The protection of your data and the safeguarding of your personal rights are of great importance to us. On this page, we would like to inform you about which data AltaSigma processes and for what purposes. If you have any questions or suggestions regarding the privacy policy, please feel free to contact us.

Contents

1. Foreword and Selected Terminology
2. Responsible Party and Data Protection Officer
3. Compact Overview
4. Legal Basis for the Processing of Personal Data
5. Your Rights under the General Data Protection Regulation (GDPR)
6. External Hosting
7. Automatic Server Log Files
8. Use of Cookies
9. Data Processing in the Context of Communication and Contact
10. Information for Applicants
11. Direct Marketing
12. Audio and Video Conferences with MS Teams
13. Our Social Media Presence
14. Additional Privacy Information for Our Business Partners

1. Foreword and Selected Terminology

This privacy policy informs visitors and users of our website about the data processing activities that involve the processing of personal data online. In addition, it provides information about our processing activities that do not primarily take place online.

• GDPR stands for the European General Data Protection Regulation.
• BDSG is the abbreviation for the German Federal Data Protection Act in its current version.
• Personal data refers to any individual information that allows conclusions to be drawn about a natural person (definition according to Art. 4(1) GDPR). This includes, for example, names, email addresses, telephone numbers, as well as data such as IP addresses or customer numbers.
• Processing of personal data includes all operations such as the collection, storage, transmission, archiving, or deletion of personal data (definition in Art. 4(2) GDPR).
• A data subject under data protection law is any natural person whose personal data is processed.
• Further definitions of terms can be found in the GDPR, mainly in Art. 4 (Definitions).

2. Responsible Party and Data Protection Officer

Responsible Party

AltaSigma GmbH
Sedelhofgasse 19
89073 Ulm
Germany
Phone: +49 731 360808-40
Fax: +49 731 360808-41
Email: info@altasigma.com

Data Protection Officer

DSB External Data Protection Officer Stuttgart
Fabian Henkel
Diplom-Betriebswirt (FH)
Certified Data Protection Officer
Phone: +49 176 32744172
Email: info@externer-datenschutzbeauftragter-stuttgart.de
Web: https://www.externer-datenschutzbeauftragter-stuttgart.de

3. Compact Overview

The following content provides you with a brief overview of the processing of personal data. More detailed information can be found in the respective sections.

Security on our Website

Our website is equipped with a TLS certificate, which encrypts data transmission processes. This happens, for example, when you send us a message via a form. However, we point out that one hundred percent security in electronic data processing is not possible, and there is always a residual risk.

Data You Transmit to Us

We process the data you enter on this site, for example in a form. The purpose of the processing results from the type of form and, additionally, from this privacy policy. Also, when you send us a message via email or contact us in any other way, we process your data in accordance with the purpose of the contact.

Automatic Server Log Files

Our server also automatically records all access, including IP addresses (log files). This serves to protect against attacks, analyze access numbers, and ensure smooth operation.

Newsletter / Direct Marketing

Direct Marketing to Existing Customers Based on Legitimate Interest
We reserve the right to send our customers newsletters based on Section 7(3) of the German Unfair Competition Act (UWG) in conjunction with Art. 6(1)(f) GDPR. Of course, you can object to receiving direct marketing information at any time.

Other Data Recipients

Use of Data Processors
We use data processors according to Art. 28 GDPR, for example in the areas of IT services, web hosting, email hosting, or printing services. They process personal data on our behalf and according to our instructions.

Use of External Services
Where necessary (e.g., for contract execution), we pass your data to third parties such as banks, shipping service providers, our tax consultant, or lawyers.

Legal Obligations
In certain cases, we are legally obliged to report information under the Money Laundering Act to the relevant authorities. We are also subject to other legal obligations, such as commercial or tax laws, which may require us to transmit certain data, for example to tax authorities.

Clarification of Criminal Offenses
If necessary for the clarification of a criminal offense, we pass data on to law enforcement authorities.

General Information on Deletion Periods for Personal Data

We process data as long as it is necessary for the respective purpose. Where necessary, we process your personal data for the duration of our business relationship, including the initiation and execution of a contract. Additionally, we are obliged to comply with legal retention periods. If data processing is based on your consent, we delete your data upon withdrawal of your consent.

Transfer of Personal Data to a Third Country

We endeavor to use service providers and services from providers located within the European Union wherever possible. Data transfer to a third country may occur if you have given us your consent and/or we have concluded a contract for data processing in accordance with Art. 28 GDPR, taking appropriate safeguards into account. In individual cases, we may use plugins or tools hosted in third countries, but we rely on our legitimate interests when doing so. In such cases, we will point out this fact where necessary.

Obligation to Provide Personal Data

Whether you provide personal data on our website for certain purposes is entirely voluntary. However, for the execution of legal transactions, the provision of personal data may be contractually required.

4. Legal Bases for the Processing of Personal Data

The legal bases for the processing of personal data are exceptions that allow the processing of personal data. The main legal bases are set out in particular in Article 6 of the GDPR. The specific legal bases under which we process personal data are described in the individual processing operations within this privacy policy.

Consent Given (Art. 6 (1) (a) GDPR)

Consent is one of these legal bases and requires that the consenting person gives it voluntarily and based on informed understanding. Consent based on Art. 6 (1) (a) GDPR can generally be withdrawn at any time without providing reasons.

Data Processing Related to a Contract (Art. 6 (1) (b) GDPR)

The processing of personal data for the initiation or performance of contracts is also a legal basis, defined in Art. 6 (1) (b) GDPR.

Legal Obligation (Art. 6 (1) (c) GDPR)

The exception for data processing based on a legal obligation is found in Art. 6 (1) (c) GDPR — for example, we are obliged to comply with specific retention periods under commercial and tax law.

Legitimate Interests (Art. 6 (1) (f) GDPR)

The processing of personal data based on a balancing of interests under Art. 6 (1) (f) GDPR allows data processing after careful consideration of financial or legal interests against the fundamental rights and freedoms of the data subject.

5. Your Rights Under the General Data Protection Regulation

Every natural person has certain rights, particularly defined in Articles 15 to 21 and 77 of the GDPR. You can generally exercise the following rights with us:

Right to Withdraw Consent (Art. 7 GDPR)

You can withdraw any consent given to us at any time without giving reasons, with future effect.

Right of Access (Art. 15 GDPR) (Subject to limitations under §34 BDSG)

You have the right at any time to request information about the data processed about you and the purposes of the processing.

Right to Rectification (Art. 16 GDPR)

If you find that we are processing incorrect or incomplete data about you, you have the right to request correction.

Right to Erasure (Art. 17 GDPR) (Subject to limitations under §35 BDSG)

You have the right to request the deletion of your personal data at any time. If complete deletion is not possible — for example, because we are legally required to retain the data or have other legitimate interests — your data will be restricted until the reasons for retention cease to apply.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of the processing of your personal data. You can contact us at any time at the address provided in the imprint. You can exercise the right to restriction of processing in the following cases:

• If you dispute the accuracy of the personal data we hold about you, we generally need time to verify this. During the verification period, you have the right to request restriction of processing.
• If the processing of your personal data was/is unlawful, you can request restriction of the data processing instead of deletion.
• If we no longer need your personal data, but you require them for the establishment, exercise, or defense of legal claims, you have the right to request restriction instead of deletion.
• If you have objected to processing pursuant to Art. 21(1) GDPR, a balance must be struck between your and our interests. Until it is determined whose interests prevail, you have the right to request restriction of processing.

If you have restricted the processing of your personal data, such data — apart from storage — may only be processed with your consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive the data we process automatically on the basis of your consent or in performance of a contract, in a structured, commonly used, and machine-readable format, or to have it transmitted to a third party. If you request the direct transfer of the data to another controller, this will only be done if technically feasible.

Right to Object to Certain Processing Activities and Direct Marketing (Art. 21 GDPR)

If data processing is based on Art. 6 (1) (e) or (f) GDPR, you have the right at any time to object, on grounds relating to your particular situation, to the processing of your personal data; this also applies to profiling based on these provisions. The respective legal basis for processing can be found in this privacy policy.
If you object, we will no longer process your affected personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims (objection under Art. 21(1) GDPR).

If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If you object, your personal data will subsequently no longer be used for direct marketing purposes (objection under Art. 21(2) GDPR).

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR in conjunction with §19 BDSG)

In case of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement. The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.

6. External Hosting

This website is hosted externally. The personal data collected on this website is stored on the servers of the hosting provider(s). This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access data, and other data generated via a website.

External hosting is carried out for the purpose of fulfilling contracts with our potential and existing customers (Art. 6 (1) (b) GDPR) and in the interest of a secure, fast, and efficient provision of our online offer by a professional provider (Art. 6 (1) (f) GDPR). If consent has been requested, processing will only take place based on Art. 6 (1) (a) GDPR and § 25 (1) TTDSG, insofar as the consent includes the storage of cookies or access to information on the user's device (e.g., device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.

Our hosting provider will only process your data to the extent necessary to fulfill their service obligations and will follow our instructions regarding this data.

We use the following hosting provider:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany

You can find Hetzner Online GmbH’s privacy notice here.

Data Processing Agreement
We have entered into a data processing agreement (DPA) with the above-mentioned service provider. This is a contract required under data protection law, ensuring that they process the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

7. Automatic Server Log Files

Our web server automatically logs all accesses, including the IP addresses of visitors. This serves to prevent attacks, analyze visitor numbers, and ensure smooth operation. We have a legitimate interest in this (Art. 6 (1) (f) GDPR).

The server log typically records the following data along with the IP address:

• Date and time of access
• Information about the browser type and version used
• Information about the operating system
• Device (client)
• Referrer URL (the page from which you arrived at our site)
• Accessed hyperlinks

We process these data only for the purposes stated above. Server log files are deleted at the latest after six months.

8. Use of Cookies

We strive to design our website to be as privacy-friendly as possible and to minimize or avoid the use of cookies whenever feasible. Cookies are small data packets that do not cause any harm to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit ends. Persistent cookies remain on your device until you delete them yourself or your browser deletes them automatically.

Cookies can originate from us (first-party cookies) or from third-party companies (third-party cookies). Third-party cookies allow the integration of certain services from third-party companies on a website (e.g., cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary because certain website functions would not work without them (e.g., the shopping cart function or displaying videos). Other cookies are used to analyze user behavior or for advertising purposes.

Cookies necessary for carrying out the electronic communication process, providing specific functions you desire (e.g., shopping cart functionality), or optimizing the website (e.g., measuring the web audience) are stored based on Art. 6 (1) (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically flawless and optimized provision of its services. Where consent for the storage of cookies and similar technologies has been requested, processing is based solely on this consent (Art. 6 (1) (a) GDPR and § 25 (1) TTDSG); consent can be withdrawn at any time.

You can configure your browser to inform you about the setting of cookies, allow cookies only on a case-by-case basis, exclude the acceptance of cookies for specific cases or generally, and activate automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.

You can find out whether and which cookies and services are used on this website in this privacy policy.

9. Data Processing in the Context of Communication and Contact

Message via Contact Form

You can send us messages via a contact form. In doing so, we process the data entered by you in the data entry form. Required fields are marked and must be filled out. The purpose of the data processing is to handle your request and possibly contact you afterward. The processing of the data entered in the contact form is generally based on your consent (Art. 6 (1) (a) GDPR). You can revoke your consent at any time with future effect without giving reasons. Additionally, we process your data to initiate or perform purchase contracts if you, for example, ask product-related questions (Art. 6 (1) (b) GDPR).

We store the transmitted data until the purpose of storage no longer applies or you revoke your consent. Please note that the process may be subject to statutory retention periods. In such cases, we restrict your data for further processing until these periods expire.

Communication via Email

If you send us an email, we process your data according to the content and purpose of the message. As a rule, the processing is carried out based on pre-contractual measures or in the context of the performance of a contractual relationship according to Art. 6 (1) (b) GDPR and Art. 6 (1) (f) GDPR. It is a legitimate interest to handle your request quickly and efficiently.

If it concerns a product- or service-related message, we process your data generally based on our legitimate interests under Art. 6 (1) (b) GDPR.

Please note that we store all incoming emails according to the principles of proper accounting for ten years, beginning on the first day of the following year in which the message was received. Therefore, if you request deletion, we will restrict your data for further processing and retain it only for compliance with legal retention obligations based on our legitimate interests.

Communication via Telephone or Fax

If you contact us by telephone or fax, we process your data either to initiate and perform contractual relationships (if the content is product- or service-related) and/or based on our legitimate interests, similarly to email communication.
We do not record conversation content but may take notes to process your request, which are stored until the purpose of processing has been fulfilled.

10. Information for Applicants

Data Protection Provisions for the Application Process

If you apply to us, whether for an advertised position or unsolicited, we process your data for the purpose of conducting the selection process. It does not matter whether you apply by mail, email, or via an online form, if available for the respective position.

Scope of Processing

In general, during an application process, we only process the data you have transmitted to us yourself. Consulting other sources may only occur after informing and consulting with you—for example, if we may contact a former employer.

The legal basis for conducting an application process is §26 BDSG in conjunction with Art. 6 (1) (b) GDPR (initiation of an employment contract). If you consent to longer-term storage of your data, this is based on Art. 6 (1) (a) GDPR.

Retention Periods for Applicant Data

We delete applicant data at the latest four months after the conclusion of the application process (once a candidate has been selected and all applicants have been informed of the outcome). Generally, the purpose of data processing ends with the end of the selection process. However, we have a legitimate interest (Art. 6 (1) (f) GDPR) in defending ourselves against potential claims from rejected applicants. If you believe that your interests in the immediate deletion of your data outweigh ours, you can request us to do so. We will review your request and provide feedback.

After the expiration of the above-mentioned period, your data will be deleted unless we must defend ourselves in a legal proceeding, for example, due to a lawsuit under the General Equal Treatment Act. In such cases, data will be deleted after the conclusion of the procedure unless statutory retention obligations exist.

If we are allowed to store your data longer based on your consent, we will delete your data upon your request and withdrawal of your consent. We may also delete your data before the withdrawal if it becomes clear that no suitable position will be available.

Inclusion in Our Applicant Pool

If we cannot offer you a position at the current time, we may ask for your consent to store your data further. This is done so we can offer you a suitable position at a later date. The legal basis for processing your data in our applicant pool is your consent (Art. 6 (1) (a) GDPR). Naturally, you can revoke your consent at any time with future effect. If you do not withdraw your consent within two years, we will delete your data from our applicant pool no later than after this period.

11. Direct Marketing

Direct marketing to existing customers based on legitimate interest

We reserve the right to use data collected in the context of a purchase contract or service contract for direct advertising via email or postal mail in accordance with Section 7 (3) of the German Act Against Unfair Competition (UWG), provided the customer does not object to this use. The direct advertising is limited exclusively to offers for similar products or services to those already purchased by the customer.

We use your data for direct marketing purposes for up to three years after the last transaction based on legitimate interest.

We have a legitimate economic interest (Art. 6 (1) lit. f GDPR) in informing our customers about new products and improving our services. Of course, you can object to receiving direct marketing at any time. Please direct your objection to the controller named above. In addition, each newsletter contains information on how you can exercise your right to object.

12. Audio and Video Conferences with MS Teams

We use Microsoft Teams for communication purposes. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Details on data processing can be found in the Microsoft Teams Privacy Statement.

Microsoft Teams processes all data you provide or use to access the tools (such as your email address and/or telephone number). Furthermore, the conference tools process the duration of the conference, the beginning and end (time) of participation, the number of participants, and other "contextual information" related to the communication process (metadata).

The provider also processes all technical data necessary to facilitate online communication, including IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone, speaker, and connection type.

If content is exchanged, uploaded, or otherwise provided within the tool, it is also stored on the servers of the tool provider. This includes cloud recordings, chat or instant messages, voicemails, uploaded photos and videos, files, whiteboards, and other shared information during the use of the service.

Please note that we have limited control over the data processing activities of the tool providers. Our influence is largely determined by the corporate policies of the respective provider. For more detailed information about data processing by the conferencing tools, please consult the privacy policies of the tools we use, listed below this section.

Purpose and Legal Basis

We use Microsoft Teams to communicate with prospective or existing contract partners or to provide certain services to our customers (Art. 6 (1) lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest pursuant to Art. 6 (1) lit. f GDPR). Where consent has been requested, the processing is based on this consent; the consent can be revoked at any time with future effect.

Storage Duration

Data directly collected by us through video and conference tools will be deleted from our systems once you request deletion, revoke your consent to storage, or the purpose for the data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal retention periods remain unaffected.

We have no influence over the storage duration of your data processed by the operators of the conferencing tools for their own purposes. For details, please consult the privacy statements of the respective tool providers.

Data Processing Agreement

We have concluded a Data Processing Agreement (DPA) with the provider mentioned above. This is a contract required under data protection law, ensuring that the provider processes personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

13. Our Social Media Appearances

Data Processing by Social Networks

We maintain publicly accessible profiles on social networks. You can find the social networks we use below.

Social networks like Facebook, LinkedIn, etc., generally can analyze your user behavior comprehensively when you visit their website or a website with integrated social media content (such as like buttons or advertising banners). Visiting our social media presences triggers numerous data protection-relevant processing operations. Specifically:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can associate this visit with your user account. Your personal data may also be collected even if you are not logged in or do not have an account with the respective social media portal. In this case, data collection may occur, for example, via cookies stored on your device or by recording your IP address.

Using the data collected in this way, social media operators can create user profiles that store your preferences and interests. This enables interest-based advertising to be shown to you both inside and outside of the respective social media presence. If you have an account with the relevant social network, interest-based advertising can be displayed on all devices where you are or have been logged in.

Please also note that we cannot fully track all processing activities of the social media portals. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and privacy policies of the respective social media portals.

Legal Basis
Our social media appearances are intended to ensure a broad presence on the internet, which constitutes a legitimate interest pursuant to Art. 6 (1) lit. f GDPR. The analytical processes initiated by social networks may be based on different legal bases, which must be specified by the respective network operators (e.g., consent under Art. 6 (1) lit. a GDPR).

Controller and Assertion of Rights
When you visit one of our social media appearances (e.g., on Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered by that visit. You can assert your rights (access, rectification, erasure, restriction of processing, data portability, and complaint) both against us and against the operator of the respective social media portal (e.g., Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing activities of the portals. Our influence is largely determined by the corporate policies of the respective providers.

Storage Duration
The data collected directly by us through our social media presences will be deleted from our systems as soon as the purpose for their storage no longer applies, you request deletion, revoke your consent to storage, or the purpose for storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal requirements – particularly retention periods – remain unaffected. We have no control over the storage duration of your data that is stored by the social media network operators for their own purposes. For details, please refer directly to the privacy statements of the respective social network operators (see below).

Social Networks in Detail

LinkedIn
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link.
Details on how LinkedIn handles your personal data can be found in their Privacy Policy.

XING
We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.
Details on their handling of your personal data can be found in the Privacy Policy of XING.

X (formerly Twitter)
We use the short messaging service X. The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. You can adjust your privacy settings independently in your user account. To do so, click the following link and log in.
Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here.
For more details, please refer to Twitter’s Privacy Policy.

Instagram
We have a profile on Instagram. The provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875, and https://de-de.facebook.com/help/566994660333381.
For more information on how Instagram handles your personal data, please see the Privacy Policy of Instagram.

14. Supplementary Privacy Information for Our Business Partners

Categories of Data and Purposes of Processing

We process personal data of our service providers and partners, which we receive directly within the framework of our business relationship. If we have received data from you, we will generally only process it for the purposes for which we received or collected it.

Typically, we process the following categories of your data:

• First and last name
• Address and/or company address
• Telecommunication data
• Email address
• Company
• Professional function and/or position
• Bank details / other payment information
• Data regarding the history of the business relationship

During the initiation phase and throughout the business relationship—especially through personal, telephone, or written contacts initiated either by you or one of our employees—additional personal data may be generated, such as information about the contact channel, date, reason, and result; (electronic) copies of correspondence, and information about participation in direct marketing activities.

We also process personal data that we have obtained and are permitted to process from publicly accessible sources (e.g., commercial and association registers, press, media, internet).

Processing data for other purposes is only considered if the necessary legal requirements under Art. 6(4) GDPR are met. We will, of course, comply with any information obligations under Art. 13(3) GDPR and Art. 14(4) GDPR if such a case arises.

Legal Bases for Processing Your Data

Based on Your Consent (Art. 6(1)(a) GDPR)
We process personal data for one or more specific purposes if you have given us your consent. If personal data is processed based on your consent, you have the right to withdraw your consent at any time with future effect.

Data Processing for the Performance of Contracts (Art. 6(1)(b) GDPR)
We process personal data to fulfill contracts. This includes the initiation, execution, and termination of a contract. We also process personal data necessary for pre-contractual measures taken at your request.

Data Processing Due to a Legal Obligation (Art. 6(1)(c) GDPR)
Like any company, we are subject to retention and documentation obligations, which may involve documents containing personal information. Processing for these purposes is based on legal obligations.

Data Processing Based on Legitimate Interests (Art. 6(1)(f) GDPR)
If we process data based on a balancing of interests, you have the right, under Art. 21 GDPR, to object to the processing of personal data. Where possible, we process your data in a pseudonymized or anonymized form.

Other Recipients of Your Data

Disclosure to Processors under Art. 28 GDPR
We use processors (Art. 28 GDPR)—especially in IT services and printing services—that process your data on our behalf and according to our instructions. When engaging service providers, we always comply with data protection regulations, ensuring data disclosure occurs only after the conclusion of appropriate data processing agreements. We are happy to inform you about the processors we use.

For Contract Execution
If necessary for contract fulfillment, we share your data, for example, with our bank for payment processing or with shipping providers such as Deutsche Post, DHL, UPS, GSL, DPD, or other occasion-specific providers.

Disclosure Due to Legal Obligation
If a legal or regulatory obligation exists, we transfer your data to public bodies or authorities (e.g., in the context of criminal prosecution).

Other Recipients with Your Consent
We may transfer your data to other recipients if you have explicitly consented. This will only occur within the limits of your demonstrable consent.

Information on Retention Periods for Personal Data

Principle of Purpose Limitation and Compliance with Legal Retention Periods
We process your data as long as it is necessary for the specific purpose. Where necessary, we process your personal data for the duration of our business relationship, which includes the initiation and completion of a contract.

Furthermore, like any company, we must comply with legal retention periods, such as those stipulated under commercial and tax law. If legal retention obligations exist, the corresponding personal data is stored for the duration of the retention period. The storage period also depends on legal limitation periods, which typically range from three years under §§ 195 ff. of the German Civil Code (BGB), but in certain cases can extend up to thirty years. After the retention period expires, we check whether processing is still necessary; if not, the data is deleted.

In general, such retention periods related to business transactions (under §147 AO / §257 HGB / §14b UStG) are ten years, starting with the year following the business transaction.

Concrete Example
If you provide us with your contact data, for instance by email, telephone, or handing over your business card, we store this data based on Art. 6(1)(b) GDPR (pre-contractual measures) and our legitimate interest (Art. 6(1)(f) GDPR) in smooth and targeted communication. If no contract is concluded, we delete your data upon request or after three years of no further contact.
If you conclude a contract (Art. 6(1)(b) GDPR) with us, we store your data for ten years according to commercial and tax law requirements. After that period, we review whether deletion is possible and proceed accordingly.

Emails and Business Letters
We archive all email correspondence for ten years. If you send us an email, your data and the content of the email will be stored for ten years. Most emails qualify as business letters or may contain tax-relevant information. Reviewing each email individually is, in our view, disproportionate to the effort required compared to the protection of the sender’s interests. Of course, you may always request deletion, and we will review it on a case-by-case basis and inform you of the outcome, which may result in deletion or restricted processing depending on the email's content.

Revocation of Your Consent
If we process your data based on your consent (Art. 6(1)(a) GDPR), we will delete your data upon your revocation unless legitimate interests prevent complete deletion. For example, we generally retain consent forms for up to three years after receiving your revocation, based on our legitimate interest (Art. 6(1)(f) GDPR) in defending ourselves in case of a dispute. We retain the consent solely with restricted processing for this purpose.

Legal or Contractual Obligation to Provide Personal Data

Providing personal data is generally necessary for the initiation, conclusion, execution, and termination of a contract. If you do not provide the required personal data, we cannot conclude or fulfill a contract with you.

Transfer to a Third Country

Your personal data is generally processed in data centers located within Germany or the European Union. A transfer to a third country only occurs if you have given your consent, or if we have entered into a data processing agreement under Art. 28 GDPR with appropriate safeguards or other suitable guarantees.