Privacy Policy

Data Subjects

This privacy policy is addressed to all individuals who visit this website. All personal designations used refer to all genders and gender identities, including but not limited to diverse, female, and male. Any personal designation should be understood as including the suffix "(m/f/d)".

Controller

The controller responsible for the processing described herein is:
Greator GmbH, Brüsseler Str. 89–93, 50672 Cologne, Germany
Phone: +49 221 82829797
Fax: +49 (0)221 – 9543235
Email: impressum@greator.com
Managing Directors: Dr. med. Stefan Frädrich and Alexander Müller
External Data Protection Officer: Attorney Dr. Stephan Gärtner –

Rights of the Data Subjects

  1. Data subjects have the following rights regarding their stored personal data:
    • Right of access
    • Right to rectification of inaccurate data
    • Right to erasure of data where there is no longer a legal basis for retention
    • Right to restriction of processing
    • Right to data portability
      Furthermore, data subjects have the right to lodge a complaint with the supervisory authority responsible for the controller.
  2. If data processing is based on the data subject’s consent, they have the right to withdraw this consent at any time with future effect. This can be done by informal communication to one of the contact details listed above.
  3. If data processing is based on a legitimate interest under Art. 6(1)(f) GDPR, data subjects may object to this processing at any time. If the objection is justified, processing will be terminated. If the legitimate interest lies in direct marketing, the objection is always deemed justified.

Transfers to Countries Outside the European Union

  1. If personal data is transferred to entities outside the European Union, the controller must provide additional safeguards in accordance with Articles 44 et seq. of the GDPR.
  2. If the controller refers to an adequacy decision in the privacy policy, this means that the receiving entity is located in a country, region, or specific sector that the European Commission has deemed to provide an adequate level of data protection. The safeguard is then based on Article 45 GDPR.
  3. If the controller refers to EU Standard Contractual Clauses, this means the recipient has contractually agreed to comply with EU data protection principles. The safeguard is based on Article 46 GDPR.
  4. If the controller refers to Binding Corporate Rules, this means that the competent supervisory authority has approved the data transfer. The safeguard is based on Article 47 GDPR.
  5. If the controller refers to the explicit consent of the data subjects regarding data transfers to a country outside the European Union, this means that the data subjects have given informed consent despite being made aware of the associated risks. The safeguard is then based on Article 49(1)(a) GDPR.
    In this context, we draw your attention to the following risks:
    • The United States, the Republic of India, and the Russian Federation do not have codified data protection laws equivalent to the GDPR.
    • Governmental authorities in those countries have broad access rights to personal data, without applying the proportionality principle found in EU law.
    • There is no effective legal recourse available for EU citizens in these countries.
    • In the People's Republic of China, this applies even more severely, as there is essentially no legal protection for EU citizens.
  6. The above statements are made purely as a precaution and only apply if and to the extent that this is specifically mentioned elsewhere in this privacy policy.

Additional Notes

  1. Automated Decision-Making
    No automated decision-making, including profiling, takes place.
  2. Legal Obligation
    A legal obligation to process data only exists if this is explicitly stated in reference to Article 6(1)(c) GDPR.

General Principles of Data Processing

  1. When data subjects use this website for informational purposes only, meaning they access the site without otherwise interacting with it, the following data is collected by the controller (as technically necessary to display the website):
    • IP address
    • Date and time of the request
    • Time zone difference to Greenwich Mean Time (GMT)
    • Content of the request (specific page)
    • Access status/HTTP status code
    • Amount of data transferred
    • Referring website
    • Browser
    • Operating system and its interface
    • Language and version of the browser software
    Purpose: To display the website
    Legal basis: Article 6(1)(f) GDPR, whereby the legitimate interest arises from the purpose stated above.
  2. After the website is accessed for informational purposes only, the data will be deleted.
    Purpose: Fulfillment of a legal obligation (Article 5(1)(a) and (e) GDPR)
    Legal basis: Article 6(1)(c) GDPR.

Data Processing Based on Legitimate Interest

  1. In addition to the general data processing described above, the controller processes data based on legitimate interests in accordance with Article 6(1)(f) GDPR.
  2. The following processing operations are based on legitimate interest:

Promotional Communication with Contractual Partners

The controller processes the email address and name of the data subjects to send them useful information via email at regular or irregular intervals. Additionally, the controller stores the information that a contractual relationship exists or has existed between the parties to demonstrate the legitimate interest.

Legitimate interest: The fact that a contractual relationship exists between the controller and the data subject and that promotional communication via email is reasonably expected in this context. This is supported by Recital 47(7) of the GDPR.

Data processed:

  • Email address
  • Name
  • Status data related to the contractual relationship

Right to object:
Data subjects may object to this processing at any time by informal notice to the controller (contact details can be found at the beginning of this policy or in the legal notice). No costs will be incurred other than transmission costs according to basic rates.

Rights Management and Legal Support

If data subjects assert any type of claims against the controller, the data will be processed as follows:

  1. The controller receives and stores all related data.
  2. The controller uses this data to review the claim and, if necessary, consults external legal counsel.
  3. If the claim is justified, the controller takes action accordingly; otherwise, the data is used to inform the data subject.
  4. The controller retains this data for three years from December 31 of the calendar year in which step 3 occurred.

Legitimate interest:

  • Steps 1–3: The interests of both parties to resolve claims and avoid penalties
  • Step 4: The controller's need to defend against civil, administrative, or criminal claims during the statutory limitation period under §§ 193, 195 BGB

Data processed:

  • Name
  • Contact details
  • Communication content

External Web Hosting

To publish this website, the controller uses third-party providers for storage and delivery. These service providers necessarily receive some data from the data subjects.

Legitimate interest: The controller’s right to public representation.

Data processed:

  • IP address
  • Date and time of the request
  • Time zone difference to GMT
  • Requested content (specific page)
  • HTTP status code
  • Amount of data transferred
  • Referring website
  • Browser
  • Operating system and its interface
  • Language and browser version
  • Communication and interaction data (where applicable)

User Reviews

Data subjects may review the controller or its products/services via this website. The following three processes apply:

a. Review Plugin Display
When users click on the plugin, the fact that they are on this website and that they clicked on the plugin is transmitted to both the controller and a third-party provider. The web server stores certain access data (e.g., IP address, date/time, data volume, requesting provider). This data is not evaluated and is overwritten shortly after the session ends.

b. Submission of Review
When users submit a review, the third-party provider processes the data to display the review and for other purposes they are required to disclose.

c. Transmission of Review Data to Controller
After submission, the third-party provider sends the controller the name, email address (if provided), and customer ID associated with the transaction.

Purpose and legitimate interest: To provide users with a voluntary, non-contractual opportunity to leave independent feedback and to verify whether a review is tied to an actual contract.

Data processed:

  • Name
  • Review content
  • Verification status of the contractual relationship

Note: For steps b and c, the controller is not the data controller under Article 4(7) GDPR. The respective review platform is responsible for providing information on the legal basis.

Affiliate Marketing (Active)

The controller may recommend third-party products and/or services to visitors of this website. If data subjects are redirected via a link, plugin, or other means to a recommended merchant or service provider, the controller processes this information and may receive a commission from the referred merchant or service provider.

Purpose: Documentation of successful referrals with the aim of receiving commission
Legitimate interest: The financial interest in referral-based compensation

Data processed:

  • Statistical information about users required for delivering advertisements
    (this includes all data already collected during basic website use, such as IP address, browser type, date/time of access, referring page)
  • Redirection status (i.e., whether and how the user followed a referral link)

Data Processing in Connection with Contracts

  1. In addition to the general data processing, the controller processes the data of website visitors to initiate, fulfill, and/or terminate contracts.

Legal basis:

  • Generally Article 6(1)(b) GDPR
  • For employees (including applicants): Article 88 GDPR in conjunction with § 26(1) BDSG 2018
  1. The following processing activities are included:

Forms

The controller provides form tools on the website. These facilitate communication between the data subject and the controller. Input is recorded and transmitted.

Data processed:

  • Content, type, method, and scope of entries into the respective form

Payment

When users initiate actions on the website intended to result in a paid contract (e.g., selecting products or checking checkboxes), they are forwarded to a payment provider. The provider receives, executes, and confirms the transaction to the controller.

Data processed:

  • Payment status

Resellers

In some cases, products or services are provided by third-party resellers. In these cases, the reseller is the controller. The controller processes data received from the reseller to fulfill the contract.

Data processed:

  1. Whether and for how long the service/product is used
  2. When the contractual relationship ends

Appointment Scheduling

The website may offer an integrated appointment scheduling tool. Users can view available time slots and select one. The controller is then notified by the tool.

Data processed:

  • Name
  • Email address
  • Selected appointment date/time

Recruiting

Applicants may submit job applications through the website or other contact channels. The controller processes application data to:

  1. Review and assess applications
  2. Take internal notes
  3. Coordinate with relevant departments
  4. Document hiring decisions
  5. Arrange and track interviews or trial workdays
  6. Issue employment contracts or send rejections
  7. Carry out onboarding activities
  8. (If consented) Store applicant data in a talent pool

Data processed:

  • All application data
  • All related communication content

Login Area

Users may register for an internal area of the website. The controller collects registration data and logs interactions within the area.

Data processed:

  1. Registration information
  2. Login data
  3. Actions taken within the internal area
  4. Logout status

Automated Contract-Related Communication

In the context of contract initiation, execution, or termination, parts of the communication are automated.

Controller processes:

  1. Data input by the data subject when initiating a contract
  2. Contract-related communication (especially email)
  3. Delivery of products/services
  4. Enforcement of rights and responses to data subject requests

Data processed:

  • Contact and order details
  • Payment data (if applicable)
  • Delivery data
  • Rights management and related communications

Data Processing Based on Consent

  1. In addition to the general data processing, the controller processes data based on the consent of the data subjects.

Legal basis:

  • Article 6(1)(a) GDPR
  • For employees (including applicants): Article 88 GDPR in conjunction with § 26(2) BDSG 2018
  1. The following processing activities apply:

User Behavior Analysis

Cookies are used to analyze user behavior on the website. Cookies are text files stored on users’ devices that allow the analysis of website usage. The insights gained are used to create reports and improve user experience and offerings.

Data processed:

  • Cookie-based interaction data (e.g. sequence of interactions, duration of visit)

Social Media / Networks

The controller uses social media platforms and networks. The controller does not have full knowledge of the data collected by these platforms, nor their processing purposes, retention periods, or deletion procedures.

When data subjects visit the controller's social media pages or ads, these platforms may:

  • Create usage profiles
  • Use data for advertising, market research, and website customization

Right to object:
Data subjects may object to profiling by contacting the respective platform directly.

Purpose (where influenceable):

  • Present the controller or brand
  • Analyze interactions with company/product pages
  • Enable (possibly promotional) communication

Where interaction analysis is conducted, the controller and platform operator may be joint controllers under Article 26 GDPR. Otherwise, platforms act as processors under Article 28 GDPR.

If data subjects hold a profile with the respective platform, their consent under Article 6(1)(a) GDPR (granted to the platform) also serves as legal basis.

Data processed:

  • Cookie/pixel-based interaction data
  • Possibly name, email, communication data

Video Playback

A video player tool is used to show videos on the website or through the controller’s media channels. When a video is played, both the provider and the controller log this action to later serve relevant content or ads.

Data processed:

  • Cookie-based data such as:
    1. That the website (and specific subpage) was visited
    2. That a specific video was played

Promotional Emails

With consent, the controller sends useful, promotional emails (newsletters) on a regular or irregular basis. Upon signup, data subjects provide their information and confirm via double opt-in.

Data processed:

  • Voluntarily submitted data (usually name and email)
  • Opt-in status (to document consent)
  • Possible opt-out information

Map Display

The website may include a map showing directions. Upon accessing the relevant page, data is transmitted to both the controller and the map service provider. The map is only displayed after prior consent.

Data processed:

  • Website usage data
  • IP address
  • Possibly address entered for route planning

Turing Test (CAPTCHA)

To prevent abuse, a Turing test tool (e.g. CAPTCHA) is used. Users must solve a small task (e.g. type distorted letters or select images). The inputs are analyzed to determine if the action was made by a human.

Data processed:

  • Input data (e.g. form entries, click behavior)

Transfer of Data to Robbins Research International

If consent is given, the controller transfers the following data to Robbins Research International Inc. (USA) for advertising purposes:

  • First name
  • Last name
  • Email address

Legal basis:
Article 49(1)(a) GDPR – Explicit consent to the transfer to a third country for marketing purposes.

Data Processing to Fulfill a Legal Obligation

  1. In addition to the general data processing, the controller processes data to comply with legal obligations.

Legal basis:
Article 6(1)(c) GDPR

  1. The following processing activities are included:

Retention of Contract-Related Data

If the controller collects data for the purpose of initiating, fulfilling, or terminating contracts, they are required to store all tax-relevant data for a minimum of six years. In some cases, data must be stored for ten years.
The retention period begins in the year the document was created.

Purpose: Fulfillment of legal retention requirements pursuant to § 147 AO (German Fiscal Code)

Retention of Consent Evidence

If the controller processes data based on consent, they store the data proving consent for three years, starting from the date consent is withdrawn or the related processing ends—whichever occurs first.

Purpose: Fulfillment of the documentation obligation under

  • Article 7(1) GDPR
  • In conjunction with Article 5(2) GDPR
  • Retention period based on § 31(2)(1) OWiG and Article 83(4,5) GDPR

Double Opt-In Procedure

To obtain consent for promotional emails, the controller uses a double opt-in procedure. This means:

  • After signing up, the user receives a confirmation email requesting their consent.
  • If the confirmation is not received within 30 days, the data is blocked and deleted after one month.
  • Additionally, the controller stores the IP addresses and timestamps of registration and confirmation.

Purpose:
To document consent and detect possible misuse of personal data.
Legal basis:
Article 7(1) and Article 5(1) GDPR – The controller is legally obligated to document valid consent.

Processors and Third Parties Receiving Data

The following third-party providers receive access to personal data of website visitors in the course of the aforementioned data processing:

Third-party provider:
The web hosting provider used is "AWS" by Amazon Web Services EMEA SARL (Luxembourg – EU), which has also been commissioned in accordance with Article 28 GDPR. Further information on the nature of data processing by this third-party provider is available here:
https://aws.amazon.com/de/websites/getting-started/
It cannot be ruled out that the parent company Amazon Web Services, Inc. (USA) may access data (e.g. for maintenance purposes). However, this does not conflict with the commissioning, as Amazon Web Services, Inc. (USA) has committed to compliance with the EU Standard Contractual Clauses.

Third-party provider:
Additionally, a Content Delivery Network (CDN) is used. A CDN allows the controller to achieve additional performance gains. The content is duplicated across multiple data centers and thus distributed worldwide. This enables users who are geographically distant from the actual hosting provider to experience fast loading times.
The CDN used is "Cloudflare" by Cloudflare, Inc. (USA).
The fact that this provider is located outside the EU does not preclude its use, as the provider has committed to compliance with the EU Standard Contractual Clauses.

Third-party provider:
The tool "Trustpilot" by Trustpilot A/S (Denmark – EU) is used.
Further information on how this third-party provider processes data is available here:
https://de.legal.trustpilot.com/for-reviewers/guidelines-for-reviewers

Third-party provider:
The controller uses the form and chatbot tool as well as the online marketing tool "HubSpot" by HubSpot, Inc. (USA), which has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:

The fact that this provider is located outside the European Union does not preclude its use. The processing of personal data via the form occurs only if data subjects consent to the associated transfer of data to the USA in accordance with Article 49(1)(a) GDPR.

Third-party provider:
The form tool "Typeform" by Typeform, SL (Spain – EU) is used.
This provider has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:
https://www.typeform.com/product/

Third-party provider:
The payment service "PayPal" provided by PayPal (Europe) S.à r.l. et Cie, S.C.A. (Luxembourg – EU) is used.
Before using this payment service, data subjects must create their own account with the provider. For this purpose, they provide the provider with the necessary data.
If, after registering, they interact with service providers – such as the controller here – who accept payments via PayPal, they authorize the provider to transfer money to the controller.
In doing so, the provider naturally receives information about the data subject’s purchasing behavior. Therefore, the provider acts not as a processor acting on instructions, but as an independent payment service provider for the data subjects.

Further information on the nature of data processing by this third-party provider is available here:
https://www.paypal.com/de/home

In particular, the following data is processed by the controller:

  1. Information that the data subject uses this service
  2. Information on whether, in what amount, and at what time the data subject makes a payment
  3. Personal data and account information necessary to carry out the transaction
  4. Personal data that the controller requires for the resolution of disputes and for fraud investigation and prevention

Items 2, 3, and 4 are transmitted to the controller by the provider.

Third-party provider:
The payment service “SOFORT” is provided by SOFORT GmbH (Germany – EU).
If, in the context of the contractual relationship between the data subject and the controller, a payment by the data subject is due, they are redirected to the website of this provider, where they enter the credentials required for online banking.
The provider then checks whether the account has sufficient funds (account coverage check) and whether other SOFORT transactions have been successfully carried out from this account in the last 30 days.
If the verification is positive, the provider forwards the payment instruction released by the data subject in electronic form to the bank and informs the controller of the successful submission of the transfer.
In this context, the provider acts not as a processor acting on instructions, but as the payment service provider of the data subjects.

Further information on the nature of data processing by this third-party provider is available here:
https://www.klarna.com/sofort

The controller processes in particular the following data:

  1. Information that the data subject uses this service
  2. Information on whether, in what amount, and at what time the data subject makes a payment

This notification includes only the data from the transfer form (name, account number, bank code, payment reference, transfer amount) as well as the date (with time) and the transaction ID selected by the controller (e.g., order number).
For SEPA transfers and if, depending on the bank, BIC and IBAN are required to submit the transfer into the online banking account of the data subject, the confirmation also contains BIC and IBAN.
The information in item 2 is provided to the controller by the provider.

Third-party provider:
The payment service “Stripe” is provided by Stripe Payments Europe, Ltd. (Ireland – EU), which has been commissioned in accordance with Article 28 GDPR.
Stripe Payments Europe, Ltd. is a subsidiary of Stripe, Inc., based in the United States.
Stripe Payments Europe, Ltd. is subject to European data protection law.

Further information on the nature of data processing by this third-party provider is available here:
https://stripe.com/de/payments

In particular, the following data is processed by the controller:

  1. Information that the data subject uses this service
  2. Information on whether, in what amount, and at what time the data subject makes a payment
  3. Personal data and account information necessary to carry out the transaction
  4. Personal data that the controller requires for the resolution of disputes and for fraud investigation and prevention

Items 2, 3, and 4 are transmitted to the controller by the provider.

Third-party provider:
The reseller Digistore24 GmbH (Germany – EU) is used.
Further information on the nature of data processing by this third-party provider is available here:
https://www.digistore24.com/de/vendors

Third-party provider:
The reseller ELOPAGE GmbH (Germany – EU) is used.
Further information on the nature of data processing by this third-party provider is available here:
https://elopage.com/reseller

Third-party provider:
The scheduling tool “HubSpot” is used, provided by HubSpot, Inc. (USA), which has been commissioned in accordance with Article 28 GDPR.
Further information on the nature of data processing by this third-party provider is available here: https://www.hubspot.de/products/sales/schedule-meeting

The fact that this provider is located outside the EU does not preclude its use, as the provider has committed to compliance with the EU Standard Contractual Clauses.

Third-party provider:
The recruiting tool “Personio – Recruiting” by Personio GmbH (Germany – EU) is used.
This provider has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:
https://www.personio.de (under the “Features” tab)

Third-party provider:
In the context of automation, the interface tool “Zapier” by Zapier, Inc. (USA) is used.
This provider has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:
https://zapier.com/how-it-works

In short: With Zapier, the controller is able to connect applications so that customer and prospect data can be exchanged automatically between different applications.
The fact that the provider is located outside the European Union does not preclude its use, as the provider has committed to compliance with the EU Standard Contractual Clauses.

Third-party provider:
In connection with the analysis of user behavior, the analytics tool “Google Analytics” by Google Ireland Ltd. (Ireland – EU) is used.
This provider has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:
https://support.google.com/analytics/answer/9306384?hl=de

It should be noted that the IP address is shortened by the provider within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a server of the provider in the USA and shortened there. The IP address transmitted by the browser within the scope of this tool is not merged with other data by the provider.

The tool is also used for cross-device analysis of visitor flows, which is carried out via a User ID.
Data subjects can deactivate cross-device analysis in their customer account under "My Data", "Personal Data".

For information purposes, it is noted that this tool is used with the “_anonymizeIp()” extension.
As a result, IP addresses are further processed in shortened form, and personal identifiability is thus excluded.
To the extent that data collected about the data subjects is personal, this reference is immediately eliminated and the personal data is thus promptly deleted.

The fact that data is transferred to the USA, potentially in cooperation with Google LLC (USA), does not preclude this processing. This is because the processing of personal data only occurs if the data subjects have consented to the associated data transfer to the USA (see Article 49(1)(a) GDPR).

Third-party provider:
In connection with the analysis of user behavior, the central management tool “Google Tag Manager” by Google Ireland Ltd. (Ireland – EU) is used.
This provider has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:
https://marketingplatform.google.com/intl/de/about/tag-manager/

It should be noted: This tool enables the controller to structure and simplify the integration of various codes and services on this website.
The tool itself implements the tags or triggers the tags that are embedded via it.
When a tag is triggered, the provider may also process personal data.

It cannot be ruled out that the provider transmits data to a server in a third country.
Nevertheless, this does not preclude the processing, as the data transfer to the USA, potentially in cooperation with Google LLC (USA), only occurs if the data subjects have consented to the associated data transfer (see Article 49(1)(a) GDPR).

Third-party provider:
In connection with the analysis of user behavior, the analytics tool “Mouseflow” by Mouseflow ApS (Denmark – EU) is used.
This provider has been commissioned in accordance with Article 28 GDPR.
Further information on how this third-party provider processes data is available here:
https://mouseflow.com/de/features/

Third-party provider:
The social network “Facebook” by Meta Platforms Ireland Limited (Ireland – EU) is used. It cannot be ruled out that personal data is transmitted to or integrated with the parent company, Meta Platforms Inc. (USA). To the extent that the controller and the provider of the aforementioned social network or medium are jointly responsible, the agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum. This document contains all information on the scope of responsibility and task distribution. In all other cases, the social network provider or medium has been commissioned under Article 28 GDPR. Further information on how this third-party provider processes data is available here: https://www.facebook.com/business/gdpr.

The use of this provider does not preclude data transfer to or integration with the U.S.-based parent company. However, the processing of personal data via this tool only occurs if the data subjects have consented to this data transfer to the USA (see Article 49(1)(a) GDPR)—as far as the controller is directing the data processing. If the provider of the social network or medium independently controls the processing (for example, if data subjects visit the social network independently of an action on this website), then no transfer by the controller to the USA occurs, and the controller does not need to provide additional guarantees under Articles 44 ff. GDPR. In such cases, any relationship between the controller and the social network provider may only be one pursuant to Article 26 GDPR.

The controller also maintains a corporate and/or product page with this provider, which is linked on this website. If data subjects click this link (i.e., the link to the corporate or product page), they are directed to the controller’s profile.

The controller has embedded a plugin of the aforementioned social network or medium. If data subjects click this plugin, they are directed to the controller’s profile. The controller uses the so-called two-click solution. This means that after the initial click, no personal data is transmitted to the plugin provider. The provider is identifiable by the plugin’s design (e.g., through a logo). The controller enables data subjects to communicate directly with the plugin provider via the button. Only when they click the marked field and activate it, is the provider informed that the data subjects have visited this website. Only then is personal data transmitted to the provider and possibly stored or transmitted to the USA. This data transmission occurs regardless of whether the data subjects have an account with the plugin provider and are logged in. If they are logged in, their data collected by the controller is directly assigned to their provider account. It is advisable for data subjects to log out of the social network after using it—and particularly before activating the button—to avoid association with their profile.

The controller uses the Facebook Pixel. This is an analytics tool that allows the controller to measure the effectiveness of advertising. It is generally used to understand and track user actions on a website. The controller implemented the pixel by including the pixel code in the website’s header. When data subjects visit the website and perform an action (e.g., complete a purchase), the pixel is triggered and the action is reported. This enables the controller to know when such actions occur and to analyze them. Extended matching is also used, which is covered by the data subject’s consent. The pixel also allows personal data (e.g., first name, last name, email address, etc.) to be transmitted to the provider and enriched with existing tracking data. Thus, it is possible to collect data about data subjects who do not use this social medium or who are not logged in during their website visit. Consequently, data subjects are tracked via this social medium. Additional information about how this third-party provider processes data is available here: https://de-de.facebook.com/business/help/742478679120153?id=1205376682832142.

The controller uses Facebook Ads. Using this tool’s advertising features (so-called FacebookAds), the controller can draw attention to its offerings via the social network or medium. The controller can evaluate the success of individual ad measures in relation to campaign data. It seeks to present ads that are of interest to data subjects, to make the website more engaging, and to ensure fair ad cost calculation. These advertising materials are delivered by the provider. If data subjects arrive at this website via an ad presented by the provider, a cookie is stored on their device. These cookies are not meant to personally identify data subjects. The following analytical values are usually stored with the cookie: Unique Cookie-ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), opt-out flags (indicating that the user no longer wishes to be addressed). When using this tool, the data subject’s browser automatically establishes a direct connection to the provider’s server. The controller has no influence on the extent and further use of data collected via this tool. However, the controller shares its knowledge: through the integration of this tool’s advertising features, the provider obtains information that data subjects have accessed the relevant part of this website or clicked an ad by the controller. If data subjects are registered with a service of the provider, their visit can be associated with their account. Even if they are not registered or not logged in, the provider might still determine and store their IP address. Data subjects can prevent participation in this tracking in several ways: (1) via browser settings, especially by blocking third-party cookies, or (2) by disabling cookies. Further information on how this tool processes data is available here: https://de-de.facebook.com/business/ads.

Furthermore, the controller uses the so‑called Facebook Custom Audience. In this process, it uploads data (usually email addresses), only after obtaining consent, to its Facebook Custom Audience. This enables the controller, when the data subjects visit the provider’s social network or medium, to show them interest-based ads. The process is as follows: the controller uploads the contact data (usually email address) to the provider. The provider checks if data subjects are registered using these contact details. If not, the data is not added to the custom audience (a kind of database the controller maintains via the provider). If yes, the data is added to the controller’s custom audience. When data subjects later visit the social network or medium, the controller has the ability to present interest-based ads. Further details on data processing by this provider are available here: https://de-de.facebook.com/business/help/341425252616329?id=2469097953376494.

Third-Party Provider:
The social network “Instagram” is operated by Meta Platforms Ireland Limited (Ireland – EU). However, it cannot be excluded that data may be transferred to or processed by its parent company, Meta Platforms Inc. (USA).
In cases where the controller and the provider of the social network or medium presented here act as joint controllers, the relevant agreement can be found at: https://www.facebook.com/legal/terms/page_controller_addendum. This agreement contains all information on the scope of application and the division of responsibilities. In all other cases, the provider of the social network or medium has been commissioned pursuant to Article 28 GDPR.
Further information about how this third-party provider processes data can be found at: https://help.instagram.com/519522125107875.
The use of this third-party provider is not precluded by the possibility that the parent company located in the United States might be involved in data processing or data transfers. This is because the processing of personal data via this tool only takes place when data subjects consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR). This consent is obtained by the controller insofar as they control the processing of the data.
If the provider of the social network or medium presented here is the party controlling the processing (for example, when data subjects visit the social network independently of any action on this website), then no transfer of data by the controller takes place. In such cases, the controller does not need to provide additional safeguards within the meaning of Articles 44 ff. GDPR. In these cases, the relationship between the controller and the provider of the social network may at most constitute a joint controllership under Article 26 GDPR.

The controller also operates a company or product page on this provider’s platform, which is linked from this website. If users click on this link (i.e. the link to the company or product page), they are redirected to the controller’s profile.

The controller has integrated a plugin of the social network or medium presented here into this website. If users click on this plugin, they will be redirected to the controller’s profile. The controller uses the so-called “two-click solution.” This means that initially, no personal data will be transmitted to the provider of the plugin. The provider can be identified by the design of the plugin (e.g., through its logo). The controller enables users to interact directly with the provider of the plugin by clicking the button. Only when users click the designated area and thus activate the plugin will the provider receive information that the user has visited this website. Only then will the above-mentioned data be transmitted.
By activating the plugin, personal data of the users is transmitted to the provider, and may be stored in the USA or transferred there. This data transfer takes place regardless of whether the user has an account with the provider or is logged in. If the user is logged in, the data collected by the controller will be directly associated with the account the user maintains with the provider. It is advisable to regularly log out of any social network after use, and especially before activating such buttons, in order to avoid having interactions linked to the user's profile.

The controller uses “InstagramAds.” With the help of the advertising tools offered by this platform, the controller can draw attention to their offers within the social network or medium presented here. Based on campaign data, they can determine the effectiveness of individual advertising measures. The goal is to show users advertisements that are relevant to them, to make this website more engaging, and to ensure fair billing of advertising costs. These advertisements are delivered by the provider.
If users are directed to this website via an ad displayed by this provider, a cookie is stored on the user's device by the tool. These cookies are not intended to personally identify the user. Typically, the following analytics values are stored in relation to the cookie: unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (a flag indicating that the user no longer wishes to be targeted).
Due to the implementation of this tool, the user's browser automatically establishes a direct connection to the provider’s server.
The controller has no influence on the scope and further use of the data that is collected through this tool. However, the controller does share their current knowledge: by embedding the advertisements of this tool, the provider receives the information that the user has accessed the relevant part of this website or clicked on an ad from the controller.
If the user is registered with a service from this provider, the visit can be linked to their account. Even if the user is not registered or logged in, it is possible that the provider may still determine and store their IP address.
Users can prevent participation in this tracking process in various ways: for example, by adjusting their browser settings – specifically, suppressing third-party cookies will prevent them from receiving ads from third-party providers – or by disabling cookies altogether.
Further information about how this third-party provider processes data is available here: https://business.instagram.com/advertising/

Third-Party Provider:
The social network “LinkedIn” is operated by LinkedIn Ireland Unlimited Company (Ireland – EU). However, it cannot be ruled out that data may be transferred to or processed by its parent company, LinkedIn Corporation (USA).
Further information about how this third-party provider processes data can be found at: https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv.
The use of this third-party provider is not precluded by the possibility that the parent company located in the United States might be involved in data processing or data transfers. This is because the processing of personal data via this tool only takes place when data subjects consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR). This consent is obtained by the controller insofar as they control the processing of the data.
If the provider of the social network or medium presented here controls the processing (for example, when users visit the social network independently of any interaction with this website), then no transfer of data by the controller takes place. In such cases, the controller is not required to provide any additional guarantees pursuant to Articles 44 ff. GDPR. In such a case, the relationship between the controller and the social network provider may at most constitute a joint controllership under Article 26 GDPR.

The controller also operates a company or product page on this provider’s platform, which is linked from this website. If data subjects click on this link (i.e., the link to the company or product page), they will be redirected to the controller’s profile.

The controller has embedded a plugin from the provider of the social network or medium presented here on this website. If users click on this plugin, they are redirected to the controller’s profile. The controller uses the so-called “two-click solution.” This means that initially, no personal data is transmitted to the plugin provider. The provider can be identified by the appearance of the plugin (e.g., via its logo). The controller enables users to interact directly with the plugin provider via the button. Only when users click on the designated area and thus activate the plugin does the provider receive information that the users have accessed this website. Only then are the aforementioned data transmitted.
By activating the plugin, personal data of the users are transmitted to the provider and may be stored or further transferred to the USA. This data transfer occurs regardless of whether users have an account with the provider or are logged in. If users are logged in, the data collected by the controller will be directly associated with the user’s account with the provider. It is advisable to log out of social networks regularly after use – and especially before activating such buttons – in order to avoid linking interactions with the user’s profile.

The controller uses “LinkedInAds.” With the advertising tools provided by this platform, the controller can draw attention to their offers within the social network or medium presented here. Based on campaign data, the controller can assess the effectiveness of individual advertising measures. The aim is to show users advertisements that are relevant to them, to make this website more engaging for them, and to enable fair calculation of advertising costs. These ads are delivered by the provider.
If users are directed to this website via an ad presented by this provider, a cookie is placed on the user's device by the tool. These cookies are not intended to personally identify users. Typically, the following analytical values are stored with the cookie: unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (a flag indicating that the user no longer wishes to be targeted).
As a result of using the tool, the user’s browser automatically establishes a direct connection with the provider’s server.
The controller has no influence over the scope and further use of the data collected by the use of this tool. However, the controller shares their knowledge: by embedding this tool’s advertising materials, the provider receives the information that the users have accessed the relevant part of this website or clicked on an ad from the controller.
If users are registered with a service from the provider, the visit may be assigned to their account. Even if users are not registered or logged in, there is still the possibility that the provider will obtain and store their IP address.
Users can prevent participation in this tracking process in various ways: by adjusting their browser software settings – in particular, blocking third-party cookies will result in users not receiving third-party ads – or by disabling cookies altogether.
Further information about how this third-party provider processes data is available here: https://business.linkedin.com/de-de/marketing-solutions/ads

Third-Party Provider:
The social network "Xing" is operated by New Work SE (Germany – EU).
More information on how this third-party provider processes personal data is available at: https://privacy.xing.com/de.

The controller also operates a company and/or product page on this platform, which is linked from this website. If users click on this link (referring to the company or product page), they are redirected to the controller’s profile.

Third-Party Provider:

The social network "Twitter" is operated by Twitter International Company (Ireland – EU). However, it cannot be ruled out that data may be transferred to or processed by its parent company, Twitter, Inc. (USA).
Further details on how this third-party provider processes data can be found at: https://twitter.com/privacy.

The use of this third-party provider is not precluded by the possibility that the parent company located in the United States might be involved in the processing of personal data. This is because processing via this tool only occurs if data subjects consent to the corresponding transfer of their data to the USA (cf. Article 49(1)(a) GDPR). This consent is obtained by the controller, insofar as the controller manages the data processing.
If the provider of the social network or medium controls the processing (for example, if users visit the platform independently of any interaction with this website), no data transfer by the controller to the USA takes place. In that case, the controller is not required to provide any further guarantees in accordance with Articles 44 et seq. GDPR. The relationship between the controller and the social network provider may then be considered a joint controllership under Article 26 GDPR.

The controller also operates a company or product page on this platform, which is linked on this website. If data subjects click this link (referring to the company or product page), they are redirected to the controller’s profile.

Third-Party Provider:

The social network "Pinterest" is operated by Pinterest Europe Ltd. (Ireland – EU). However, it cannot be ruled out that data may be transferred to or processed by its parent company, Pinterest Inc. (USA).
Further information about how this third-party provider processes data is available at: https://policy.pinterest.com/privacy-policy.

The use of this third-party provider is not precluded by the possibility that the parent company located in the United States might be involved in the data processing. This is because the processing of personal data via this tool only occurs when data subjects consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR). This consent is obtained by the controller, insofar as they control the processing of data.
If the provider of the social network or medium controls the processing (e.g., if users visit the social network independently of any interaction with this website), then there is no data transfer by the controller to the USA. Therefore, the controller is not required to provide any additional guarantees under Articles 44 et seq. GDPR. The relationship between the controller and the social network provider may in that case constitute a joint controllership under Article 26 GDPR.

The controller also operates a company or product page on this platform, which is linked on this website. If data subjects click this link (referring to the company or product page), they are redirected to the controller’s profile.

Third-Party Provider:

The social network "TikTok" is jointly provided by TikTok Technology Limited (Ireland – EU) and TikTok Information Technologies UK Limited (United Kingdom of Great Britain and Northern Ireland). However, the providers’ privacy policy states that data may also be shared with other companies within their “corporate group,” without specifying which companies are included. Therefore, despite public statements to the contrary, it cannot be ruled out that data may be processed by companies in the United States and/or the People’s Republic of China—particularly by the parent company, Beijing Bytedance Technology Ltd. (People’s Republic of China).

Where the controller and the providers of the social network or medium are jointly responsible for processing, a joint controllership agreement pursuant to Article 26 GDPR has been established. In all other cases, the provider of the social network or medium has been engaged as a processor in accordance with Article 28 GDPR.
Further information about how these third-party providers process data can be found at: https://www.tiktok.com/legal/privacy-policy-eea?lang=en.

The use of this third-party provider is not precluded by the fact that a transfer of data to the USA or the People’s Republic of China cannot be ruled out. This is because the processing of personal data via this tool only occurs if the data subjects give their explicit consent to the transfer of data to the USA or China (cf. Article 49(1)(a) GDPR). This consent is obtained by the controller, insofar as the controller manages the data processing.
If the providers of the social network or medium control the processing (e.g., when users visit the platform independently of any interaction with this website), no data transfer by the controller to third countries takes place, and thus the controller is not required to provide any further guarantees under Articles 44 et seq. GDPR. In such cases, the relationship between the controller and the provider may be considered a joint controllership under Article 26 GDPR.

The controller also operates a company or product page on this platform, which is linked on this website. If data subjects click on this link (referring to the company or product page), they are redirected to the controller’s profile.

The controller has embedded a plugin from the aforementioned provider of the social network or medium on this website. If users click on this plugin, they will be redirected to the controller’s profile. The controller uses what is known as the “two-click solution.” This means that initially, no personal data is transferred to the provider of the plugin simply by visiting the website. The provider can be identified by the design of the plugin (e.g., by its logo). The controller allows users to communicate directly with the plugin provider via the button. Only when users click on the marked field and activate it, does the provider receive the information that the user has accessed this website. Only then will the data referred to above be transmitted. By activating the plugin, personal data of the data subjects is transferred to the aforementioned provider and may be stored or processed in the USA. This transfer of data occurs regardless of whether the user has an account with the provider and is logged in. If they are logged in, the data collected by the controller may be directly associated with the account the data subject has with the provider. It is advisable to log out of social networks regularly—especially before activating the plugin—to avoid linking information to your profile.

The controller uses the "TikTok Pixel." This is an analytics tool that allows the controller to measure the effectiveness of advertisements. It is typically used to understand and track user actions on a website. The controller has implemented the pixel on this website by embedding the pixel code in the website’s header. When users visit the site and perform an action (e.g., completing a purchase), the pixel is triggered and this action is reported. This way, the controller learns when a user has completed an action and can evaluate it accordingly.

Additionally, the controller uses the so-called “Advanced Matching,” which is also covered by the user’s consent. The pixel allows data subjects’ personal information (such as first name, last name, email address, etc.) to be transmitted to the providers and enriched with existing tracking data. This makes it possible to collect data from users who do not use this social network or who are not logged into it at the time of their website visit. As a result, the data subjects can be tracked via the social network.
Further information on how this provider processes data is available at: https://www.tiktokforbusinesseurope.com/de/resources/install-tiktok-pixel/.

The controller also uses "TikTok Ads." With this tool’s advertising formats, the controller can draw attention to its offerings within the framework of the social network or medium. Based on the advertising campaign data, the controller can determine the success of individual advertising efforts. The aim is to display ads that are of interest to users, make this website more engaging for them, and ensure a fair calculation of advertising costs.

These advertising assets are delivered by the aforementioned provider. If users arrive on this website via an ad presented by this provider, a cookie will be stored on the user's device. These cookies are not intended to personally identify users. Typically, the following data is stored for analysis: the unique cookie ID, the number of ad impressions per placement (frequency), the last impression (relevant for post-view conversions), and opt-out information (an indication that the user no longer wishes to be targeted). Due to the use of this tool, the user's browser automatically establishes a direct connection with the provider’s server. The controller has no influence over the scope or further use of the data collected through this tool but shares what is known:
By integrating these advertising assets, the provider receives the information that users have accessed the corresponding part of this website or clicked on an ad. If users are registered with a service provided by this provider, the visit can be associated with their account. Even if users are not registered or logged in, it is still possible that the provider may obtain and store their IP address.

Users can prevent participation in this tracking process in several ways:

  • By adjusting the settings of their browser software—especially by blocking third-party cookies, which prevents them from receiving ads from third-party providers,
  • Or by disabling cookies entirely.

More information about how this third-party provider processes data can be found at: https://ads.tiktok.com/i18n/home.

Third-Party Provider:

The social network "Google"—specifically the tool "Google Ads"—is used, operated by Google Ireland Ltd. (Ireland – EU), which has been commissioned in accordance with Article 28 GDPR. However, it cannot be ruled out that data may be transferred to or processed by the parent company, Google LLC (USA).
Further information about the processing practices of this third-party provider is available at: https://ads.google.com.

The use of this third-party provider is not precluded by the possibility that the parent company located in the United States may be involved in data processing. This is because the processing of personal data only occurs when data subjects have given their consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

In this context, the controller places advertisements (so-called “ads”) in the search engine provided by Google. When data subjects interact with the controller (e.g., by visiting this website), the controller may—upon consent—mark them via cookies as suitable recipients of ads. If the users later visit the social medium in question, they may be recognized, and the above-mentioned ads may be displayed to them.

The purpose of this processing is to present the controller, analyze usage behavior in relation to interactions with this website, and communicate with users (including for advertising purposes) via the social network or medium. These advertising assets are delivered by Google through so-called “ad servers.” For this, the controller uses ad server cookies, which allow the measurement of specific parameters such as ad impressions or user clicks.

If users arrive at this website via a Google ad, a cookie is stored on their device by Google Ads. These cookies generally expire after 30 days and are not intended to personally identify the user. The cookie typically stores the following analytical values: unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (a marker indicating that the user no longer wishes to be targeted). These cookies allow Google to recognize the user’s internet browser. If a user visits certain pages of this website and the cookie stored on their computer has not yet expired, Google and the controller can recognize that the user clicked on the ad and was redirected to this site.

Due to the use of marketing tools, the user's browser automatically establishes a direct connection to Google's server.

Users can prevent participation in this tracking process in several ways:

a) by adjusting their browser settings (in particular, blocking third-party cookies will prevent them from receiving ads from third parties);
b) by disabling cookies for conversion tracking by setting their browser to block cookies from the domain “www.googleadservices.com” (see https://www.google.de/settings/ads), though this setting will be deleted when cookies are cleared.

Third-Party Provider:

The social network "Google"—specifically the tool "Google Remarketing"—is also used, operated by Google Ireland Ltd. (Ireland – EU), which has been commissioned in accordance with Article 28 GDPR. However, it cannot be ruled out that data may be transferred to or processed by the parent company, Google LLC (USA).
Further information about how this third-party provider processes data is available at: https://support.google.com/google-ads/answer/2453998?hl=en.

The use of this third-party provider is not precluded by the fact that a data transfer to the USA cannot be ruled out. Processing via this tool only occurs if the data subjects have given their consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

In this context, the controller places advertisements (so-called “ads”) in the search engine provided by Google. When data subjects interact with the controller (e.g., by visiting this website), the controller may—upon consent—mark them via cookies as suitable recipients of ads. If the users then access the relevant social medium, they may be recognized and shown the aforementioned ads.

The purpose is to present the controller, analyze usage behavior regarding interaction with this website, and communicate with users (including advertising) via the social network or medium. These advertising assets are delivered by Google through so-called “ad servers.” To do this, the controller uses ad server cookies to measure specific parameters such as ad impressions or user clicks.

If users arrive at this website via a Google ad, a cookie is stored on their device by Google Ads. These cookies generally expire after 30 days and are not intended to personally identify the user. The cookie typically stores the following values for analytical purposes: unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (marking that the user no longer wishes to be targeted). These cookies allow Google to recognize the user’s internet browser. If a user visits specific pages of this website and the cookie on their computer has not yet expired, Google and the controller can recognize that the user clicked on the ad and was redirected to this site.

Due to the use of marketing tools, the user's browser automatically establishes a direct connection to Google's server.

Users can prevent participation in this tracking process in several ways:

a) by adjusting their browser settings (in particular, blocking third-party cookies will prevent them from receiving ads from third parties);
b) by disabling cookies for conversion tracking by setting their browser to block cookies from the domain “www.googleadservices.com” (see https://www.google.de/settings/ads), though this setting will be deleted when cookies are cleared.

Third-Party Provider:

The video playback tool “YouTube,” operated by Google Ireland Ltd. (Ireland – EU), is used and has been commissioned in accordance with Article 28 GDPR. However, it cannot be ruled out that data may be transferred to or processed by the parent company, Google LLC (USA). The use of this third-party provider is not precluded by the possibility that the parent company located in the United States may be involved. This is because the processing of personal data only occurs when data subjects have given their consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

Specifically, plugins from the YouTube video portal are embedded on this website. Each time a page containing one or more YouTube video clips is accessed, a direct connection is established between the user's browser and a YouTube server. These videos are embedded in “enhanced privacy mode.” No data about users is transmitted to YouTube unless they actively play the videos. Only when they start playback are the data referred to above transmitted. The controller has no influence over this data transmission.

If users are logged into a Google account and wish to prevent YouTube from associating their activity with their profile, they must log out before activating the video. YouTube stores user data as usage profiles and uses them for purposes of advertising, market research, and/or the customized design of its website. Such evaluations are carried out in particular—even for users who are not logged in—to provide targeted advertising and to inform other users of the social network about users’ activities on the controller’s website. Users have the right to object to the creation of such user profiles, and must contact YouTube to exercise this right.

Further details on the purpose and scope of data collection and processing by YouTube can be found in their privacy policy, where users can also find additional information on their rights and how to configure settings to protect their privacy:
https://www.google.de/intl/en/policies/privacy

The controller also operates a company profile on this platform, which is linked from this website. When users click on the link (i.e., the one to the company page), they are redirected to the controller’s YouTube channel.

Third-Party Provider:

The video playback tool “Vimeo,” operated by Vimeo, LLC (USA), is also used and has been commissioned in accordance with Article 28 GDPR. The use of this third-party provider is not precluded by the possibility that data may be transferred to the USA. This is because the processing of personal data only occurs when data subjects have given their consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

Specifically, plugins from the Vimeo video portal are embedded on this website. Each time a page containing one or more video clips is accessed, a direct connection is established between the user's browser and a Vimeo server. These videos are embedded in “enhanced privacy mode.” No data about users is transmitted to Vimeo unless they actively play the videos. Only when playback starts are the data mentioned above transmitted. The controller has no influence over this data transmission.

Users have the right to object to the creation of such user profiles and must contact Vimeo directly to exercise this right. Further information about the purpose and scope of data collection and processing by Vimeo can be found in Vimeo’s privacy policy. There, users will also find additional information about their rights and settings options to protect their privacy:
https://vimeo.com/privacy

The controller also operates a company profile on this platform, which is linked from this website. When users click on the link (i.e., the one to the company page), they are redirected to the controller’s Vimeo channel.

Third-Party Provider:

The interface tool “Zapier,” provided by Zapier, Inc. (USA), is used in connection with process automation and has been commissioned in accordance with Article 28 GDPR. Further information about how this third-party provider processes data can be found here: https://zapier.com/how-it-works. In short: Zapier enables the controller to connect different applications so that customer and prospect data can be automatically exchanged between them. The fact that this provider is located outside the European Union does not preclude the processing. This is because the processing of personal data only takes place if the data subjects have consented to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

Third-Party Provider:

The mapping service “Google Maps,” provided by Google Ireland Ltd. (Ireland – EU), is used and has been commissioned in accordance with Article 28 GDPR. However, it cannot be ruled out that data may be transferred to or processed by the parent company, Google LLC (USA). Detailed information on how this third-party provider processes data can be found here: https://support.google.com/maps/answer/7576020?hl=de#null. The specific data transferred in each case also depends on whether data subjects are using this website while logged into a Google account. More detailed information on data transfer and usage can be found here: https://policies.google.com/privacy?hl=de. The use of this third-party provider is not precluded by the possibility that the parent company located in the United States may be involved. This is because the processing of personal data only occurs when data subjects have given their consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

Third-Party Provider:

The tool “Google reCAPTCHA,” provided by Google Ireland Ltd. (Ireland – EU), is used and has been commissioned in accordance with Article 28 GDPR. However, it cannot be ruled out that data may be transferred to or processed by the parent company, Google LLC (USA). Further details on how this third-party provider processes data can be found here. The use of this third-party provider is not precluded by the possibility that the parent company located in the United States may be involved. This is because the processing of personal data only occurs when data subjects have given their consent to the associated transfer of their data to the USA (cf. Article 49(1)(a) GDPR).

Third-Party Provider:

The WordPress cookie consent plugin “Borlabs Cookie,” developed by Benjamin A. Bornschein (Germany – EU), is used. More information on how this third-party provider processes data can be found here.