Privacy Policy
In this privacy policy, we inform you about the processing of personal data when using our website. Personal data is information that relates to an identified or identifiable person. This includes, in particular, details that allow conclusions to be drawn about your identity, such as your name, your telephone number, your address, or email address. Statistical data that we collect, for example, during a visit to our website and that cannot be linked to you, do not fall under the definition of personal data.
1. Person responsible and contact
The contact person and so-called responsible party for the processing of your personal data when visiting this website, within the meaning of the General Data Protection Regulation (GDPR), is:
Bridgemaker GmbH
Linienstraße 86
10119 Berlin
Email: privacy@bridgemaker.com
For all questions regarding data protection in connection with our products and services or the use of our website, you can also contact our data protection officer at any time. He/She can be reached at the above postal address as well as at the email address provided above (keyword: “to the attention of the data protection officer”). We expressly point out that when using this email address, the contents are not read exclusively by our data protection officer. If you wish to exchange confidential information, please first request direct contact via this email address.
2. Data processing on our website
2.1 Accessing our website / Connection data
When you use our website (which is displayed via Framer), we process connection data that your browser automatically transmits to enable your visit to the website. This connection data includes the so-called HTTP header information, including the user agent, and particularly includes:
IP address of the requesting device;
Method (e.g., GET, POST), date and time of the request;
Address of the requested website and path of the requested file;
if applicable, the previously requested website/file (HTTP referrer);
Information about the browser and operating system used;
Version of the HTTP protocol, HTTP status code, size of the delivered file;
Request information such as language, type of content, content encoding, character sets;
Cookies stored on the device for the requested domain.
Processing this connection data is necessary to enable the visit to the website, ensure the continuous functionality and security of our systems, and to generally maintain our website administratively. The connection data is also temporarily stored in internal log files for the aforementioned purposes, restricted to the absolute minimum content needed, to identify and address the cause in the event of repeated accesses or accesses with criminal intent that threaten the stability and security of our website. The legal basis for this processing is Article 6(1)(b) GDPR, provided that the page view occurs in the context of the initiation or execution of a contract, and otherwise Article 6(1)(f) GDPR due to our legitimate interest in enabling the website access as well as ensuring the continuous functionality and security of our systems. However, the automatic transmission of connection data and the resulting log files does not constitute access to the information on the device in the sense of the implementation laws of the ePrivacy Directive of EU member states, in Germany § 25 TTDSG. Moreover, it would be absolutely necessary anyway. The log files are stored and subsequently anonymized. Exceptionally, individual log files and IP addresses are retained for a longer period to prevent further attacks from this IP address in the event of cyber-attacks and/or to pursue legal action against the attackers.
2.2 Contact
Every time you use our website (which is displayed via Framer), we process connection data that your browser automatically transmits in order to enable your visit to the website. This connection data includes so-called HTTP header information, including the user agent, and specifically includes:
IP address of the requesting device;
Method (e.g., GET, POST), date and time of the request;
Address of the requested website and path of the requested file;
possibly the previously accessed website/file (HTTP referer);
Information about the browser and operating system used;
Version of the HTTP protocol, HTTP status code, size of the delivered file;
Request information such as language, type of content, encoding of content, character sets;
cookies stored on the device for the requested domain.
Processing this connection data is necessary to allow the visit to the website, to ensure the long-term functionality and security of our systems, and to generally maintain our website administratively. The connection data is also stored temporarily, and limited in content to the essentials, in internal log files for the purposes described above, to find the cause and take action in the event of repeated calls or calls with criminal intent, which jeopardize the stability and security of our website. The legal basis for this processing is Art. 6 Para. 1 lit. b GDPR, provided that the page view occurs in the context of establishing or executing a contract, and otherwise Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in enabling the website access and the long-term functionality and security of our systems. However, the automatic transmission of the connection data and the resulting log files do not constitute access to information on the end device as understood by the implementation laws of the ePrivacy directive of EU member states, in Germany § 25 TTDSG. Nevertheless, it would be absolutely necessary in any case. The log files are stored and subsequently anonymized. Exceptionally, individual log files and IP addresses are retained for longer to prevent further attacks from this IP address in the case of cyber attacks and/or to take action against the attackers through criminal prosecution.
2.3 Use of ChatGPT in the provision of the Business Model – AI service
If you want to use our artificial intelligence offer to find answers to your business problem, your data, as described in 2.2.2, will be processed in the ChatGPT Business tool. For this purpose, data is forwarded to the service provider OpenAI, which is offered to individuals from the European Economic Area and Switzerland by OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland, and to all other individuals by OpenAI, L.L.C., 3180 18th Street, San Francisco, California 94110, USA. More information about the ChatGPT Business tool used can be found here: https://openai.com/de/policies/eu-terms-of-use and https://openai.com/enterprise-privacy. Please note that the ChatGPT tool provided by the service provider OpenAI is an artificial intelligence. However, with the Business version of the tool that we use, any training of the tool with your data is prohibited. The legal basis for this processing is Art. 6 para. 1 lit. b GDPR, as far as your information is required to answer your inquiry or to initiate or execute a contract, and otherwise Art. 6 para. 1 lit. f GDPR, to facilitate the provision of the service. We will only contact you for advertising purposes if you have given your consent for this. The data will be stored by ChatGPT until the purposes are achieved and no (legal) retention periods stand in the way.
2.4 Applications
You can apply for open positions through our applicant management system provided by our processor Personio (Personio GmbH, Rundfunkplatz 4, 80335 Munich, Germany), which you can access via our careers page. The purpose of data collection is to select applicants for a possible establishment of an employment relationship. For the acceptance and processing of your application, we collect the following data in particular:
First and last name;
Email address;
Phone number;
Application documents (e.g. certificates, CV);
Date of earliest possible job entry;
Salary expectations.
Mandatory fields are marked with an asterisk (*). The legal basis for processing your application data is Art. 6 para. 1 lit. b and Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG. We store your personal data upon receipt of your application. If we accept your application and it leads to an employment relationship, we will store your application data for as long as it is necessary for the employment relationship and as long as legal regulations require storage. If we reject your application, we will store your application data for a maximum of six months after the rejection of your application, unless you provide us with your consent for longer storage. If you have separately given us your consent in accordance with Art. 6 para. 1 lit. a GDPR, we will store your data transmitted as part of the application in our pool of applicants for another twelve months after the recruitment process has ended, in order to identify any further interesting positions for you and to possibly contact you again. After the expiration of the deadline, the data will be deleted. You can revoke this consent at any time with effect for the future.
3. Use of tools on the website
3.1 Technologies used
This website uses various services and applications (collectively referred to as "tools"), which are either provided by us or by third parties. These include, in particular, tools that use technologies to store or access information on the end device:
Cookies: information stored on the end device, consisting in particular of a name, a value, the storing domain, and an expiration date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the set expiration date. Cookies can also be removed manually.
Web Storage (Local Storage / Session Storage): information stored on the end device, consisting of a name and a value. Information in session storage is deleted after the session, whereas information in local storage has no expiration date and remains stored as a rule, unless a deletion mechanism has been established (e.g. storage of local storage with a time entry). Information in local and session storage can also be removed manually.
JavaScript: programming codes (scripts) embedded in or called by the website, which, for example, set cookies and web storage or actively collect information from the end device or the behaviour of the visitors. JavaScript can be used for "active fingerprinting" and the creation of usage profiles. JavaScript can be blocked by a setting in the browser, but then most services may not function properly.
Pixels: tiny graphics automatically loaded by a service, which can enable the recognition of visitors through the automatic transmission of the usual connection data (in particular IP address, information about browser, operating system, language, address accessed, and time of access) and, for example, determine the opening of an email or the visit of a website. Using pixels allows for "passive fingerprinting" and the creation of usage profiles. The use of pixels can be prevented, for example, by blocking images, such as in emails, although this will greatly limit the display.
Using these technologies and also through the simple connection established on a page, so-called "fingerprints" can be created, i.e. usage profiles that can recognize visitors even without the use of cookies or web storage. Fingerprints based on the connection cannot be completely prevented manually. Most browsers are set by default to accept cookies, to execute scripts, and to display graphics. However, you can usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you completely block the storage of cookies, the display of graphics, and the execution of scripts, our services will likely not function or not function smoothly. Below we list the tools we use, categorized, while informing you in particular about the providers of the tools, the storage duration of cookies or information in local storage and session storage, as well as the transfer of data to third parties. It will also be explained when we obtain your voluntary consent for the use of the tools and how you can revoke this consent. Should – even with the greatest care – the information in the consent banner contradict those in this privacy policy, the information in this privacy policy shall take precedence.
3.2 Legal basis and withdrawal
3.2.1 Legal Basis
3.2.2 Obtaining Your Consent
3.2.3 Withdrawal of Your Consent or Change of Your Selection
You can withdraw your consent for certain tools, that is, for the storage and access to information on the device, the processing of your personal data, and the transfer of your data to third countries, at any time with effect for the future. To do this, click the button on the right side at the end of the website. There you can also change the selection of the tools for which you wish to give consent, as well as obtain additional information about the tools used. Alternatively, you can assert your withdrawal directly with the provider of certain tools.
3.3 Necessary Tools
We use certain tools to enable the basic functions of our website (“necessary tools”). This includes, for example, tools for preparing and displaying website content, for managing and integrating tools, for providing payment processing services, for fraud detection and prevention, and for ensuring the security of our website. Without these tools, we could not provide our service. Therefore, necessary tools are used without consent. The legal basis for necessary tools is the necessity to fulfill our legitimate interests pursuant to Art. 6 (1) lit. f GDPR in providing the respective basic functions and operating our website. In cases where providing the respective website functions is necessary to fulfill a contract or to carry out pre-contractual measures, the legal basis for data processing is Art. 6 (1) lit. b GDPR. Access to and storage of information on the end device is absolutely necessary in these cases and is based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (2) TTDSG. In case personal data is transferred to third countries (such as the USA), we refer, in addition to the information provided below, to Section 6 (“Data transfer to third countries”).
3.3.1 Google reCAPTCHA
Our website uses the Google reCAPTCHA service, which is offered for users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”).
reCAPTCHA prevents automated software (so-called bots) from performing abusive activities on the website, i.e., it checks whether the inputs made actually come from a human. To do this, reCAPTCHA uses JavaScript and stores cookies and information in Local Storage on your device. Specifically, the following data is processed:
Referrer URL (address of the page from which the visitor came);
IP address;
Cookies set by Google;
Snapshot of the browser window;
User input behaviour (e.g., answering the reCAPTCHA question, input speed in form fields, order of selection of input fields by the user, number of mouse clicks);
Technical information: browser type, browser plugins, browser size and resolution, date, language setting, rendering instructions (CSS), and scripts (JavaScript).
For this purpose, the following cookies may be set and read by reCAPTCHA: “_GRECAPTCHA” (6 months). In addition, the following cookies are also embedded and stored in Local Storage to distinguish between humans and robots: “rc::d-15#”, “rc::a” (permanent), “rc::b” (for the duration of the session), “rc::c” (for the duration of the session), “rc::f” (permanent). Furthermore, Google reads the cookies of other Google services like Gmail, Search, and Analytics. If you do not wish this association with your Google account, it is necessary for you to log out of Google before accessing a page where we have integrated Google reCAPTCHA. The data mentioned is transmitted to Google in encrypted form. Google’s evaluation determines how the Captcha is displayed on the site. The use of reCAPTCHA is statistically evaluated. According to Google, your data is not used for personalized advertising. The legal basis is the necessity to fulfill a contract or to carry out pre-contractual measures according to Art. 6 (1) lit. b GDPR, for example, in the context of registering a user account, using a contact form, or subscribing to a newsletter. Google reCAPTCHA serves to protect IT security, ensure the stability of our website, and prevent abuse. Part of the data may also be processed on servers in the USA. In case personal data is transferred to the USA or other third countries, this occurs based on Art. 49 (1) sentence 1 lit. b GDPR, to enable the fulfillment of a contract with you or to carry out pre-contractual measures. For more information, please refer to Section 6 (“Data transfer to third countries”).
Further information can be found:
in Google’s privacy policy: https://policies.google.com/privacy;
in Google’s terms of service: https://policies.google.com/terms
3.4 Analysis Tools
To improve our website, we use optional tools to recognize visitors as well as for the statistical collection and analysis of general usage behavior based on access data ("analytics tools"). We also use analytics services to evaluate the usage of our various marketing channels. The collected usage information is aggregated and enables us to understand the usage habits of our visitors. This serves to adapt and optimize the design of our website and to make the user experience more pleasant. The legal basis for the analytics tools is – unless otherwise specified – your consent according to Art. 6 para. 1 lit. a GDPR. Access to and storage of information on the end device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. For revocation of your consent, see 3.2.3: "Revocation of your consent or change of your selection". In the event that personal data is transferred to third countries (such as the USA), your consent explicitly also covers the transfer of data (Art. 49 para. 1 lit. a GDPR). Please refer to section 6 ("Data transfer to third countries") for the associated risks.
3.4.1 Google Analytics 4
Our website then uses the service Google Analytics 4 ("Google Analytics"), which is offered for individuals from Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other individuals by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google"). Google Analytics uses JavaScript and pixels to read information on your end device, as well as cookies to store information on your end device. This serves to analyze your usage behavior and improve our website. We will process the obtained information to evaluate your use of the website and to compile reports on website activities for the website operators. The data generated in this context may be transferred to and stored on a server in the USA by Google for evaluation. In its evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of data. This is particularly for predictive metrics on future behavior of visitors based on structured event data, such as predicted revenue, purchase probability and churn probability. The predictive metrics can also be used for predictive target groups. You can learn more about this at: https://support.google.com/analytics/answer/9846734. In addition, Google Analytics 4 models conversions where there is not enough data available to optimize evaluation and reports. Information on this can be found at: https://support.google.com/analytics/answer/10710245. Data evaluations are carried out automatically using artificial intelligence or based on specific individually defined criteria. More information can be found at: https://support.google.com/analytics/answer/9443595.
The following privacy settings have been made in Google Analytics:
IP anonymization (truncation of the IP address before evaluation);
Automatic deletion of old visit logs by limiting the retention period to 2 months;
No reset of the retention period with new activity;
Deactivation of the collection of exact location and position data;
Deactivation of the collection of exact device data;
Deactivated advertising function (including audience remarketing through GA Audience);
Deactivated remarketing;
Deactivated cross-device and cross-site tracking (Google Signals);
Deactivated data sharing with other Google products and services, benchmarking, technical support, account manager.
The following data is processed by Google Analytics:
IP address;
User-ID, Google-ID (Google Signals) and/or device ID;
Referrer URL (previously visited page);
Pages visited (date, time, URL, title, duration of visit);
Events and activities (e.g., scroll activity, downloaded files, clicked links to other websites, interaction with videos and forms, search queries);
if applicable, achievement of certain goals (conversions);
Technical information: Operating system; browser type, version and language; device type, brand, model and resolution;
Approximate location (country and possibly city, based on anonymized IP address).
Google Analytics sets the following cookies for the indicated purpose with the respective retention period:
"_ga" (2 years), "_gid" (24 hours): Recognition and differentiation of visitors through a User-ID;
"_ga_[GA-ID]" (2 years): Retention of the information of the current session;
"_gac_gb_[GA-ID]" (90 days): Storage of campaign-related information and possibly linking with Google Ads conversion tracking;
if applicable, "IDE" (390 days): Recognition and differentiation of visitors through a User-ID, capturing interactions with ads, displaying personalized ads.
For more information about cookies from Google Analytics 4, see: https://support.google.com/analytics/answer/11397207?hl=en.
The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 lit. a GDPR. Access to and storage of information on the end device is then based on the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementation Decision (EU) 2021/914, Module 3) in accordance with Art. 46 para. 2 lit. c GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49 para. 1 lit. a GDPR. More information can be found in Google's privacy policy: https://support.google.com/analytics/answer/6004245.
3.5 Marketing Tools
We also use optional tools for advertising purposes ("marketing tools"). Some of the access data generated while using our website is used to create usage profiles, which particularly store your usage behavior, the ads you viewed or clicked on, and the classification into advertising categories, interests and preferences that arise from this. By analyzing and evaluating this access data, we can present you with personalized advertising, meaning advertising that corresponds to your actual interests and needs, on our website and on the websites and services of other providers. In doing so, we also analyze your usage behavior to recognize you again on other pages and address you personally based on your use of our site (so-called retargeting). Furthermore, we evaluate the effectiveness and success of our advertising campaigns (in particular so-called conversions and leads). Marketing tools also include optional tools from social networks that serve to share posts and content across these networks ("social media plugins"). The legal basis for the marketing tools is your consent in accordance with Art. 6 para. 1 lit. a GDPR, which you provide via the consent banner or when using the respective tool by allowing its use via an overlay banner. Access to and storage of information on the end device then occurs on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. For the withdrawal of your consent, see 3.2.3: "Withdrawal of your consent or change of your selection." In the event that personal data is transferred to third countries (such as the USA), your consent expressly also extends to the data transfer (Art. 49 para. 1 lit. a GDPR). Please find the associated risks in section 6 ("Data transfer to third countries").
In the following section, we would like to explain these technologies and the providers involved in more detail. The collected data may include in particular:
the IP address of the device;
the information of a cookie and in local or session storage;
the device ID of mobile devices (e.g. device ID, advertising ID);
Referrer URL (previously visited page);
Accessed pages (date, time, URL, title, duration of stay);
Downloaded files;
Clicked links to other websites;
if applicable, achievement of specific goals (conversions);
Technical information: operating system; browser type, version and language; device type, brand, model and resolution;
Approximate location (country and possibly city).
The collected data is, however, stored exclusively in a pseudonymous form, so that no direct conclusions can be drawn about individuals.
3.5.1 HubSpot
Our website uses services from HubSpot Ireland Limited at 2nd Floor 30 North Wall Quay, Dublin 1, Ireland ("HubSpot") to incorporate cookies via "gstatic" or Google reCAPTCHA.
The following cookies are stored in local storage to distinguish between humans and robots:
"rc::d-15#" (permanent): distinction between human and robot;
"rc::a" (permanent): distinction between human and robot;
"rc::b" (for the duration of the session): distinction between human and robot;
"rc::c" (for the duration of the session): distinction between human and robot;
"rc::f" (permanent): distinction between human and robot.
For more information about cookies, please refer to HubSpot's website: https://knowledge.hubspot.com/de/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser and to Cloudflare's website: https://support.cloudflare.com/hc/en-us/articles/200170156-Understanding-the-Cloudflare-Cookies. The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information on the end device then occurs on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. We have entered into a data processing agreement with HubSpot. The data collected in this regard may be transferred by HubSpot to a server in the USA and stored there. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with HubSpot (Implementing Decision (EU) 2021/914, Module 2) in accordance with Art. 46 para. 2 lit. c GDPR. Additionally, we also obtain your express consent in accordance with Art. 49 para. 1 lit. a GDPR for the transfer of your data to third countries. For more information, please refer to HubSpot's privacy policy: https://legal.hubspot.com/privacy-policy.
3.5.2 Typeform
Our website uses the Typeform service from Typeform S.L., Carrer Bac de Roda, 163, 08018 Barcelona, Spain ("Typeform"). Typeform is used to provide engaging forms and surveys through which we collect information about you, realize email notification sign-ups, or conduct surveys on specific topics. Mandatory fields have been marked accordingly. Once you press the submit button, your data will be transmitted to us and Typeform. Typeform uses scripts that access information on your end device, as well as cookies that are stored on your end device. Your data is stored on servers in the USA.
The following data is processed by Typeform:
IP address;
Your data entered in the form;
Technical information about your device, your browser, your operating system, and your selected language;
Access information about the accessed page, the previously visited page, and the time of the visit;
Usage data through the evaluation of information, particularly from cookies and scripts.
Typeform sets and reads the following cookies:
"AWSALBTG" (7 days) and "AWSALBTGCORS" (7 days): registers which server cluster serves the visitor. This is used in conjunction with load balancing to optimize user experience;
"ld:#:$diagnostics" (permanent): Monitoring website performance for statistical purposes;
"visitorId" (2 years): maintains user status across page requests;
"cookie_support" (for the duration of the session): saves your selection of whether you accept or reject analytical cookies.
The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information on the end device then occurs on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. We have entered into a data processing agreement with Typeform. To the extent that Typeform engages processors with their registered office outside the EU or transfers or stores the data in third countries (such as the USA), Typeform has established adequate guarantees such as standard contractual clauses. Additionally, we also obtain your express consent in accordance with Art. 49 para. 1 lit. a GDPR for the transfer of your data to third countries. For more information, please refer to Typeform's privacy policy: https://admin.typeform.com/to/dwk6gt/.
4. Online presences on social networks
We maintain online presences in social networks to communicate with customers and interested parties, among other things, and to inform them about news from Bridgemaker. User data is usually processed by the respective social networks for market research and advertising purposes. Usage profiles can be created based on the interests of users. For this purpose, cookies and other identifiers are stored on users' computers. Based on these usage profiles, advertising can be displayed within social networks as well as on third-party websites. As part of the operation of our online presences, we may have access to information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may contain, in particular, demographic information (e.g., age, gender, region, country) and data on interactions with our online presences (e.g., likes, subscriptions, shares, views of images and videos) and the posts and content disseminated there. They may also provide insight into the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to adapt the design of our activities and content on the online presence and optimize it for our audience. For details and links to the data from the social networks that we can access as operators of the online presences, please refer to the list below. The collection and use of these statistics is usually subject to joint responsibility. If applicable, the corresponding agreement is listed below. The legal basis for data processing is Art. 6 Para. 1 lit. f GDPR, based on our legitimate interest in effectively informing users and communicating with users, or Art. 6 Para. 1 lit. b GDPR to stay in contact with our customers and inform them as well as to carry out pre-contractual measures with future customers and interested parties.
If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. Furthermore, the social network may allow us to contact you. This can be done, for example, via direct messages or through posted entries. The substantive communication over the social network and the processing of the content data are the responsibility of the social network as the messenger and platform service. As soon as we transfer or further process personal data from you into our own systems, we are independently responsible for this, and this is done for the purpose of carrying out pre-contractual measures and fulfilling a contract in accordance with Art. 6 Para. 1 lit. b GDPR.
The legal basis for the data processing carried out by the social networks under their own responsibility can be found in the data protection notices of the respective social network. You can also find more information on the respective data processing and the options for objection under the links below.
We would like to point out that data protection inquiries are most efficiently addressed to the respective provider of the social network, as only these providers have access to the data and can directly take appropriate measures. Below is a list with information on the social networks on which we operate online presences:
Facebook (USA and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Operation of the Facebook fan page under joint responsibility based on an agreement on joint processing of personal data (so-called Page Insights Addendum regarding the controller): https://www.facebook.com/legal/terms/page_controller_addendum
- Information about the processed Page Insights data and the contact possibility in case of data protection inquiries: https://www.facebook.com/legal/terms/information_about_page_insights_data
- Privacy policy: https://www.facebook.com/about/privacy/
- Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.
Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Instagram Business Account based on an agreement on joint processing of personal data (so-called Page Insights Addendum regarding the controller): https://www.facebook.com/legal/terms/page_controller_addendum
- Information about the processed Page Insights data and the contact possibility in case of data protection inquiries: https://www.facebook.com/legal/terms/information_about_page_insights_data
- Privacy policy: https://help.instagram.com/519522125107875
- Opt-Out (Statement): https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE
Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
- Privacy policy: https://policies.google.com/privacy
- Opt-Out: https://www.google.com/settings/ads.
Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
- Privacy policy: https://twitter.com/de/privacy
- Opt-Out: https://twitter.com/personalization.
Xing/Kununu (New Work SE, Am Strandkai 1, 20457 Hamburg)
- Privacy policy/Opt-Out: https://privacy.xing.com/de/datenschutzerklaerung.
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
- Operation of the LinkedIn company page under joint responsibility based on an agreement on the joint processing of personal data (so-called Page Insights Joint Controller Addendum): https://legal.linkedin.com/pages-joint-controller-addendum
- Information about the processed Page Insights data and the contact possibility in case of data protection inquiries: https://legal.linkedin.com/pages-joint-controller-addendum
- Privacy policy: https://www.linkedin.com/legal/privacy-policy
- Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
5. Sharing of data
Data that we collect will generally only be shared if:
you have given your explicit consent in accordance with Article 6(1)(a) of the GDPR,
the sharing is necessary for the assertion, exercise or defence of legal claims in accordance with Article 6(1)(f) of the GDPR and there is no reason to assume that you have an overriding legitimate interest in not sharing your data,
we are legally obliged to share under Article 6(1)(c) of the GDPR, particularly if this is required due to official requests, court orders and legal proceedings for enforcement, or
it is legally permissible and necessary for the performance of contractual relationships with you or for the execution of pre-contractual measures that are carried out at your request in accordance with Article 6(1)(b) of the GDPR.
Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include in particular data centres that host our website and databases, software providers, IT service providers that maintain our systems, agencies, market research firms, group companies, and consulting firms. If we share data with our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and contracted by us. They are contractually bound to our instructions, have appropriate technical and organisational measures to protect the rights of the data subjects, and are regularly monitored by us. A current list of the service providers we use includes Slicemedia and Magic Design. Furthermore, data may be shared in connection with official requests, court orders, and legal proceedings when it is necessary for enforcement purposes.
6. Data transmission to third countries
As explained in this privacy policy, we use services whose providers are partially located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, meaning countries whose level of data protection does not match that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision for these countries (Art. 45 GDPR), we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. This includes, among other things, the standard contractual clauses of the European Union or binding internal data protection regulations. Where this is not possible, we base the data transfer on exceptions under Art. 49 GDPR, particularly your explicit consent or the necessity of the transfer for the performance of a contract or for conducting pre-contractual measures. If a transfer to a third country is planned and no adequacy decision or suitable guarantees are in place, there is a risk that authorities in the respective third country (e.g., intelligence services) may gain access to the transmitted data in order to collect and analyze it, and that enforcement of your rights as a data subject cannot be guaranteed. We also inform you about this when obtaining your consent through the cookie banner. If your personal data is transferred to a company in the USA that is currently certified under the EU-U.S. Data Privacy Framework of June 10, 2023, the transfer takes place on the basis of the adequacy decision for the USA according to Art. 45 GDPR.
7. Retention period
In principle, we only store personal data for as long as is necessary to fulfil the purposes for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidential purposes for civil claims or due to legal retention obligations. For evidential purposes, we will retain contract data for three years from the end of the year in which our business relationship with you ends. Under the statutory limitation period, any claims become time-barred at this point at the earliest. Even after that, we may still have to keep your data for accounting reasons. We are obliged to do so due to statutory documentation requirements, which may arise from the Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act, and the Securities Trading Act. The stipulated retention periods for documents range from two to ten years.
8. Your rights, in particular the right of withdrawal and objection
You have the rights set out in Articles 7(3), 15 to 21, and 77 of the GDPR, provided that the relevant legal conditions are met:
Right to withdraw your consent (Article 7(3) GDPR);
Right to object to the processing of your personal data (Article 21 GDPR);
Right to access your personal data processed by us (Article 15 GDPR);
Right to rectify any inaccurate personal data stored by us (Article 16 GDPR);
Right to deletion of your personal data (Article 17 GDPR);
Right to restrict the processing of your personal data (Article 18 GDPR);
Right to be informed about the recipients upon request (Article 19(2) GDPR);
Right to data portability of your personal data (Article 20 GDPR);
Right to lodge a complaint with a supervisory authority (Article 77 GDPR).
To exercise the rights described here, you can contact us at the contact details mentioned above at any time. This also applies if you would like to receive copies of guarantees to demonstrate an adequate level of data protection. If the relevant legal conditions are met, we will comply with your data protection request. Your inquiries regarding the exercise of data protection rights and our responses will be stored for documentation purposes for up to three years, and in individual cases also beyond that for the assertion, exercise, or defence of legal claims. The legal basis is Article 6(1)(f) GDPR, based on our interest in defending against possible civil claims under Article 82 GDPR, avoiding fines under Article 83 GDPR, and fulfilling our accountability obligations under Article 5(2) GDPR.
You have the right to withdraw your consent at any time. This means that we will no longer continue the data processing based on that consent in the future. The legality of processing carried out on the basis of your consent until the withdrawal is not affected by the withdrawal of consent. To the extent that we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons related to your particular situation. If the objection concerns processing for direct marketing purposes, you have a general right to object, which will be implemented by us without the need to provide reasons. If you wish to exercise your right of withdrawal or objection, a simple informal notification to the contact details mentioned above is sufficient.
Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can exercise this right at a supervisory authority in the Member State of your residence, your workplace, or the location of the alleged infringement. In Berlin, our location, the competent supervisory authority is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin.
9. Changes to the Privacy Policy
We occasionally update this privacy policy, for example when we adapt our website or when legal or regulatory requirements change.
Version: 2.0 / Date: 08 February 2024