Privacy Policy
Effective: January 15, 2026
Preamble
With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and particularly on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "Online Services").
The terms used are not gender-specific.
Table of Contents
- Preamble
- Controller
- Overview of Processing
- Applicable Legal Bases
- Security Measures
- Transfer of Personal Data
- Data Processing in Third Countries
- Deletion of Data
- Use of Cookies
- Business Services
- Providers and Services Used in Business Operations
- Payment Methods
- Provision of Online Services and Web Hosting
- Registration, Login and User Account
- Contact and Inquiry Management
- Push Notifications
- Application Process
- Newsletter and Electronic Notifications
- Social Media Presences
- Management, Organization and Support Tools
- Changes and Updates to the Privacy Policy
- Rights of Data Subjects
- Definitions
Controller
Stageapp Services GmbH
Kieselweg 1
22395 Hamburg
Authorized Representatives:
Sebastian Kraft
Email: office@castapp.pro
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed:
- Master data
- Payment data
- Contact data
- Content data
- Contract data
- Usage data
- Meta, communication and process data
- Applicant data
Categories of Data Subjects:
- Customers
- Employees
- Prospects
- Communication partners
- Users
- Applicants
- Business and contractual partners
Purposes of Processing:
- Provision of contractual services and customer service
- Contact requests and communication
- Security measures
- Direct marketing
- Reach measurement
- Office and organizational procedures
- Management and response to inquiries
- Application process
- Feedback
- Marketing
- Provision of our online services and user experience
- Information technology infrastructure
Applicable Legal Bases
Below you will find an overview of the legal bases of the GDPR on the basis of which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Application process as pre-contractual or contractual relationship (Art. 6(1)(b) GDPR) - If special categories of personal data within the meaning of Art. 9(1) GDPR (e.g., health data such as severe disability status or ethnic origin) are requested from applicants in the application process so that the controller or the data subject can exercise the rights arising from labor law and the law of social security and social protection and fulfill their obligations in this regard, their processing is carried out in accordance with Art. 9(2)(b) GDPR, in the case of protecting vital interests of applicants or other persons pursuant to Art. 9(2)(c) GDPR, or for purposes of preventive healthcare or occupational medicine, for the assessment of the employee's working capacity, for medical diagnosis, care or treatment in the health or social sector, or for the administration of systems and services in the health or social sector pursuant to Art. 9(2)(h) GDPR. In the case of voluntary disclosure of special categories of data, their processing is based on Art. 9(2)(a) GDPR.
In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the Federal Data Protection Act (BDSG). The BDSG contains special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated decision-making in individual cases including profiling. Furthermore, it regulates data processing for employment purposes (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. State data protection laws of the individual federal states may also apply.
Contact Inquiries
When you contact us, we process your personal data such as name, address, email address, etc., which we need to respond to your inquiry.
The legal basis for processing your personal data in the context of contact inquiries is Art. 6(1)(b) GDPR.
In the context of contact inquiries, we store your personal data for as long as is necessary to process your inquiry, plus an appropriate retention period for follow-up questions.
The provision of this personal data is not required by law or contract or necessary for concluding a contract. However, if you do not provide us with this data, we may not be able to respond to your contact inquiry or - in the case of limited contact information - may not be able to respond via all requested communication channels.
Use of Website and App
When using our website and app, our hosting provider logs so-called "logfile" data each time the servers are accessed, such as the name of the accessed website, previously visited page ("referrer" URL), product and version information of the browser and operating system used, requesting provider, date and time of access, search engines used, country of access, amount of data transferred, names of downloaded files and IP address.
The legal basis for processing is Article 6(1)(f) GDPR. Our legitimate interest in storing logfile data lies in ensuring system security, including investigation of misuse. IP addresses are deleted after a maximum of 7 days, unless they are needed longer due to a security-relevant incident, e.g., for investigation or evidentiary purposes.
You do not have the right to object to our aforementioned processing of your personal data, as the aforementioned compelling legitimate reasons for our processing outweigh your interests, rights and freedoms, and our processing also serves to assert, exercise or defend legal claims.
Registration
When you register or place orders, we process your personal data such as name, address, email address, date of birth, payment data, etc., which we need to fulfill the contractual relationship with you or to carry out pre-contractual measures at your request.
We store your personal data collected during registration or ordering for as long as is necessary to fulfill the contractual relationship (including, where applicable, the provision of the customer account) and/or to carry out pre-contractual measures at your request and/or with regard to warranty, guarantee or similar obligations and/or with regard to statutory retention periods.
The legal bases for processing your personal data collected during registration or ordering are Art. 6(1)(b) and Art. 6(1)(c) GDPR.
The provision of this personal data is not required by law or contract. However, it is necessary for concluding the contract, i.e., for carrying out the registration or order, insofar as the relevant information is mandatory (rather than voluntary) in our registration/order process.
The artist profiles with the personal data entered by the artist, such as name, contact details, curriculum, physical characteristics relevant to the selection of performers, skills, etc., are shared within the platform functionalities with the casting accounts and agency accounts connected to the Castapp platform.
The main uses of artist profiles enabled by the platform functionalities for connected casting and agency accounts are listed in Section 3 of our Terms and Conditions.
Artist profiles are retained on the platform until the artist deletes their profile or user account on the platform, or the artist's user agreement with us expires, or until it is no longer necessary for the fulfillment of the contractual relationship and/or for carrying out pre-contractual measures at the artist's request and/or with regard to warranty, guarantee or similar obligations and/or with regard to statutory retention periods; whichever occurs latest.
The legal basis for processing artist profiles is Art. 6(1)(b) GDPR (processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).
The provision of this personal data is not required by law or contract. However, it is necessary for concluding the contract, i.e., for carrying out our placement services.
The artist has the option to create a personalized profile link to make their selected videos from their Castapp account accessible. By creating this personalized link, the artist can select which of their videos should be displayed on this link. In addition to the videos, the artist's complete profile and contact details are displayed. The artist has the option to set the validity period of the link when creating it. The link can either be automatically deleted after 7 or 30 days or remain as a permanent link. By using this personalized profile link, the artist agrees that the selected information will be made publicly accessible.
Security Measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood and severity of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include in particular securing the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, ensuring availability and separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data and responses to data threats. Furthermore, we take the protection of personal data into account during the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and through data protection-friendly default settings.
IP Address Shortening: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as "IP masking"). Here, the last two digits or the last part of the IP address after a period are removed or replaced by placeholders. The shortening of the IP address is intended to prevent or significantly hinder the identification of a person by their IP address.
TLS Encryption (https): To protect your data transmitted via our online services, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transfer of Personal Data
In the course of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.
Data Transfer within the Organization: We may transfer personal data to other entities within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of data is based on our legitimate business and operational interests or occurs if it is necessary for the fulfillment of our contractual obligations or if consent from the data subjects or legal permission exists.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of the use of third-party services or disclosure or transfer of data to other persons, entities or companies, this only occurs in accordance with legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, contractual obligation through so-called EU Commission standard protection clauses, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Deletion of Data
The data processed by us is deleted in accordance with legal requirements as soon as the consents permitting its processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data has ceased or it is not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes, i.e., the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
Our privacy notices may also contain further information on the retention and deletion of data that takes precedence for the respective processing operations.
Use of Cookies
Cookies are small text files or other storage notes that store information on end devices and read information from the end devices, for example, to save the login status in a user account, shopping cart contents in an e-shop, the content accessed or functions used in an online service. Cookies can also be used for different purposes, e.g., for purposes of functionality, security and convenience of online services as well as the creation of analyses of visitor flows.
Information on Consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless this is not required by law. Consent is particularly not necessary if storing and reading information, including cookies, is strictly necessary to provide users with a telemedia service they have expressly requested (i.e., our online services). Strictly necessary cookies usually include cookies with functions that serve the display and operability of the online service, load balancing, security, storage of user preferences and choices or similar purposes related to the provision of the main and secondary functions of the online service requested by users. Revocable consent is clearly communicated to users and contains information about the respective cookie use.
Information on Legal Bases: The legal basis on which we process users' personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g., in the business operation of our online services and improvement of its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We explain the purposes for which cookies are processed by us in the course of this privacy policy or in the context of our consent and processing procedures.
Storage Duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their end device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and the storage duration can be up to two years.
General Information on Revocation and Objection (Opt-Out): Users can revoke consent they have given at any time and also lodge an objection to processing in accordance with the legal requirements of Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g., by deactivating the use of cookies (which may also limit the functionality of our online services).
Cookie Settings / Objection Option:
In this section, we inform you about the use of cookies on our website.
We only use functional cookies to make the use of the website easier and more convenient for visitors or to enable certain functions in the first place. Accordingly, we have a legitimate interest within the meaning of Art. 6(1)(f) GDPR in this processing. The legal basis for processing your personal data in connection with the use of cookies is Art. 6(1)(f) GDPR. In the context of the use of cookies, we store your personal data for as long as is necessary to make the use of our website easier and more convenient. The provision of this personal data is not required by law or contract or necessary for concluding a contract. If you do not provide us with this data, we cannot make the use of our website easier and more convenient.
In your browser, you can specify that cookies are stored only if you agree, and you can reject new cookies and disable those already received. However, if you reject cookies, you may not be able to use certain website features, services, applications or tools.
Business Services
We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships and related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to answer inquiries.
We process this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations and remedies for warranty and other service disruptions. In addition, we process the data to protect our rights and for the purpose of administrative tasks associated with these obligations as well as company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and business-economic management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g., for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the scope of applicable law, we only disclose contractual partner data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, e.g., for marketing purposes, in this privacy policy.
- Data Types Processed: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status).
- Data Subjects: Customers; Prospects; Business and contractual partners.
- Purposes of Processing: Provision of contractual services and customer service; Security measures; Contact requests and communication; Office and organizational procedures; Management and response to inquiries.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Operations, Procedures and Services:
- Customer Account: Contractual partners can create an account within our online services (e.g., customer or user account, "customer account" for short). If registration of a customer account is required, contractual partners are informed of this as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. In the context of registration and subsequent logins and use of the customer account, we store the IP addresses of customers along with access times to prove registration and prevent possible misuse of the customer account. When customers have terminated their customer account, the data relating to the customer account is deleted, unless their retention is required for legal reasons. It is the customers' responsibility to secure their data upon termination of the customer account; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Provision of Software and Platform Services: We process the data of our users, registered and any test users (hereinafter uniformly referred to as "users"), in order to be able to provide them with our contractual services and on the basis of legitimate interests to ensure the security of our services and develop them further. The required information is marked as such in the context of the order or comparable contract conclusion and includes the information required for service provision and billing as well as contact information to be able to hold any consultations; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Providers and Services Used in Business Operations
In the course of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (hereinafter "services") in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and our internal organization.
- Data Types Processed: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Contract data (e.g., subject matter, term, customer category).
- Data Subjects: Customers; Prospects; Users (e.g., website visitors, users of online services); Business and contractual partners; Employees (e.g., employees, applicants, former employees).
- Purposes of Processing: Provision of contractual services and customer service; Office and organizational procedures.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Operations, Procedures and Services:
- DATEV: Software for accounting, communication with tax advisors and authorities and with document storage; Service provider: DATEV eG, Paumgartnerstr. 6 - 14, 90429 Nuremberg, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.datev.de/web/de/mydatev/online-anwendungen/; Privacy policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/; Data processing agreement: Provided by the service provider.
Payment Methods
In the context of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers in addition to banks and credit institutions (collectively "payment service providers").
The data processed by payment service providers includes master data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, sum and recipient-related information. The information is necessary to carry out transactions. However, the data entered is only processed and stored by the payment service providers. I.e., we do not receive account or credit card-related information, only information with confirmation or negative information about payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. This transfer is for the purpose of identity and credit checks. We refer to the terms and conditions and privacy notices of the payment service providers.
The terms and conditions and privacy notices of the respective payment service providers, which can be accessed within the respective websites or transaction applications, apply to payment transactions. We also refer to these for further information and the exercise of revocation, information and other data subject rights.
- Data Types Processed: Master data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status).
- Data Subjects: Customers; Prospects.
- Purposes of Processing: Provision of contractual services and customer service.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further Information on Processing Operations, Procedures and Services:
- Stripe: Payment services (technical integration of online payment methods); Service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Website: https://stripe.com; Privacy policy: https://stripe.com/de/privacy.
Provision of Online Services and Web Hosting
We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
- Data Types Processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status); Content data (e.g., entries in online forms).
- Data Subjects: Users (e.g., website visitors, users of online services); Customers.
- Purposes of Processing: Provision of our online services and user experience; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures; Provision of contractual services and customer service.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Operations, Procedures and Services:
- Provision of Online Services on Rented Storage Space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called "web host"); Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online services is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed websites and files, date and time of access, amounts of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and generally IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks) and to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until final clarification of the respective incident.
- Email Sending and Hosting: The web hosting services we use also include sending, receiving and storing emails. For these purposes, the addresses of recipients and senders as well as other information regarding email sending (e.g., the providers involved) and the contents of the respective emails are processed. The aforementioned data may also be processed for SPAM detection purposes. Please note that emails on the Internet are generally not sent encrypted. As a rule, emails are encrypted in transit but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore not accept responsibility for the transmission path of emails between the sender and receipt on our server; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Netcup: Services in the area of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: netcup GmbH, Daimlerstraße 25, 76185 Karlsruhe, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.netcup.com; Privacy policy: https://www.netcup.com/de/kontakt/datenschutzerklaerung.
- Sentry: Monitoring of system stability and identification of code errors - information about the device or error time is collected pseudonymously and subsequently deleted; Service provider: Functional Software Inc., Sentry, 132 Hawthorne Street, San Francisco, California 94107, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://sentry.io; Privacy policy: https://sentry.io/privacy; Standard contractual clauses (ensuring data protection level when processing in third countries): https://sentry.io/legal/dpa/.
Registration, Login and User Account
Users can create a user account. In the context of registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of contractual obligation fulfillment. The processed data includes in particular login information (username, password and an email address).
In the context of using our registration and login functions and using the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as those of users in protection against misuse and other unauthorized use. This data is generally not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation to do so.
Users can be informed by email about processes relevant to their user account, such as technical changes.
- Data Types Processed: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer service; Security measures; Management and response to inquiries; Provision of our online services and user experience.
- Legal Bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
- Registration with Pseudonyms: Users may use pseudonyms as usernames instead of real names; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- User Profiles Are Not Public: User profiles are not publicly visible or accessible.
- Setting Profile Visibility: Users can use settings to determine to what extent their profiles are visible or accessible to the public or only to certain groups of people; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Deletion of Data After Termination: When users have terminated their user account, their data relating to the user account is deleted, subject to legal permission, obligation or consent of the users; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- No Data Retention Obligation: It is the users' responsibility to secure their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the contract term; Legal bases: Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, telephone or via social media) and in the context of existing user and business relationships, the information of inquiring persons is processed to the extent necessary to respond to contact inquiries and any requested measures.
- Data Types Processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status); Master data (e.g., names, addresses); Contract data (e.g., subject matter, term, customer category).
- Data Subjects: Communication partners; Customers; Prospects; Business and contractual partners.
- Purposes of Processing: Contact requests and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online form); Provision of our online services and user experience; Provision of contractual services and customer service; Office and organizational procedures; Marketing.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
- Freshdesk: Management of contact inquiries, service tickets and communication; Service provider: Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.freshworks.com/freshdesk/; Privacy policy: https://www.freshworks.com/privacy/.
Push Notifications
With users' consent, we can send users so-called "push notifications". These are messages that are displayed on users' screens, end devices or in browsers, even when our online service is not actively being used. Push notifications are sent via our iOS and Android apps and via the website.
To subscribe to push notifications, users must confirm the request from their browser or end device to receive push notifications. This consent process is documented and stored. Storage is necessary to recognize whether users have consented to receiving push notifications and to be able to prove consent. For these purposes, a pseudonymous identifier of the browser (so-called "push token") or the device ID of an end device is stored.
Push notifications may be necessary for the fulfillment of contractual obligations (e.g., technical and organizational information relevant for the use of our online services) and are otherwise, unless specifically mentioned below, sent on the basis of user consent. Users can change receipt of push notifications at any time using the notification settings of their respective browsers or end devices.
- Data Types Processed: Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status).
- Data Subjects: Communication partners.
- Purposes of Processing: Provision of our online services and user experience; Reach measurement (e.g., access statistics, recognition of returning visitors); Direct marketing (e.g., by email or post).
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further information on processing operations, procedures and services:
- Push Notifications with Advertising Content: The push notifications we send may contain advertising information. Advertising push notifications are processed on the basis of user consent. If the content of advertising push notifications is specifically described when consent to receive them is given, the descriptions are decisive for user consent. In other respects, our newsletters contain information about our services and us; Legal bases: Consent (Art. 6(1)(a) GDPR).
- Analysis and Success Measurement: We statistically evaluate push notifications and can thus recognize whether and when push notifications were displayed and clicked. This information is used to technically improve our push notifications based on technical data or target groups and their retrieval behavior or retrieval times. This analysis also includes determining whether push notifications are opened, when they are opened and whether users interact with their content or buttons. This information can be assigned to individual push notification recipients for technical reasons. However, it is neither our endeavor nor, if used, that of the push notification service provider to monitor individual users. The evaluations serve us rather to recognize the usage habits of our users and to adapt our push notifications to them or to send different push notifications according to the interests of our users. The evaluation of push notifications and success measurement are carried out on the basis of express user consent, which is given when consent to receive push notifications is given. Users can object to the analysis and success measurement by unsubscribing from push notifications. Unfortunately, a separate revocation of analysis and success measurement is not possible; Legal bases: Consent (Art. 6(1)(a) GDPR).
- OneSignal: Sending and managing push notifications via our iOS and Android apps and via the website; Service provider: OneSignal, Inc., 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://onesignal.com; Privacy policy: https://onesignal.com/privacy_policy; Standard contractual clauses (ensuring data protection level when processing in third countries): concluded with the provider.
Electronic Notifications (Emails)
We send emails and other electronic notifications (hereinafter "notifications") only with the consent of recipients or legal permission.
Contents: Information about us, our services, promotions and offers.
- Data Types Processed: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status); Usage data (e.g., visited websites, interest in content, access times).
- Data Subjects: Communication partners; Customers; Prospects; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Direct marketing (e.g., by email or post); Marketing; Reach measurement (e.g., access statistics, recognition of returning visitors).
- Legal Bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
- Objection Option (Opt-Out): You can cancel receipt of our newsletter at any time, i.e., revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or can use one of the contact options given above, preferably email, for this purpose.
Further information on processing operations, procedures and services:
- Measurement of Open and Click Rates: The newsletters contain a so-called "web beacon", i.e., a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. In the context of this retrieval, technical information such as information about the browser and your system, as well as your IP address and time of retrieval, are initially collected. This information is used to technically improve our newsletter based on technical data or target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether newsletters are opened, when they are opened and which links are clicked. This information is assigned to individual newsletter recipients and stored in their profiles until deletion. The evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of open rates and click rates as well as storage of measurement results in user profiles and their further processing are carried out on the basis of user consent. Unfortunately, a separate revocation of success measurement is not possible; in this case, the entire newsletter subscription must be cancelled or objected to. In this case, the stored profile information is deleted; Legal bases: Consent (Art. 6(1)(a) GDPR).
- Zapier: Automation of processes, merging of different services, import and export of personal and contact data and analyses of these processes; Service provider: Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://zapier.com; Privacy policy: https://zapier.com/privacy; Standard contractual clauses (ensuring data protection level when processing in third countries): https://zapier.com/tos (part of terms of service).
- Postmark: Email marketing platform; Service provider: ActiveCampaign, Inc., 1 N Dearborn, 5th Floor Chicago, Illinois 60602, USA; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://postmarkapp.com/; Privacy policy: https://postmarkapp.com/privacy-policy; Data processing agreement: https://postmarkapp.com/dpa; Standard contractual clauses (ensuring data protection level when processing in third countries): https://postmarkapp.com/dpa; Further information: https://postmarkapp.com/eu-privacy.
Social Media Presences
We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us.
We point out that user data may be processed outside the European Union. This may result in risks for users because, for example, enforcement of users' rights could be made more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on usage behavior and the resulting interests of users. The usage profiles can in turn be used, for example, to place advertisements inside and outside the networks that presumably correspond to the interests of users. For these purposes, cookies are usually stored on users' computers, in which usage behavior and user interests are stored. Furthermore, data can also be stored in usage profiles regardless of the devices used by users (especially if users are members of the respective platforms and are logged in to them).
For a detailed description of the respective forms of processing and objection options (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
Also in the case of information requests and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to user data and can take appropriate measures and provide information directly. Should you nevertheless need help, you can contact us.
- Data Types Processed: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Contact requests and communication; Feedback (e.g., collecting feedback via online form); Marketing.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
- TikTok: Social network / Video platform; Service provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.tiktok.com; Privacy policy: https://www.tiktok.com/de/privacy-policy.
Management, Organization and Support Tools
We use services, platforms and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organization, administration, planning and provision of our services. When selecting third-party providers and their services, we observe legal requirements.
In this context, personal data may be processed and stored on third-party provider servers. This may affect various data that we process in accordance with this privacy policy. This data may include in particular master data and contact data of users, data on processes, contracts, other processes and their contents.
If users are referred to third-party providers or their software or platforms in the context of communication, business or other relationships with us, third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes. We therefore ask that you observe the privacy notices of the respective third-party providers.
- Data Types Processed: Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta, communication and process data (e.g., IP addresses, time data, identification numbers, consent status); Contact data (e.g., email, phone numbers).
- Data Subjects: Communication partners; Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer service; Office and organizational procedures; Contact requests and communication; Direct marketing (e.g., by email or post).
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
- AI Software (on Own Server): Use of "artificial intelligence" in the currently applicable legal sense of the term, i.e., primarily software based on certain logic and essentially autonomously understanding and generating natural language or other inputs and data, analyzing information and making predictions; Service provider: Execution on servers and/or computers under our data protection responsibility without transfer of data to other recipients; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Slack: Instant messaging service; Service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://slack.com/intl/de-de/; Privacy policy: https://slack.com/intl/de-de/legal; Data processing agreement: https://slack.com/intl/de-de/terms-of-service/data-processing; Standard contractual clauses (ensuring data protection level when processing in third countries): https://slack.com/intl/de-de/terms-of-service/data-processing; Further information: Security measures: https://slack.com/intl/de-de/security-practices.
Changes and Updates to the Privacy Policy
We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require your participation (e.g., consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and please check the information before contacting us.
Rights of Data Subjects
As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw consent given at any time.
- Right of Access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to access such data as well as further information and a copy of the data in accordance with legal requirements.
- Right to Rectification: In accordance with legal requirements, you have the right to request the completion of personal data concerning you or the rectification of inaccurate data concerning you.
- Right to Erasure and Restriction of Processing: In accordance with legal requirements, you have the right to request that personal data concerning you be erased without undue delay, or alternatively to request restriction of processing of the data in accordance with legal requirements.
- Right to Data Portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
- Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Supervisory Authority Responsible for Us:
Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str 22
20459 Hamburg
Definitions
This section provides an overview of the terms used in this privacy policy. Many of the terms are taken from the law and are defined primarily in Art. 4 GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms are sorted alphabetically.
- Personal Data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Reach Measurement: Reach measurement (also referred to as web analytics) serves to evaluate visitor flows of an online service and may include the behavior or interests of visitors in certain information, such as website content. With the help of reach analysis, website owners can, for example, recognize at what time visitors visit their website and what content they are interested in. This allows them, for example, to better adapt the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognize returning visitors and thus obtain more precise analyses of the use of an online service.
- Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers practically every handling of data, be it collection, evaluation, storage, transmission or deletion.