1. Controller
1.1 Data Processing under Sole Responsibility
If you have registered or wish to register as a user on one of our websites, Baufi24 Baufinanzierung GmbH is responsible for the data processing carried out by us or on our behalf in the context of our websites and the services we offer. You can reach us at the following contact details:
Baufi24 Baufinanzierung GmbH
Kattrepelsbrücke 1
20095 Hamburg
If you have any questions regarding data protection or wish to contact our Data Protection Officer, please write to us at the postal address mentioned above with the addition "Data Protection" or contact us via the email address: datenschutz@baufi24.de.
1.2 Joint Data Processing Responsibility
The companies of the Bilthouse Group also process personal data under joint responsibility within the meaning of Article 26 GDPR. This means that Bilthouse GmbH, Baufi24 Baufinanzierung GmbH, Hüttig & Rompf GmbH, FinLink GmbH, Bilthouse Service GmbH, creditweb GmbH, and Kredit24 GmbH, all located at Kattrepelsbrücke 1, 20095 Hamburg (collectively referred to as the “Parties”), have entered into an agreement on joint responsibility for data processing in accordance with Article 26 GDPR. It has been agreed that the Parties jointly process personal data to optimally handle and distribute customer inquiries within the Bilthouse Group. Baufi24, Hüttig & Rompf, and Creditweb each acquire customers for their own brand, but customers may be referred within the Bilthouse Group to ensure better, coordinated customer service and, if necessary, to respond to excess demand.
Furthermore, it has been agreed that each Party is independently responsible for the data processing it carries out, including all rights and obligations arising from it, such as handling data subject rights. Nevertheless, data subjects may contact any of the Parties at the above contact details with their concerns and claims at any time.
2. Purposes and legal bases of data processing
2.1 Data processing for the provision of our services
We process personal data to manage contractual relationships and, if necessary, to provide tailored contract offers. We collect and process personal data to the extent necessary for the provision of functionalities on our websites and/or for the execution of our contractual relationship. This includes, in particular, the email address, and, if applicable, the name or salutation chosen, to ensure that only registered persons have access to certain functions of our websites, to provide user-specific optimized services, and, if necessary, to communicate regarding the use of our services.
In addition, we process data relevant to the consulting process. The personal data we process and use in this context includes information/documents about the person, such as name, address, email address, telephone number, marital status, occupation, personal financial circumstances and liabilities, income and expenses; information/documents about the financing object or the use of the loan; information/documents about financing and processing, such as balance, interest, term, disbursement requirements, application status, processing status, as well as information/documents about follow-up financing, such as remaining balance, rate, interest rate at the end of the fixed-interest period(s), and the current financing bank.
For all forms, we only collect the personal data that is absolutely necessary for the initiation or execution of contractual relationships. The collection of data that is not absolutely necessary, but in which we are interested to optimize the fulfilment of purposes, is optional. In this case, you can decide voluntarily whether and which data we should receive.
The legal basis for data processing is Article 6(1)(b) GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.
2.2 Data processing in the context of mortgage financing
For the preparation of your mortgage financing offer, we rely on a network of specialized advisors. This network is managed by companies within our corporate group, to whom we transmit the data you provide for the preparation of the offer. Based on the data we transmit, an advisor from the network will be identified to prepare your offer. For the advisor to prepare your offer and contact you, the data you entered on our website will be transmitted. You can find an overview of how your request is handled on this website: https://www.baufi24.de/finanzierungsablauf/.
The legal basis for data processing is Article 6(1)(b) GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.
Your advisor will contact you after receiving the data to further support you with your project. He or she will act as a real estate loan broker. Your advisor uses specialized online services to determine the most suitable mortgage financing for you, which allow comparisons of financing options from more than 500 banks. This software is operated by third-party service providers, to whom your application data will be transmitted as necessary. Your advisor will provide you with the mandatory information required by Article 14 GDPR for these service providers.
The legal basis for the data processing for the preparation of the offer by your advisor is Article 6(1)(b) GDPR, as the advisor’s activity is based on your request and serves to prepare the conclusion of a contract for the mediation of mortgage financing.
If you instruct the advisor to continue supporting your financing project, the legal basis for the corresponding processing of your data is also Article 6(1)(b) GDPR, as it is necessary for the execution of the respective contract.
2.3 Data Processing in the context of the “apply for an instalment loan” function
If you use the “apply for an instalment loan” function, you are using a service provided by Kredit24 GmbH that is integrated into our websites. The privacy policies of Kredit24 apply to this service, available at Kredit24 GmbH Privacy Policy, as well as the privacy policies of the Europace marketplace, available at Europace Privacy Policy.
The legal basis for the data processing for the preparation of the financing offer is Article 6(1)(b) GDPR, as the data processing is carried out at your request and serves to prepare the conclusion of a contract for an instalment loan.
2.4 Data processing in the context of property search and disclosure to partner
If you wish to use our service ImmoPartner, it is necessary for you to provide us with the required data about the property you are seeking. We use this data to find suitable property offers for you. For this purpose, the data is anonymized and transmitted to our partners (e.g., real estate agents, developers, new construction sales organizations, construction companies) who provide these property offers.
The voluntary provision of personal data enables us to offer you content or services that, by their nature, can only be offered to users who provide us with their personal data and information about their property search.
With your consent, we will also transmit an anonymized copy of your financing certificate, which your personal advisor has created for you, to our partners. This is done to increase your chances of obtaining a property, as our partners thus receive information about your general creditworthiness. No personal data is transmitted to our partners. The service ImmoPartner is only offered as part of a personal consultation with one of our referred financing advisors. With your consent, we will contact you by email to send you the property offers received from our partners and to further support you with your project.
The legal basis for this use of your data is your consent in accordance with Article 6(1)(a) GDPR. Your consent can be revoked at any time with effect for the future. Revoking your consent does not affect the lawfulness of processing based on consent before its withdrawal.
2.5 Data processing in the context of online application
As part of our online application processes, we use a service provided by Byteplant GmbH Software Solutions & Consulting, Heilsbronner Str. 4, 91564 Neuendettelsau, Germany (“Byteplant”), to validate the telephone numbers entered. The verification is carried out solely for the purpose of checking whether the specified telephone number is technically reachable (so-called telephone validation). The entered number is transmitted to Byteplant, and a real-time check is performed. The verification is purely technical. No calls or personal contacts are initiated. Byteplant processes the telephone number exclusively for the purpose of validation and automatically deletes all personal data no later than 14 days after transmission. No storage or further use takes place. Further information can be found in the Byteplant Privacy Policy.
The use of the telephone validation service is based on your consent in accordance with Article 6(1)(a) GDPR or - if required for contract initiation - on Article 6(1)(b) GDPR. You can revoke your consent at any time with effect for the future.
2.6 Data processing in the context of the customer account
Upon creation of a customer account, we process the data you provide in order to manage the customer account and to enable you to use the services we offer in connection with your customer account.
In addition to the data you provide, further data may be processed depending on your use of our services in connection with your customer account. This may include, for example, calculation results for financing, financing inquiries and offers, property searches and evaluations, communication with us, as well as personal preferences.
The legal basis for data processing is Article 6(1)(b) GDPR, which permits the processing of data for the fulfilment of a contract or pre-contractual measures.
2.7 Data processing for communication purposes
In addition to contract data, we process communication data (name, address, telephone number, email address) to handle inquiries and/or to contact affected persons and/or to send (possibly automated) notifications in the context of our contractual services. Personal data that is communicated to us by email or via another communication channel that we provide is used only for correspondence with the data subject or only for the purpose for which the data was provided to us. Depending on the individual case, the following data may be processed. This can include in particular the name, first name, address, company if applicable, IP address if applicable and the date and time of sending if applicable.
The processing of this data is based on Article 6(1)(b) GDPR, provided that the communication is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling inquiries addressed to us (Article 6(1)(f) GDPR) or on consent (Article 6(1)(a) GDPR) if such consent has been obtained. You can revoke your consent at any time with effect for the future. Revocation can be declared via the settings in the consent management tool used, if applicable, or by email. The lawfulness of data processing carried out up to the point of revocation remains unaffected.
2.8 Email Newsletter/Advertising
If you would like to subscribe to an email newsletter offered by us, we require your email address and information that allows us to verify that you are the owner of the specified email address and that you agree to receive email notifications. If you give your consent not as a logged-in user but via a publicly accessible form, we will send an email to the address you have provided with a confirmation link after your entry in order to complete the double opt-in procedure. If you do not confirm your registration, your information will be blocked and automatically deleted after one month.
The only mandatory information for subscribing to the newsletter is your email address. The provision of any additional data that is marked separately is voluntary and is used to address you personally. In addition, we store your IP address and the times of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, where necessary, to clarify any possible misuse of your personal data. We do not collect any further data in this context. This data is used exclusively for sending the requested email notifications. If we use a processor for sending emails, we comply with the applicable data protection laws.
Data processing is based on your consent in accordance with Article 6(1)(a) GDPR. You can revoke your consent to receive email notifications at any time with effect for the future and unsubscribe from the respective newsletter. You can declare your revocation by clicking on the link provided in each email or by sending a message to us using the contact details provided in section 1. The lawfulness of data processing carried out up to the point of revocation remains unaffected.
2.9 Data transfer to and processing by third parties
Users of our services may have the opportunity to transmit data to third parties. This may occur in the context of contract fulfilment, for example, when making a consultation request, or based on consent. In such cases, it may be necessary to actively select whether personal data should be transmitted to the respective third party.
If, for example, you submit a consultation request through one of our websites, the data you provide will be transmitted to our relevant partners, who will be named in the context of the transmission or beforehand as part of the contract conclusion process. Each company is solely responsible for the data it enters, generates, and/or processes. If you have questions about how your data is handled by such a company, especially regarding data protection, please contact the respective company and refer to their privacy notices.
Third parties may, if applicable, use your data for subsequent contact and for the purposes specified in the context of your request or consent, e.g., for the purpose of advice or (pre-)contractual measures. The third party then acts as its own controller for the further processing of the data transmitted. Users must therefore assert their so-called data subject rights (see below), etc., directly with the respective third party.
If the processing of the aforementioned data is necessary for the initiation or execution of a contractual relationship, the legal basis is Article 6(1)(b) GDPR. Otherwise, the data processing is based on consent in accordance with Article 6(1)(a) GDPR. Consent given can be revoked at any time with effect for the future. A simple notification to us and/or, if applicable, to the respective third party is sufficient. The lawfulness of data processing carried out up to the point of revocation remains unaffected.
2.10 Cookies
We use cookies on some of our websites and apps in order to provide website-specific services. Cookies are small text files that are stored on the user’s device and may contain data relating to the respective user in order to enable access to various functions. Cookies are stored on the device that is being used and may be read by us from there. As a result, you have control over the use of cookies. By changing your settings, you may be able to disable or restrict the transmission of cookies and, for example, reject third-party cookies or cookies in general. However, if you disable cookies for our services, you may not be able to use all of the functions or services that we offer.
We use necessary cookies that are required in order to provide the services that we owe and to ensure the functionality of our services. The legal basis for setting these cookies is Section 25(2) No. 2 TDDDG. Any processing of personal data in this context is based on Article 6(1)(b) GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures, or on Article 6(1)(f) GDPR, which permits data processing to protect the legitimate interests of the controller, provided that the interests or fundamental rights and freedoms of the data subject do not override the controller’s interests. Our legitimate interest lies in ensuring the provision of the functionalities of our services.
For the use of other non-essential cookies, we obtain your consent in advance. The setting of these cookies is then based on your consent in accordance with Section 25(1) TDDDG and any processing of personal data in this context is based on Article 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future. The lawfulness of the data processing carried out on the basis of your consent before its revocation remains unaffected.
2.11 Trustpilot
If you allow us to request a review of our financing advice, we will send you an email at a later time. This email will contain a link to the relevant page of one of our partners, such as ausgezeichnet.org or trustpilot.com. You are not obligated to leave a review and you may revoke your consent at any time.
The legal basis for this processing is Article 6(1)(a) GDPR. The data that we require as proof that you agreed to receive the email will be deleted after the statutory retention period for such proof has expired. In the event of a revocation, we will immediately delete your consent and the associated personal data.
2.12 Google Analytics
On some of our websites, we may use Google Analytics, integrated via Google Tag Manager, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”), provided you have consented to this data processing. Google Analytics uses so-called “cookies,” text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server and stored there. This may also involve transmission to servers of Google LLC in the USA.
When you visit our website, we may assign you a so-called Client ID. This Client ID is newly assigned for each browser you use, unless the corresponding cookie is already stored in it. If you have a user account on our website, we also assign you a User ID and link it to your consent and the Client ID(s). Unlike the User ID, we cannot assign Client IDs to specific individuals without a user account. The IDs are stored using a cookie named _ga, which has a lifespan of 2 years. When you visit our website with your browser, this cookie is read by us to retrieve the ID(s) and restart the cookie’s lifespan. As soon as you log in to our website, we can link your previously pseudonymous Client IDs to your unique User ID, even if usage occurs across different browsers.
Using your pseudonymous Client ID or, where available, your personal User ID, we create personalized statistics with your consent in order to understand how you use our website. For this purpose, we use the following data. We use technical information about the browser and device used, such as language settings and screen resolution. We use information about the website or advertisement that led you to our website. We record whether you perform certain actions on our website, so-called conversions, such as requesting a financing offer or opening a customer account. We also record your use of our website, for example which links are clicked, how long you stay on a particular page and from which website you leave our offer.
The evaluations created in this way allow us to understand how you use our website and which advertising measures are successful. This enables us to optimize our website, in particular its structure, content and functions, as well as our advertising measures and thus our business success. The personal reference of the data is stored for 14 months after your last use of our website. Data whose storage period has been reached is automatically deleted once a month.
Since IP anonymization is activated on our website when using Google Analytics, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google LLC server in the USA and shortened there. Google will use this information to evaluate your use of the respective website, compile reports on website activity, and provide other services related to website and internet usage to us.
Further information on terms of use and data protection can be found in the Google Analytics Terms of Service and in the Google Policies.
Important notice regarding data processing in the United States: The data protection standard in the USA is considered inadequate by the European Court of Justice, and there is a risk that your data may be processed by US authorities for monitoring and surveillance purposes without legal remedies.
The data processing described above is based on your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR in conjunction with Art. 49 (1) sentence 1 lit. a GDPR and, insofar as data stored on the device used is collected and processed, pursuant to § 25 (1) TDDDG. You can revoke your consent at any time with effect for the future - for example, via our Consent Management Tool or by contacting us at the contact details provided in Section 1. The lawfulness of processing carried out until revocation remains unaffected.
2.13 Property Valuation
For the automated valuation of real estate, we transmit property and location data, which may include the complete property address, to PriceHubble AG, Uraniastrasse 31, 8001 Zurich, Switzerland. PriceHubble processes this data exclusively on our behalf to calculate the market value of the property and does not disclose it to third parties.
The legal basis for this processing is Article 6 (1) (b) GDPR, as the valuation is carried out at your request and for the performance of pre-contractual measures.
2.14 Google Maps
On some of our websites, we may use the Google Maps map service via an API. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
To use the functions of Google Maps, it is necessary to store your IP address. This information is generally transmitted to a Google server in the United States and stored there. The provider of this website has no influence over this data transmission.
Further information on how Google handles user data can be found in Google’s privacy policy.
Important notice regarding data processing in the United States: According to the Court of Justice of the European Union, the level of data protection in the United States is considered insufficient. There is a risk that your data may be accessed and processed by U.S. authorities for monitoring and surveillance purposes and that you may not have effective legal remedies against such processing.
The data processing described above may take place based on your consent pursuant to Article 6 (1) sentence 1 (a) GDPR in conjunction with Article 49 (1) sentence 1 (a) GDPR and, insofar as data stored on the device you use is collected and processed, pursuant to Section 25 (1) TDDDG. You may withdraw your consent at any time with effect for the future—for example, via our Consent Management Tool or by contacting us using the contact details provided in Section 1. The lawfulness of the processing carried out prior to withdrawal remains unaffected.
2.15 Google Ads
On some of our websites, we may use Google Remarketing Tags, provided that you have consented to this data processing. These are services provided by Google that use cookies stored on your device to enable an analysis of your website usage. The information generated by the cookie about your use of this website is generally transmitted to and stored on a Google server, as described in the previous section; this may include transmission to servers of Google LLC in the United States. Google uses this information to evaluate your use of the website, compile reports on website activity for website operators, and provide other services related to website and internet usage. Google may also transfer this information to third parties where required by law or where third parties process this data on Google’s behalf. Third-party providers, including Google, display advertisements on websites across the Internet. Third-party providers, including Google, use stored cookies to serve ads based on a user’s previous visits to this website. Google will under no circumstances associate your IP address with other data held by Google. You can object to the collection and storage of data at any time with effect for the future. You may deactivate Google’s use of cookies by visiting the page for disabling Google advertising. Please note, however, that doing so may prevent you from using all functions of this website to their full extent. Further information about terms of use and data protection can be found in the Terms of Service for Google Analytics and in Google’s Privacy Policies.
Important notice regarding data processing in the United States: According to the Court of Justice of the European Union, the level of data protection in the United States is considered insufficient. There is a risk that your data may be accessed and processed by U.S. authorities for monitoring and surveillance purposes and that you may not have effective legal remedies against such processing.
The data processing described above may take place based on your consent pursuant to Article 6 (1) sentence 1 (a) GDPR in conjunction with Article 49 (1) sentence 1 (a) GDPR and, insofar as data stored on the device you use is collected and processed, pursuant to Section 25 (1) TDDDG. You may withdraw your consent at any time with effect for the future—for example, via our Consent Management Tool or by contacting us using the contact details provided in Section 1. The lawfulness of the processing carried out prior to withdrawal remains unaffected.
2.16 Microsoft Advertising / Bing Ads
On some of our websites, we use Microsoft Advertising, formerly Bing Ads, a web analytics service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”), for website analysis, provided you have given your consent for this data processing. In this context, Microsoft sets a cookie on your device if you have accessed our website via a Microsoft advertisement. Microsoft and we can thereby recognize that someone clicked on one of our ads and was redirected to one of our pre-defined target pages. Additionally, Microsoft may use cross-device tracking to follow user behaviour across multiple electronic devices, enabling the display of personalized advertising on Microsoft websites and in Microsoft apps. We only receive the total number of users who clicked on a Bing Ads advertisement and were subsequently redirected to the respective target page. Microsoft collects, processes, and uses information via the cookie to create pseudonymized usage profiles. These usage profiles are used to analyse visitor behaviour and to serve advertisements. According to Microsoft, no personal information identifying the user is processed.
Further information regarding data protection and the cookies used by Microsoft and Bing Ads can be found in the Microsoft Privacy Statement and on Microsoft’s website under Microsoft Advertising Policies and Agreements.
Important notice regarding data processing in the United States: According to the Court of Justice of the European Union, the level of data protection in the United States is considered insufficient. There is a risk that your data may be accessed and processed by U.S. authorities for monitoring and surveillance purposes and that you may not have effective legal remedies against such processing.
The data processing described above is carried out, where applicable, based on your consent under Article 6(1)(a) GDPR in conjunction with Article 49(1)(a) GDPR, and insofar as data stored on your device is collected and processed under Section 25(1) TDDDG. You may withdraw your consent at any time with effect for the future—e.g., via our Consent Management Tool or by sending a message to the contact details provided in Section 1. The lawfulness of any processing carried out prior to the withdrawal remains unaffected.
2.17 Microsoft Clarity
On some of our websites, we use the web analytics software Microsoft Clarity provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Clarity helps us understand how visitors interact with our websites and allows us to optimize the user experience. For example, it provides insights into how much time users spend on specific pages and which links or areas are clicked most frequently. On the basis of these insights, we can better tailor our digital offerings to the needs of our visitors.
Microsoft Clarity uses cookies and other technologies to collect information about the behaviour of visitors and about their devices. In particular, this includes the IP address of the device, screen size, device type, information about the browser used and the geographic location at country level. This information is stored by Microsoft Clarity in a pseudonymized user profile. Neither Microsoft Clarity nor we use this information to identify individual users and it is not combined with other personal data. Further information can be found in the Microsoft Clarity Privacy Policy within the Microsoft Privacy Statement as well as on Microsoft’s website under Microsoft Advertising Policies and Agreements.
Data is also processed in the United States by Microsoft in the context of Microsoft Clarity. Important notice regarding data processing in the United States: According to the Court of Justice of the European Union, the level of data protection in the United States is considered insufficient. There is a risk that your data may be accessed and processed by U.S. authorities for monitoring and surveillance purposes and that you may not have effective legal remedies against such processing.
Provided that data subjects have consented to the use of Microsoft Clarity by us and the associated data processing, the storage of cookies in the context of Microsoft Clarity and the processing of personal data, in particular for the analysis of usage behaviour, takes place on the basis of this consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR in conjunction with Art. 49 (1) sentence 1 lit. a GDPR and §25 (1) TDDDG. Data subjects may withdraw their consent at any time with effect for the future by adjusting the settings in our Consent Management Tool. The lawfulness of data processing carried out on the basis of consent prior to withdrawal remains unaffected by such withdrawal.
2.18 Data processing in the context of our Facebook company page & Facebook Pixel
We operate a company page (fan page) on the social network facebook.com (“Facebook”) of Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. For operating the Facebook fan page, we share joint responsibility with Facebook within the meaning of Art. 26 GDPR. The agreement on joint responsibility can be found in the so-called Facebook Controller Addendum.
The type and scope of information you provide to Facebook, the associated purposes of data processing by Facebook, its lawfulness, as well as information on exercising your rights can be found in Meta’s Privacy Policy.
We receive so-called page insights from Facebook for our page. Page insights are aggregated data that allow us to gain insights into how people interact with our page. The generation and provision of these Page Insights is carried out under Facebook’s responsibility, and we have no influence over them. This also applies to data processing that is carried out exclusively for Facebook’s purposes. Facebook also assumes all obligations under the GDPR with regard to the processing of insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR, and Articles 32 to 34 GDPR).
The purpose of processing the data provided by Facebook on our part is the statistical evaluation of the use of our fan page. This enables us, for example, to determine preferred visiting and posting times of our users and to use this information to optimize our posts and our fan page. In addition, we process personal data that you have made publicly available on Facebook (e.g., real names in the user profile) as well as data directly related to activities on our fan page (e.g., posts, likes, tags), also for the purpose of communicating with you.
We also use Facebook Pixel for conversion measurement. This allows us to track the behaviour of visitors to our online activities when they are redirected to our offers by clicking on a Facebook ad. In this way, we can evaluate the effectiveness of our Facebook ads for statistical and market research purposes and optimize future advertising measures. The data collected in this context is anonymous to us, and we cannot draw any conclusions about the identity of the users concerned. However, the data is stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy. This enables Facebook to display advertisements on Facebook pages as well as outside of Facebook. We, as the page operator, cannot influence this use of the data. You can deactivate the remarketing function “Custom Audiences” in the Facebook advertising preferences. To do this, you must be logged in to Facebook.
The legal basis for data processing is Art. 6 (1) sentence 1 lit. b GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures, insofar as the data is processed in accordance with Facebook’s terms of use; otherwise, insofar as we have data protection responsibility, Art. 6 (1) sentence 1 lit. f GDPR, which permits the processing of data to safeguard the legitimate interests of the controller, provided that the interests or fundamental rights and freedoms of the data subject do not override these interests. Our interest lies in providing content and communicating with Facebook users as well as improving the reach and effectiveness of our posts.
Please assert your rights to access, rectification, erasure, restriction of processing, and data portability of your stored Insights data directly against Facebook, as Facebook has assumed the corresponding obligations:
Meta Platforms Ireland Limited
4 Grand Canal Square
Dublin 2, Ireland
2.19 Data Processing in the Context of Our LinkedIn Company Page
We operate a company page on the social network linkedin.com, which is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”), and receive so-called Page Analytics from LinkedIn. We are jointly responsible with LinkedIn for the operation of the LinkedIn company page within the meaning of Article 26 GDPR.
The type and scope of information processed or provided by LinkedIn, the related purposes of data processing by LinkedIn, the lawfulness of such processing, and information on exercising data subject rights can be found in LinkedIn’s privacy policy and the agreement on joint responsibility. Page Analytics consists of aggregated data that allow us to understand how users interact with our pages. The generation and provision of these Page Analytics are the responsibility of LinkedIn, and we have no influence over them. LinkedIn assumes all obligations under the GDPR regarding the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR, and Articles 32 to 34 GDPR).
The purpose of processing the data provided by LinkedIn on our part is the statistical evaluation of the use of our company page. This enables us, for example, to determine preferred visiting and posting times and to use these insights to optimize our posts and our company page. In addition, we process personal data you have made publicly available on LinkedIn (e.g., real names in the user profiles) as well as data directly related to activities on our company page (e.g., posts, likes, comments, tags), also for the purpose of communication.
The legal basis for the above data processing is Article 6(1)(a) GDPR. If the relevant consent has been given to LinkedIn, it can be withdrawn at any time with effect for the future directly with LinkedIn. If consent has been granted to us, it can be withdrawn at any time with effect for the future by contacting us. Otherwise, the legal basis for our data processing is Article 6(1)(f) GDPR, which allows processing to safeguard legitimate interests of the controller, provided that the interests or fundamental rights and freedoms of the data subject do not override these interests. Our legitimate interest lies in providing content and communicating with LinkedIn users, as well as in improving the reach and effectiveness of our posts.
Rights to access, rectification, erasure, restriction of processing, and data portability of stored Insights data can be exercised directly with LinkedIn, as LinkedIn has assumed the corresponding obligations:
LinkedIn Ireland Unlimited Company
Wilton Place
Dublin 2
Ireland
2.20 Data processing with HubSpot
We use the software HubSpot from the eponymous software company in the USA, with the following branch in Ireland: HubSpot, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland (hereinafter “HubSpot”). HubSpot is a software solution for managing and implementing digital inbound marketing as well as customer relationship management (CRM). Upon granting your consent, HubSpot sets a cookie (see above) via your browser. This enables, in particular, the collection and processing of your previous and subsequent website visits. Further information on cookies and their general functionality can be found in the Cookies section within this Privacy Policy. For more information, please refer to the Terms of Service of HubSpot Inc. and the Privacy Policy of HubSpot Inc. Additional details on the functionality of HubSpot’s specific tracking cookies are available in HubSpot’s knowledge base.
We may also use HubSpot’s services to interact with visitors to our website and to determine which of our company’s offerings are of interest to them. All collected information is used exclusively to optimize our marketing. Using HubSpot, we may send automated email notifications to registered users, such as welcome messages, and - if applicable and after appropriate consent - newsletters about our services and/or current promotions. For this purpose, the following data may be processed, if and to the extent provided: first name, last name, email address, and telephone number. The information is stored on HubSpot servers, including servers in the USA. As our data processor, HubSpot is contractually obliged to handle your sensitive data in a secure and GDPR-compliant manner. This is ensured using so-called Standard Contractual Clauses (SCCs). Detailed provisions are contained in the HubSpot Data Processing Agreement.
Important notice regarding data processing in the United States: According to the Court of Justice of the European Union, the level of data protection in the United States is considered insufficient. There is a risk that your data may be accessed and processed by U.S. authorities for monitoring and surveillance purposes and that you may not have effective legal remedies against such processing.
The processing of personal data is based on your consent pursuant to Article 6(1)(a) GDPR in conjunction with Article 49(1)(a) GDPR. You may withdraw your consent at any time with effect for the future. The lawfulness of any processing carried out prior to the withdrawal remains unaffected. If the processing of the above data is necessary to initiate or perform a contractual relationship, the legal basis is Article 6(1)(b) GDPR.
2.21 Data processing in the context of WhatsApp
If you have expressly consented to this, we will also contact you via WhatsApp (WhatsApp Business Platform) provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, in order to inform you about selected topics such as service notices, updates on your request or, where you have given separate consent, promotional information.
For this purpose, we process your mobile phone number, proof of your opt-in including the relevant time stamps and IP or device logs, delivery and interaction metadata and the content of the messages that you send to us. The messages are delivered via a European business provider.
The legal basis for this data processing is your consent in accordance with Article 6(1)(a) GDPR and, where the processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract, Article 6(1)(b) GDPR. You may withdraw your consent at any time with effect for the future. The withdrawal does not affect the lawfulness of the processing carried out on the basis of your consent before its withdrawal.
2.22 Log Files
Each time our websites are accessed, usage data is transmitted by the respective web browser and stored in log files, the so-called server log files. The data records stored in this context include the following information: browser type and version, operating system used, referrer URL, time of the server request, and a truncated IP address.
These data cannot be assigned to specific individuals. No merging of these data with other data sources takes place. We reserve the right to retrospectively review these data if we become aware of specific indications of unlawful use.
The legal basis for this data processing is Art. 6(1)(f) GDPR, which permits the processing of data to safeguard the legitimate interests of the controller, provided that the interests or fundamental rights and freedoms of the data subject do not override these interests.
2.23 Data Processing to Safeguard Legitimate Interests
We also process your data when it is necessary to safeguard legitimate interests of ours or of third parties. This may particularly be the case to ensure IT security and IT operations, including support requests, to be able to reconstruct and substantiate facts in the event of legal disputes, or, among other purposes, to statistically analyse usage.
The legal basis for this data processing is Art. 6(1)(f) GDPR. We have a legitimate interest in the data processing described above.
2.24 Cloudflare
To secure this website and optimize loading times, Cloudflare is used as a CDN ("Content Delivery Network"). The provider is Cloudflare Inc., 665 3rd St. #200, San Francisco, CA 94107, USA (hereinafter referred to as "Cloudflare"). As a result, all requests are necessarily routed through their servers and consolidated into non-deactivatable statistics. According to Cloudflare, the collected raw data is usually deleted within 4 hours, and at the latest within 72 hours. Further information can be found in Cloudflare’s Privacy Policy.
Important notice regarding data processing in the United States: According to the Court of Justice of the European Union, the level of data protection in the United States is considered insufficient. There is a risk that your data may be accessed and processed by U.S. authorities for monitoring and surveillance purposes and that you may not have effective legal remedies against such processing.
Data processing is carried out based on our legitimate interest according to Art. 6(1)(f) GDPR. Our interest lies in the secure and efficient provision of our online offerings as well as in protection against unauthorized access and attacks on our IT infrastructure. The use of Cloudflare serves these purposes as a technical security service provider (in particular as a CDN and for DDoS protection). Where consent is required for certain functions in individual cases, we obtain it separately via our Consent Management Tool. Withdrawal can be made via the corresponding settings in our Consent Management Tool. The legality of data processing that has already taken place remains unaffected by the withdrawal.
2.25 Data Processing for Advertising Purposes
If your data is used for advertising purposes for services or products offered by us and/or, where applicable, by our cooperation partners, we will obtain your consent or we will advertise to you because we already have a contractual relationship with you and you receive this information from us as an existing customer.
If, as an existing customer, you do not wish to receive further information about our services, a simple notification to us is sufficient to stop this type of communication. Otherwise, data processing is carried out on the basis of your consent (Art. 6 (1) sentence 1 lit. a GDPR). You may withdraw your consent at any time with effect for the future. The lawfulness of data processing carried out prior to withdrawal remains unaffected.
2.26 Data Processing for Market and Opinion Research
We may also use your data for market and opinion research purposes. Naturally, we use such data exclusively in anonymized form for statistical evaluations and solely for our company’s internal purposes. Your responses to surveys will not be shared with third parties or published.
The legal basis for this data processing is Art. 6(1)(f) GDPR, which permits the processing of data to safeguard the legitimate interests of the controller, provided that the interests or fundamental rights and freedoms of the data subject do not override those interests.
2.27 Other data processing based on your consent
In certain circumstances, we may request your consent to the processing of your personal data. The provision of such consent, as well as the related data processing, is entirely voluntary. You will not experience any disadvantages should you choose to withhold or withdraw your consent.
Data processing in this context is carried out based on your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future. Withdrawal of consent may be communicated to us in an informal manner. The lawfulness of data processing carried out prior to the withdrawal remains unaffected.
2.28 Data processing for compliance with legal obligations
In addition, we process your data to comply with legal obligations (e.g. regulatory requirements, commercial and tax law retention and documentation obligations).
The legal basis for this data processing is Article 6 (1) (c) GDPR, which permits processing necessary for compliance with a legal obligation.
2.29 Data processing in the context of applications
You can submit job applications for positions at our company via our websites or using the contact details provided there. If you transmit personal data to us during your application, whether through this channel or otherwise, we will process your data for the purpose of reviewing, handling, and responding to your application, and, where applicable, for the preparation of an employment relationship.
The legal basis for this data processing is either Article 6(1)(b) GDPR, which permits the processing of data for the purpose of deciding on the establishment and performance of an employment relationship, or - if you have given your consent - Article 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future. A simple notification by email is sufficient for this purpose. The lawfulness of the data processing carried out prior to the withdrawal remains unaffected.
2.30 Use of artificial intelligence (AI) in communication
To support our employees and to improve the quality and consistency of our communication, we use applications based on artificial intelligence, including in particular ChatGPT by OpenAI, Microsoft Copilot, Google Gemini for Workspace, and Claude by Anthropic. These tools may be used, for example, for drafting emails, preparing text templates, or summarizing existing content.
The use of these AI applications is strictly limited to supportive purposes and is subject to clear restrictions: the tools only access content to which our employees themselves have access. No fully automated decision-making takes place; all AI-generated content is reviewed by our employees before it is further used or transmitted.
The legal basis for this processing is our legitimate interest pursuant to Article 6 (1) sentence 1 (f) GDPR. This interest lies particularly in increasing the efficiency of internal processes and ensuring more consistent responses to inquiries. The potential impact on the rights and freedoms of data subjects has been carefully assessed. As no automated individual decisions are made and appropriate organizational measures have been implemented - including specific internal AI usage policies, employee training, and data protection controls - our interests prevail in this context.
Of course, we ensure a fair, transparent, and privacy-compliant use of AI tools. Personal data is only processed where necessary and in line with the purposes set out in this data protection notice.
2.31 Data transfers to third countries
For various services used on our website with your consent or for the processing of data (e.g. for advertising purposes), you will find in this data protection notice a warning that data may be transferred to third countries.
What does this mean?
When data is transferred to a third country, your personal data leaves the territorial scope of the GDPR. In some cases, the level of data protection in the third country may not meet the requirements of the GDPR. For some countries, such as Switzerland, there is an adequacy decision. According to the European Commission, these countries provide a level of data protection equivalent to that of the GDPR and are therefore considered safe for data protection purposes. For other countries, particularly the United States, no such adequacy decision exists, as these countries do not provide a level of data protection comparable to that required by the GDPR. Therefore, when data is transferred to a third country, your personal data may be transferred to a country where the data protection level does not comply with the GDPR.
What does this mean for your personal data?
In a collaborative economy, many companies rely on service providers to process personal data. In other cases, large corporations such as Google, Amazon, Facebook, or Apple have numerous entities in different countries, which often use shared IT infrastructure rather than operating entirely independently. For example, a company based in Ireland may use services provided by its parent company in the United States. In such cases, either personal data is transferred to the U.S., or the U.S. parent company gains access to data stored in the EU.
Under the GDPR, this is permitted using so-called Standard Contractual Clauses (SCCs), which contractually oblige the partner company, e.g. the U.S. parent company, to comply with the GDPR’s data protection requirements, even if they would not otherwise apply. The goal is to ensure a contractual level of protection equivalent to that of the GDPR, ensuring that data subjects are not disadvantaged compared to data processing within the EU.
However, contracts only bind the parties involved - not third parties, such as government authorities. Therefore, in some countries, e.g. the U.S., public authorities may have a legal right to access personal data of EU citizens, even if this violates their rights. Such access may be extensive, potentially covering all your data processed there. It may occur without judicial oversight, without your knowledge, and without the possibility of legal recourse. In addition, your data subject rights under the GDPR (such as access or erasure) may not exist or may not be enforceable in these cases. The data obtained could also be combined with other data about you from different sources to create a profile.
Such possible use of your data may, but does not necessarily, lead to disadvantages for you. Since public authorities in third countries are not subject to EU or German law, it is not possible to specify exactly what disadvantages may arise. These could, for example, be of an economic or political nature. In some cases, you could be denied entry into a country, or the data could be used in foreign criminal proceedings. In individual cases, such disadvantages could be significant.
What is the level of risk for me?
We cannot provide a general assessment of how high the risks are in individual cases. The main factors depend on which service or company gains access to your data in connection with your use of our website, and which personal data are affected. In our view, data processing in third countries on our website occurs only in connection with advertising services such as those provided by Google, Microsoft, or Facebook. The data concerned typically includes information such as which website you visited, when and for how long, your approximate access location, the device or software (browser, app) used, and any interactions you performed on the website that are transmitted to the service provider (e.g. the purchase of a product after clicking on an advertisement). For more details, please refer to the privacy notices of the respective service providers, which are linked in this privacy notice under the relevant sections.
You should carefully consider whether giving your consent and allowing a potential data transfer to a third country creates a situation that you find uncomfortable or unacceptable. In that case, please do not give your consent to the use of such services.
You will not suffer any disadvantages if you do not give your consent.
If you choose not to consent to the use of certain or all services or the storage of cookies, you will not experience any disadvantages when using our website. All our offers are available to our customers under the same conditions, regardless of whether consent has been given. Of course, you may withdraw any consent given at any time with effect for the future.
3. Recipients of personal data
Your personal data will only be disclosed or otherwise transferred to third parties if this is necessary for the purpose of contract performance or billing, if you have previously given your consent, or if there is a legal basis for such disclosure.
Where we engage third-party service providers to carry out and manage data processing activities, the provisions of the GDPR are complied with. Service providers that support us in delivering our services to you include, among others, hosting providers, email service providers, and payment service providers.
4. Duration of data storage
In principle, we delete your data as soon as it is no longer required for the purposes described above, unless temporary retention remains necessary. We retain your data where statutory documentation and retention obligations apply, arising from the German Commercial Code (Handelsgesetzbuch) and the German Fiscal Code (Abgabenordnung). The statutory retention periods under these laws can be up to ten full years. In addition, we retain your data for as long as claims may be asserted against our company (the statutory limitation periods range from three to up to thirty years). Where we process data for the performance of a contract, we store such data at least for the duration of the respective contract and thereafter until no claims arising from it can be asserted against us. Even after this period, it may be that we continue to process data originally stored for contract performance based on a legitimate interest, provided the purpose has changed. Data collected based on legitimate interests will be stored until the legitimate interest no longer exists, the balancing of interests leads to a different outcome, or a valid objection to the respective data processing has been raised and we have no other legal grounds to continue the processing.
5. Data security
Your personal data is securely transmitted to us using encryption. We use the SSL (Secure Socket Layer) encryption protocol for this purpose. You can recognize an encrypted connection by the change in the browser’s address bar from “http://” to “https://” and by the padlock icon displayed in your browser bar. In addition, we protect our websites and other systems through technical and organizational measures against loss, destruction, unauthorized access, alteration, or dissemination of your data by unauthorized persons.
6. Rights of data subjects
You have the right at any time to obtain free information about your personal data stored by us, including its origin, recipients, and the purpose of processing. You may also have the right to rectification, erasure, or restriction of processing. For this purpose and any further questions regarding personal data, you may contact us at any time using the contact details provided in Section 1. You may also have the right to request the restriction of processing and the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format.
If you have given us consent to process personal data for specific purposes, you may withdraw this consent at any time with effect for the future. Where we process your data based on legitimate interests, you have the right to object to such processing on grounds relating to your particular situation. If we cannot demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if we process your data for direct marketing purposes, we will cease such processing (Article 21 GDPR).
Furthermore, you have the right to lodge a complaint with a data protection supervisory authority.