April, 2024 We (Empion GmbH) are pleased that you are visiting our website. The protection and security of your personal information when using our website is very important to us. Therefore, we would like to inform you here about which of your personal data we collect when you visit our website and for what purposes they are used. Personal data refers to individual information about personal or factual circumstances of a specific or identifiable natural person (data subject), such as name, address, email addresses, user behavior. These are data with which we can identify you. In addition, you will also find occasional information here about data processing processes outside of this website (e.g., video conferences or newsletters). A. Data Controller The responsible party for the processing of personal data within the meaning of the EU General Data Protection Regulation (GDPR) is: Empion GmbH Dircksenstraße 47 10178 Berlin E-mail: info@empion.de Data Protection Officer heyData GmbH Schützenstr. 5 10627 Berlin telephone: 02452 / 99 33 11 E-mail: datenschutz@empion.de B. General This privacy policy fulfills the legal requirements for transparency in the processing of personal data. These are all information relating to an identified or identifiable natural person. This includes, for example, information such as your name, your age, your address, your telephone number, your date of birth, your email address, your IP address, or user behavior when visiting a website. Information that we cannot (or only with disproportionate effort) relate to your person, e.g., through anonymization, are not personal data. The processing of personal data (e.g., collection, querying, use, storage, or transmission) always requires a legal basis and a defined purpose. Stored personal data will be deleted as soon as the purpose of processing has been achieved and there are no legitimate reasons for further storage of the data. We will inform you about the specific storage periods or criteria for storage in the individual processing operations. Regardless, we store your personal data in individual cases for the assertion, exercise, or defense of legal claims and in the presence of legal retention obligations. C. Information according to Art. 13 GDPR This information is intended for customers, interested parties, suppliers, and employees. Your personal data will be processed by us for the following purposes: ● To fulfill our contractual obligations to you (Art. 6 para. 1 lit. b GDPR). ● To perform pre-contractual duties (Art. 6 para. 1 lit. b GDPR). ● To respond to inquiries (Art. 6 para. 1 lit. b GDPR). ● If you have given us consent to process your personal data for specific purposes (such as receiving our newsletter), the data processing is based on your consent (Art. 6 para. 1 lit. a GDPR). ● To fulfill legal obligations to which our company is subject (Art. 6 para. 1 lit. c GDPR). ● To the extent necessary, we also process your data to safeguard our legitimate interests, in particular to assert legal claims and defense in legal disputes or to ensure IT security, for consultation with and data exchange with credit agencies to determine credit and default risks, for direct advertising and market research if you have not objected to the use of your data for this purpose, for business management measures and the further development of services and products, for product and sales optimization measures, for risk management, for the prevention or investigation of criminal offenses (Art. 6 para. 1 lit. f GDPR). D. Categories of recipients of personal data Within our company, only those employees have access to the data who absolutely need it to fulfill their tasks (need-to-know principle). Individual processes and services are carried out by carefully selected and data protection-compliant service providers who are based within the EEA. If service providers commissioned by us have access to personal data when performing their services, data processing agreements according to Art. 28 para. 3 GDPR have been concluded with them. E. Duration of data storage The data processed by us will be stored for the duration of the existence and settlement of the contractual relationship as well as in compliance with legal retention periods. These are in particular commercial and tax retention obligations under the German Commercial Code (HGB) and the Fiscal Code (AO). The regular retention or documentation periods thereafter amount to up to ten years. If there is no contractual relationship, we process the data only for as long as the specific purpose requires. F. Your Rights as a Data Subject As a data subject, you have the following rights regarding the personal data concerning you, which you can assert by email to datenschutz@empion.de: If you have given us your explicit consent to the processing of your personal data, you can revoke this consent at any time free of charge with effect for the future. Your revocation does not affect the legality of the processing of your personal data up to that point or the legality of such processing for which another legal basis exists. ● You have the right, according to Art. 15 GDPR, to request information about the personal data we process about you. In particular, you can request information about the purposes of processing, the categories of personal data processed, the categories of recipients to whom your data have been or will be disclosed, the planned storage duration, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details. You can also request that we provide you with a copy of the data stored about you. ● You have the right, according to Art. 16 GDPR, to demand the immediate correction of inaccurate or completion of your personal data stored by us. ● You have the right, according to Art. 17 GDPR, to demand the deletion of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims. ● You have the right, according to Art. 18 GDPR, to demand the restriction of the processing of your personal data if the accuracy of the data is contested by you, if the processing is unlawful but you oppose its erasure, if we no longer need the data but you require it for the establishment, exercise, or defense of legal claims, or if you have objected to processing pursuant to Art. 21 GDPR. ● You have the right, according to Art. 20 GDPR, to receive your personal data that you have provided to us and to request its transmission to another controller where technically feasible, based on your consent or for the performance of a contract (right to data portability). ● You have the right, according to Art. 77 GDPR, to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority at your usual place of residence or work or our registered office. Right to Object If we process your personal data based on legitimate interests pursuant to Art. 6(1) sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons arising from your particular situation or the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without specifying any particular situation. G. Cookies Cookies are small text files that are sent by us to the browser of your device during your visit to our websites and are stored there. Alternatively, information can also be stored in the local storage of your browser. Some functions of our website cannot be offered without the use of cookies or local storage (technically necessary cookies). Other cookies, however, enable us to carry out various analyses, so that, for example, we can recognize the browser you are using when you visit our website again and transmit various information to us (non-essential cookies). With the help of cookies, we can, among other things, make our website more user-friendly and effective for you by tracking your use of our website and determining your preferred settings (e.g., country and language settings). If third parties process information through cookies, they collect the information directly through your browser. Cookies do not cause any damage to your device. They cannot execute programs and do not contain viruses. We provide information about the respective services for which we use cookies in the individual processing operations. Detailed information about the cookies used can be found in the cookie settings or in the consent manager of this website. H. Data processing in detail Below, we inform you about the individual processing operations, the scope and purpose of data processing, the legal basis, the obligation to provide your data, and the respective storage period. There is no automated decision-making in individual cases, including profiling. 1. Provision of the website - log files When you access and use our website, we collect the personal data that your browser automatically transmits to our server. The following information is temporarily stored in a so-called logfile: ● IP address of the requesting computer ● Date and time of access ● Name and URL of the accessed file ● Website from which access is made (referrer URL) ● Browser used and, if applicable, the operating system of your computer and its interface, as well as the name of your access provider ● Language and version of the browser software ● Time zone difference to Greenwich Mean Time (GMT) ● Content of the request (specific page) ● Access status/HTTP status code ● Amount of data transmitted ● Website from which the request originates The storage of the IP address for the duration of the session is necessary to display our websites to you. The processing of the other data is particularly for ensuring the permanent functionality and security of our websites and information technology systems. The legal basis for processing this data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest in processing the data is to achieve the purposes mentioned. The logfiles are stored for a period of 30 days and then deleted unless they need to be retained for a longer period exceptionally for tracing an identified attack. Our website is not hosted by ourselves but by a service provider who processes the aforementioned data on our behalf in accordance with Art. 28 GDPR. 2. Contact form Type and scope of processing When you send us inquiries (e.g., via contact form, email, or telephone), we store all data resulting from this (e.g., name, email address, subject of the inquiry, etc.). We need this data to process your inquiry and to be able to answer follow-up questions. We do not disclose this data without your consent. Purpose and legal basis The processing of this data is based on Art. 6 para. 1 lit. b GDPR if your inquiry is related to the fulfillment of a contract or is necessary for the performance of pre-contractual measures. Otherwise, the processing is based on our legitimate interest in effectively processing inquiries directed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if you have given it beforehand. Storage period We delete your data after the purpose has been fulfilled. We store certain data until the statutory limitation periods (usually three years) and/or statutory retention periods, such as those from tax and commercial law (usually up to ten years), have expired. 3. Contacting for applicants Type and scope of processing You have the opportunity to apply to us on our website (e.g., via email, by post, or via online application form). Purpose and legal basis ● During the application process, we process the following categories of data: ● Personal contact and identification data: e.g., name, first name, academic degree, gender, email address, address, and telephone number ● Data about your professional qualifications, such as school and education degrees, language skills, as well as your place of study or training, certificates ● If you send us your resume, we process the data provided therein, such as photos of you or the presence of a driver's license ● Any other data provided by you as part of the application Your application documents are sent to the contact person mentioned in the job advertisement and are internally forwarded to other decision-makers and employees responsible for the application process. Your data is processed by us to determine whether you are suitable for employment with us within the framework of the applicant selection process. The legal basis for data processing is § 26 para. 1 BDSG and Art. 6 para. 1 lit. b GDPR (contract initiation). Information voluntarily provided by you beyond the required extent is processed based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in being able to respond to your application as effectively as possible. If you provide information for which we have no legal basis for processing in individual cases, we will not process it. Storage period If an employment relationship is established with you, we will continue to process your data for the purposes of the employment relationship in accordance with a separate privacy policy, which you will receive from us. If no employment relationship is established with you, we generally store your data for a period of six months from the date of the rejection letter sent to you. After that, your application documents will be deleted. Only those persons internally have access to your data who need it for the stated purposes. These are primarily the responsible partners, responsible HR employees, and all persons who are necessarily involved in the applicant selection process. Inclusion in the applicant pool As part of the application process, we offer applicants the opportunity to be included in our "Talent Pool" for a period of 12 months based on consent within the meaning of Art. 6 para. 1 lit. a GDPR. The application documents in the talent pool are processed solely in the context of future job postings and employee searches and will be destroyed at the latest after the deadline has expired. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process, and they can revoke this consent at any time for the future. If you receive an offer of employment with us and accept it as part of the application process, we will store the personal data collected during the application process for the duration of the employment relationship at least. 4. Processing of Personal Data within the Empion SaaS Recruiting Platform Our Empion SaaS Recruiting Platform ("Platform") is a platform for matching potential employees with companies registered with us ("Customers"). Users can register on our platform and create their own applicant profile. Through our platform, users are matched with potential employers and suggested accordingly. Users can decide in their profile settings whether their application documents should be automatically transmitted to every suggested employer or whether user confirmation should be obtained before each transmission. Purpose and Legal Basis: When you register as a user with us, your personal data will be processed by us for the following purposes: ● Creation of a user profile on our platform ● Forwarding to potential employers who may be suitable as employers ● Selection of job offers suitable for users For this purpose, the following categories of data will be processed from you: ● Personal contact and identification data: e.g., name, first name, academic degree, gender, email address, address, and telephone number ● Data regarding your professional qualifications, such as educational background, language skills, as well as your study or training location, certificates ● If available: photo ● Responses to the questionnaire ● Data on professional preferences: e.g., salary expectations, desired job profile When you register on our platform, you enter into a user agreement with us. The processing of your personal data is therefore carried out to fulfill a contractual obligation; the legal basis is Art. 6 para. 1 lit. b GDPR. Data Origin; Registration: Your personal data either come from yourself because you have communicated or uploaded them to us via the platform. Alternatively, we may receive your data from LinkedIn. You can use your LinkedIn account for registration. The provider of this platform is LinkedIn Ireland Unlimited Company ("LinkedIn"), Wilton Place, Dublin 2, Ireland. To register with LinkedIn, you must enter your account data (LinkedIn username and password). LinkedIn will identify you and confirm your identity to our website. Additionally, you must accept our terms of use. When you log in with LinkedIn, we may use certain information on your account to complete your profile with us. You decide on this within your LinkedIn security settings, which you can find here: https://www.linkedin.com/help/linkedin/answer/a1337839/ihre-konto-und-datenschutzeinstellungen-verwalten-ubersicht?lang=de. The possibility of registering with LinkedIn is voluntary; the associated data processing is based on our legitimate interest in enabling our users to have a simple registration process (Art. 6 para. 1 lit. f GDPR). Regardless of our processing, LinkedIn independently processes data, which you can learn more about at https://de.linkedin.com/legal/privacy-policy?. We use an interface (API) provided by the third-party provider Proxycurl LLC, 1603 Capitol Ave. Ste. 310 A144 Cheyenne, WY 82001 USA; https://nubela.co/proxycurl/linkedin, for the integration of LinkedIn. We have concluded an agreement with Proxycurl for data processing on our behalf in accordance with Art. 28 GDPR and the EU Standard Contractual Clauses. Data Transfers to Customers; Joint Responsibility: We transmit your data to potential employers who have registered as customers on our platform. This data transfer only takes place if you have consented to the transmission to the respective customer. From a data protection perspective, our customers are responsible for the data processing in the event of data transmission. For these purposes, we conclude an agreement with our customers for the joint processing of personal data pursuant to Art. 26 GDPR. The contents of this data protection agreement can be found in the "Data Protection" section of our terms and conditions (https://empion.io/agb). Essentially, we have agreed with our customers that you can contact us or the customer at any time regarding data protection inquiries. Storage Duration: We store your data on the platform as long as you are registered with us. You can delete your account at any time – in this case, your personal data will also be deleted. However, to fulfill legal retention periods and in the event of legal disputes, we may retain your data even after deletion of your account for the duration of the relevant retention periods and statutory limitation periods. In no case, however, will data be transferred to customers or processed by us after the deletion of the account. Our customers can view your application documents on the platform for a period of six months after the completion of the respective application process. After that, the customers no longer have access to your application documents. 5. Cultural Analysis If you register as a commercial customer for your company with us, we will create an analysis of the overall corporate culture ("Cultural Analysis"). The Cultural Analysis is carried out using a digital questionnaire provided to the employees of the customer company via a link, which is filled out by the employees without mentioning their names. Essentially, the following data is processed as part of the Cultural Analysis: gender, age group, workplace location, department, work mode (hybrid, remote, office), language, leadership. However, since we do not collect names, these are usually not personal data of the employees. However, since in individual cases, identification of the employees could theoretically be possible based on this information, we treat the data as personal data within the meaning of the GDPR. Furthermore, by providing the link to the questionnaire, the IP address of the employees is processed for purely technical reasons. The IP address is processed by us solely for the purpose of providing the questionnaire and is deleted after 14 days. The legal basis for this processing of personal data within the Cultural Analysis is our legitimate interest (Art. 6 para. 1 lit. f GDPR). Our legitimate interest is to provide our customers with the best possible results on our platform through the Cultural Analysis. The interests of the employees are adequately taken into account, particularly by conducting the surveys without naming names and by taking no measures to identify the employees. 6. Use of Google Analytics This website uses features of the web analytics service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics allows the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, time spent on the site, operating systems used, and the user's origin. This data may be aggregated by Google into a profile that is assigned to the respective user or their device. Furthermore, we may record your mouse and scroll movements and clicks using Google Analytics, among other things. Google Analytics also uses various modeling approaches to supplement the collected data and employs machine learning technologies in data analysis. Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about the use of this website is usually transferred to a Google server in the USA and stored there. The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analyzing user behavior in order to optimize both its website offering and its advertising. If consent has been requested (e.g., consent to store cookies), the processing will be carried out exclusively on the basis of § 25 para. 1 TTDSG, Art. 6 para. 1 lit. a GDPR; consent can be revoked at any time. The data transfer to the USA is based on the European Commission's Standard Contractual Clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/. IP anonymization We have activated the IP anonymization function on this website. As a result, your IP address will be truncated by Google within member states of the European Union or other parties to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be sent to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website usage and internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. Browser Plugin You can prevent Google from collecting and processing your data by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. For more information on how Google Analytics handles user data, please refer to Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de. Data processing We have concluded a data processing agreement with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics. Storage duration Data stored by Google at the user and event level, which are linked to cookies, user IDs (e.g., User ID), or advertising IDs (e.g., DoubleClick cookies, Android advertising ID), are anonymized or deleted after 14 months. For details, please refer to the following link: https://support.google.com/analytics/answer/7667196?hl=de 7. Presences on social media platforms Data processing by social networks We operate publicly accessible profiles on social media platforms. The specific social networks used by us are listed below. Social networks such as Facebook, Twitter, etc., can generally comprehensively analyze your user behavior. By visiting our social media presences, the following data protection-relevant processing operations are triggered: If you are logged into your social media account and visit our profile, the operator of this social media platform can track this visit. Regardless, the operator may process your data (e.g., IP address) even if you are not logged into your account or do not have an account at all. The operator compiles this data into user profiles that contain your preferences and interests. These profiles are used for personalized advertising within and outside the respective social media presence. If you have an account with the respective social network, personalized advertising may be displayed on all devices on which you are logged in or have been logged in. Additional processing operations may be carried out by the operators of the social media portals, over which we have no influence. For details, please refer to the terms of use and privacy policies of the respective social media portals. Legal basis Our social media appearances aim to ensure the broadest possible presence on the Internet in accordance with Art. 6 para. 1 lit. f GDPR. Additionally, we pursue our legitimate interests in a diverse external representation of our company and the use of an effective information channel for improving our external presentation and communication with you. The analysis processes carried out by the operators of social networks may be based on different legal bases, which the respective providers are to specify. If you have given a platform operator consent to data processing, Art. 6 para. 1 lit. a GDPR is the legal basis. Controller and Exercise of Rights When you visit one of our social media presences (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can exercise your rights (access, rectification, erasure, restriction of processing, data portability, and complaint) against both us and the operator of the respective social media portal (e.g., Facebook). Despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the portals. Our options are primarily determined by the corporate policies of the respective provider. Storage Duration Data directly collected by us via the social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies. Mandatory legal provisions - especially retention periods - remain unaffected. We have no influence on the storage period of data collected by social networks. For details, please refer directly to the operators of the social networks (e.g., in their privacy policy, see below). Facebook page We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The data collected is also transferred to the USA and other third countries. We have entered into an agreement on joint processing (controller addendum) with Facebook, which specifies for which data processing operations we or Facebook are responsible. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum. You can adjust your advertising settings independently in your user account. To do this, click on the following link and log in: https://www.facebook.com/settings?tab=ads. The data transfer to the USA is based on the European Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. For more information on data processing by Facebook, please visit: https://www.facebook.com/about/privacy/. Instagram page We have a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The data transfer to the USA is based on the European Commission's Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381. For details on how they handle your personal data, please refer to Instagram's privacy policy: https://help.instagram.com/519522125107875. LinkedIn page We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to deactivate LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. The data transfer to the USA is based on the European Commission's Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. For details on how they handle your personal data, please refer to LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy. 8. Email Newsletter You can subscribe to an email newsletter ("Newsletter") on our website. To sign up for our newsletter, you need to provide us with your email address. To verify your email address, we use the so-called double opt-in procedure. This means that after providing your email address, we will send a confirmation email to the email address provided, asking you to confirm that you wish to receive the newsletter. If you confirm, we will store your data until you unsubscribe from the newsletter. The storage is solely for the purpose of being able to send you the newsletter. The legal basis is your express consent pursuant to Art. 6 para. 1 lit. a GDPR. You can revoke your consent and unsubscribe from the newsletter at any time. You can revoke by clicking on the link provided in each newsletter email, by sending an email to the address mentioned above, or by sending a message to the contact details provided in the imprint. The data you provided to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter, and after unsubscribing, will be deleted from the newsletter distribution list. Data stored for other purposes remain unaffected. After you have unsubscribed from the newsletter distribution list, your email address may be stored by us in a blacklist to prevent future mailings. The data from the blacklist are used only for this purpose and are not merged with other data. This serves both your interests and our interest in complying with legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). The storage in the blacklist is not limited in time. You can object to the storage if your interests outweigh our legitimate interest. 9. Video Conferences To conduct video and audio conferences, webinars, and other types of video and audio meetings, we use third-party video conferencing tools. The following data categories are processed: ● Inventory data (e.g., names, addresses), ● Contact details (e.g., email, phone numbers), ● Content data (e.g., text inputs, photographs, videos), ● Meta/communication data (e.g., device information, IP addresses). The processing of the data is for the purpose of setting up and conducting online meetings/video conferences. The processing is carried out on the legal basis of Art. 6 para. 1 lit. b GDPR or Art. 6 para. 1 lit. f GDPR based on our legitimate interests in efficient and secure communication with our communication partners. If you have given consent to data processing beforehand, the processing of your data is based solely on Art. 6 para. 1 lit. a GDPR; consent can be revoked at any time. We use the following video conferencing tools: Google Meet: For the European region, the company responsible is Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland). To ensure sufficient guarantees for any data transfers to the USA or other third countries, the EU Standard Contractual Clauses are applied. When you share content in this service, it is stored on the providers' servers. This includes cloud recordings, chat messages, voice messages, as well as photos and videos you shared during the use of this service. We have no control over the processing by the provider of the video conferencing tool. For more information on data processing by the conference tools, please refer to the privacy policies of the respective tools. The data directly collected by us via the video and conference tools will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal retention periods remain unaffected. We have no control over the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please inquire directly with the operators of the conference tools. 10. Adobe Typekit Type and Scope of Processing This website uses web fonts from Adobe to display certain fonts uniformly. The provider is Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe). When you visit this website, your browser directly loads the required fonts from Adobe to correctly display them on your device. Your browser establishes a connection to Adobe's servers in the USA, thereby providing Adobe with knowledge that this website was accessed via your IP address. According to Adobe, no cookies are stored when providing the fonts. Purpose and legal basis The storage and analysis of data are based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of fonts on its website. If consent has been obtained (e.g., consent to store cookies), processing is based exclusively on Art. 6 para. 1 lit. a GDPR; consent can be revoked at any time. The data transfer to the USA is based on the Standard Contractual Clauses of the European Commission. Details can be found here: https://www.adobe.com/de/privacy/eudatatransfers.html. For more information about Adobe Fonts, please visit: https://www.adobe.com/de/privacy/policies/adobe-fonts.html. The privacy policy of Adobe can be found here: https://www.adobe.com/de/privacy/policy.html 11. Google Fonts Type and scope of processing This website uses web fonts for the uniform display of fonts. These are provided by Google. When you visit the page, your browser downloads the required web fonts into its cache to display text and fonts correctly. Your browser, therefore, establishes a connection to Google's servers, enabling Google to obtain knowledge of your IP address. If your browser does not support web fonts, a standard font from your computer is used instead. For more information about Google Web Fonts, you can visit https://developers.google.com/fonts/faq. You can find Google's privacy policy here: https://policies.google.com/privacy?hl=de. Purpose and legal basis The use of Google Web Fonts is based on our legitimate interest in a consistent presentation of the typography on our website (Art. 6 para. 1 lit. f GDPR). If consent has been requested (e.g., consent to the storage of cookies), the processing of data is carried out exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR. This consent can be revoked at any time. 12. Vercel and StrapiCMS Type and scope of processing We use Vercel Inc., 440 N Barranca Ave #4133 Covina, CA 91723, USA ("Vercel"), and Strapi, Inc., 3500 S Dupont Hwy, Dover, DE 19901, USA ("StrapiCMS"), among other things, for web hosting and displaying our website. Additionally, Vercel and StrapiCMS collect statistical data about visits to our website. The following data is typically transferred: accessed website, date and time of access, amount of data transmitted, indication of whether access was successful, browser type and version, user's operating system, previously visited website (referrer), and IP address. These log data are processed solely for the above-mentioned purposes, as well as for maintaining the security, functionality, and optimization of the offerings of Vercel and StrapiCMS. Purpose and legal basis The use of the service is based on our legitimate interests, i.e., interest in secure and efficient provision, as well as the optimization of our online offering in accordance with Art. 6 para. 1 lit. f GDPR. 13. Amazon Web Services and Sentry Nature and Scope of Processing For the provision of our web apps, we use Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109 United States ("AWS"). We use AWS, among other things, for web hosting and displaying our web apps. Additionally, AWS collects statistical data about visits to our website. All data is stored at AWS and processed from there in accordance with the terms of use, which can be viewed at https://d1.awsstatic.com/legal/AWS_Site_Terms/AWS_Site_Terms_German_2022-09-30.pdf. All data is stored in Europe. This provider has access to the user's email if we send transactional or product-related emails. The following data is typically transferred: accessed website, date and time of access, amount of data transmitted, indication of whether access was successful, browser type and version, user's operating system, previously visited website (referrer), and IP address. These log data are processed solely for the above-mentioned purposes, as well as for maintaining the security, functionality, and optimization of our websites. We also use Functional Software, Inc. d/b/a Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105-2250, USA ("Sentry"). This provider may have access to user-related information in the event of an unexpected error in the system. The transmitted information is used so that our technical team can fix the error in the system. You can find Sentry's privacy policy here: https://sentry.io/privacy/?original_referrer=https%3A%2F%2Fwww.google.com%2F. Purpose and Legal Basis The use of the host is for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast, and efficient provision of our online offering by a professional provider (Art. 6 para. 1 lit. f GDPR). 14. Facebook Pixel We use the remarketing function "Custom Audiences," the audience function "Lookalike Audiences," and the Conversions API of Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland "Facebook") on our website. The "Custom Audiences" application aims to target website visitors with interest-based advertising ("Facebook Ads" or "Instagram Ads") on the social networks Facebook and Instagram, as well as on partner sites of Facebook. For this purpose, the Facebook Remarketing Tag (also called Facebook Pixel) has been implemented on the website. Facebook Pixel uses, among other things, cookies, which are small text files stored locally in the cache of your web browser on your device. When visiting the website, the Remarketing Tag establishes a direct connection to Facebook servers. This transmits to the Facebook server which of our pages you have visited and which interactions have been performed. In this case, Facebook Pixel also enables verification of whether you were redirected to our website after clicking on our Facebook or Instagram Ads. Facebook associates this information with your personal Facebook/Instagram user account. When you visit the social network Facebook or Instagram, you will then see personalized, interest-based "Facebook Ads" or "Instagram Ads." The data collected about you is pseudonymized for us, thus offering no conclusions about your identity. However, this data can be linked by Facebook to your Facebook/Instagram user account. The "Lookalike Audiences" function of Meta Platforms Ireland Limited ("Facebook") uses the same tracking pixel and is used by Facebook to calculate similarities with other Facebook/Instagram users and to identify new customers based on website visits and interactions. Statistical twins/lookalike target groups are formed based on this to display interest-based advertisements to these users as well. With Facebook Conversions API, data is still collected on the client and processed on our web server. However, data collection with the API also works if the Facebook Pixel is blocked on the client. On the server, a tracking code is then executed, which sends the collected events to the actual Facebook API on Facebook's servers. There, the data from the API and the Facebook Pixel are merged - so the Conversion API complements the tracking via Facebook Pixel. More information can be found at: https://www.facebook.com/business/help/2041148702652965?id=818859032317965 Meta Platforms Ireland Limited and we are jointly responsible for the collection of your data and the transmission of this data to Facebook when integrating the service. The basis for this is an agreement between us and Meta Platforms Ireland Limited on the joint processing of personal data, which defines the respective responsibilities. The agreement is available at: https://www.facebook.com/legal/controller_addendum According to this, we are particularly responsible for fulfilling the information obligations in accordance with Articles 13 and 14 GDPR, for complying with the security requirements of Article 32 GDPR regarding the correct technical implementation and configuration of the service, as well as for complying with the obligations under Articles 33 and 34 GDPR, insofar as a violation of the protection of personal data concerns our obligations under the agreement on joint processing. Meta Platforms Ireland Limited is responsible for enabling data subjects' rights under Articles 15 - 20 GDPR, complying with the security requirements of Article 32 GDPR regarding the security of the service, and complying with the obligations under Articles 33 and 34 GDPR, insofar as a violation of the protection of personal data concerns Meta Platforms Ireland Limited's obligations under the agreement on joint processing. As the transfer of personal data to the USA takes place, additional safeguards are required to ensure the level of data protection of the GDPR. There is no adequacy decision of the EU Commission for the USA. Data transmission is based, among other things, on standard contractual clauses as appropriate safeguards for the protection of personal data, which can be viewed at: https://www.facebook.com/legal/eu_data_transfer_addendum. In addition to the standard contractual clauses, Facebook has implemented the following technical and organizational measures to protect your data: https://www.facebook.com/legal/terms/data_security_terms The use of cookies or similar technologies is based on your consent pursuant to § 25 (1) sentence 1 TTDSG in conjunction with Article 6 (1) lit. a GDPR. The processing of your personal data is based on your consent pursuant to Article 6 (1) lit. a GDPR. You can revoke your consent at any time without affecting the lawfulness of the processing carried out based on the consent until revocation. For more information on the collection and use of data by Facebook, your rights in this regard, and options to protect your privacy, please refer to Facebook's privacy policy at: https://www.facebook.com/about/privacy. The deactivation of the "Facebook Custom Audiences" function is possible for logged-in users at this link and via the privacy settings in your browser. 15. Google Tag Manager Type and scope of processing We use the Google Tag Manager of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used to manage website tags via an interface and allows us to control the precise integration of services on our website. This allows us to flexibly integrate additional services to evaluate user access to our website. Purpose and legal basis The use of Google Tag Manager is based on our legitimate interests, i.e., the interest in optimizing our services in accordance with Art. 6 para. 1 lit. f GDPR. Storage Duration The specific storage duration of the processed data is not influenced by us but is determined by Google Ireland Limited. Further information can be found in the privacy policy for Google Tag Manager: https://www.google.com/analytics/terms/tag-manager/ 16. Hubspot We use the services of the provider HubSpot. HubSpot is a provider from the USA with a branch in Ireland (HubSpot European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland). HubSpot is software for digital marketing, with which we can send emails and cover other aspects of our online marketing. For example, the following personal data can be collected: email address, first and last name of platform users; information about who receives which emails and interacts with which links. The data will be deleted when applicants delete themselves from the platform. Data processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR. The transfer to a third country is based on Art. 49 para. 1 lit. a GDPR. 17. Hotjar We use Hotjar, provided by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta), on our website to statistically analyze visitor data. Hotjar is a service that analyzes user behavior and feedback on our website through a combination of analysis and feedback tools. We receive reports and visual representations from Hotjar that show us where and how you navigate our site. Personal data is automatically anonymized and never reaches Hotjar's servers. This means that you, as a website user, are not personally identified, yet we still learn a lot about your user behavior. For the use of Hotjar, we use cookies (see section G). The use of Hotjar requires your consent, which we obtained with our cookie popup. This consent constitutes the legal basis for the processing of personal data, as may occur with the collection by web analytics tools, according to Art. 6 para. 1 lit. a GDPR (Consent). In addition to consent, we have a legitimate interest in analyzing the behavior of website visitors to improve our offer technically and economically. With the help of Hotjar, we can identify website errors, detect attacks, and improve profitability. The legal basis for this is Art. 6 para. 1 lit. f GDPR (Legitimate interests). However, we only use Hotjar if you have given your consent.