Preamble

With the following Privacy Policy, we inform you which types of your personal data (hereinafter also referred to as “data”) we process for which purposes and to what extent when providing our application.

The terms used are gender-neutral.

Table of Contents

• Controller
• Overview of Processing
• Relevant Legal Bases
• Security Measures
• International Data Transfers
• General Information on Storage and Deletion
• Rights of Data Subjects
• Provision of the Online Offer and Web Hosting
• Use of Cookies
• Registration, Login and User Account
• Community Features
• Single Sign-On Login
• Push Notifications
• Web Analytics, Monitoring and Optimization
• Presence on Social Networks (Social Media)

Controller

Boran Bogdanow / Groopia UG (haftungsbeschränkt)
Straße der Jugend 18
14974 Ludwigsfelde

Email: service@groopia.com

Overview of Processing

The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects.

Types of Data Processed

• Inventory data.
• Contact data.
• Content data.
• Usage data.
• Meta, communication, and procedural data.
• Log data.

Categories of Data Subjects

• Communication partners.
• Users.

Purposes of Processing

• Provision of contractual services and fulfillment of contractual obligations.
• Communication.
• Security measures.
• Reach measurement.
• Organizational and administrative procedures.
• Feedback.
• Profiles with user-related information.
• Registration procedures.
• Provision of our online offer and user-friendliness.
• Information technology infrastructure.
• Public relations.

Relevant Legal Bases

Legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the GDPR, national data protection provisions may apply in your or our country of residence/seat. Where more specific legal bases apply in individual cases, we will inform you in this Privacy Policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the data subject’s request prior to entering into a contract.
• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National data protection rules in Germany: In addition to the GDPR, national data protection rules apply in Germany, in particular the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right of access, erasure, objection, processing of special categories of data, processing for other purposes and transmission, and automated individual decision-making including profiling. State data protection laws of the German federal states may also apply.

Note on applicability of the GDPR and the Swiss FADP: These privacy notices serve to provide information under both the Swiss Federal Act on Data Protection (FADP) and the GDPR. For broader applicability and clarity, GDPR terms are used. In particular, instead of the FADP terms “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. The legal meaning of the terms under the FADP remains determined by the FADP where applicable.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, availability, and separation concerning the data. We have also established procedures to enable the exercise of data subjects’ rights, deletion of data, and responses to data risks. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

International Data Transfers

Processing in third countries: Where we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA))—or this occurs in the course of using third-party services or disclosing/transferring data to other persons, bodies, or companies (as apparent from a provider’s postal address or where expressly stated)—this is always done in compliance with legal requirements.

For transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), recognized by the European Commission’s adequacy decision of 10 July 2023 as a secure legal framework. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers, which comply with the European Commission’s requirements and impose contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF provides the primary level of protection, while the SCCs serve as an additional safety net. Should changes to the DPF occur, the SCCs function as a reliable fallback. In this way, we ensure appropriate protection even amid potential political or legal changes.

For each provider, we indicate whether they are certified under the DPF and whether SCCs are in place. Further information on the DPF and a list of certified companies can be found on the U.S. Department of Commerce website at https://www.dataprivacyframework.gov/ (in English).

For transfers to other third countries, corresponding safeguards apply, in particular SCCs, explicit consent, or legally required transfers. For information on third-country transfers and applicable adequacy decisions, see the European Commission’s information page: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Storage and Deletion

We delete personal data we process in accordance with legal requirements once the underlying consents are revoked or no further legal basis for processing exists. This applies where the original purpose no longer exists or the data is no longer needed. Exceptions apply where statutory obligations or special interests require longer retention or archiving.

In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on retention and deletion specific to certain processing activities.

Where multiple retention or deletion periods are indicated for a dataset, the longest period shall prevail.

If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. For ongoing contractual relationships under which data is stored, the triggering event is the effective date of termination or other ending of the legal relationship.

Data retained not for the original purpose but due to legal requirements or other reasons will be processed solely for the reasons justifying their retention.

Further notes on processing operations, procedures, and services:

• Retention and deletion of data: The following general periods apply under German law:
  • 10 years – retention of books and records, financial statements, inventories, management reports, opening balance sheet as well as the work instructions and other organizational documents required to understand them (§ 147(1) no. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) no. 1 in conjunction with (4) HGB).
  • 8 years – accounting records such as invoices and cost receipts (§ 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO and § 257(1) no. 4 in conjunction with (4) HGB).
  • 6 years – other business documents: incoming/outgoing commercial correspondence and other documents relevant for taxation, e.g., timesheets, cost accounting sheets, calculation documents, price labels, and also payroll documents insofar as they are not accounting records, and till receipts (§ 147(1) nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) nos. 2 and 3 in conjunction with (4) HGB).
  • 3 years – data necessary to account for potential warranty and damage claims or similar contractual claims and rights, as well as related inquiries, based on prior business experience and common industry practice, retained for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Identity Verification

To unlock certain features and protect our community, we offer an optional verification of your profile.

• Categories of data processed: Selfie (current photo), photos of the front and back of an official ID document (please cover any data that is not required, e.g. ID/serial number, MRZ), date of birth/age, technical metadata (timestamps, reviewer notes), as well as a random gesture indicator (e.g. number of fingers) for liveness checking.
• Purposes of processing: Identity and age verification, abuse/fraud prevention, safeguarding platform integrity, evidence of compliance with our Terms of Use.
• Legal bases: Art. 6(1)(b) GDPR (contract/contract initiation, insofar as verification is required for specific features) and Art. 6(1)(f) GDPR (legitimate interests in the security of our platform). Where we request your consent prior to upload, additionally Art. 6(1)(a) GDPR (consent).
  Note on biometric data: No automated creation of biometric templates for unique identification takes place. Manual visual review and purely technical face/quality detection without identity matching do not qualify as special categories of data within the meaning of Art. 9 GDPR.
• Recipients / processors: Authorised internal reviewers (role-based), our hosting/backend service provider Google Firebase (Cloud Firestore/Storage/Functions) as a processor. The safeguards described in the sections “Use of Firebase (Google)” and “International Data Transfers” apply (including DPF/SCC, TLS, access controls).
• Retention period: Verification images and metadata are deleted immediately after the review is completed. Log/evidence records of the verification result may be retained longer where necessary to establish, exercise or defend legal claims (Art. 6(1)(f) GDPR).
• Obligation to provide / voluntariness: Verification is voluntary. Without successful verification, certain features may be restricted (e.g. access to age-restricted areas).
• Security measures: Transport encryption (TLS), access limited to authorised roles, logging of access/changes, storage location according to Firebase configuration, data minimisation (covering non-required fields).
• No automated decisions: No decision producing legal effects is made solely by automated means (Art. 22 GDPR).
• Withdrawal and rights: You may withdraw consent at any time with effect for the future. You also have the rights set out in the section “Rights of data subjects” (access, erasure, etc.).

Rights of Data Subjects

GDPR rights: As a data subject, you have various rights under the GDPR, in particular those arising from Articles 15 to 21 GDPR:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to processing of your personal data based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing for such marketing, including profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw consent at any time.
• Right of access: You have the right to obtain confirmation as to whether data concerning you are being processed and access to such data and further information and a copy of the data in accordance with legal requirements.
• Right to rectification: You have the right to have incomplete personal data completed or inaccurate data corrected in accordance with legal requirements.
• Right to erasure and restriction of processing: You have the right to obtain the erasure of personal data concerning you or, alternatively, restriction of processing in accordance with legal requirements.
• Right to data portability: You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit those data to another controller, in accordance with legal requirements.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Location Data

For location-based matching we process—depending on your device settings—precise or approximate location data (e.g., via GPS, Wi-Fi, Bluetooth, cell towers).

• Purposes: Suggestions for suitable Groops nearby, distance display, misuse/spam prevention.
• Legal bases: Art. 6(1)(b) GDPR (contract/performance) for matching; Art. 6(1)(a) GDPR (consent) where you enable precise location at OS level; Art. 6(1)(f) GDPR (legitimate interests) for security/misuse prevention.
• Retention: for the ongoing usage purpose; we do not store a continuous movement history beyond that purpose.
• Voluntariness: You may disable location sharing at any time in your device; functionality may then be limited.

In-App Purchases & Subscriptions (StoreKit)

Purchases/subscriptions are billed via your Apple ID. Payment data is processed by Apple as an independent controller. We do not receive full payment details (e.g., card numbers) but transaction metadata (product ID, receipt, term, status) in order to unlock, verify, and manage subscription status.

• Purposes: Provision and verification of your subscription status, fraud prevention, support.
• Legal bases: Art. 6(1)(b) GDPR (contract); Art. 6(1)(f) GDPR (fraud prevention, support).
• Retention: until the end of statutory record/retention periods or as required for contract performance.
• Management/Cancellation: iOS Settings → [Your Name] → Subscriptions.

Use of Firebase (Google)

We use Firebase services (Google) for hosting/backend functions. Data may be processed in the EU and—where necessary—in third countries. For third-country transfers, the safeguards described under “International Data Transfers” apply.

• Cloud Firestore / Realtime DB: Storage of profile, group, and interaction data; purpose: app functionality (Art. 6(1)(b)).
• Firebase Authentication: Login/registration; purpose: account management, security (Art. 6(1)(b)/(f)).
• Firebase Cloud Messaging (Push): Delivery of technical/service push notifications; storage of a device token; legal basis: consent (Art. 6(1)(a)) or contract (e.g., necessary system notices).
• Crashlytics: Error reports with anonymized diagnostics; purpose: stability/fix issues (Art. 6(1)(f)). No content from chats/profiles.
• Firebase Analytics: Reach measurement & app usage; legal basis typically consent (Art. 6(1)(a)). IP addresses are shortened/pseudonymized.

Retention: according to purpose and legal obligations; deletion or pseudonymization once no longer necessary.

Encryption

Data transmissions between the App and servers are protected by transport encryption (TLS). End-to-end encryption (E2EE) is used only where explicitly indicated within the App. If E2EE is not active, messages can be processed server-side (e.g., delivery, moderation, abuse prevention).

Profiling & Matching

For the Groop suggestion logic, we process, among other things, interests, activity information, and location data to suggest suitable groups. This constitutes profiling within the meaning of the GDPR but does not produce similarly significant legal effects. You may object to profiling on grounds relating to your particular situation (Art. 21 GDPR); in that case, key features may no longer be available.

Minimum Age

The App is intended for persons aged 18 years and older. Younger persons may only use the App where valid consent of legal guardians exists and such use is permitted under the law of their country of residence.

Retention Periods (Overview)

Data category	Purpose	Period
Account/Profile data	Account & contract	until account deletion; thereafter deletion/anonymization unless obligations prevent this
Groups/Chats	Provision of the App	ongoing purpose; deletion by user action or per internal deletion concepts
Subscription/transaction meta	Activation, recordkeeping	statutory retention periods (generally 6–10 years)
Crash/diagnostics	Stability	short-term, generally 90 days
Server log files	Security	max. 30 days (exception: incident investigation)

Provision of the Online Offer and Web Hosting

We process users’ data in order to provide our online services. To this end, we process the user’s IP address, which is necessary to deliver the content and functions of our online services to the user’s browser or device.

• Types of data processed: Usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, parties involved); log data (e.g., logins, data retrievals, access times). Content data (e.g., textual or visual messages and posts and related information such as authorship or creation time).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures. Provision of contractual services and fulfillment of contractual obligations.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing operations, procedures, and services:

• Collection of access data and log files: Access to our online offer is logged in so-called “server log files”. These may include the addresses and names of retrieved web pages and files, date and time of retrieval, transferred data volumes, status messages, browser type and version, user operating system, referrer URL (previous page), and as a rule IP addresses and the requesting provider. Server log files are used for security (e.g., to prevent server overload, in particular in the case of abusive attacks, so-called DDoS attacks) and to ensure server utilization and stability; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data required to be kept for evidence purposes are excluded from deletion until the incident is finally clarified.
• Email transmission and hosting: Our web hosting services also include the sending, receipt, and storage of emails. For these purposes we process recipient and sender addresses, information relating to email transmission (e.g., providers involved), and the contents of the respective emails. The aforementioned data may also be processed for spam detection. Please note that emails on the Internet are generally not encrypted. As a rule, emails are encrypted in transit but (unless end-to-end encryption is used) not on the servers from which they are sent and received. We therefore cannot assume responsibility for the transmission path of emails between the sender and the receipt on our server; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
• 1&1 IONOS: Services in the field of IT infrastructure and related services (e.g., storage and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy. Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.

Use of Cookies

“Cookies” refers to functions that store information on users’ devices and read it from them. Cookies may be used for various purposes, e.g., functionality, security, and convenience of online offers, as well as audience analytics. We use cookies in accordance with legal requirements. Where required, we obtain users’ consent in advance. Where consent is not necessary, we rely on our legitimate interests, for example where storing and reading information is essential to provide expressly requested content and features. This includes storing settings and ensuring functionality and security of our online offer. Consent can be withdrawn at any time. We provide clear information about the scope of consent and which cookies are used.

Notes on legal bases: Whether we process personal data using cookies depends on consent. Where consent is given, it is the legal basis. Without consent, we rely on our legitimate interests as outlined in this section and in the context of the respective services and procedures.

Storage duration: The following types of cookies are distinguished:

• Temporary cookies (session cookies): Deleted at the latest after a user leaves an online offer and closes their device (e.g., browser or mobile app).
• Persistent cookies: Remain stored after closing the device. For example, the login status can be saved and preferred content displayed directly upon revisiting. Data collected via cookies may also be used for reach measurement. Unless explicitly stated otherwise (e.g., during consent), assume that such cookies are persistent with a storage period of up to two years.

General notes on withdrawal and objection (opt-out): Users may withdraw consent at any time and may also object to processing in accordance with legal requirements, including via the privacy settings of their browser.

• Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, parties involved).
• Data subjects: Users (e.g., website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).

Further notes on processing operations, procedures, and services:

• Processing of cookie data based on consent: We use a consent-management solution to obtain users’ consent for the use of cookies and the procedures/providers listed within the solution. This procedure serves to obtain, record, manage, and withdraw consent, in particular with regard to using cookies and comparable technologies used to store, read, and process information on users’ devices. Users can manage and withdraw their consents. Consent declarations are stored to avoid repeated queries and to provide proof of consent as required by law. Storage takes place server-side and/or in a cookie (opt-in cookie) or similar technologies to assign consent to a specific user or device. Unless specific providers are named, the following applies: consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, the scope of consent (e.g., categories of cookies and/or providers), and information about the browser, system, and device used; Legal bases: Consent (Art. 6(1)(a) GDPR).

Registration, Login and User Account

Users may create a user account. During registration, users are informed of the required mandatory information, which is processed for the purpose of providing the user account based on contractual performance. Data processed include, in particular, login information (username, password, and an email address).

When using our registration and login functions and the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests and those of users in protection against misuse and unauthorized use. Data is generally not passed on to third parties unless required to pursue our claims or there is a legal obligation to do so.

Users may be informed by email about processes relevant to their user account, such as technical changes.

• Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts and related information such as authorship or creation time); usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, device types and operating systems, interactions with content and features). Log data (e.g., logins, data retrievals, access times).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”. Deletion upon termination.
• Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing operations, procedures, and services:

• Registration with pseudonyms: Users may use pseudonyms instead of real names as usernames; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
• Two-factor authentication: Adds an extra layer of security to your account, ensuring only you can access it even if someone else knows your password. In addition to your password, you must perform another authentication step (e.g., entering a code sent to a mobile device). We will inform you about the procedure used; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
• Deletion of data after termination: If users terminate their account, their account-related data will be deleted, subject to legal permission, obligation, or the users’ consent; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Community Features

Our community features allow users to communicate with each other and otherwise interact. Please note that the use of community features is permitted only in compliance with applicable law, our terms and policies, and the rights of other users and third parties.

• Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.). Usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, device types and operating systems, interactions with content and features).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures. Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”.
• Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Single Sign-On Login

“Single-Sign-On” (SSO) authentication allows users to log in to our online offer using an account with an SSO provider (e.g., a social network). Users must be registered with the SSO provider and enter the required credentials in the designated form or already be logged in with the SSO provider and confirm the SSO login via button.

Authentication is performed directly with the SSO provider. We receive a user ID indicating that the user with this ID is logged in with the SSO provider and an ID (a “user handle”) that we cannot use for other purposes. Whether additional data are transmitted depends solely on the SSO method used, the data choices during authentication, and the privacy settings in the user’s SSO account. Depending on provider and user choices, this may include data such as email address and username. The password entered within the SSO process is neither visible to us nor stored by us.

Please note that data stored with us can be automatically synchronized with the user’s SSO account, but this is not always possible or actually performed. For example, if users change their email address, they must update it manually in their account with us.

Where agreed with users, we may use SSO during or before contract performance, process it with consent, or otherwise rely on legitimate interests of both parties in an effective and secure login system.

If users decide not to use their SSO account linking for SSO, they must disconnect the link within their account at the SSO provider. If users wish to delete their data with us, they must terminate their registration with us.

• Types of data processed: Inventory data; contact data; usage data; meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, parties involved).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; login procedures. Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”. Deletion upon termination.
• Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Push Notifications

With users’ consent, we may send so-called “push notifications”. These are messages displayed on users’ screens, devices, or browsers even when our online service is not actively used.

To subscribe to push notifications, users must confirm the prompt in their browser or device. This consent process is recorded and stored. Storage is required to recognize whether users have consented to receive push notifications and to prove consent. For these purposes, a pseudonymous browser identifier (a “push token”) or the device ID is stored.

Push notifications may be necessary to fulfill contractual obligations (e.g., technical and organizational information relevant to use of our online offer).

• Types of data processed: Usage data (e.g., page views and dwell time, click paths, intensity and frequency of use, device types and operating systems).
• Data subjects: Communication partners.
• Purposes of processing: Communication. Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”. Deletion upon termination.
• Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Web Analytics, Monitoring and Optimization

Web analytics (also “reach measurement”) evaluates visitor flows to our online offer and may include behavior, interests, or demographic information about visitors (e.g., age or gender) as pseudonymous values. With reach analysis we can, for example, identify when our online offer or functions/content are used most frequently or invite reuse. We can also identify areas requiring optimization.

In addition to web analytics, we may use testing procedures to assess and optimize different versions of our online offer or its components.

Unless stated otherwise below, profiles (data combined per usage process) may be created for these purposes and information stored in a browser/device and subsequently read. Data collected includes, in particular, websites visited and elements used there as well as technical information such as browser used, computer system, and usage times. Where users have consented to the collection of their location data by us or by providers we use, processing of location data is also possible.

IP addresses are also stored; however, we use IP masking (i.e., pseudonymization by truncation of the IP address) to protect users. As a rule, no clear data (e.g., email addresses or names) are stored within analytics, A/B testing, and optimization; only pseudonyms are used. That means neither we nor the software providers know users’ actual identities, only the information stored in the profiles for the respective procedures.

Notes on legal bases: Where we ask for consent to use third-party services, consent is the legal basis. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). Please also see our notes on cookies in this Privacy Policy.

• Types of data processed: Usage data; meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, parties involved).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Reach measurement (e.g., access statistics, recognition of returning visitors); profiles with user-related information (user profiles). Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”. Storage of cookies for up to 2 years (unless otherwise stated).
• Security measures: IP masking (pseudonymization of IP address).
• Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing operations, procedures, and services:

• Google Analytics: We use Google Analytics to measure and analyze use of our online offer based on a pseudonymous user ID. This identifier contains no unique data such as names or email addresses. It associates analytics information with a device to understand which content users accessed within one or multiple sessions, which search terms they used, whether they returned, or interacted with our offer. The time and duration of use, sources referring users to our offer, and technical aspects of their devices and browsers are stored.
  Pseudonymous user profiles across devices may be created, and cookies may be used. Google Analytics does not log or store individual IP addresses for EU users. Analytics provides rough geolocation by deriving the following metadata from IP addresses: city (and derived latitude/longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used only for this derivation before being immediately deleted. It is not logged, not accessible, and not used for further purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before traffic is forwarded for processing to Analytics servers; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security measures: IP masking; Privacy Policy: https://policies.google.com/privacy; Data Processing Terms: https://business.safety.google/adsprocessorterms/; Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out: Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff. Further information: https://business.safety.google/adsservices/ (types of processing and data).

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data in that context to communicate with active users or provide information about us.

Please note that user data may be processed outside the European Union. This may entail risks for users because it could, for example, make it more difficult to enforce users’ rights.

Furthermore, users’ data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and interests. These may in turn be used to display advertisements inside and outside the networks that presumably correspond to users’ interests. Cookies are generally stored on users’ computers in which usage behavior and interests are stored. Usage profiles may also store data across devices (particularly if users are members of the respective platforms and are logged in).

For a detailed description of processing and opt-out options, please refer to the privacy notices and information provided by the respective network operators.

For access requests and the exercise of data subject rights, please note these are most effectively asserted with the providers. Only they have access to user data and can take direct measures and provide information. If you still need assistance, you may contact us.

• Types of data processed: Contact data; content data; usage data.
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Communication; feedback (e.g., collecting feedback via online form). Public relations.
• Retention and deletion: Deletion as set out under “General Information on Storage and Deletion”.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing operations, procedures, and services:

• Instagram: Social network for sharing photos and videos, commenting and favoriting posts, messaging, following profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Third-country transfer basis: Data Privacy Framework (DPF).
• Facebook Pages: Profiles within the Facebook network. We are joint controllers with Meta Platforms Ireland Limited for the collection (but not further processing) of data of visitors to our Facebook Page (“Fanpage”). This includes information about types of content users view or interact with or actions taken (see “Things you and others do and provide” in Facebook’s Privacy Policy: https://www.facebook.com/privacy/policy/) and information about devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in Facebook’s Privacy Policy). As explained under “How do we use this information?”, Facebook also collects and uses information to provide analytics (“Page Insights”) to page operators, giving insights into how people interact with their pages and content. We have a specific agreement with Facebook (“Page Insights Controller Addendum”, https://www.facebook.com/legal/terms/page_controller_addendum) which, among other things, sets out Facebook’s security measures and its commitment to fulfill data subject rights (e.g., users can address access or deletion requests directly to Facebook). Users’ rights (in particular access, erasure, objection, and complaint to a supervisory authority) are not limited by our arrangements with Facebook. Further information can be found in “Information about Page Insights data” (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint controllership is limited to collection and transfer of data to Meta Platforms Ireland Limited, an EU company. Further processing is under the sole responsibility of Meta Platforms Ireland Limited, including transfers to Meta Platforms, Inc. in the USA; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Third-country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
• X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://x.com; Privacy Policy: https://x.com/de/privacy.