I. Name and address of the responsible party
The responsible party within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:
c/o TH Cologne
Betzdorfer Street 2
II. General information on data processing
Scope of processing
As a matter of principle, we collect and use personal data only insofar as this is necessary for the provision of a functional website and our content and services, you have given your consent or the processing of the data is permitted by a legal regulation.
Legal basis for the processing of personal data
Insofar as we obtain your consent for processing operations of personal data, Art. 6 para. 1 p. 1 lit. a GDPR serves as the legal basis for the processing of personal data.
When processing personal data that is necessary for the performance of a contract to which you are a party, Art. 6 (1) p. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
If processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Art. 6 (1) p. 1 lit. c GDPR serves as the legal basis. If processing is necessary to protect a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not override the former interest, Art. 6 (1) p. 1 lit. f GDPR serves as the legal basis for the processing.
Legitimate interests in processing
If the processing of your personal data is based on Art. 6 (1) p. 1 lit. f GDPR, our legitimate interest, unless otherwise stated, is the performance of our business activities. Otherwise, we have indicated our purposes and interests in each case as part of the above list of processing.
Data deletion and storage period
Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies or you revoke your consent. In addition, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. If the purpose of storage ceases to apply, if you revoke your consent or if a storage period prescribed by the European Directive and Regulation Maker or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions, unless there is a necessity for further storage of the data for the conclusion or performance of a contract.
Recipients of the collected data / data transmission
Recipients of the data collected via our website are primarily us as the responsible company. In addition, at most order processors (web hosters, IT service providers, etc.) have access to the data collected via our website. However, compliance with legal regulations is ensured in this respect by order processing contracts that we conclude with our order processors located in the EU. A data transfer to so-called Third countries outside the EU will only take place if and to the extent that this has been pointed out below.
Data transfer and processing in third countries
We only transfer data to a third country, i.e. a country outside the European Union (EU) and the European Economic Area (EEA), or have data processed via the use of third-party services in a third country, if this is a third country with a recognized level of data protection, we have concluded a so-called standard contractual clause or certifications or binding internal data protection regulations are available.
Necessity to disclose personal data
You can visit our website without personal data being collected. However, insofar as you wish to make use of our benefits and services, the provision of personal data is mandatory for the execution of the contract.
Existence of automated decision making
We do not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR.
We secure our website and other systems through comprehensive technical and organizational measures against loss, destruction, access, modification or distribution of your data by unauthorized persons. These measures are subject to constant review and improvement in order to ensure a current state of the art.
III. data processing when using our website and our services
Access data in server log files.
Our hosting provider Google Cloud, operated by Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland, automatically stores access data in so-called server log files each time our website is accessed.
This includes the date and time of the request, the amount of data transferred and, if applicable, the name of the requested file, the browser used and its version, the operating system used, the IP address, the requested URL including subpages and the referrer URL (URL that you visited immediately before).
The temporary storage of the IP address by the system is necessary to enable delivery of the website to your terminal device. For this purpose, your IP address must remain stored for the duration of the session.
The legal basis for the temporary storage of your data and the log files is Art. 6 para. 1 p. 1 lit. f GDPR.
This data is evaluated exclusively to ensure the permanent and trouble-free operation of the website and to ensure the security of our information technology systems. For this purpose, the above-mentioned data is stored for a maximum of 30 days.
The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of our website. Therefore, there is no possibility to object.
Data collection and use during registration and use of our services/utilization of our services
You have the option to register on our website. When you create a user account or log in, you must provide certain mandatory information in order to access and manage your user account (“mandatory information”). Mandatory information in the registration process is marked with an asterisk and is required for the conclusion of the user agreement. Which data is collected can be seen from the respective input forms. In the context of registration, this is your e-mail address. In addition, you must create a password. If you do not provide this data, you will not be able to create a user account.
On our website, we use Firebase Authentication, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for registration and authentication. Firebase Authentication stores your credentials in various databases built into your browser (LocalStorage and IndexedDB). Your data is stored in the browser in order to recognize you even if you visit our website several times. The data is deleted when you log out of your account again. Alternatively, you can delete locally stored data via the settings in your browser.
The following personal data is also processed via Firebase Authentication: User name, profile picture as well as mobile phone number when logging in via SMS identification.
If you sign up for a paid subscription, we also collect your name and billing information. We use your data exclusively to bill you for our services. Accordingly, we use the data you provide only to process the contract and provide our services to you under the contract. We may also pass on your data to one or more order processors (e.g. payment service providers), who will also use your data exclusively for internal use on our behalf. The legal basis for the processing of your data is the fulfillment of our contract with you pursuant to Art. 6 para. 1 p. 1 lit. b GDPR.
We also store your IP address and the date and time of registration in order to prevent misuse of our website and the services offered on it and to investigate any crimes that may have been committed. The storage of this data is therefore necessary for our own protection. The legal basis for this processing of personal data is Art. 6 para. 1 p. 1 lit. f GDPR. In the aforementioned purposes also lies our legitimate interest.
After complete processing of the contract or deletion of your account, your data will initially be blocked for further use and deleted after expiry of the statutory retention periods, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you below. You have the option to object to the processing at any time and to delete your account. In such a case, the contractual relationship with you cannot be continued.
Alternative registration via single sign-on/log-in
Alternatively, you can also log in via so-called single sign-ons/log-ins with just a few clicks. In this case, there is no need for additional registration. To simplify the login and authentication process, Firebase Authentication may use third-party identity services and store the relevant third-party information. We currently use the following identity services through Firebase Authentication:
You can sign in via Firebase Authentication using your existing credentials from the respective identity service. By signing in, your profile with the respective identity service and our service are linked. Through the linking, we automatically receive your name, profile picture and email address from the respective identity service.
The aforementioned information is mandatory for the conclusion of the contract in order to be able to register and identify you. The legal basis for the processing of your data is accordingly the fulfillment of our contract with you Art. 6 para. 1 p. 1 lit. b GDPR.
In all other respects, the same regulations on revocation and deletion periods apply as for registration via our website in accordance with the above section.
We used Google Forms on our website, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland to evaluate our product in the context of surveys.
As part of the survey, we collect your responses to each question. You can optionally provide your email address so that we can contact you in case of queries. Participation in our surveys is voluntary, as is answering individual questions.
Unless you have provided an e-mail address, we do not collect any personal data as part of the survey. The legal basis for processing your data is the fulfillment of our contract with you pursuant to Art. 6 (1) p. 1 lit. b GDPR if you participate in a survey as a registered user. In all other cases, the legal basis for the processing of personal data is Art. 6 para. 1 p. 1 lit. f GDPR. Our legitimate interest is the optimization of our products and services as well as market research.
We need your data to optimize our products and services as well as for market research. In these purposes also lies our legitimate interest in the processing of personal data according to Art. 6 para. 1 p. 1 lit. f GDPR.
If you have provided your email address, we will delete the link between your email address and your answers upon completion of the survey evaluation.
In addition to this website, we also maintain presences in various social networks. Insofar as you visit such a presence, personal data may be transmitted to the provider of the social network. It is possible that, in addition to the storage of the data specifically entered by you in this social network, further information will also be processed by the provider of the social network. For example, your data is usually processed for market research and advertising purposes, including to create corresponding usage profiles and to display personalized advertising to you. For this purpose, the provider of the social network usually stores cookies on your terminal device in which your usage behavior and interests are stored. In addition, the provider of the social network may process the most important data of the computer system from which you visit it - for example, your IP address, the processor type and browser version used, including plugins.
If you are logged in with your personal user account of the respective network while visiting such a network, this network can assign the visit to your account. If you do not wish such an assignment, you must log out of your account and delete the cookies before visiting our social media presence.
The legal basis for the processing of personal data is Art. 6 para. 1 p. 1 lit. f GDPR. If you have given your consent to the processing to the respective provider of the social network, the legal basis for the processing of your data is Art. 6 para. 1 p. 1 lit. a GDPR.
We maintain the presences in the respective social networks in order to be able to communicate with you there and to inform you about our services. These purposes are also our legitimate interest in processing the personal data according to Art. 6 para. 1 p. 1 lit. f GDPR.
Instagram is operated by Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA.
LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland.
TikTok is operated by TikTok Technology Limited 10 Earlsfort Terrace, Dublin 2, Ireland.
Integration of YouTube
We embed videos of the social network youtube.com on our website, which is operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), a subsidiary of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
When you visit our website, a direct connection to the YouTube servers is established via your browser. Your browser is automatically prompted by the respective video embedded on our website to download a representation of the corresponding component from YouTube. As part of this technical process, YouTube receives knowledge of which specific subpage of our website you are visiting.
If you use the videos, the corresponding information - e.g. the activation of the play button - is transmitted from your browser to YouTube, possibly linked to your user account and stored.
The legal basis for the use of your data is Art. 6 para. 1 p. 1 lit. f GDPR.
Our legitimate interest in data processing according to Art. 6 para. 1 p. 1 lit. f GDPR is the optimization and economic operation of our website.
If you are logged in with your personal Google account while visiting our website, YouTube can assign the visit and the subpages of our website specifically visited by you to your account.
If you do not have a Google account, there is still the possibility that YouTube stores your IP address. Insofar as you do not wish such processing, you must log out of your Google account and delete your cookies before visiting our website.
You can object to the use of your data by Google at any time by clicking on the following link: https://adssettings.google.com/authenticated.
Newsletter and newsletter analysis
You can sign up to receive our newsletter. To send our newsletter, we use Google Forms, operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4.
Our newsletter is published regularly and contains information about new offers on our website and news about us.
To subscribe, you must provide us with your e-mail address. Other information that serves to optimize the newsletter can be provided voluntarily. The registration takes place in a so-called double opt-in procedure. After registering on our website, you will receive a confirmation e-mail from us in which you must confirm the registration once again. This entire process is documented and stored. This includes both the storage of the registration and the confirmation time as well as the storage of your IP address. The collection of this data is necessary so that we can trace the processes in the event of misuse of the e-mail address and therefore serves our legal protection. By subscribing to our newsletter, you agree to receive it.
We will only use the data you provide during registration to send you our newsletter. Furthermore, we could inform you if this is necessary for the operation of the newsletter, such as in the event of changes to the newsletter offer or changes in technical conditions.
The legal basis for the processing of your data after registration for the newsletter is, if you have given your consent, Art. 6 para. 1 p. 1 lit. a GDPR. You can revoke your consent to the storage and use of your personal data to receive the newsletter at any time with effect for the future. For the purpose of revoking your consent, you can use the link provided for this purpose in the newsletter or notify us of your revocation by e-mail to the following address: email@example.com. Your data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. Accordingly, your e-mail address will be stored as long as the subscription to the newsletter is active.
E-mail and Customer Relationship Management System
Due to legal requirements, we keep information available on our website that enables a quick electronic contact to us as well as an immediate communication with us. This primarily includes our e-mail address. Insofar as you contact us by e-mail, the personal data you transmit is automatically stored.
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) p. 1 lit. f GDPR. If the contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 p. 1 lit. b GDPR.
However, we use the personal data you provide exclusively for processing your specific request. The data provided will always be treated confidentially. Your information may be stored in a customer relationship management system (so-called CRM system) of our order processor Braintree, operated by PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg.
The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected. For personal data sent by e-mail, this is the case when the respective conversation with you has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.
If you contact us, you can object to the storage of your personal data at any time. In such a case, the conversation cannot be continued.
Payment service providers
We use the following external payment service providers to process payments:
- Braintree, a service of PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.
- PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
- Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland
If you have your own contractual relationship with the payment service provider, you will transmit to the respective payment service provider the data requested by it in the context of the contractual relationship. In this case, the respective payment service provider acts as the responsible party.
You transmit to the respective payment service provider your inventory data, such as first name, last name, address, date of birth, e-mail address, IP address, as well as your bank data, insofar as they are necessary for payment processing, e.g. account numbers, credit card numbers, passwords, TANs, verification numbers, validity date and CVC code.
In addition, for the purpose of processing the payment, personal data will be transmitted to the respective payment service provider that is related to your respective booking, such as prices and tax levies or information on previous ordering behavior, as well as your payment data, insofar as they are necessary for processing the payment, e.g. account numbers, credit card numbers, passwords, TANs, verification numbers, validity date and CVC code.
The transmission of the data is solely for the purpose of payment processing. If you maintain your own contractual relationship with the payment service provider, the regulations of the respective payment service provider apply. Otherwise, the legal basis for the transmission of data to the respective payment service provider is Art. 6 para. 1 p. 1 lit. b. GDPR, as the payment serves to fulfill a contract. Furthermore, we use external payment service providers on the basis of our legitimate interests pursuant to Art. 6 para. 1 p. 1 lit. f. GDPR in order to offer you effective and secure payment options.
We do not receive access to the data entered, these are processed and stored exclusively by the payment service providers. We only receive information with confirmation or negative information of the payment. The payment service providers may transmit your data to credit agencies for identity and credit checks and fraud prevention.
PayPal (Europe) S.à r.l. et Cie: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
Stripe Payments Europe Ltd: https://stripe.com/de/privacy#translation
IV. Data subject rights
If your personal data are processed, you are entitled to the following rights in particular as a data subject within the meaning of the GDPR:
Right to information (Art. 15 GDPR).
You have the right to request confirmation as to whether we are processing data relating to you. You also have the right to receive from us at any time, free of charge, information about the personal data stored about you and a copy of this data in accordance with the legal requirements.
Right to rectification (Art. 16 GDPR).
You have the right to request the immediate correction and/or completion of any personal data concerning you that is inaccurate or incomplete. We shall carry out the rectification without delay.
Right to restriction of processing (Art. 18 GDPR).
You have the right to demand that we restrict processing if one of the legal requirements is met.
Right to erasure (Art. 17 GDPR).
You have the right to demand that we delete the personal data concerning you without undue delay, if one of the legal grounds applies and insofar as the processing is not necessary.
Right to information
If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to inform all recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right against us to be informed about these recipients.
Right to data portability (Art. 20 GDPR).
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, common and machine-readable format in accordance with the legal requirements. You also have the right to transfer this data to another controller without hindrance from us in accordance with the legal requirements. Furthermore, you have the right, in accordance with legal requirements, to have the personal data transferred directly from us to another controller, insofar as this is technically feasible and insofar as this does not affect the rights and freedoms of other persons.
Right to object (Art. 21 GDPR).
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6 (1) sentence 1 lit. e or f GDPR. This also applies to profiling based on these provisions. We will no longer process the personal data in the event of objection, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. To exercise the right to object, you can contact us at any time.
Right of withdrawal in case of consent.
You have the right to revoke your consent to the processing of personal data at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.