with other data and
stored on the server of the online marketing technology provider.

Exceptionally, clear data can be assigned to the profiles. This is the case,
for example, if the users are members of a social network whose online
marketing technology we use and the network links the profiles of the users in
the aforementioned data. Please note that users may enter into additional
agreements with the social network providers or other service providers, e.g.
by consenting as part of a registration process.

As a matter of principle, we only gain access to summarised information about
the performance of our advertisements. However, within the framework of
so-called conversion measurement, we can check which of our online marketing
processes have led to a so-called conversion, i.e. to the conclusion of a
contract with us. The conversion measurement is used alone for the performance
analysis of our marketing activities.

Unless otherwise stated, we kindly ask you to consider that cookies used will
be stored for a period of two years.

Information on legal basis: If we ask users for their consent
(e.g. in the context of a so-called “cookie banner consent”), the legal basis
for processing data for online marketing purposes is this consent. Otherwise,
user data will be processed on the basis of our legitimate interests (i.e.
interest in the analysis, optimisation and economic operation of our online
services. In this context, we would also like to refer you to the information
on the use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g. websites visited,
    interest in content, access times), Meta/communication data (e.g. device
    information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services), Prospective customers.
  • Purposes of Processing: Targeting (e.g. profiling based on
    interests and behaviour, use of cookies), Remarketing, Conversion Tracking,
    Interest-based and behavioral marketing, Profiling (Creating user profiles),
    Conversion tracking (Measurement of the effectiveness of marketing
    activities), Web Analytics (e.g. access statistics, recognition of returning
    visitors).
  • Security measures: IP Masking (Pseudonymization of the IP
    address).
  • Legal Basis: Consent (Article 6 (1) (a) GDPR), Legitimate
    Interests (Article 6 (1) (f) GDPR).
  • Opt-Out: We refer to the privacy policies of the respective
    service providers and the possibilities for objection (so-called “opt-out”).
    If no explicit opt-out option has been specified, it is possible to
    deactivate cookies in the settings of your browser. However, this may
    restrict the functions of our online offer. We therefore recommend the
    following additional opt-out options, which are offered collectively for
    each area: a) Europe:
    https://www.youronlinechoices.eu. b) Canada:
    https://www.youradchoices.ca/choices. c) USA:
    https://www.aboutads.info/choices. d) Cross-regional:
    https://optout.aboutads.info.

Services and service providers being used:

  • Google Tag Manager: Google Tag Manager is a solution with
    which we can manage so-called website tags via an interface and thus
    integrate other services into our online services. The Tag Manager itself
    (which implements the tags) does not process any personal user data. With
    regard to the processing of users’ personal data, reference is made to the
    information below regarding Google services. Service provider: Google
    Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent
    company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043,
    USA; Website:
    https://marketingplatform.google.com; Privacy Policy:
    https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing
    data in the USA):
    https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
  • Google Analytics
    This website uses functions of the web analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
    Google Analytics enables the website operator to analyze the behavior patterns of website visitors. To that end, the website operator receives a variety of user data, such as pages accessed, time spent on the page, the utilized operating system and the user’s origin. This data is assigned to the respective end device of the user. An assignment to a user-ID does not take place.
    Furthermore, Google Analytics allows us to record your mouse and scroll movements and clicks, among other things. Google Analytics uses various modeling approaches to augment the collected data sets and uses machine learning technologies in data analysis.
    Google Analytics uses technologies that make the recognition of the user for the purpose of analyzing the user behavior patterns (e.g., cookies or device fingerprinting). The website use information recorded by Google is, as a rule transferred to a Google server in the United States, where it is stored.
    The use of these services occurs on the basis of your consent pursuant to Art. 6(1)(a) GDPR and § 25(1) TTDSG. You may revoke your consent at any time.
    Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.
    Browser plug-in
    You can prevent the recording and processing of your data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
    For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.
    Google Signals We use Google Signals. Whenever you visit our website, Google Analytics records, among other things, your location, the progression of your search and YouTube progression as well as demographic data (site visitor data). This data may be used for customized advertising with the assistance of Google Signal. If you have a Google account, your site visitor information will be linked to your Google account by Google Signal and used to send you customized promotional messages. The data is also used to compile anonymized statistics of our users’ online patterns.
    Contract data processing
    We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.
  • Google Ad Manager: We use the “Google Marketing Platform”
    (and services like “Google Ad Manager”) to place ads in the Google
    advertising network (e.g., in search results, in videos, on websites, etc.).
    The Google Marketing Platform” is characterised by the fact that ads are
    displayed in real time according to the presumed interests of the users.
    This allows us to display ads for and within our online services in a more
    targeted manner in order to present users only with ads that potentially
    match their interests. If, for example, a user is shown ads for products in
    which he is interested on other online offers, this is referred to as
    “remarketing”. Service provider: Google Ireland Limited, Gordon House,
    Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600
    Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:
    https://marketingplatform.google.com; Privacy Policy:
    https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing
    data in the USA):
    https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
  • Google Adsense with non-personalized ads: We use the Google
    Adsense service with non-personalized ads, which helps us to display ads
    within our online services and we receive a remuneration for their display
    or other use. ; Service provider: Google Ireland Limited, Gordon House,
    Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600
    Amphitheatre Parkway, Mountain View, CA 94043, USA; Website:
    https://marketingplatform.google.com; Privacy Policy:
    https://policies.google.com/privacy; Privacy Shield (Safeguarding the level of data protection when processing
    data in the USA):
    https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
  • Data transfer with Zapier: For the automated transfer of
    required user data between the various marketing tools (e.g. to transfer a
    newsletter registration via the reader survey to our mailing service
    provider ConvertKit or the transfer of shop orders to our shipping service
    provider), we use the software “Zapier
    from the provider Zapier, Inc. 548 Market St #62411, San Francisco,
    California 94104, USA. Zapier is used on the basis of our legitimate
    interests in accordance with Art. Art. 6 para. 1 (f) GDPR and an Order
    Processing Agreement is used in accordance with Art. 28 para. 3 p. 1 GDPR.
    Zapier is certified under the
    Privacy Shield Agreement
    and thus offers a guarantee to comply with the European data protection
    standards. You can view the
    service provider’s privacy policy here. The transferred user data includes answers from our reader surveys and
    other forms, names and e-mail addresses.
  • Promotions via Kickofflabs: For raffles and promotions, we
    use the software “Kickofflabs” from
    the provider KickoffLabs LLC, 4111 E Madison St #19, Seattle, Washington
    98112, USA. Kickofflabs is used on the basis of our legitimate interests in
    accordance with Art. Art. 6 para. 1 (f) GDPR and an Order Processing
    Agreement is used in accordance with Art. 28 para. 3 p. 1 GDPR. Kickofflabs
    is certified under the
    Privacy Shield Agreement
    and thus offers a guarantee to comply with the European data protection
    standards. You can view the
    service provider’s privacy policy here. The transferred user data includes answers from our reader surveys and
    other forms, names and e-mail addresses.

Profiles in Social Networks (Social Media)

We maintain online presences within social networks and process user data in
this context in order to communicate with the users active there or to offer
information about us.

We would like to point out that user data may be processed outside the
European Union. This may entail risks for users, e.g. by making it more
difficult to enforce users’ rights. With regard to US providers certified
under the Privacy Shield or offering comparable guarantees of a secure level
of data protection, we would like to point out that they thereby commit
themselves to comply with EU data protection standards.

In addition, user data is usually processed within social networks for market
research and advertising purposes. For example, user profiles can be created
on the basis of user behaviour and the associated interests of users. The user
profiles can then be used, for example, to place advertisements within and
outside the networks which are presumed to correspond to the interests of the
users. For these purposes, cookies are usually stored on the user’s computer,
in which the user’s usage behaviour and interests are stored. Furthermore,
data can be stored in the user profiles independently of the devices used by
the users (especially if the users are members of the respective networs or
will become members later on).

For a detailed description of the respective processing operations and the
opt-out options, please refer to the respective data protection declarations
and information provided by the providers of the respective networks.

Also in the case of requests for information and the exercise of rights of
data subjects, we point out that these can be most effectively pursued with
the providers. Only the providers have access to the data of the users and can
directly take appropriate measures and provide information. If you still need
help, please do not hesitate to contact us.

  • Processed data types: Inventory data (e.g. names,
    addresses), Contact data (e.g. e-mail, telephone numbers), Content data
    (e.g. text input, photographs, videos), Usage data (e.g. websites visited,
    interest in content, access times), Meta/communication data (e.g. device
    information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services).
  • Purposes of Processing: contact requests and communication,
    Targeting (e.g. profiling based on interests and behaviour, use of cookies),
    Remarketing.
  • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Services and service providers being used:

Plugins and embedded functions and content

Within our online services, we integrate functional and content elements that
are obtained from the servers of their respective providers (hereinafter
referred to as “third-party providers”). These may, for example, be graphics,
videos or social media buttons as well as contributions (hereinafter uniformly
referred to as “Content”).

The integration always presupposes that the third-party providers of this
content process the IP address of the user, since they could not send the
content to their browser without the IP address. The IP address is therefore
required for the presentation of these contents or functions. We strive to use
only those contents, whose respective offerers use the IP address only for the
distribution of the contents. Third parties may also use so-called pixel tags
(invisible graphics, also known as “web beacons”) for statistical or marketing
purposes. The “pixel tags” can be used to evaluate information such as visitor
traffic on the pages of this website. The pseudonymous information may also be
stored in cookies on the user’s device and may include technical information
about the browser and operating system, referring websites, visit times and
other information about the use of our website, as well as may be linked to
such information from other sources.

Information on legal basis: If we ask users for their consent
(e.g. in the context of a so-called “cookie banner consent”), the legal basis
for processing is this consent. Otherwise, user data will be processed on the
basis of our legitimate interests (i.e. interest in the analysis, optimisation
and economic operation of our online services. We refer you to the note on the
use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g. websites visited,
    interest in content, access times), Meta/communication data (e.g. device
    information, IP addresses), Contact data (e.g. e-mail, telephone numbers),
    Content data (e.g. text input, photographs, videos), Inventory data (e.g.
    names, addresses).
  • Data subjects: Users (e.g. website visitors, users of
    online services), Communication partner (Recipients of e-mails, letters,
    etc.).
  • Purposes of Processing: Provision of our online services
    and usability, Contractual services and support, contact requests and
    communication, Direct marketing (e.g. by e-mail or postal), Targeting (e.g.
    profiling based on interests and behaviour, use of cookies), Interest-based
    and behavioral marketing, Profiling (Creating user profiles), Security
    measures, Managing and responding to inquiries.
  • Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR),
    Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior
    requests (Article 6 (1) (b) GDPR).

Services and service providers being used:

Erasure of data

The data processed by us will be erased in accordance with the statutory
provisions as soon as their processing is revoked or other permissions no
longer apply (e.g. if the purpose of processing this data no longer applies or
they are not required for the purpose).

If the data is not deleted because they are required for other and legally
permissible purposes, their processing is limited to these purposes. This
means that the data will be restricted and not processed for other purposes.
This applies, for example, to data that must be stored for commercial or tax
reasons or for which storage is necessary to assert, exercise or defend legal
claims or to protect the rights of another natural or legal person.

Further information on the erasure of personal data can also be found in the
individual data protection notices of this privacy policy.

Changes and Updates to the Privacy Policy

We kindly ask you to inform yourself regularly about the contents of our data
protection declaration. We will adjust the privacy policy as changes in our
data processing practices make this necessary. We will inform you as soon as
the changes require your cooperation (e.g. consent) or other individual
notification.

If we provide addresses and contact information of companies and organizations
in this privacy policy, we ask you to note that addresses may change over time
and to verify the information before contacting us.

Rights of Data Subjects

As data subject, you are entitled to various rights under the GDPR, which
arise in particular from Articles 15 to 21 of the GDPR:

  • Right to Object: You have the right, on grounds arising from your
    particular situation, to object at any time to the processing of your
    personal data which is based on letter (e) or (f) of Article 6(1) GDPR ,
    including profiling based on those provisions.    Where personal data are processed for direct marketing purposes, you
    have the right to object at any time to the processing of the personal
    data concerning you for the purpose of such marketing, which includes
    profiling to the extent that it is related to such direct
    marketing.
  • Right of withdrawal for consents: You have the right to
    revoke consents at any time.
  • Right of access: You have the right to request confirmation
    as to whether the data in question will be processed and to be informed of
    this data and to receive further information and a copy of the data in
    accordance with the provisions of the law.
  • Right to rectification: You have the right, in accordance
    with the law, to request the completion of the data concerning you or the
    rectification of the incorrect data concerning you.
  • Right to Erasure and Right to Restriction of Processing: In
    accordance with the statutory provisions, you have the right to demand that
    the relevant data be erased immediately or, alternatively, to demand that
    the processing of the data be restricted in accordance with the statutory
    provisions.
  • Right to data portability: You have the right to receive
    data concerning you which you have provided to us in a structured, common
    and machine-readable format in accordance with the legal requirements, or to
    request its transmission to another controller.
  • Complaint to the supervisory authority: You also have the
    right, under the conditions laid down by law, to lodge a complaint with a
    supervisory authority, in particular in the Member State of your habitual
    residence, place of work or place of the alleged infringement if you
    consider that the processing of personal data relating to you infringes the
    GDPR.

Terminology and Definitions

This section provides an overview of the terms used in this privacy policy.
Many of the terms are drawn from the law and defined mainly in Article 4 GDPR.
The legal definitions are binding. The following explanations, on the other
hand, are intended above all for the purpose of comprehension. The terms are
sorted alphabetically.

  • Content Delivery Network (CDN): A “Content Delivery
    Network” (CDN) is a service with whose help contents of our online services,
    in particular large media files, such as graphics or scripts, can be
    delivered faster and more securely with the help of regionally distributed
    servers connected via the Internet.
  • Controller: “Controller” means the natural or legal person,
    public authority, agency or other body which, alone or jointly with others,
    determines the purposes and means of the processing of personal data.
  • Conversion Tracking: “Conversion Tracking” refers to a
    procedure by which the effectiveness of marketing measures can be
    determined. As a rule, a cookie is stored on the devices of the users within
    the websites on which the marketing measures are carried out and then called
    up again on the target website (e.g. this enables us to track whether the
    ads we placed on other websites were successful).
  • Conversion tracking: Conversion tracking is a method used
    to evaluate the effectiveness of marketing measures. For this purpose, a
    cookie is usually stored on the devices of the users within the websites on
    which the marketing measures take place and then called up again on the
    target website (e.g. we can thus trace whether the advertisements placed by
    us on other websites were successful).
  • IP Masking: IP masking is a method by which the last octet,
    i.e. the last two numbers of an IP address, are deleted so that the IP
    address alone can no longer be used to uniquely identify a person. IP
    masking is therefore a means of pseudonymising processing methods,
    particularly in online marketing.
  • Interest-based and behavioral marketing: Interest-related
    and/or behaviour-related marketing is the term used when potential user
    interest in advertisements and other content is predicted if possible. This
    is done on the basis of information on the previous behaviour of users (e.g.
    visiting and staying on certain websites, purchasing behaviour or
    interaction with other users), which is stored in a so-called profile. For
    these purposes cookies are usually used.
  • Personal Data: “personal data” means any information
    relating to an identified or identifiable natural person (“data subject”);
    an identifiable natural person is one who can be identified, directly or
    indirectly, in particular by reference to an identifier such as a name, an
    identification number, location data, an online identifier or to one or more
    factors specific to the physical, physiological, genetic, mental, economic,
    cultural or social identity of that natural person.
  • Processing: The term “processing” covers a wide range and
    practically every handling of data, be it collection, evaluation, storage,
    transmission or erasure.
  • Profiling: “Profiling” means any automated processing of
    personal data consisting in the use of such personal data to analyse,
    evaluate or predict certain personal aspects relating to a natural person
    (depending on the type of profiling, this includes information regarding
    age, gender, location and movement data, interaction with websites and their
    contents, shopping behaviour, social interactions with other people) (e.g.
    interests in certain contents or products, click behaviour on a website or
    the location). Cookies and web beacons are often used for profiling
    purposes.
  • Remarketing: Remarketing” or “retargeting” is the term
    used, for example, to indicate for advertising purposes which products a
    user is interested in on a website in order to remind the user of these
    products on other websites, e.g. in advertisements.
  • Targeting: Tracking” is the term used when the behaviour of
    users can be traced across several websites. As a rule, behavior and
    interest information with regard to the websites used is stored in cookies
    or on the servers of the tracking technology providers (so-called
    profiling). This information can then be used, for example, to display
    advertisements to users presumably corresponding to their interests.
  • Web Analytics: Web Analytics serves the evaluation of
    visitor traffic of online services and can determine their behavior or
    interests in certain information, such as content of websites. With the help
    of web analytics, website owners, for example, can recognize at what time
    visitors visit their website and what content they are interested in. This
    allows them, for example, to optimize the content of the website to better
    meet the needs of their visitors. For purposes of web analytics,
    pseudonymous cookies and web beacons are frequently used in order to
    recognise returning visitors and thus obtain more precise analyses of the
    use of an online service.

Words & Photos: Aaron Steinke