Privacy Policy

This policy was updated on January 27, 2025

We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the APPlyzer GmbH. The use of the Internet pages of the APPlyzer GmbH is possible without any indication of personal data; however, if a data subject wants to use special enterprise services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.
‍
The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to the APPlyzer GmbH. By means of this data protection declaration, our enterprise would like to inform the general public of the nature, scope, and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed, by means of this data protection declaration, of the rights to which they are entitled.

As the controller, the APPlyzer GmbH has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every data subject is free to transfer personal data to us via alternative means, e.g. by telephone.

1. Definitions

In our Privacy Policy, we use special terms fromvarious data protection laws. We want our statement to be easy to understandand therefore explain these terms in advance.

The following definitions shall be interpreted orexpanded, as appropriate, based on the case law of the General Court of theEuropean Union (EGC), the European Court of Justice (ECJ), the Swiss FederalSupreme Court (SFSC), the Supreme Court of the United Kingdom (UKSC) or onnational data protection laws or national case law of a state or federal state,including but not limited to California, including case law, also under commonlaw, if this is necessary for the application of the law in individual cases.

We use the following terms, among others, in this PrivacyPolicy:

a) Personal Data

Personal Data means any information relating to anidentified or identifiable natural person. An identifiable natural person isone who can be identified, directly or indirectly, in particular by referenceto an identifier such as a name, an identification number, location data, anonline identifier or to one or more factors specific to the physical,physiological, genetic, mental, economic, cultural or social identity of thatnatural person, or who must be regarded as such under national data protectionlegislation or national jurisdiction of a state or federal state, includingunder common law.

b) Data Subject

Data Subject is any identified or identifiable naturalperson whose Personal Data is processed by the Controller, a Processor, aninternational organization or another data recipient, and persons who must beregarded as such under national data protection laws or national jurisdictionof a state or federal state, including case law, also under common law.

c) Processing

Processing is any operation or set of operations which isperformed on Personal Data or on sets of Personal Data, whether or not byautomated means, such as collection, recording, organisation, structuring,storage, adaptation or alteration, retrieval, consultation, use, disclosure bytransmission, dissemination or otherwise making available, alignment orcombination, restriction, erasure or destruction.

d) Restriction of Processing

Restriction of Processing is the marking of storedPersonal Data with the aim of limiting their Processing in the future.

e) Profiling

Profiling is any form of automated Processing of PersonalData consisting of the use of Personal Data to evaluate certain personalaspects relating to a natural person, in particular to analyse or predictaspects concerning that natural person’s performance at work, economicsituation, health, personal preferences, interests, reliability, behaviour,location or movements.

f) Pseudonymization

Pseudonymization is the Processing of Personal Data insuch a manner that the Personal Data can no longer be attributed to a specificData Subject without the use of additional information, provided that suchadditional information is kept separately and is subject to technical andorganizational measures to ensure that the Personal Data are not attributed toan identified or identifiable natural person.

g) Controller

The Controller is the natural or legal person, publicauthority, agency or other body which, alone or jointly with others, determinesthe purposes and means of the Processing of Personal Data. Where the purposesand means of such Processing are determined by Union or Member State law, theController or the specific criteria for its nomination may be provided for byUnion or Member State law.

h) Processor

A Processor is a natural or legal person, publicauthority, agency or other body which processes Personal Data on behalf of theController.

i) Recipient

A Recipient is a natural or legal person, publicauthority, agency or another body, to which the Personal Data are disclosed,whether a Third Party or not. However, public authorities which may receivePersonal Data in the framework of a particular inquiry in accordance with Unionor Member State law shall not be regarded as recipients.

j) Third Party

A Third Party is a natural or legal person, publicauthority, agency or body other than the Data Subject, Controller, Processorand persons who, under the direct authority of the Controller or Processor, areauthorised to process Personal Data.

k) Consent

Consent is any freely given, specific, informed andunambiguous indication of the Data Subject’s wishes by which he or she, by astatement or by a clear affirmative action, signifies agreement to theProcessing of Personal Data relating to him or her.

2. Name and address of theController

The Controller within the meaning of the General DataProtection Regulation, other data protection laws applicable in the MemberStates of the European Union and the European Economic Area, British dataprotection laws, Swiss data protection laws (DSG, DSV), Californian dataprotection law (CCPA/CPRA), Chinese data protection law (PIPL), as well asinternational laws and provisions with a data protection nature is:

APPlyzer GmbH

Mozartstr. 2

88361 Altshausen

Phone.: +49 7584 7340034

eMail: feedback@applyzer.com

Website: www.applyzer.com

3. Collection of generaldata and information

Our websites collect a range of general data andinformation each time the websites are accessed by a Data Subject or anautomated system. This general data and information are stored in the log filesof the respective server. Among other things, the (1) browser types andversions used, (2) the operating system used by the accessing system, (3) thewebsite from which an accessing system accesses our websites (so-calledreferrer), (4) the sub-websites which are accessed via an accessing system onour websites, (5) the date and time of access to the website, (6) an internetprotocol address (IP address), (7) the internet service provider of theaccessing system and (8) other similar data and information used for securitypurposes in the event of attacks on our information technology systems can berecorded.

When using this general data and information, we generallydo not draw any conclusions about the Data Subject. Rather, this information isrequired to (1) correctly deliver the content of our websites, (2) optimize thecontent of our websites and the advertising for them, (3) ensure the long-termfunctionality of our information technology systems and the technology of ourwebsites and (4) provide law enforcement authorities with the informationnecessary for criminal prosecution in the event of a cyber-attack. Thisanonymously collected data and information is therefore evaluated by us bothstatistically and with the aim of increasing data protection and data securityin our organisation to ultimately ensure an optimal level of protection for thePersonal Data processed by us. The data of the server log files are storedseparately from all Personal Data provided by a Data Subject.

The purpose of processing is to avert danger and ensure ITsecurity, as well as the aforementioned purposes. The legal basis is Art. 6 (1)(f) GDPR. Our legitimate interest is the protection of our informationtechnology systems. The log files are deleted after the stated purposes havebeen achieved.

4. Contact possibility viathe website and other data transfers and your Consent

Our website contains information that enables quickelectronic contact with our organisation as well as direct communication withus, which also includes a general address of the so-called electronic mail(email address) and possibly a telephone number. If a Data Subject contacts usby email, via a contact form, via an input form or in any other way, thePersonal Data transmitted by the Data Subject will be stored automatically.This Personal Data transmitted to us on a voluntary basis by a Data Subject is processedfor the purposes of usage or contacting the Data Subject.

We obtain your Consent for the transmission, storage andProcessing of your contact data and inquiries and for contacting you inaccordance with Art. 6 (1) (a) GDPR and Art. 49 (1) (1) (a) GDPR as follows:

By transmittingyour Personal Data, you voluntarily consent to the Processing of the PersonalData you have entered or transmitted for the purposes of processing the inquiryand contacting you. By transmitting your data to us, you also voluntarily giveyour explicit Consent in accordance with Art. 49 (1) (1) (a) GDPR to datatransfers to third countries to and by the companies named in this PrivacyPolicy and for the purposes stated, in particular for such transfers to thirdcountries for which there is or is not an adequacy decision by the EU/EEA andto companies or other bodies that are not subject to an existing adequacydecision on the basis of self-certification or other accession criteria and inwhich or for which there are significant risks and no suitable guarantees forthe protection of your Personal Data (e.g., due to Section 702 FISA, ExecutiveOrder EO12333 and the CloudAct in the USA). When you gave your voluntary andexplicit Consent, you were aware that there may not be an adequate level of dataprotection in third countries and that your data subject rights may not beenforceable. You can withdraw your Consent under data protection law at anytime with effect for the future. The withdrawal of Consent does not affect thelawfulness of Processing based on Consent before its withdrawal. With a singleaction (entry and transmission), you give several Consents. These are Consentsunder EU/EEA data protection law as well as those under the CCPA/CPRA, ePrivacyand telemedia law, and other international legislation, which are required,among other things, as a legal basis for any planned further Processing of yourPersonal Data. With your action, you also confirm that you have read and takennote of this Privacy Policy.

5. Routine deletion andrestriction of Personal Data

We process and store Personal Data for the periodrequired to achieve the purpose of processing or if this has been provided forby the European legislator or another legislator in laws or regulations towhich we are subject, or if a legal basis for the Processing exists.

If the purpose of processing no longer applies or if astorage period prescribed by the European legislator or another competentlegislator expires, or if the legal basis for the Processing no longer applies,the Personal Data will be routinely restricted or deleted in accordance withthe statutory provisions.

6. Rights of the DataSubject according to GDPR

a) Right to confirmation

Each Data Subject has the right to obtain from theController confirmation as to whether or not Personal Data concerning him orher is being processed.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time.

b) Right to information

Each Data Subject has the right to obtain from theController free information about the Personal Data stored about him/her and acopy of this data at any time. Furthermore, the European legislator has grantedthe Data Subject access to the following information:

• the purposes of processing,

• the categories of Personal Data that are processed,

• the recipients or categories of recipients to whom thePersonal Data have been or will be disclosed, in particular recipients in thirdcountries or international organizations,

• where possible, the envisaged period for which thePersonal Data will be stored, or, if not possible, the criteria used todetermine that period,

• the existence of the right to request from theController rectification or erasure of Personal Data or Restriction ofProcessing of Personal Data concerning the Data Subject or to object to suchProcessing,

• the existence of a right to lodge a complaint with asupervisory authority,

• if the Personal Data is not collected from the DataSubject: All available information about the origin of the data,

• the existence of automated decision-making, includingProfiling, referred to in Art. 22 (1) and (4) GDPR and, at least in thosecases, meaningful information about the logic involved, as well as thesignificance and the envisaged consequences of such Processing for the DataSubject.

Furthermore, the Data Subject has a right to informationas to whether Personal Data has been transferred to a third country or to aninternational organization. If this is the case, the Data Subject also has theright to obtain information about the appropriate safeguards in connection withthe transfer.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time.

c) Right to rectification

Each Data Subject has the right to demand the immediatecorrection of incorrect Personal Data concerning them. Furthermore, the DataSubject has the right to request the completion of incomplete Personal Data,including by means of a supplementary declaration, taking into account thepurposes of the Processing.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time.

d) Right to erasure (right to be forgotten)

Each Data Subject has the right, to obtain from theController the erasure of Personal Data concerning him or her without unduedelay, and the Controller shall have the obligation to erase Personal Datawithout undue delay where one of the following grounds applies, as long as theProcessing is not necessary:

• Personal Data was collected or otherwise processed forpurposes for which it is no longer necessary.

• The Data Subject withdraws Consent on which theProcessing is based according to Art. 6 (1) (a) GDPR, or Art. 9 (2) (a) GDPR,and where there is no other legal ground for the Processing.

• The Data Subject objects to the Processing pursuant toArt. 21 (1) GDPR and there are no overriding legitimate grounds for theProcessing, or the Data Subject objects to the Processing pursuant to Art. 21(2) GDPR.

• Personal Data was processed unlawfully.

• The deletion of Personal Data is necessary to fulfill alegal obligation under Union law or the law of the Member States to which theController is subject.

• The Personal Data was collected in relation toinformation society services offered in accordance with Art. 8 (1) GDPR.

If one of the aforementioned reasons applies, and a DataSubject wishes to request the erasure of Personal Data stored by us, he or shemay contact us at any time.

If we have made the Personal Data public and if ourorganisation is obliged to delete the Personal Data in accordance with Art. 17(1) GDPR, we shall take appropriate measures, including technical measures,taking into account the available technology and the implementation costs, toinform other data Controllers who process the published Personal Data that theData Subject has requested the deletion of all links to this Personal Data orof copies or replications of this Personal Data from these other data Controllers,insofar as the Processing is not necessary.

e) Right to Restriction of Processing

Each Data Subject has the right to obtain from theController Restriction of Processing where one of the following applies:

• The accuracy of the Personal Data is contested by theData Subject, for a period enabling the Controller to verify the accuracy ofthe Personal Data.

• The Processing is unlawful, and the Data Subject opposesthe erasure of the Personal Data and requests the restriction of their useinstead.

• The Controller no longer needs the Personal Data for thepurposes of the Processing, but they are required by the Data Subject for theestablishment, exercise or defense of legal claims.

• The Data Subject has objected to Processing pursuant toArt. 21 (1) GDPR pending the verification whether the legitimate grounds of theController override those of the Data Subject.

If one of the aforementioned conditions is met, and a DataSubject wishes to request the restriction of the Processing of Personal Datastored by us, he or she may contact us at any time.

f) Right to data portability

Each Data Subject has the right to receive the PersonalData concerning him or her, which he or she has provided to a Controller, in astructured, commonly used and machine-readable format. He or she also has theright to transmit those data to another Controller without hindrance from theController to which the Personal Data have been provided, where Processing isbased on Consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on acontract pursuant to Art. 6 (1) (b) GDPR and the Processing is carried out byautomated means, unless the Processing is necessary for the performance of atask carried out in the public interest or in the exercise of officialauthority vested in the Controller.

Furthermore, in exercising their right to data portabilitypursuant to Art. 20 (1) GDPR, the Data Subject has the right to have thePersonal Data transmitted directly from one Controller to another, wheretechnically feasible and provided that this does not adversely affect therights and freedoms of others.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time.

g) Right to object

Each Data Subject has the right to object, on groundsrelating to his or her particular situation, at any time, to Processing ofPersonal Data concerning him or her, which is based on point (e) or (f) ofArticle 6(1) of the GDPR. This also applies to Profiling based on theseprovisions.

In the event of an objection, we will no longer processthe Personal Data unless we can demonstrate compelling legitimate grounds forthe Processing which override the interests, rights and freedoms of the DataSubject or for the establishment, exercise or defense of legal claims.

If we process Personal Data for direct marketing purposes,the Data Subject shall have the right to object at any time to Processing ofPersonal Data concerning him or her for such marketing. This also applies toProfiling insofar as it is associated with such direct advertising. If the DataSubject objects to us to the Processing for direct marketing purposes, we willno longer process the Personal Data for these purposes.

In addition, the Data Subject has the right, on groundsrelating to his or her particular situation, to object to Processing ofPersonal Data concerning him or her by us for scientific or historical researchpurposes, or for statistical purposes pursuant to Article 89(1) of the GDPR,unless the Processing is necessary for the performance of a task carried outfor reasons of public interest.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time. The Data Subject is also free, in the context ofthe use of information society services, and notwithstanding Directive2002/58/EC, to exercise his or her right to object by automated means usingtechnical specifications.

h) Automated decisions in individual cases includingProfiling

Each Data Subject has the right not to be subject to adecision based solely on automated Processing, including Profiling, whichproduces legal effects concerning him or her, or similarly significantlyaffects him or her, provided that the decision (1) is not necessary for theconclusion or performance of a contract between the Data Subject and theController, or (2) is authorized by Union or Member State law to which theController is subject and which also lays down suitable measures to safeguardthe Data Subject's rights and freedoms and legitimate interests, or (3) isbased on the Data Subject's explicit Consent.

If the decision (1) is necessary for entering into, or theperformance of, a contract between the Data Subject and a data Controller, or(2) it is based on the Data Subject's explicit Consent, we shall implementsuitable measures to safeguard the Data Subject's rights and freedoms andlegitimate interests, at least the right to obtain human intervention on thepart of the Controller, to express his or her point of view and contest thedecision.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time.

i) Right to withdraw Consent under data protection law

Each Data Subject has the right to withdraw Consent to theProcessing of Personal Data at any time.

If a Data Subject wishes to exercise this right, he or shemay contact us at any time.

7. General purpose ofProcessing, categories of processed data and categories of recipients

The general purpose of processing Personal Data is thehandling of all activities relating to the Controller, customers, interestedparties, business partners or other contractual or pre-contractualrelationships between the aforementioned groups (in the broadest sense) orlegal obligations of the Controller. This general purpose applies if no morespecific purposes for specific Processing are specified.

The categories of Personal Data that we process arecustomer data, prospective customer data, employee data (including applicantdata) and supplier data. The categories of recipients of Personal Data arepublic bodies, external bodies, internal processing, intragroup processing andother bodies.

A list of our Processors and data recipients in thirdcountries and, if applicable, international organizations is either publishedon our website or can be requested from us free of charge.

8. Legal basis for the Processing

Art. 6 (1) (a) GDPR serves as the legal basis forProcessing operations for which we obtain Consent for a specific Processingpurpose. If the Processing of Personal Data is necessary for the performance ofa contract to which the Data Subject is party, as is the case, for example,when Processing operations are necessary for the supply of goods or to provideany other service or consideration, Processing is based on Art. 6 (1) (b) GDPR.The same applies to such Processing operations that are necessary to carry outpre-contractual measures, for example in cases of inquiries about our productsor services. If we are subject to a legal obligation which requires theProcessing of Personal Data, such as for the fulfillment of tax obligations,Processing is based on Art. 6 (1) (c) GDPR.

In rare cases, it may be necessary to process PersonalData to protect the vital interests of the Data Subject or another naturalperson. This would be the case, for example, if a visitor were injured in ourorganisation and their name, age, health insurance data or other vitalinformation would have to be passed on to a doctor, hospital or other ThirdParty. The Processing would then be based on Art. 6 (1) (d) GDPR.

If the Processing is necessary for the performance of atask carried out in the public interest or in the exercise of officialauthority vested in the Controller, the legal basis is Art. 6 (1) (e) GDPR.

Ultimately, Processing operations could be based on Art. 6(1) (f) GDPR. This legal basis is used for Processing operations which are notcovered by any of the abovementioned legal grounds, if Processing is necessaryfor the purposes of the legitimate interests pursued by our organisation or bya Third Party, except where such interests are overridden by the interests orfundamental rights and freedoms of the Data Subject which require protection ofPersonal Data. We are permitted to carry out such Processing operations inparticular because they have been specifically mentioned by the Europeanlegislator. In this respect, it took the view that a legitimate interest couldbe assumed, for example, if the Data Subject is a customer of the Controller(Recital 47 Sentence 2 GDPR).

9. Legitimate interests inProcessing pursued by the Controller or a Third Party and direct marketing

If the Processing of Personal Data is based on Art. 6(1) (f) GDPR and no more specific legitimate interests are stated, ourlegitimate interest is the performance of our business activities for thebenefit of the well-being of our staff and our shareholders.

We may send you direct advertising about our own goods orservices that are similar to the goods or services you have requested,commissioned or purchased. You may object to direct advertising at any time(e.g. by email). You will not incur any costs other than the transmission costsaccording to the basic rates. The Processing of Personal Data for directmarketing purposes is based on Art. 6 (1) (f) GDPR. The legitimate interest isdirect marketing.

Our messages and newsletters may also constitute directmarketing communications within the meaning of Article 13(2) of EU Directive2002/58 (Directive on privacy and electronic communications) and the nationallaw resulting from the Directive, provided that we have obtained yourelectronic and other contact information in connection with the sale of aservice or product, which includes the creation of a free user account thatallows you, among other things, to access free content on our websites and publications(newsletters, etc.), provided that we advertise similar products or servicesthrough direct marketing, so that direct marketing is also permissible withoutconsent (see ECJ, judgment of November 13, 2025, Case C 654/23). In such cases,you can refuse the use of your contact information at any time free of charge.

10. Duration for which thePersonal Data is stored

The criterion for the duration of the storage ofPersonal Data is the respective statutory retention period. If there is nostatutory retention period, the criterion is the contractual or internalretention period. After this period has expired, the corresponding data isroutinely deleted if it is no longer required to fulfill or initiate acontract. This applies in particular to all Processing operations for which nomore specific criteria have been defined.

11. Legal or contractualprovisions for the provision of Personal Data; necessity for the conclusion ofthe contract; obligation of the Data Subject to provide the Personal Data;possible consequences of non-provision

We would like to inform you that the provision ofPersonal Data is partly required by law (e.g., tax regulations) or may alsoresult from contractual obligations (e.g., information on the contractualpartner). Sometimes it may be necessary for a contract to be concluded for aData Subject to provide us with Personal Data that must subsequently beprocessed by us. For example, Data Subjects are obliged to provide us withPersonal Data if our organisation concludes a contract with them. Failure toprovide Personal Data would mean that the contract with the Data Subject couldnot be concluded. The Data Subject must contact us before providing PersonalData. We will inform the Data Subject on a case-by-case basis whether theprovision of the Personal Data is required by law or contract or is necessaryfor the conclusion of the contract, whether there is an obligation to providethe Personal Data and what the consequences would be if the Personal Data werenot provided.

12. Existence of automateddecision-making

As a responsible company, we do not normally useautomated decision-making or Profiling. If, in exceptional cases, we carry outautomated decision-making or Profiling, we will inform the Data Subject eitherseparately or via a sub-item in our Privacy Policy (here on our website). Inthis case, the following applies:

Automated decision-making, including Profiling, may takeplace if (1) this is necessary for the conclusion or performance of a contractbetween the Data Subject and us, or (2) this is permissible on the basis ofUnion or Member State legislation to which we are subject and this legislationcontains appropriate measures to safeguard the rights and freedoms andlegitimate interests of the Data Subject, or (3) this takes place with theexplicit Consent of the Data Subject.

In the cases referred to in Art. 22 (2) (a) and (c) GDPR,we shall implement suitable measures to safeguard the Data Subject's rights andfreedoms and legitimate interests. In these cases, you have the right to obtainhuman intervention on the part of the Controller, to express your point of viewand to contest the decision.

Meaningful information on the logic involved and the scopeand intended effects of such Processing for the Data Subject will be providedin this Privacy Policy where applicable.

13. Recipients in a thirdcountry and appropriate or adequate safeguards and how to obtain a copy of themor where they are available.

According to Art. 46 (1) GDPR, the Controller orProcessor may only transfer Personal Data to a third country if the Controlleror Processor has provided appropriate safeguards and if enforceable rights andeffective legal remedies are available to the Data Subjects. Appropriatesafeguards can be provided by standard contractual clauses without the need forspecial approval from a supervisory authority, Art. 46 (2) (c) GDPR.

The EU standard contractual clauses or other appropriatesafeguards are agreed with all recipients from third countries prior to thefirst transfer of Personal Data, or the transfers are based on adequacydecisions. Consequently, it is ensured that appropriate safeguards, enforceablerights and effective legal remedies are guaranteed for all Processing ofPersonal Data. Any Data Subject can obtain a copy of the standard contractualclauses or adequacy decisions from us. In addition, the standard contractualclauses and adequacy decisions are available in the Official Journal of theEuropean Union.

Art. 45 (3) GDPR authorizes the European Commission todecide by means of an implementing decision that a non-EU country ensures anadequate level of protection. This means a level of protection for PersonalData that essentially corresponds to the level of protection within the EU.Adequacy decisions mean that Personal Data can flow from the EU (as well asfrom Norway, Liechtenstein and Iceland) to a third country without furtherobstacles. Similar regulations apply to the United Kingdom, Switzerland and someother countries.

In all cases where the European Commission, or agovernment or competent authority of another country, has decided that a thirdcountry ensures an adequate level of protection and/or a valid framework exists(e.g., EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UKExtension to the EU-U.S. Data Privacy Framework), all transfers by us to themembers of such frameworks (e.g., self-certified entities) are based solely onthe membership of that entity in the respective framework or on the respectiveadequacy decisions. If we or one of our group companies is a member of such aframework, all transfers to us or our group company are based exclusively onthe membership of the respective company in this framework. If we or one of ourgroup companies is located in a third country with an adequate level ofprotection, all transfers to us or our group company are based solely on therespective adequacy decisions.

Any Data Subject can obtain a copy of the frameworks fromus. In addition, the frameworks are also available in the Official Journal ofthe European Union or in the published legal materials or on the websites ofdata protection supervisory authorities or other authorities or institutions.

14. Right to lodge acomplaint with a data protection supervisory authority

As the Controller, we are obliged to inform the DataSubject of the existence of the right to lodge a complaint with a supervisoryauthority. The right to lodge a complaint is regulated in Art. 77 (1) GDPR.According to this provision, without prejudice to any other administrative orjudicial remedy, every Data Subject has the right to lodge a complaint with asupervisory authority, in particular in the Member State of his or her habitualresidence, place of work or place of the alleged infringement if the DataSubject considers that the Processing of Personal Data relating to him or herinfringes the General Data Protection Regulation. The right to lodge acomplaint has been restricted by the EU legislator to the effect that it canonly be exercised with a single supervisory authority (Recital 141 Sentence 1GDPR). This provision is intended to avoid duplicate complaints in the samematter by the same Data Subject. If a Data Subject wishes to complain about us,it is therefore requested that only one supervisory authority is contacted.

15. Data protectionprovisions about the application and use of Google Analytics

Google Analytics is a tool from Google LLC thatprovides operators of websites and apps with detailed statistics on traffic anduser behavior. It enables the collection and analysis of data on websitevisits, user interactions and conversion rates, which helps operators tounderstand and optimize their online presence. Google Analytics uses cookies tocollect information about user behavior, including page views, time spent onthe site and the paths users take on the site.

When using Google Analytics, Personal Data such as IPaddresses, browser information and interaction data are processed. This datahelps website operators to measure the performance of their website, improvethe user experience and develop targeted marketing strategies.

The company that operates the service and thus therecipient of personal data is: Google LLC, 1600 Amphitheatre Parkway, MountainView, CA 94043, USA. For data subjects in the EU and EEA, Google IrelandLimited, Gordon House, Barrow Street, Dublin 4, Ireland, acts as contact andrepresentative within the meaning of Art. 27 GDPR. The representative undernational law in the United Kingdom is: Google UK Limited, Belgrave House, 76Buckingham Palace Road, London SW1W 9TQ, United Kingdom. The representative underArt. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: GoogleSwitzerland GmbH, Brandschenkestrasse 110, 8002 Zurich, Switzerland.

Purposes for which the Personal Data is to be processedand the legal basis for the Processing: The purpose of processing is theanalysis and optimization of websites, apps, and advertising. Processing isbased on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in improvingthe website, increasing user-friendliness and the effectiveness of onlinemarketing.

The company that operates the service is based in a thirdcountry, namely the USA. Transfers to third countries may be based on theconclusion of Standard Contractual Clauses or other suitable or appropriatesafeguards referred to in Art. 46 (2) GDPR. The company that operates theservice may be a certified member of one or more of the data privacyframeworks. You can find more information athttps://www.dataprivacyframework.gov/list. You can request a copy of thesuitable or appropriate safeguards from us.

The criteria for determining the duration for which thePersonal Data is processed are the contractual relationship between us and thecompany that operates the service or statutory or contractual retentionperiods. The provision of Personal Data is not required by law or contract, noris it necessary for the conclusion of a contract. You are not obliged toprovide us or the company that operates the service with Personal Data.However, if you do not provide it, you may not be able to use our services orthose of the company operating the service.

Further information and the applicable data protectionprovisions of Google Analytics can be found athttps://policies.google.com/privacy.

16. Newsletter tracking

Our newsletters contain so-called tracking pixelsand/or tracking links. Tracking pixels are miniature graphics that are embeddedin emails sent in HTML format to enable log file recording and log fileanalysis. This allows a statistical evaluation of the success or failure ofonline marketing campaigns to be carried out. Based on the embedded trackingpixel, we can recognize whether and when an email was opened by a Data Subjectand which links in the email were accessed by the Data Subject.

The pixel-code or tracking pixel data collected via ournewsletter is stored and evaluated by us to optimize the newsletter dispatchand to adapt the content of future newsletters even better to the interests ofthe recipients. The above purposes are the legitimate interests pursued by theController (Art. 6 (1) (f) GDPR). This Personal Data collected by us will notbe passed on to Third Parties.

You are entitled to withdraw the Consent you gave us viathe double opt-in procedure for the newsletter and to cancel the newslettercontract with us at any time.

17. Data protectionprovisions about the application and use of Google Ads

Google Ads, formerly known as Google AdWords, is anonline advertising program from Google LLC that allows businesses to placetargeted ads to increase their visibility on the internet. Google Ads offersvarious advertising formats, including search ads, display ads, YouTube videoads and more, which allow companies to reach potential customers on Googlesearch results pages, partner websites and other platforms in the Googlenetwork.

When using Google Ads, Personal Data such as IP addresses,cookies and other identifiers resulting from interaction with advertisementsare processed. This data helps to measure the effectiveness of advertisingcampaigns, to precisely address target groups and to personalize advertisementsbased on the interests and behaviour of users.

Purposes for which the Personal Data is to be processedand the legal basis for the Processing: The purpose of processing is theanalysis and optimization of online advertising campaigns. Processing is basedon Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in the effectivedesign and delivery of advertising campaigns that are relevant to bothadvertisers and users.

Further information and the applicable data protectionprovisions of Google Ads can be found at https://policies.google.com/privacy.

18. Data protectionprovisions about the application and use of Google Ads Conversion Tracking

Google Ads Conversion Tracking helps us to measure theeffectiveness of our advertising campaigns by recording which users perform adesired action on our website after clicking on an ad, such as a purchase orregistration. By using this tool, personal data such as IP addresses, clickinformation and website views are processed. This data is used to evaluate andoptimize the success of Google Ads campaigns by providing information aboutwhich ads and keywords lead to conversions. Google Ads Conversion Trackinghelps us to use our marketing budget more efficiently and to plan targetedadvertising measures in order to maximize the return on investment (ROI).

Purposes for which personal data are to be processed andthe legal basis for the processing: The purpose of the processing is to measureand optimize the advertising campaigns and to improve the marketing ROI.Processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interestlies in the optimization of advertising measures and the efficient use of thebudget.

The criteria for determining the duration for which thepersonal data is processed are the contractual relationship between us and thecompany that operates the service or statutory or contractual retentionperiods. The provision of Personal Data is not required by law or contract, noris it necessary for the conclusion of a contract. You are not obliged toprovide us or the company that operates the service with personal data.However, if you do not provide it, you may not be able to use our services orthose of the company operating the service.

Further information and the applicable data protectionprovisions can be found at https://ads.google.com/.

19. Data protectionprovisions about the application and use of Google Ads Optimized Targeting

Google Ads Optimized Targeting is a service that helpsus target our ads to appropriate users by using algorithms and machine learningto select the best audience for an ad based on available user data. The serviceprocesses personal data, in particular about user behavior, such as visits tothe website, interactions with ads and demographic data. The use of this dataenables us to maximize the reach of our campaigns, by displaying ads to userswho are most likely to interact with our content.

Purposes for which personal data is to be processed andthe legal basis for the processing: The purpose of the processing is tooptimize targeting and improve campaign performance. Processing is based onArt. 6 (1) (f) GDPR, whereby the legitimate interest lies in the improvement ofmarketing strategies and the maximization of advertising success.

Further information and the applicable data protectionprovisions can be found at https://support.google.com.

20. Data protectionprovisions about the application and use of Google Tag Manager

Google Tag Manager is a tag management system fromGoogle LLC that allows websites and app operators to easily implement andmanage tags for web analytics and marketing optimization tools without havingto change the source code of their websites or apps. Tags are small snippets ofcode that are used to analyze website data, understand user behavior, andmonitor the effectiveness of online marketing campaigns. Google Tag Managersupports the integration of a variety of tags, including Google Analytics, GoogleAds and many third-party tags.

The service allows users to manage and trigger tags thatcan collect data. This data is processed and stored by the respective tags andnot by the Google Tag Manager.

Purposes for which the Personal Data is to be processedand the legal basis for the Processing: The purpose of using Google Tag Manageris to simplify tag implementation and tag management. Processing is based onArt. 6 (1) (f) GDPR, whereby our legitimate interest lies in optimizing andincreasing the efficiency of tag management and the associated web analysis andmarketing activities.

Further information and the applicable data protectionprovisions of Google Tag Manager can be found athttps://policies.google.com/privacy.

21. Data protectionprovisions about the application and use of LinkedIn

LinkedIn is a social network for professional contactsand career development. The platform allows users to create a professionalprofile, network with colleagues, business partners and potential employers,share professional experiences and skills, and keep up to date with industrynews. LinkedIn also provides tools for companies and recruiters to sourcetalent, post job ads and build a brand presence.

When using LinkedIn, Personal Data such as names, emailaddresses, professional titles and experience, educational background, skills,interests, and platform usage data are processed. This information is necessaryto provide and use the service to create networking opportunities, to presentpersonalized content and job offers and to ensure the security of user data.

The company that operates the service and thus therecipient of the Personal Data is: LinkedIn Corporation, 1000 W. Maude Avenue,Sunnyvale, CA 94085, USA.

Purposes for which the Personal Data is to be processedand the legal basis for the Processing: The purpose of processing is the useand optimization of network and career services. Processing is based on theConsent of the user (Art. 6 (1) (a) GDPR), the performance of a contract (Art.6 (1) (b) GDPR) to which the Data Subject is party and on legitimate interests(Art. 6 (1) (f) GDPR), such as marketing and recruitment.

Further information and the applicable data protectionprovisions of LinkedIn Corporation can be found at https://www.linkedin.com.

22. Data protectionprovisions about the application and use of X (formerly Twitter)

X (formerly known as Twitter) is a global platform forpublic self-expression and real-time conversation. Users can create and shareshort messages, called tweets, which can include text, images, videos, andlinks. The platform allows users to follow breaking news, interact with othersand participate in global discussions.

When using X, several types of Personal Data areprocessed, including usernames, email addresses, telephone numbers and locationdata. This information can be used for account creation, personalization ofcontent, provision of advertising, security purposes and for analyticalevaluations.

The company that operates the service and thus therecipient of personal data is: X Corp., 865 FM-1209, Building 2, Bastrop, TX78602, USA. For data subjects in the EU and EEA, X Internet Unlimited Company,1 Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, acts as contactand representative within the meaning of Art. 27 GDPR. The representative underArt. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: XSchweiz GmbH, c/o Wasag Treuhand AG, Normannenstrasse 8, 3018 Bern, Switzerland.

The Processing of Personal Data takes place, among otherthings, on the basis of the user's Consent (Art. 6 (1) (a) GDPR), for theperformance of a contract (Art. 6 (1) (b) GDPR) to which the Data Subject is aparty, or on the basis of legitimate interests (Art. 6 (1) (f) GDPR), such asthe use of the platform and the improvement of communication with the public.

The company that operates the service is based in a thirdcountry, namely the USA. Transfers to third countries may be based on theconclusion of Standard Contractual Clauses or other suitable or appropriatesafeguards referred to in Art. 46 (2) GDPR. The company that operates theservice may have concluded one of the EU Standard Contractual Clauses with us.You can request a copy of the suitable or appropriate safeguards from us.

Further information and the applicable data protectionprovisions of X can be found at https://twitter.com/.

23. Data protectionprovisions about the application and use of YouTube

YouTube is a video sharing and viewing platform used byindividuals, artists, businesses, and media companies to publish a variety ofcontent such as music videos, vlogs, educational material and much more.YouTube offers users the ability to upload, share, comment and interact with abroad community.

When using YouTube, Personal Data such as IP addresses,user interactions (e.g., videos viewed, comments), location data (if enabledfor services) and information from linked Google accounts are processed. Thisinformation is required to provide personalized content and advertising, enableuser interactions, keep the platform secure and improve the user experience.

Purposes for which the Personal Data is to be processedand the legal basis for the Processing: The purpose of data processing lies inthe use of the video sharing services. Processing is based on the performanceof a contract pursuant to Art. 6 (1) (b) GDPR, to which the Data Subject is aparty, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as theuse of an efficient video platform, the improvement of the user experience, theuse of personalized advertising and the use of embedded videos on our website.

Further information and the applicable data protectionprovisions of YouTube can be found at https://policies.google.com.

24. Payment services
24.1 Data protection provisions about the application and use of Paddle

Paddle is a technology company thatprovides payment processing, billing, subscription management, tax handling,and merchant-of-record services. Paddle enables businesses to sell digitalproducts and services online while managing payments, invoicing, tax compliance,and fraud prevention in a secure and efficient manner.

When using Paddle services, Personal Data suchas names, billing addresses, email addresses, IP addresses, payment andtransaction information, and other data necessary for payment processing may beprocessed. This information is required to complete transactions, managesubscriptions, handle taxes, prevent fraud, provide customer support, andcomply with legal and regulatory obligations.

The company that operates the service and thusthe recipient of personal data is:
Paddle.com Market Limited, JuddHouse, 18–29 Mora Street, London EC1V 8BT, United Kingdom.

For data subjects in the EU and EEA, Paddleacts as a data controller for payment-related processing in its role asmerchant of record. Paddle processes Personal Data in accordance withapplicable data protection laws, including the GDPR.

Purposes and legal basis for processing

The purpose of data processing lies in thehandling of payments, subscriptions, invoicing, and tax compliance via Paddle.Processing is carried out on the following legal bases:

· Art. 6 (1)(b) GDPR – performance of a contract to which the Data Subject is aparty (e.g. processing payments and subscriptions);

· Art. 6 (1)(f) GDPR – legitimate interests, such as fraud prevention, securepayment processing, service improvement, and compliance with legalrequirements.

International data transfers

Paddle may process Personal Data in countriesoutside the EU/EEA, including the United Kingdom and other third countries.Where such transfers occur, they are carried out on the basis of appropriatesafeguards pursuant to Art. 46 GDPR,such as Standard Contractual Clauses or other legally recognized transfermechanisms. A copy of the relevant safeguards may be requested from us.

Data retention and obligation to provide data

The criteria for determining the duration forwhich Personal Data is processed are statutory retention obligations andcontractual requirements. The provision of Personal Data is necessary for theconclusion and performance of a contract. You are not legally obliged toprovide Personal Data; however, without it, the use of our paid services andpayment processing will not be possible.

Further information about Paddle’s dataprotection practices can be found in Paddle’s privacy policy at:https://www.paddle.com/legal/privacy

The privacy policy listed here was createdusing a generator developed with the expertise of legal experts in IT law, theadvice of certified Data Protection Officers, and the certification expertiseof testing companies for ISO standards.

24.2 Data protectionprovisions about the application and use of Stripe

Stripe is a technology company that provides powerfuland flexible tools for e-commerce, including payment processing, billing, andfiscal management solutions. Stripe enables businesses of all sizes to acceptand process online payments, manage subscriptions, and perform fraudprevention. The platform is known for reducing the complexity of financialtransactions and making them more secure and user-friendly.

When using Stripe services, Personal Data such as names,addresses, email addresses, telephone numbers, bank and payment information andtransaction data are processed. This information is necessary to providepayment services, prevent fraud, provide customer support and comply with legalrequirements.

The company that operates the service and thus therecipient of personal data is: Stripe, Inc., 354 Oyster Point Boulevard, SanFrancisco, CA 94080, USA. For data subjects in the EU and EEA, Stripe PaymentsEurope Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210,Ireland, acts as contact and representative within the meaning of Art. 27 GDPR.The representative under national law in the United Kingdom is: Stripe PaymentsUK Ltd., 9th Floor, 107 Cheapside, London, EC2V 6DN, United Kingdom.

Purposes for which the Personal Data is to be processedand the legal basis for the Processing: The purpose of data processing lies inthe use of payment processing via Stripe. Processing is based on theperformance of a contract pursuant to Art. 6 (1) (b) GDPR, to which the DataSubject is a party, and on legitimate interests pursuant to Art. 6 (1) (f)GDPR, such as the improvement of our services, fraud prevention, the use ofefficient payment applications, and compliance with legal requirements.

The company that operates the service is based in a thirdcountry, namely the USA. Transfers to third countries may be based on theconclusion of Standard Contractual Clauses or other suitable or appropriatesafeguards referred to in Art. 46 (2) GDPR. The company that operates theservice may have concluded one of the EU Standard Contractual Clauses with us.You can request a copy of the suitable or appropriate safeguards from us.

The criteria for determining the duration for which thePersonal Data is processed are the statutory or contractual retention periods.The provision of Personal Data is required by law or contract or is necessaryfor the conclusion of a contract. You are not obliged to provide us withPersonal Data for this Processing activity. However, if you do not provide it,you will not be able to use our services.

Further information and the applicable data protectionprovisions of Stripe may be retrieved under https://stripe.com.

The privacy policy listed here was created using agenerator developed with the expertise of legalexperts in IT law, the advice of certifiedDPOs, and the certification expertise of the testing company for ISO standards.

‍

Privacy Policy

1. Definitions

24. Payment services24.1 Data protection provisions about the application and use of Paddle

Purposes and legal basis for processing

International data transfers

Data retention and obligation to provide data

Home

24. Payment services
24.1 Data protection provisions about the application and use of Paddle