Privacy policy
for the content and functions of the MOCO Community & the agencyflow.io website (hereinafter “Services”)
Status: February 2026
Introduction
Data protection declarations are often difficult to read. We understand that. And we want to do things differently. With our privacy policy, we want to provide users with an easy-to-understand explanation of how we process personal data. To this end, we have clearly structured our privacy policy for users and show users for each topic whether and how we process the personal data of users.
In this privacy policy, we explain to users whether and how we process personal data. Here we describe to users all processing operations that are carried out by us, by third-party services commissioned by us or integrated into or by other third parties on our behalf in the context of the use of our website, our app, our software, our marketplace, our social media profiles and the functions available at (hereinafter also referred to collectively as “services”).
1. General
The protection of personal data and privacy is extremely important to us. That is why we want to offer users comprehensive transparency regarding the processing of personal data (GDPR) and the storage of information on the user’s end device (TDDDG). Because only if the processing of personal data and information is comprehensible to users as data subjects are they sufficiently informed about the scope, purposes and benefits of the processing.
This privacy policy applies to all processing of personal data carried out by us and to the storage of information on end devices. It therefore applies both to the provision of services in our services and within external online presences, such as our social media profiles.
Person responsible
The controller within the meaning of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations is
AGENCYFLOW (vereda GmbH)
Ludgeristraße 115
48143 Münster
E-mail: hallo@agencyflow.io
Phone: +49 251 59 06 59 400
Hereinafter referred to as “controller” or “we”.
2. General information on data processing
2.1 Processing of personal data
Personal data (hereinafter also referred to as “data”) is individual information about personal or factual circumstances of an identified or identifiable natural person.
Individual details about personal or factual circumstances are, for example, the following data, whereby we clarify that not all of this data must also be processed by our services:
- Personal data – name, age, marital status, date of birth
- Communication data – address, telephone number, e-mail address
- Account data – account number, credit card number
- Geodata – IP address & location data
The “processing” of personal data includes, for example, the following measures:
- Collection – The collection of data via contact forms, by e-mail or through processes and services used by us
- Transmission – The transmission of data to our service providers, integrated services or other third parties
- Storage – The storage of data in our databases or on our servers
- Change – The change of data due to changes of name, place of residence or details in our services
- Deletion – The deletion of data when we are no longer authorized to process it
2.2 Legal basis for the processing of personal data
We only process personal data within the legally permissible limits. We are obliged to do so by law, in particular the GDPR. This obliges us to always be able to base data processing operations on a legal basis. These legal bases are standardized in Art. 6 para. 1 GDPR. Below we list all the legal bases on which we base the processing of personal data.
- Consent – Art. 6 para. 1 lit. a GDPR: Data is processed if users have actively consented to this processing, e.g. by means of an “opt-in”, after having been adequately informed by us about the scope and purposes of the processing. If users withdraw their consent or have not given their consent, we do not (or no longer) process our users’ data for purposes for which we require consent.
- To fulfill a contract – Art. 6 para. 1 lit. b GDPR: Data is processed if it is necessary for the fulfillment of a contract between us or for the implementation of pre-contractual measures. If the processing is no longer necessary for the fulfillment of the contract, we will no longer process the personal data of users.
- Fulfillment of a legal obligation – Art. 6 para. 1 lit. c GDPR: Data is processed if this processing is necessary to fulfill a legal obligation to which we as the controller are subject.
- Legitimate interest – Art. 6 para. 1 lit. f GDPR: Data is processed if this is necessary to safeguard a legitimate interest on our part and does not outweigh the interests or fundamental rights and freedoms of users with regard to the protection of data.
Personal data is only processed by us for clear purposes (Art. 5 para. 1 lit. b GDPR). As soon as the purpose of the processing no longer applies, the personal data of users will be deleted or protected by technical and organizational measures (e.g. by pseudonymization).
The same applies to the expiry of a prescribed storage period, subject to cases in which further storage is necessary for the conclusion or performance of a contract. In addition, we may be subject to a legal obligation to store the data for a longer period or to disclose it to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected as well as the type of data processing depend on which functions the user uses in the individual case. We are also happy to provide users with information about this in individual cases, in accordance with Art. 15 GDPR.
2.3 We process these categories of data
Data categories are in particular the following data:
- Master data (e.g. names, addresses, dates of birth),
- Contact data (e.g. e-mail addresses, telephone numbers, messenger services),
- Content data (e.g. text entries, photographs, videos, contents of documents/files),
- Contract data (e.g. subject matter of the contract, terms, customer category),
- Payment data (e.g. bank details, payment history, use of other payment service providers),
- Usage data (e.g. history in our services, use of certain content, access times),
- Connection data (e.g. device information, IP addresses, URL referrer).
2.4 We take these security measures
In accordance with the legal requirements and taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to rights and freedoms, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
The measures include, in particular, ensuring that our users’ data is stored and processed confidentially, with integrity and available at all times. Furthermore, the security measures that we implement include controls on access to data and access, input, disclosure, securing availability and separation of data from other natural persons. Furthermore, we have set up procedures that ensure the exercise of data subject rights (see section 3), the deletion of data and reactions in the event of a risk to our users’ data. Furthermore, we already take the protection of personal data into account when developing our software and through procedures that comply with the principle of data protection through technology design and data protection-friendly default settings.
2.5 How we transfer or disclose personal data to third parties
As part of our processing of personal data, this data may be transmitted or disclosed to other bodies, companies, legally independent organizational units or persons. These third parties may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that we have integrated into our services. If we transfer or disclose the personal data of users to third parties, we observe the legal requirements and in particular conclude corresponding contracts or agreements with the recipients of data that serve the protection of data.
2.6 How a third country transfer takes place
If this privacy policy states that we transfer the personal data of users to a third country, i.e. a country outside the EU or the EEA, the following applies. A third country transfer will only take place in accordance with the legal requirements. We assure users that we have a contractual or legal authorization to transfer and process data in the third country concerned. In addition, we only have our users’ data processed by service providers in third countries that we consider to have a recognized level of data protection. This means, for example, that there is a corresponding adequacy decision between the EU and the country to which we transfer the personal data of users.
Alternatively, e.g. if there is no adequacy decision, a third country transfer will only take place if contractual obligations between us and the service provider in the third country exist through so-called standard contractual clauses of the EU Commission and further technical security precautions have been taken to ensure an adequately equivalent level of protection to that in the EU or the service provider in the third country can provide data protection certifications and data of our users are only processed in accordance with internal data protection regulations (Art. 44 to 49 GDPR; information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
As part of the so-called “Data Privacy Framework” (“DPF”), the EU Commission has recognized the level of data protection for certain companies from the USA as secure as part of the adequacy decision of 10.07.2023. Users can find a list of certified companies and further information on the DPF on the US Department of Commerce website at https://www.dataprivacyframework.gov/. As part of this privacy policy, we inform users which of the services we use are certified under the Data Privacy Framework.
2.7 Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as the consent given for processing is revoked or other permissions cease to apply (e.g. if the purpose of processing this data no longer applies or it is not required for the purpose). If the data are not erased because they are necessary for other legally permissible purposes, their processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes.
This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
As part of this privacy policy, we may provide information on the deletion and retention of data that applies specifically to the respective processing operations.
2.8 Storage of and access to data on the user’s end device
If we do not obtain consent from users, the storage of or access to information on the user’s end device is carried out in accordance with Section 25 (2) No. 2 of the German Act on Data Protection and Protection of Privacy in Telecommunications and Digital Services (TDDDG), as the storage of and access to this information is absolutely necessary in order to provide the desired functions of our services. If we obtain consent for this, the legal basis is Section 25 (1) TDDDG.
Our services use cookies, tokens or other technologies that may be stored on end devices and without which the provision of our services would not be possible.
Cookies, tokens or other technologies are generally text files that are stored on the user’s end device and can be read by us and third parties when our services are accessed. Many of the technologies mentioned above contain their own ID. Such an ID is a unique identifier of the respective technology used.
Such an ID consists of a character string through which websites and servers can be assigned to the specific internet browser or to the specific service or end device used, in which cookies, tokens or other technologies have been stored. This enables the operators of websites and analysis services to identify users as users and distinguish them from others.
2.9 Order processing
If we use external service providers to process data, these are carefully selected and commissioned by us. If the services provided by these service providers are order processing within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our order processing contracts comply with the strict requirements of Art. 28 GDPR and the requirements of the German data protection authorities.
3. Rights of data subjects
If personal data of our users are processed, they are data subjects within the meaning of the GDPR and users are entitled to the following rights vis-à-vis the controller:
3.1 Right to information
Users can request confirmation from the controller as to whether personal data concerning users is being processed by us.
If such processing has taken place, users can request the following information from the controller:
- the purposes for which the personal data are processed;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data concerning the user has been or will be disclosed;
- the planned duration of storage of the personal data concerning the user or, if specific information on this is not possible, criteria for determining the storage period;
- the existence of a right to rectification or erasure of personal data concerning the user, a right to restriction of processing by the controller or a right to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data if the personal data is not collected from the data subject;
- the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Users have the right to request information as to whether the personal data concerning them is transferred to a third country or to an international organization. In this context, users may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
3.2 Right to rectification
Users have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning users is incorrect or incomplete. The controller shall carry out the rectification without undue delay.
3.3 Right to restriction of processing
Under the following conditions, users may request the restriction of the processing of personal data concerning them:
- if users contest the accuracy of the personal data concerning them for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and users refuse the erasure of the personal data and instead request the restriction of the use of the personal data;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the user for the establishment, exercise or defense of legal claims, or
- if users have objected to processing pursuant to Art. 21 (1) GDPR and it has not yet been established whether the legitimate grounds of the controller override those of the user.
- If the processing of personal data concerning the user has been restricted, this data – apart from its storage – may only be processed with consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, users will be informed by the controller before the restriction is lifted.
3.4 Right to erasure
3.4.1
Users may request the controller to erase the personal data concerning them without undue delay, and the controller is obliged to erase this data without undue delay where one of the following grounds applies:
- The personal data concerning users are no longer necessary for the purposes for which they were collected or otherwise processed.
- Users withdraw consent on which the processing is based according to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR, and where there is no other legal ground for the processing.
- Users object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or users object to the processing pursuant to Art. 21 (2) GDPR.
- The personal data concerning the user has been processed unlawfully.
- The deletion of personal data concerning users is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data concerning users were collected in relation to information society services offered in accordance with Art. 8 para. 1 GDPR.
3.4.2
If the controller has made the personal data concerning users public and is obliged to erase them in accordance with Article 17(1) GDPR, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that users, as data subjects, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3.4.3
The right to erasure does not exist if the processing is necessary
- to exercise the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in para. 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- for the assertion, exercise or defense of legal claims.
3.5 Right to information
If users have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
Users have the right to be informed about these recipients by the controller.
3.6 Right to data portability
Users have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format. In addition, users have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and the processing is carried out by automated means.
In exercising this right, users also have the right to have the personal data concerning them transmitted directly from one controller to another, where technically feasible. The freedoms and rights of other persons must not be impaired by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
3.7 Right of objection
Users have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data concerning the user unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of our users or for the establishment, exercise or defense of legal claims.
Where personal data concerning users are processed for direct marketing purposes, users have the right to object at any time to processing of personal data concerning users for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If users object to processing for the purposes of direct marketing, the personal data relating to users will no longer be processed for these purposes.
Users have the possibility, in connection with the use of information society services – notwithstanding Directive 2002/58/EC – to exercise the right to object by means of automated procedures using technical specifications.
3.8 Right to revoke the declaration of consent under data protection law
Users have the right to revoke a declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The processing is lawful until revocation – the revocation therefore only affects the processing after receipt of the revocation.
Users can declare their revocation informally by post or e-mail. The processing of personal data will then no longer take place, subject to permission by another legal basis. If this is not the case, our users’ data must be deleted immediately after revocation in accordance with Art. 17 para. 2 GDPR. The right to withdraw consent subject to the above-mentioned conditions is guaranteed.
The revocation is to be sent to:
AGENCYFLOW (vereda GmbH)
Ludgeristraße 115
48143 Münster
E-mail: hallo@agencyflow.io
Phone: +49 251 59 06 59 400
3.9 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, users have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if users consider that the processing of personal data relating to users infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
3.10 Automated decisions in individual cases including profiling
Automated decisions in individual cases, including profiling, do not take place.
3.11 Notification obligations of the controller
If the personal data of users have been disclosed to other recipients (third parties) on legal grounds, we will inform them of any rectification, erasure or restriction of processing of personal data (Art. 16, Art. 17 (1) and Art. 18 GDPR). The notification obligation does not apply if it involves a disproportionate effort or is impossible. We will also inform users about the recipients upon request.
4. Information on the cookies and other technologies used
We use cookies or other technologies to provide and evaluate our services and to use the evaluated data for marketing purposes. Cookies are, for example, small text files that contain data from websites or domains visited and are stored on a device (computer, tablet or smartphone). When users access a website, the cookie stored on a device sends information to the person who placed the cookie.
4.1 How we use cookies and other technologies
We want users to be able to make an informed decision for or against the use of cookies and other technologies that are not absolutely necessary for the technical features of the services. Therefore, in the event that we use cookies and other technologies, which require consent, we enable users to make a voluntary decision when they visit our services for the first time and then permanently in appropriate settings to choose which cookies and other technologies users allow.
It is always the case that functional cookies and other technologies are mandatory for visiting our services and are therefore already permitted via our default settings. Statistics and marketing cookies and other technologies are optional. Users can allow them by consenting to the setting of these cookies and other technologies in the consent banner. Alternatively, users can reject statistics and marketing cookies and other technologies.
4.2 Storage duration of cookies and other technologies
If we do not provide users with explicit information on the storage period of cookies and other technologies (e.g. as part of the consent banner), users can assume that the storage period can be up to two years. If cookies and other technologies have been set on the basis of consent, users have the option at any time to revoke their consent or to object to the processing of data by cookies/technologies (collectively referred to as “opt-out”).
5. Data processing in connection with the use of our services
The use of our services and all their functions involves the processing of personal data. We explain to users exactly how this happens here.
5.1 Informational use of our services
Accessing our services for purely informational purposes requires the processing of the following personal data and information: Device type and device version, operating system used, IP address of the end device with which users access our services and the time at which our services are accessed. All this information is automatically transmitted by to a device if users have not configured it in such a way that transmission of the information is suppressed.
This personal data is processed for the purpose of ensuring the functionality and optimization of our services and to ensure the security of our information technology systems. These purposes are also legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR, so the processing is carried out on a legal basis.
5.2 Use by or after registration
5.2.1 Registration
In addition to the purely informational use of our services, users have the option of registering for our services and using our entire offering. Here we process in particular master data and contact data such as name, e-mail address and password. In addition, we automatically process connection data such as date, device information and IP address.
Some processing steps may also be carried out by third-party providers. Data processing by third-party providers is carried out in accordance with the conditions of the relevant data protection declarations. In the case of data processing with third-party providers, this may constitute order processing within the meaning of Art. 28 GDPR. This is subject to strict legal requirements, which we comply with in the course of our contractual agreements with our processors.
Use during or after registration and login and the associated data processing operations may differ from purely informational use. The collection of this data associated with a profile is carried out for the purpose of verifying the status and the associated fulfillment of our contractual obligations towards users. These are legitimate purposes in accordance with Art. 6 para. 1 lit. b GDPR.
If consent is required for the processing procedure, we will obtain this at the appropriate point (e.g. via the opt-in option in a consent banner when using our service for the first time). If users have any further questions, we are happy to answer them within the scope of the right to information in accordance with Art. 15 para. 1 GDPR.
5.2.2 Setting up and using a user account
Users can create a user account in our services in order to make use of our services and their functions. When users do this, the personal data they enter there is transmitted to us by the end device and stored in our information technology systems. The IP address and the time of registration are also stored.
When users log in to their user account, our service stores tokens on their end device to enable them to remain logged in – even if they have to reload our services in the meantime. By creating a user account, users can use the functions of our services.
The processing operations associated with the creation of a user account serve the purpose of being able to assign future usage processes and to be able to access the entire range of our services. When ordering any products or booking services, the processing of data also serves the execution of the contract and is therefore earmarked and required in accordance with Art. 6 para. 1 lit. b GDPR.
The storage of the IP address and time of registration is necessary to ensure the security of our information technology systems. This is also our legitimate interest, which is why processing is also lawful under Art. 6 para. 1 lit. f GDPR.
The personal data entered by users is stored until this data is deleted from the user account or, at the latest, until the user account is completely deleted.
Contrary to this, we only process certain personal data of users if we have a legal or contractual authorization to do so. This is the case, for example, if we are permitted to retain contract or payment data even after the user account has been deleted for billing or other reasons that are necessary for the proper processing of our contractual relationship.
5.3 Functions of our services
Depending on registration, the functions listed at www.agencyflow.io are available to users. We make all of the functions listed there available to users so that they can utilize the full scope of our services, depending on the model booked, and so that we can achieve the best result for them in our collaboration. We only forward the data entered by users to authorized third parties and process them to fulfill the contractual relationships entered into with users, in particular to fulfill the user contract that users have concluded for the use of our services. Therefore, the legal basis for the processing of data results from Art. 6 para. 1 lit. b GDPR.
5.4 Memberspot
We use the services of Memberspot to display and provide the functions in our services. Memberspot is a platform that enables the creation of individually configured membership areas. We use Memberspot to provide our protected member area and to conduct online courses and digital training courses.
The recipient of the data is Memberspot GmbH, Rilkestr. 26, 71642 Ludwigsburg, Germany. The categories of data concerned are all data mentioned in Section 2.3. The legal basis for the use of Memberspot and the processing of data for the aforementioned purposes is Art. 6 para. 1 lit. b GDPR.
Insofar as usage and log data is also processed, this is done on the basis of our legitimate interest in the secure, stable and functional operation of the member area in accordance with Art. 6 para. 1 lit. f GDPR. Further information on data processing by Memberspot can be found in the provider’s privacy policy: https://www.memberspot.de.
5.5 Chat and messaging system
We give users of our services the opportunity to get in touch with other users via integrated chat and message functions, to exchange information and, if necessary, to initiate and conclude contracts. The categories of data processed here are master data, contact data and, where applicable, content data, contract data and payment data.
We transmit this data to the person contacted by users to the extent that users themselves approve the transmission of data or integrate this data into messages. In addition, we obtain information about the time and parties involved in a contact via our chat and message functions.
The use of the chat and message functions is an essential part of our services. The processing of data therefore serves the performance of the contract, is bound to that purpose and is necessary in accordance with Art. 6 para. 1 lit. b GDPR.
The storage of the IP address and time of use of our chat and message functions is necessary to ensure the security of our information technology systems. This is also our legitimate interest, which is why the processing is also lawful under Art. 6 para. 1 lit. f GDPR.
The personal data entered by users will be stored by us until the profile is deleted, and beyond that only for as long as processing is necessary for any fulfillment of the contract. We do not intend to pass on data to other third parties.
5.6 Community function
With our services, we give users the opportunity to view the publications of other users, to comment on them and to make public contact with others. Processed data categories are master data, contact data if applicable and content data if applicable. We publish this data in our publicly accessible areas.
The use of the community function is an essential part of our services. The processing of the data therefore serves the performance of the contract, is bound to that purpose and is necessary in accordance with Art. 6 para. 1 lit. b GDPR.
The storage of the IP address and time of use of our community function is necessary to ensure the security of our information technology systems. This is also our legitimate interest, which is why the processing is also lawful under Art. 6 para. 1 lit. f GDPR.
The personal data entered by users is stored by us until the profile is deleted, and beyond that only for as long as processing is necessary to fulfill the contract and as far as technically possible. We do not intend to pass on data to other third parties.
6. communication services
6.1 Contact form / contact by e-mail
We process the personal data of users that users provide to us when contacting us for the purpose of responding to an inquiry, an email or a callback request. The processed data categories are master data, contact data, content data, possibly usage data, connection data and possibly contract data.
In individual cases, we forward this data to companies affiliated with us or third parties who are permitted to process this data to process orders and bookings as agreed. The legal basis of the processing depends on the purpose of the contact.
By making an inquiry in the contact form or by contacting us by e-mail, users declare that they wish to receive answers or information on certain topics. Users also leave their data for this purpose. We answer an inquiry as requested and process our users’ data for this purpose. Therefore, the authorization to process data is based on Art. 6 para. 1 lit. b GDPR, as we process it to answer an inquiry and thus to fulfill the contract.
6.2 Reporting illegal content in accordance with the Digital Services Act
We process data of our users that is made available to us by users in the context of reporting illegal content. The processed data may fall into any of the data categories listed in section 2.3. We process this data to check the reported content for illegality and derive the resulting legal obligations, such as blocking, deletion, criminal prosecution. The legal basis for the processing of data transmitted to us in the context of reports of illegal content follows from Art. 6 para. 1 lit. c GDPR. Due to the provisions of the EU Digital Services Act, we are legally obliged to check illegal content and take appropriate measures.
6.3 Online communication tools
We use online communication tools to conduct telephone conferences, customer meetings, online meetings, video conferences and/or webinars (hereinafter: “online meetings”). The scope of data processing depends on the specific purpose for which we organize the online meeting and what data users provide before or when participating in an online meeting.
The categories of data taken into account here are master data, contact data, content data, usage data if applicable, connection data and contract data if applicable. The recipients of the data are the providers of online communication tools integrated by us and listed below.
Our legal basis for the use of online communication tools results from Art. 6 para. 1 lit. b GDPR (fulfillment of contract), provided that the online meeting takes place on the basis of contractual negotiations or on the basis of a request expressed by users, e.g. in the context of establishing contact. With the online communication tools we have integrated, we want to completely digitalize communication between us.
Provider of the online communication tools we use
“Notion Meets”
Notion Ireland Ltd.
Gordon House
Barrow Street
Dublin 4
Ireland
https://policies.google.com/privacy
6.4 Artificial intelligence
We use artificial intelligence services (“AI services”) in our services. AI services offer us the opportunity to provide our services with state-of-the-art quality and individual accuracy, which is particularly valuable for our relationship with each other. The AI services enable us to provide users with an intelligent system as part of the data processing for the provision of our services, which processes all interactions in our services in which the AI services are integrated in the most efficient and useful way for users.
The purpose of data processing by the AI services is thus to provide such an advanced system that enables us to always provide the best possible services for users. The processed data categories are master data, contact data, content data, possibly usage data, connection data and possibly contract data.
Provider of the AI services we use
ChatGPT
OpenAI Ireland Limited
1st Floor
The Liffey Trust Centre
117-126 Sheriff Street Upper
Dublin 1
D01 YC43
Ireland
https://openai.com/de-DE/policies/eu-privacy-policy/
Memberspot GmbH
Rilkestr. 26
71642 Ludwigsburg
www.memberspot.de
6.5 Polls and surveys with Notion Forms
We use the “Notion Forms” tool to conduct surveys and polls. Notion Forms is a service provided by Notion Labs, Inc, 2300 Harrison Street, San Francisco, CA 94110, USA. The categories of data processed are generally contact data, master data and content data.
Further information on data processing by Notion can be found here: https://www.notion.com/de/help/gdpr-at-notion.
7. payment processing
We offer various payment methods for processing payment claims. We use the payment service providers described below for this purpose. We do this for the purpose of providing our services properly and in line with requirements. In this context, processed data includes usage data, connection data, master data, payment data, contact data or contract data, such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, sum and recipient-related information.
Payment Service Provider
Stripe
If users opt for a payment method from the payment service provider Stripe, payment processing is carried out via the payment service provider Stripe Payments Europe Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we pass on the information provided during the ordering process together with the information about an order (name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Art. 6 para. 1 lit. b GDPR. Further information on Stripe’s data protection can be found at the URL https://stripe.com/de/privacy#translation.
Stripe reserves the right to carry out a credit check on the basis of mathematical-statistical procedures in order to safeguard its legitimate interest in determining the user’s ability to pay. Users can object to this processing of data at any time by sending a message to Stripe or the commissioned credit agencies. However, Stripe may still be entitled to process the personal data of users if this is necessary for contractual payment processing.
Invoice processing with MOCO
We use the cloud-based software MOCO to create quotations and invoices and to manage customer, project and billing data. The recipient of the data is hundertzehn GmbH, In der Weid 15, 8122 Binz, Switzerland. Processed data may originate from all data categories mentioned in section 2.3.
Further information on data processing by MOCO can be found in the provider’s privacy policy: https://www.mocoapp.com/unternehmen/datenschutz.
8. hosting
8.1 Provision of our services
In order to provide our services to users, we use the services of a hosting provider, Memberspot GmbH. Our services are accessed from the servers of this hosting provider. For these purposes, we use the infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services of the web hosting provider.
The processed data includes all data that users enter in the course of using and communicating in connection with their visit to our services or that is collected from users (e.g. IP address). Our legal basis for using a hosting provider to provide our services results from Art. 6 para. 1 lit. f GDPR (legitimate interest).
8.3 Collection of access data and log files
We ourselves (or our hosting provider) collect data on every access to the server (server log files). The server log files may include the address and name of the services and files accessed, the date and time of access, the amount of data transferred, notification of successful access, device type and version, operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.
The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and to ensure the utilization of the servers and their stability. Our legal basis for using a hosting provider to collect access data and log files results from Art. 6 para. 1 lit. f GDPR (legitimate interest).
9. transactional mails
Active Campaign
We use the services of Active Campaign to send transactional emails as part of the use of our services. Active Campaign is a service that can be used to organize and analyze the sending of transactional emails, among other things.
The provider of Active Campaign and therefore the recipient of the data is ActiveCampaign, LLC, 150 N. Michigan Ave Suite 1230, Chicago, IL, USA. Users can find more information in Active Campaign’s privacy policy at: https://www.activecampaign.com/privacy-policy/.
10. profiles on social media websites
We maintain profiles on the websites of social networks on the Internet and process personal data in this context in order to communicate with the users active there or to offer information about us. We would like to point out to users that our users’ data may be processed outside the European Union when they visit our profiles. The operators of the respective social networks are responsible for this.
Instagram
We operate a profile for our company on Instagram. When you visit our Instagram profile, Meta can evaluate the usage behavior and provide us with information obtained from this (“Insights”). The page insights are used for the purpose of economic optimization and needs-based design of our website/services. The recipient of the data is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, as joint controller pursuant to Art. 26 GDPR. Meta provides information about data subject rights at: https://privacycenter.instagram.com/policy.
LinkedIn
We operate a profile for our company on LinkedIn. When you visit and use our LinkedIn profile, LinkedIn can evaluate the usage behavior and provide us with information obtained from this. The recipient of the data is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, as joint controller pursuant to Art. 26 GDPR. LinkedIn provides information on data subject rights at: https://de.linkedin.com/legal/privacy-policy.
YouTube
We operate a channel about our company on YouTube. When you visit and use our YouTube channel, Notion can evaluate the usage behavior and provide us with information obtained from this. The recipient of the data is Notion Ireland Ltd, Gordon House, Barrow Street Dublin 4 Ireland, as joint controller pursuant to Art. 26 GDPR. YouTube provides information about data subject rights at: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines.