Privacy Policy

Note: This English translation is provided for your convenience and information purposes only. Only the German original version of this privacy policy (Datenschutzerklärung) is legally binding.

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Last updated: April 6, 2026

Table of Contents

Controller

Dr. med. Marian Howaldt
Bleichenbrücke 10
20354 Hamburg
Germany

E-mail address: info@urohamburg.de

Phone: +49 40 743 250 616

Imprint: https://urohamburg.de/en/imprint/

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Log data.

Special categories of data

  • Health data.

Categories of data subjects

  • Service recipients and clients.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Patients.
  • Third parties.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Content Delivery Network (CDN).
  • Feedback.
  • Marketing.
  • Provision of our online offer and user-friendliness.
  • Information technology infrastructure.
  • Financial and payment management.
  • Sales promotion.
  • Business processes and economic procedures.

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

  • Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Protection of vital interests (Art. 6 (1) (d) GDPR) – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Legitimate interests (Art. 6 (1) (f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Processing of special categories of personal data relating to health, occupation, and social security (Art. 9 (2) (h) GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.
  • Consent to the processing of special categories of personal data (Art. 9 (2) (a) GDPR) – The data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
  • Processing of special categories of personal data to protect vital interests (Art. 9 (2) (c) GDPR) – Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission as well as automated individual decision-making, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on the applicability of the GDPR and Swiss FADP: This privacy notice serves to provide information under both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, please note that due to their broader territorial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms “processing” of “personal data”, “overriding interest”, and “sensitive personal data” used in the Swiss FADP, the terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” used in the GDPR are employed. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss FADP within the scope of its applicability.

Security measures

We implement appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input, transmission, securing of availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data endangerment. Moreover, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. If a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is transmitted securely and encrypted.

Transmission of personal data

In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units, or persons. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

General information on data storage and deletion

We delete personal data processed by us in accordance with the statutory provisions as soon as the underlying consents are revoked or no further legal bases for the processing exist. This applies to cases where the original purpose of processing ceases to apply or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the pursuit of legal claims or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data specific to certain processing operations.

If there are multiple specifications regarding the retention period or deletion deadlines for a piece of data, the longest period is always decisive. Data that is no longer kept for its originally intended purpose, but due to legal requirements or other reasons, is processed by us exclusively for the reasons that justify its retention.

Retention and deletion of data: The following general deadlines apply for retention and archiving under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the working instructions and other organizational documents required to understand them (§ 147 (1) No. 1 in conjunction with (3) of the German Fiscal Code (AO), § 14b (1) of the Value Added Tax Act (UStG), § 257 (1) No. 1 in conjunction with (4) of the German Commercial Code (HGB)).
  • 8 years – Accounting vouchers, such as invoices and cost receipts (§ 147 (1) No. 4 and 4a in conjunction with (3) sentence 1 AO as well as § 257 (1) No. 4 in conjunction with (4) HGB).
  • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents insofar as they are relevant for taxation, e.g., timesheets, operating accounting sheets, calculation documents, price tags, but also payroll accounting documents, provided they are not already accounting vouchers and cash register strips (§ 147 (1) No. 2, 3, 5 in conjunction with (3) AO, § 257 (1) No. 2 and 3 in conjunction with (4) HGB).
  • 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries based on past business experiences and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 of the German Civil Code – BGB).

Start of deadline at the end of the year: If a deadline does not expressly begin on a specific date and amounts to at least one year, it starts automatically at the end of the calendar year in which the event triggering the deadline occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the time at which the termination or other termination of the legal relationship becomes effective.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to revoke consents given at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with the legal requirements, to request the completion of the data concerning you or the correction of the inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to demand that data concerning you be deleted without delay, or alternatively, in accordance with legal requirements, to demand a restriction of the processing of the data.
  • Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
  • Complaint to a supervisory authority: In accordance with the legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Further information on processing operations, procedures, and services:

  • Eterno (Online appointment booking and practice management): We use the “Eterno” service of Eterno Health GmbH for online appointment scheduling, digital medical history taking, and our practice administration. When you book an appointment via our website, your entered data (e.g., name, contact details, appointment requests, and, if applicable, health-related data) is transmitted to the servers of Eterno Health GmbH and processed there. The use of this service serves the efficient and secure organization of our practice workflow as well as user-friendly appointment booking. The legal bases for processing are Art. 6 (1) (b) GDPR (performance of a contract or pre-contractual measures), with regard to special categories of personal data (health data) your explicit consent pursuant to Art. 9 (2) (a) GDPR, and our legitimate interest in efficient practice administration pursuant to Art. 6 (1) (f) GDPR. We have concluded a Data Processing Agreement (DPA) with Eterno Health GmbH in accordance with Art. 28 GDPR, which ensures that your data is processed only according to our instructions and in compliance with the strict requirements of the GDPR. Hosting and data processing take place certified (ISO 27001) in Germany; Service provider: Eterno Health GmbH, Schicklerstraße 5-7, 10179 Berlin, Germany; Website: https://eterno.health. Privacy Policy: https://www.eterno.health/dokumente/datenschutzerklarung.

Business services

We process personal data of our contractual and business partners, such as customers, clients, interested parties, suppliers, and other cooperation partners (collectively referred to as “contractual partners”), for the initiation, implementation, and execution of contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken upon request, as well as communication in connection with the respective contractual relationship.

The processing serves in particular to fulfill our main and secondary contractual obligations. These include the provision of the agreed services, any updating and information obligations, the handling of warranty and other service disruptions, the processing of revocations, terminations of continuing obligations, reversals, refunds, and the processing of other contract-related declarations and inquiries. This covers both one-off contracts and ongoing contractual relationships.

In particular, we process inventory data such as name, address, and, if applicable, company name, contact data such as e-mail address and telephone number, contract and service data such as the subject matter of the contract, contract term, order or process number, usage and performance data, payment and billing data, as well as communication content and histories. If necessary, we also process data disclosed or transmitted to us in the context of executing an order.

Furthermore, we process the data to protect our rights and to fulfill legal obligations. This includes, in particular, commercial and tax law retention obligations, documentation obligations, and, if applicable, proof and accountability obligations. In addition, processing takes place on the basis of our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and our contractual partners from misuse, endangerment of data, secrets, and other legal assets. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other vicarious agents, insofar as this is necessary for contract execution or to fulfill legal obligations.

Personal data is only passed on to third parties to the extent necessary for the fulfillment of the contract, the implementation of pre-contractual measures, the safeguarding of legitimate interests, or the fulfillment of legal obligations. We will inform you separately within the scope of this privacy policy about processing that goes beyond this, in particular for marketing purposes.

We inform the contractual partners of which data is required in individual cases in the context of data collection, for example in online forms through corresponding marking or in personal contact.

The data is deleted as soon as it is no longer required for the aforementioned purposes and there are no legal retention obligations precluding deletion. Statutory retention periods, particularly under commercial and tax law, may require longer storage. Data transmitted in the context of a specific order will be deleted after the order is completed and any retention periods have expired, provided there are no further legal or contractual obligations to store the data.

The legal basis for the processing is Art. 6 (1) (b) GDPR for the implementation of pre-contractual measures and for the fulfillment of the respective contractual relationship, as well as Art. 6 (1) (c) GDPR for the fulfillment of legal obligations. Insofar as the processing is based on legitimate interests, it is carried out on the basis of Art. 6 (1) (f) GDPR. Insofar as the processing is based on Art. 6 (1) (f) GDPR, it is carried out to safeguard our legitimate interests in proper and efficient business organization, the internal administration and documentation of business transactions, the enforcement and defense of legal claims, the ensuring of IT and data security, the prevention of misuse and fraud, and the economic management and further development of our business operations. These interests consist in particular in guaranteeing secure and legally compliant business operations as well as in safeguarding our entrepreneurial capacity to act.

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and e-mail addresses or telephone numbers); Contract data (e.g., subject matter of the contract, term, customer category).
  • Special categories of personal data: Health data.
  • Data subjects: Service recipients and clients; Interested parties; Business and contractual partners; Patients.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and economic procedures.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR); Legal obligation (Art. 6 (1) (c) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR); Protection of vital interests (Art. 6 (1) (d) GDPR); Processing of special categories of personal data relating to health, occupation, and social security (Art. 9 (2) (h) GDPR); Consent to the processing of special categories of personal data (Art. 9 (2) (a) GDPR); Processing of special categories of personal data to protect vital interests (Art. 9 (2) (c) GDPR).

Further information on processing operations, procedures, and services:

  • Medical and healthcare services: We process the data of our patients in order to provide our treatment services to them and to bill for them. The procedures that are part of the processing of patient data and serve its purposes include: patient admission and administration, taking of medical history, diagnosis, therapy planning and implementation, conducting medical tests and examinations, prescribing medications and treatments, patient consultation and education, documentation and administration of medical data, coordination with other doctors and medical professionals, billing of medical services, compliance with medical quality standards and guidelines.
    The data processed, its nature, scope, purpose, and the necessity of its processing are determined by the underlying contractual and patient relationship and are communicated to the patients in good time.
    In the course of our activities, we process information relating to the health of our patients as special categories of personal data. This is done either within the framework of preventive health care or to protect the vital interests of the patients. In all other situations, we obtain the express consent of the patients for the processing of these special categories of personal data.
    If necessary for the performance of our contract, for the protection of vital interests, or if legally required (e.g., to fulfill social security obligations and reporting obligations), or if patient consent has been obtained, we disclose or transmit patient data to third parties or agents, such as authorities, medical institutions, laboratories, billing centers, as well as in the area of IT, office, or comparable services, while complying with professional regulations.
    Your data will be retained for as long as is necessary for the provision of our services and any follow-up care. The retention period is generally ten years, but may differ in special cases due to special regulations, e.g., the requirements of the Radiation Protection Act; Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Protection of vital interests (Art. 6 (1) (d) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR), Processing of special categories of personal data relating to health, occupation, and social security (Art. 9 (2) (h) GDPR), Consent to the processing of special categories of personal data (Art. 9 (2) (a) GDPR), Processing of special categories of personal data to protect vital interests (Art. 9 (2) (c) GDPR).

Business processes and procedures

Personal data of service recipients and clients – including customers, clients, or in special cases clients, patients or business partners as well as other third parties – is processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business workflows in areas such as customer management, sales, payment transactions, accounting, and project management.

The recorded data serves to fulfill contractual obligations and to efficiently organize operational processes. This includes the processing of business transactions, the management of customer relationships, the optimization of sales strategies, and the ensuring of internal accounting and financial processes. In addition, the data supports the safeguarding of the rights of the controller and promotes administrative tasks and the organization of the company.

Personal data may be passed on to third parties if this is necessary to fulfill the aforementioned purposes or legal obligations. Upon expiration of statutory retention periods or if the purpose of the processing ceases to exist, the data will be deleted. This also includes data that must be stored for a longer period due to tax law and statutory documentation obligations.

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and e-mail addresses or telephone numbers); Content data (e.g., text or image messages and posts as well as the information relating to them, such as details on authorship or time of creation); Contract data (e.g., subject matter of the contract, term, customer category); Log data (e.g., log files concerning logins or the retrieval of data or access times); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, times, identification numbers, persons involved).
  • Special categories of personal data: Health data.
  • Data subjects: Service recipients and clients; Interested parties; Communication partners; Business and contractual partners; Third parties; Users (e.g., website visitors, users of online services); Patients; Employees (e.g., salaried employees, applicants, temporary staff, and other employees).
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; Office and organizational procedures; Business processes and economic procedures; Communication; Marketing; Sales promotion; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Financial and payment management.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR); Legitimate interests (Art. 6 (1) (f) GDPR); Legal obligation (Art. 6 (1) (c) GDPR).

Further information on processing operations, procedures, and services:

  • Patient management: Procedures required as part of patient management include, for example, the acquisition and admission of new patients, the development of strategies to promote patient retention, as well as ensuring effective patient communication and appointment scheduling. In addition, comprehensive patient service is provided. These procedures also include the keeping and administration of patient files, the secure documentation of medical procedures, and ensuring the confidentiality and integrity of patient data. Furthermore, the transfer of patient information to other medical institutions or specialists is regulated. Procedures are implemented for the secure and data protection-compliant deletion of patient data as soon as it is no longer needed or statutory retention periods have expired; Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Contact management and contact maintenance: Procedures required as part of the organization, maintenance, and securing of contact information (e.g., setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, performing backups and restores of contact data, training employees in the effective use of contact management software, regular review of the communication history, and adjusting contact strategies); Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • General payment transactions: Procedures required for the execution of payment transactions, the monitoring of bank accounts, and the control of payment flows (e.g., creation and checking of bank transfers, processing of direct debit transactions, checking of account statements, monitoring of incoming and outgoing payments, return debit management, account reconciliation, cash management); Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Financial accounting and taxes: Procedures required for the recording, administration, and control of financially relevant business transactions as well as for the calculation, reporting, and payment of taxes (e.g., account assignment and booking of business transactions, preparation of quarterly and annual financial statements, execution of payment transactions, handling of the dunning process, account reconciliation, tax consulting, preparation and submission of tax returns, handling of tax affairs); Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR), Legal obligation (Art. 6 (1) (c) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).
  • Marketing, advertising, and sales promotion: Procedures required in the context of marketing, advertising, and sales promotion (e.g., market analysis and target group determination, development of marketing strategies, planning and execution of advertising campaigns, design and production of advertising materials, online marketing including SEO and social media campaigns, event marketing and trade fair participation, customer loyalty programs, sales promotion measures, performance measurement and optimization of marketing activities, budget management, and cost control); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Providers and services used in business operations

In the course of our business operations, we use additional services, platforms, interfaces, or plug-ins from third-party providers (short “Services”) in compliance with legal requirements. Their use is based on our interests in the proper, lawful, and economic management of our business operations and our internal organization.

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and e-mail addresses or telephone numbers); Content data (e.g., text or image messages and posts as well as the information relating to them, such as details on authorship or time of creation); Contract data (e.g., subject matter of the contract, term, customer category).
  • Special categories of personal data: Health data.
  • Data subjects: Patients; Service recipients and clients; Interested parties; Business and contractual partners.
  • Purposes of processing and legitimate interests: Provision of contractual services and fulfillment of contractual obligations; Office and organizational procedures; Business processes and economic procedures.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Doctolib: Online appointment booking with doctors and medical facilities, administration of doctor appointments, digital health record for storing personal health information, reminders of upcoming appointments; Service provider: Doctolib GmbH, Mehringdamm 51, 10961 Berlin, Germany; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://doctolib.de. Privacy Policy: https://doctolib.legal/privacy-policy-B2C-DE.

Provision of the online offer and web hosting

We process the users’ data in order to be able to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the contents and functions of our online services to the user’s browser or terminal device.

  • Processed data types: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, times, identification numbers, persons involved); Log data (e.g., log files concerning logins or the retrieval of data or access times); Content data (e.g., text or image messages and posts as well as the information relating to them, such as details on authorship or time of creation).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing and legitimate interests: Provision of our online offer and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures; Content Delivery Network (CDN).
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Provision of online offer on rented storage space: For the provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise procure from a corresponding server provider (also called “web hoster”); Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).
  • Collection of access data and log files: Access to our online offer is logged in the form of so-called “server log files”. Server log files can include the address and name of the retrieved web pages and files, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider. Server log files can be used, on the one hand, for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is exempted from deletion until the respective incident has been finally clarified.
  • Hetzner: Services in the field of provision of information technology infrastructure and related services (e.g., storage space and/or computing capacities); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.hetzner.com; Privacy Policy: https://www.hetzner.com/de/rechtliches/datenschutz. Data Processing Agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
  • Cloudflare: Content Delivery Network (CDN) – A service through which contents of an online offer, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).

Contact and inquiry management

When contacting us (e.g., by post, contact form, e-mail, telephone, or via social media) as well as within the framework of existing user and business relationships, the details of the inquiring persons are processed to the extent necessary to answer the contact inquiries and any requested actions.

  • Processed data types: Contact data (e.g., postal and e-mail addresses or telephone numbers); Content data (e.g., text or image messages and posts as well as the information relating to them, such as details on authorship or time of creation); Meta, communication, and procedural data (e.g., IP addresses, times, identification numbers, persons involved).
  • Data subjects: Communication partners.
  • Purposes of processing and legitimate interests: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online form); Provision of our online offer and user-friendliness.
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR).

Further information on processing operations, procedures, and services:

  • Contact form: When contacting us via our contact form, by e-mail, or other communication channels, we process the personal data transmitted to us to answer and process the respective request. This usually includes details such as name, contact information, and, if applicable, other information provided to us that is necessary for appropriate processing. We use this data exclusively for the stated purpose of contacting and communicating; Legal bases: Contract performance and pre-contractual requests (Art. 6 (1) (b) GDPR), Legitimate interests (Art. 6 (1) (f) GDPR).

Cloud services

We use software services accessible via the Internet and executed on the servers of their providers (so-called “cloud services”, also referred to as “Software as a Service”) for the storage and management of content (e.g., document storage and management, exchange of documents, content, and information with certain recipients, or publication of content and information).

In this context, personal data may be processed and stored on the servers of the providers to the extent that these are part of communication processes with us or are otherwise processed by us as outlined in this privacy policy. This data may include, in particular, master data and contact data of users, data relating to transactions, contracts, other processes, and their contents. The providers of the cloud services also process usage data and metadata, which are used by them for security purposes and service optimization.

If we provide forms or other documents and content for other users or publicly accessible websites using the cloud services, the providers may store cookies on users’ devices for the purposes of web analysis or to remember user settings (e.g., in the case of media control).

  • Processed data types: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Contact data (e.g., postal and e-mail addresses or telephone numbers); Content data (e.g., text or image messages and posts as well as the information relating to them, such as details on authorship or time of creation); Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
  • Data subjects: Interested parties; Communication partners; Business and contractual partners.
  • Purposes of processing and legitimate interests: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
  • Retention and deletion: Deletion in accordance with the information in the section “General information on data storage and deletion”.
  • Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR).

Further information on processing operations, procedures, and services:

  • Nextcloud (Hosting on own server): Cloud storage service where the operation and storage of the processed data take place on a server managed by us; Service provider: Nextcloud GmbH, Hauptmannsreute 44a, 70192 Stuttgart, Germany; Legal bases: Legitimate interests (Art. 6 (1) (f) GDPR); Website: https://nextcloud.com/de/. Privacy Policy: https://nextcloud.com/de/privacy/.

Changes and updates

We ask you to inform yourself regularly about the content of our privacy policy. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and we ask you to check the information before contacting them.

Definitions of terms

This section provides an overview of the terms used in this privacy policy. Insofar as the terms are legally defined, their legal definitions apply. The following explanations, on the other hand, are primarily intended to facilitate understanding.

  • Employees: Employees are persons who are in an employment relationship, whether as an employee, salaried worker, or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It entails the employer’s obligation to pay the employee remuneration, while the employee performs his or her work. The employment relationship includes various phases, including the establishment, in which the employment contract is concluded, the execution, in which the employee carries out his or her work, and the termination, when the employment relationship ends, whether by dismissal, termination agreement, or otherwise. Employee data is all information that relates to these persons and is in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank data, working hours, holiday entitlements, health data, and performance appraisals.
  • Inventory data: Inventory data comprises essential information necessary for the identification and administration of contractual partners, user accounts, profiles, and similar assignments. This data may include, inter alia, personal and demographic details such as names, contact information (addresses, telephone numbers, e-mail addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling unambiguous assignment and communication.
  • Content Delivery Network (CDN): A “Content Delivery Network” (CDN) is a service through which contents of an online offer, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet.
  • Content data: Content data comprises information generated in the course of creating, editing, and publishing content of all kinds. This category of data can include texts, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the actual content, but also includes metadata providing information about the content itself, such as tags, descriptions, author information, and publication dates.
  • Contact data: Contact data is essential information that enables communication with individuals or organizations. It includes, among other things, telephone numbers, postal addresses, and e-mail addresses, as well as means of communication such as social media handles and instant messaging identifiers.
  • Meta, communication, and procedural data: Meta, communication, and procedural data are categories containing information about the way data is processed, transmitted, and managed. Metadata, also known as data about data, comprises information that describes the context, origin, and structure of other data. It can include details on file size, creation date, author of a document, and modification histories. Communication data captures the exchange of information between users via various channels, such as e-mail traffic, call logs, messages in social networks, and chat histories, including the individuals involved, timestamps, and transmission routes. Procedural data describes the processes and workflows within systems or organizations, including workflow documentation, logs of transactions and activities, as well as audit logs used to track and verify operations.
  • Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a wide range of information highlighting how users utilize applications, which features they prefer, how long they stay on certain pages, and the paths they take to navigate through an application. Usage data can also include frequency of use, timestamps of activities, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
  • Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Log data: Log data is information about events or activities logged in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used to analyze system issues, monitor security, or generate performance reports.
  • Controller: The “controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, be it collection, evaluation, storage, transmission, or deletion.
  • Contract data: Contract data is specific information relating to the formalization of an agreement between two or more parties. It documents the conditions under which services or products are provided, exchanged, or sold. This data category is essential for the administration and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may encompass start and end dates of the contract, the nature of the agreed services or products, pricing agreements, payment terms, termination rights, renewal options, and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is crucial for clarifying rights and obligations, enforcing claims, and resolving disputes.
  • Payment data: Payment data encompasses all information required to process payment transactions between buyers and sellers. This data is critical for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction dates, verification numbers, and billing information. Payment data can also include information on payment status, chargebacks, authorizations, and fees.