Privacy Policy of the Practice for Holistic Therapy
We appreciate your interest in our company. Protecting personal data is a top priority for Vanessa Lena. The use of the website vanessa-lena.com is generally possible without providing any personal data. However, if an individual wishes to use specific services offered through our website, the processing of personal data may be required. If such processing is necessary and no legal basis exists, we will generally seek the individual’s consent.
The processing of personal data—such as a person’s name, address, email address, or telephone number—is always carried out in compliance with the General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to vanessa-lena.com. Through this privacy policy, we aim to inform the public about the nature, scope, and purposes of the personal data we collect, use, and process. Additionally, this privacy policy informs individuals about their rights regarding data protection.
As the data controller, Vanessa Lena has implemented numerous technical and organizational measures to ensure the most comprehensive protection possible of personal data processed through this website. However, Internet-based data transmissions can always present security vulnerabilities, meaning absolute protection cannot be guaranteed. For this reason, individuals are free to provide personal data to us through alternative means, such as by telephone.
1. Data Protection at a Glance
General Information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data refers to all data that can be used to identify you personally. Detailed information on the subject of data protection can be found in the privacy policy set out below.
Data Collection on This Website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. The operator’s contact details can be found in the section “Note on the Responsible Body” within this privacy policy.
How do we collect your data?
Your data is collected, for example, when you provide it to us. This may include information entered into a contact form.
Other data is automatically collected by our IT systems when you visit the website, either with your consent or as part of technical operations. These are primarily technical data (e.g. internet browser, operating system or time of page access). The collection of this data occurs automatically as soon as you access the site.
What do we use your data for?
Part of the data is collected to ensure the website is provided without errors. Other data may be used to analyse your usage behaviour.
If contracts are concluded or initiated via this website, the data you provide may also be processed for purposes related to offers, orders or other service enquiries.
What rights do you have regarding your data?
You have the right to obtain, at any time and free of charge, information about the origin, recipient and purpose of your stored personal data. You also have the right to request the correction or deletion of your data. If you have given consent for data processing, you may withdraw that consent at any time with effect for the future. In certain circumstances, you also have the right to request the restriction of the processing of your personal data. Furthermore, you have the right to lodge a complaint with the competent supervisory authority. You may contact us at any time for further questions on the topic of data protection.
Analytics Tools and Third-Party Tools
When visiting this website, your browsing behaviour may be statistically evaluated. This is mainly done using so-called analytics programs.
Detailed information on these programs can be found in the following privacy policy.
2. Hosting
We host the content of our website with the following provider:
Webgo
The provider is webgo GmbH, Heidenkampsweg 81, 20097 Hamburg, Germany (hereinafter “webgo”).
When you visit our website, webgo collects various log files including your IP address.
For more details, please refer to webgo’s privacy policy: https://www.webgo.de/datenschutz/.
The use of webgo is based on Art. 6(1)(f) GDPR. We have a legitimate interest in ensuring the most reliable presentation of our website possible. Where consent has been requested, data processing is based solely on Art. 6(1)(a) GDPR and § 25(1) of the German Telecommunications-Digital Services Data Protection Act (TDDDG), insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g. for device fingerprinting) within the meaning of the TDDDG.
Consent can be withdrawn at any time.
Data Processing Agreement
We have concluded a Data Processing Agreement (DPA) with the above-mentioned provider. This is a contract required under data protection law that ensures the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
3. Definitions
The privacy policy of vanessa-lena.com is based on the terminology used by the European legislator when adopting the General Data Protection Regulation (GDPR). Our aim is to ensure that this privacy policy is clear and understandable for both the general public and our clients and business partners. To achieve this, we would first like to explain some of the key terms used.
In this privacy policy, we use, among others, the following terms:
Personal Data
Personal data refers to any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
Data Subject
A data subject is any identified or identifiable natural person whose personal data is processed by the data controller.
Processing
Processing refers to any operation or set of operations performed on personal data, whether or not by automated means. This includes activities such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or any other form of making data available. It also encompasses alignment or combination, restriction, erasure, or destruction of data.
Restriction of Processing
Restriction of processing refers to the marking of stored personal data with the aim of limiting its future processing.
Profiling
Profiling refers to any form of automated processing of personal data used to evaluate certain personal aspects of an individual. This includes analyzing or predicting aspects related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Pseudonymization
Pseudonymization is the processing of personal data in such a way that it can no longer be attributed to a specific individual without additional information. This additional information must be kept separately and subject to technical and organizational measures to ensure that personal data cannot be linked to an identified or identifiable person.
Controller (Data Controller)
The controller, or data controller, is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by European Union law or the laws of its member states, the controller or the specific criteria for its designation may be provided by that law.
Processor (Data Processor)
A processor, or data processor, is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Recipient
A recipient is a natural or legal person, public authority, agency, or other body to whom personal data is disclosed, whether or not they are considered a third party. However, public authorities that may receive personal data in the framework of a particular investigative mission under European Union or national law are not considered recipients.
Third Party
A third party refers to any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and those persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent
Consent of the data subject refers to any freely given, specific, informed, and unambiguous indication of their wishes, through which the data subject agrees, by a statement or a clear affirmative action, to the processing of personal data concerning them.
4. General Information and Mandatory Disclosures
Data Protection
The operators of this website take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with applicable data protection laws as well as this privacy policy.
When you use this website, various types of personal data are collected. Personal data refers to data that can be used to personally identify you. This privacy policy explains which data we collect and what we use it for. It also explains how and for what purpose this occurs.
Please note that data transmission over the internet (e.g. when communicating via email) may have security vulnerabilities. Complete protection of your data against access by third parties is not possible.
Information on the Responsible Entity
The responsible entity for data processing on this website is:
E-Mail: in**@**********na.com
Website: vanessa-lena.com
The responsible entity is the natural or legal person who, alone or jointly with others, decides on the purposes and means of the processing of personal data (e.g. names, email addresses or similar).
Therapeutic Services and Coaching
We process the data of our clients, prospective clients, and other contractual partners (collectively referred to as “clients”) in accordance with Art. 6(1)(b) GDPR, in order to provide our contractual or pre-contractual services. The type, scope, purpose and necessity of the data processing depend on the underlying contractual relationship. The processed data typically includes master and client data (e.g. name, address), contact data (e.g. email, phone number), contract data (e.g. services used, fees, names of contact persons), and payment data (e.g. bank details, payment history).
In the course of providing our services, we may also process special categories of data pursuant to Art. 9(1) GDPR, especially information related to a client’s health, possibly including information about their sex life or sexual orientation, ethnic origin, or religious or philosophical beliefs. Where required, we obtain explicit consent from clients pursuant to Art. 6(1)(a), Art. 7, and Art. 9(2)(a) GDPR. Otherwise, we process such special categories of data for health care purposes in accordance with Art. 9(2)(h) GDPR and § 22(1)(1)(b) of the German Federal Data Protection Act (BDSG).
If necessary for contract performance or legally required, we may disclose or transmit client data to other professionals or third parties involved in contract performance (such as billing agencies or similar service providers), provided this is in accordance with Art. 6(1)(b) GDPR, is legally required under Art. 6(1)(c) GDPR, is in our or the client’s legitimate interest under Art. 6(1)(f) GDPR (e.g. efficient and cost-effective healthcare), is necessary under Art. 6(1)(d) GDPR to protect vital interests of the client or another natural person, or is based on the client’s consent under Art. 6(1)(a) and Art. 7 GDPR.
Data is deleted when it is no longer required to fulfil contractual or statutory obligations of care, or for handling warranty or similar obligations. The necessity of retaining data is reviewed every three years. Statutory retention periods apply, unless the data is stored in a client account for legal archiving reasons. Legally, retention of tax-relevant documents such as ledgers, inventories, opening balance sheets, annual financial statements, and associated documents is required for ten years. Commercial letters and copies of such letters must be retained for six years. These periods begin at the end of the calendar year in which the relevant entry or document was created or received.
Where we use third-party providers or platforms to deliver our services, the terms and privacy policies of those providers apply in relation to the users.
Data Retention Period
Unless a more specific retention period is mentioned in this privacy policy, your personal data will remain with us until the purpose for data processing ceases to apply. If you request the deletion of your data or withdraw your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing it (e.g. tax or commercial law retention periods). In such cases, the data will be deleted once those reasons no longer apply.
General Legal Bases for Data Processing on This Website
If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR and, if applicable, Art. 9(2)(a) GDPR (in the case of special categories of data under Art. 9(1) GDPR). If you have explicitly consented to the transfer of personal data to third countries, data processing also occurs based on Art. 49(1)(a) GDPR. If you consent to the storage of cookies or access to your device’s information (e.g. via device fingerprinting), data processing is also based on § 25(1) TDDDG. Your consent can be revoked at any time.
If your data is required for contract fulfilment or pre-contractual measures, we process it on the basis of Art. 6(1)(b) GDPR. If required to comply with a legal obligation, data is processed under Art. 6(1)(c) GDPR. Data processing may also take place based on our legitimate interest under Art. 6(1)(f) GDPR. The applicable legal basis for each specific case is explained in this privacy policy.
Recipients of Personal Data
In the course of our business activities, we work with various external parties. This may require the transfer of personal data. We share personal data only if it is necessary for contract performance, required by law (e.g. with tax authorities), based on a legitimate interest under Art. 6(1)(f) GDPR, or legally permitted otherwise. Where we use processors, we only transfer personal data based on a valid data processing agreement. In the case of joint processing, a joint controller agreement is concluded.
Payment Methods
As part of contractual or other legal relationships, or due to legal obligations or our legitimate interests, we offer data subjects efficient and secure payment options. For this purpose, we use banks, credit institutions, and other service providers (collectively referred to as “payment service providers”).
The data processed by these payment service providers includes account data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs, verification codes, as well as contract-related, transaction-related and recipient-specific details. This information is necessary to carry out the transaction. However, the data entered is processed and stored exclusively by the payment providers. This means we do not receive any account or credit card information, but only confirmation or rejection of the payment. In some cases, the payment service providers may transfer data to credit agencies for identity and creditworthiness checks. Please refer to the general terms and conditions and privacy policies of the respective providers for more details.
The terms and privacy policies of the respective payment service providers apply to all payment transactions and can be accessed through their websites or applications. We also refer you to these for further information and for exercising your rights of withdrawal, access, and other data subject rights.
Types of data processed: Master data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contract data (e.g. contract subject, duration, customer category); usage data (e.g. visited websites, content interests, access times); metadata, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, consent status); contact data (e.g. email, phone numbers). Data subjects: Clients; prospective clients. Purposes of processing: Provision of contractual services and customer support.
Legal basis: Contract fulfilment and pre-contractual enquiries (Art. 6(1)(b) GDPR).
Additional information on processing operations and service providers:
PayPal: Online payment services (e.g. PayPal, PayPal Plus, Braintree). Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
Legal basis: Art. 6(1)(b) GDPR. Website: https://www.paypal.com/de. Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Giropay: Provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany. Legal basis: Art. 6(1)(b) GDPR. Website: https://www.giropay.de. Privacy policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/.
Visa: Provider: Visa Europe Services Inc., Branch London, 1 Sheldon Square, London W2 6TT, United Kingdom. Legal basis: Art. 6(1)(b) GDPR. Website: https://www.visa.de. Privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
Mastercard: Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium. Legal basis: Art. 6(1)(b) GDPR. Website: https://www.mastercard.de/de-de.html. Privacy policy: https://www.mastercard.de/de-de/datenschutz.html.
Withdrawal of Your Consent to Data Processing
Many data processing operations are only possible with your explicit consent. You may withdraw your previously granted consent at any time. The legality of the processing carried out before the withdrawal remains unaffected.
Right to Object to Data Processing in Special Cases and to Direct Marketing (Art. 21 GDPR)
IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME. THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RELEVANT LEGAL BASIS FOR PROCESSING IS STATED IN THIS PRIVACY POLICY.
IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING IS FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21(1) GDPR).
IF YOUR PERSONAL DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING, INCLUDING PROFILING RELATED TO SUCH DIRECT MARKETING.
IF YOU OBJECT, YOUR PERSONAL DATA WILL NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART. 21(2) GDPR).
Right to Lodge a Complaint with a Supervisory Authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement. This right exists without prejudice to other administrative or judicial remedies.
Right to Data Portability
You have the right to receive the data we process automatically on the basis of your consent or in fulfilment of a contract, in a common, machine-readable format, or to have it transferred to a third party. If you request the direct transfer of data to another controller, this will be done only if it is technically feasible.
Right to Access, Rectification and Erasure
Within the scope of the applicable legal provisions, you have the right at any time to obtain free information about your stored personal data, its origin, recipient, and the purpose of processing, and, where applicable, the right to rectification or erasure of such data. You may contact us at any time regarding this or other questions concerning personal data.
Right to Restriction of Processing
You have the right to request the restriction of the processing of your personal data. You may contact us at any time to exercise this right. The right to restriction of processing applies in the following cases:
- If you contest the accuracy of your personal data held by us, we usually need time to verify this. For the duration of the verification, you have the right to request the restriction of processing.
- If the processing of your personal data is unlawful, you may request restriction instead of deletion.
- If we no longer need your personal data, but you require it for the establishment, exercise or defence of legal claims, you may request restriction instead of deletion.
- If you have objected pursuant to Art. 21(1) GDPR, a balance must be struck between your interests and ours. As long as it is not yet clear whose interests prevail, you have the right to request restriction of processing.
- If processing is restricted, your personal data – with the exception of storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a member state.
SSL or TLS Encryption
For security reasons and to protect the transmission of confidential content (such as inquiries or bookings you send to us as website operator), this site uses SSL or TLS encryption. You can recognize an encrypted connection by the address line of your browser changing from “http://” to “https://” and the lock icon appearing in your browser bar.
When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
Objection to Unsolicited Marketing Emails
The use of contact data published under the legal notice obligations for sending unsolicited advertising and information materials is hereby prohibited. The site operators expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.
5. Data Collection on This Website
Cookies
Our website uses so-called “cookies”. Cookies are small data packages that do not cause any harm to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently (persistent cookies) on your device. Session cookies are automatically deleted after your visit ends. Persistent cookies remain stored on your device until you delete them or your browser deletes them automatically.
Cookies can be set by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies allow the integration of specific services provided by third parties on websites (e.g. cookies for processing payment services).
Cookies serve various functions. Many cookies are technically necessary, as certain website features would not function properly without them (e.g. shopping cart functionality or video display). Other cookies may be used for analysing user behaviour or for advertising purposes.
Cookies that are necessary for the electronic communication process, for providing certain functions you request (e.g. shopping cart), or for optimising the website (e.g. cookies for measuring web audience), are stored on the basis of Art. 6(1)(f) GDPR, unless a different legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimised provision of its services. Where consent for the storage of cookies and similar recognition technologies has been requested, processing is based exclusively on this consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); such consent can be revoked at any time.
You can configure your browser to notify you when cookies are set, allow cookies only in specific cases, exclude the acceptance of cookies in general or for certain cases, and activate automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website.
You can find detailed information about the cookies and services used on this website in this privacy policy.
Server Log Files
The provider of this website automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These include:
- Browser type and version
- Operating system used
- Referrer URL
- Hostname of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
The collection of this data is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of the website – for this purpose, the server log files must be recorded.
Contact Form
If you contact us via the contact form, the data you provide in the form, including the contact details you entered, will be stored by us for the purpose of processing your inquiry and in case of follow-up questions. This data will not be shared without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR, if your inquiry relates to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries directed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent may be withdrawn at any time.
The data you enter in the contact form will remain with us until you request its deletion, revoke your consent for storage, or the purpose for storing the data no longer applies (e.g. once your inquiry has been fully processed). Mandatory legal provisions – in particular retention periods – remain unaffected.
Requests by Email, Telephone or Fax
If you contact us by email, telephone or fax, your inquiry including all resulting personal data (name, request) will be stored and processed for the purpose of handling your inquiry. We will not share this data without your consent.
The processing of this data is based on Art. 6(1)(b) GDPR if your inquiry relates to the performance of a contract or is necessary for pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective handling of inquiries (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR), if it was requested. Consent may be withdrawn at any time.
The data sent to us through contact requests will remain with us until you request its deletion, revoke your consent to storage, or the purpose for data retention no longer applies (e.g. after your request has been processed). Mandatory legal provisions – especially statutory retention periods – remain unaffected.
Collection of Personal Data Through Use of This Website or Services (when you give your consent or where permitted by applicable law)
We may collect personal data in the following ways:
- To provide you with the services you requested, which may include use of or interaction with our website, app, questionnaires and/or third-party providers.
- To respond to your inquiries, process your requests, and send you requested communications, such as the results of a completed questionnaire.
- To send you administrative information, including details about services, changes to our terms and policies.
- To deliver our services to you. This includes sending messages about our services, features, studies, surveys, news, updates, and events. These messages may be sent through email, in-app communication, and advertisements on third-party platforms.
- For internal administrative and business purposes, including data analysis, development of new services, extension, improvement or modification of services, audits, fraud monitoring and prevention, identification of usage trends.
- We may use personal data, including sensitive data, from a large number of users to create de-identified “aggregate data” (e.g. reports that calculate the percentage of users who gave a specific response in a questionnaire or achieved a specific result), which may be shared with third parties.
- If you provide us with ideas, suggestions, feedback, recommendations, or other content (“Feedback”) in relation to the services.
- Where we believe it is necessary or appropriate, and only to the extent permitted by applicable law: (a) to comply with legal processes; (b) to respond to requests from public and government authorities, including those outside your country of residence; (c) to protect our business or that of our affiliates, including investigating security incidents; or (d) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.
- To personalize your experience with the services, for example by showing you questionnaires and similar tools tailored to your needs.
6. Communication via Messenger Services
We use messenger services for communication purposes and kindly ask you to consider the following information regarding the functionality of these messengers, encryption, usage of communication metadata, and your right to object.
You may also contact us through alternative channels, such as telephone or email. Please use the contact options provided to you or those listed within our online offering.
If end-to-end encryption is used, the content of your communication (i.e., the message text and attachments, such as images) is encrypted end-to-end. This means that the content cannot be read by third parties, including the providers of the messenger services themselves. To ensure this level of security, you should always use the latest version of the messenger app with encryption enabled.
Nonetheless, we inform our communication partners that while the contents are encrypted, messenger providers may still access metadata — that is, information about when and with whom communication occurred, as well as technical data about the communication partner’s device. Depending on the device settings, location information may also be processed.
Legal Basis: If we request consent before communicating via a messenger service, the legal basis for processing your data is your consent in accordance with Art. 6(1)(a) GDPR. In all other cases — for example, if you contact us first — communication via messenger services is carried out as a pre-contractual or contractual measure (Art. 6(1)(b) GDPR), or based on our legitimate interest in efficient and prompt communication (Art. 6(1)(f) GDPR). We do not share your contact details with messenger services without your prior consent.
Withdrawal, Objection and Deletion: You may withdraw your consent at any time and object to communication with us via messenger services at any time. Messages exchanged via messenger services are deleted in accordance with our general deletion policies (e.g., after the end of a contractual relationship, or in the context of retention requirements), or when we can reasonably assume that your inquiry has been answered and no further follow-up is expected. Statutory retention obligations remain unaffected.
Right to Use Alternative Communication Channels: For your security, we reserve the right not to respond to inquiries sent via messenger services. This may apply if, for example, contractual matters require a higher degree of confidentiality, or if formal requirements are not met. In such cases, we will refer you to more appropriate means of communication.
Types of data processed: Contact data (e.g., email, phone numbers); usage data (e.g., visited pages, content interests, access times); metadata, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, consent status); content data (e.g., form entries). Data subjects: Communication partners. Purpose of processing: Handling inquiries and communication; direct marketing (e.g., by email or post). Legal basis: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Additional Information on Processing Activities, Services and Providers:
Instagram
Messaging via the Instagram social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.
Facebook Messenger
With optional end-to-end encryption (must be enabled if not active by default); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.facebook.com. Privacy Policy: https://www.facebook.com/about/privacy. Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing. Standard Contractual Clauses: https://www.facebook.com/legal/EU_data_transfer_addendum.
Signal
Signal Messenger with end-to-end encryption; Service provider: Signal Messenger, LLC, 650 Castro Street, Suite 120-223, Mountain View, CA 94041, USA. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://signal.org/de. Privacy Policy: https://signal.org/legal/.
Threema
Threema Messenger with end-to-end encryption; Service provider: Threema GmbH, Churerstrasse 82, 8808 Pfäffikon SZ, Switzerland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://threema.ch/en. Privacy Policy: https://threema.ch/de/privacy.
WhatsApp
WhatsApp Messenger with end-to-end encryption; Service provider: WhatsApp Ireland Limited, 4 Grand Canal Quay, Dublin 2, D02 KH28, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.whatsapp.com/. Privacy Policy: https://www.whatsapp.com/legal.
7. Video Conferences, Online Meetings, Webinars and Screen Sharing
We use platforms and applications provided by third-party providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as “conferences”). When selecting these platforms and their services, we observe the applicable legal requirements.
Data Processed by Conference Platforms: When participating in a conference, the conference platforms process the following categories of personal data. The extent of the data processing depends on the specific requirements of the individual conference (e.g. entry of access credentials or real names) and the optional information provided by participants. In addition to processing data for the purpose of conducting the conference, conference platforms may also process participants’ data for security or service optimisation purposes.
The processed data may include personal information (first and last name), contact details (email address, telephone number), access credentials (access codes or passwords), profile pictures, job title/position, IP address, device details, operating system, browser type, technical and language settings, chat input, as well as audio and video data and usage of available functions (e.g. polls). Communication content is encrypted to the extent technically provided by the respective platform. If participants are registered users of the conference platform, additional data may be processed in accordance with the contractual agreement with the provider.
Logging and Recordings: If text entries, participation results (e.g. poll results), or video/audio recordings are documented, this will be transparently communicated to participants in advance and, where necessary, consent will be requested.
Participant Data Protection Measures: Please refer to the respective privacy policies of the conference platforms for detailed information on how your data is processed. Adjust the security and privacy settings within the platform to meet your individual needs. During a video conference, please ensure the protection of your personal data and privacy in your environment (e.g. by informing cohabitants, closing doors, or using background blurring features if technically available). Conference links and access credentials must not be shared with unauthorised third parties.
Legal Basis: If, in addition to the conference platforms, we also process users’ data and request their consent for the use of conference platforms or certain functionalities (e.g. consent to conference recording), the legal basis for processing is that consent. Otherwise, processing may be necessary for fulfilling our contractual obligations (e.g. attendance lists or follow-up documentation). In all other cases, processing is based on our legitimate interests in effective and secure communication with our partners.
Types of data processed: Master data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. inputs in online forms); usage data (e.g. visited websites, interests, access times); metadata, communication and procedural data (e.g. IP addresses, timestamps, identifiers, consent status). Data subjects: Communication partners; users (e.g. website visitors, users of online services); individuals shown in video. Purpose of processing: Provision of contractual services and customer support; handling inquiries and communication; office and organisational procedures. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Additional Information on Processing Activities, Services and Providers:
Google Hangouts / Meet
Conference and communication software; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://hangouts.google.com/. Privacy Policy: https://policies.google.com/privacy. Data Processing Agreement: https://cloud.google.com/terms/data-processing-addendum. Standard Contractual Clauses: https://cloud.google.com/terms/eu-model-contract-clause.
Zoom
Conference and communication software; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://zoom.us. Privacy Policy: https://zoom.us/docs/de-de/privacy-and-legal.html. Data Processing Agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as “Global DPA”). Standard Contractual Clauses: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as “Global DPA”).
RED
Video conferencing software; Service provider: RED Medical Systems GmbH, Lutzstraße 2, 80687 Munich, Germany. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.redmedical.de/videosprechstunde-auswahl/. Privacy Policy: https://www.redmedical.de/datenschutzhinweise/.
8. Cloud Services
We use software services accessible via the internet and operated on the servers of their respective providers (so-called “cloud services”, also referred to as “Software as a Service”) for storing and managing content (e.g. document storage and management, sharing documents, content, and information with specific recipients, or publishing content and information).
In this context, personal data may be processed and stored on the servers of the respective providers, insofar as this data forms part of communication processes with us or is otherwise processed by us as described in this privacy policy. This may include master and contact data of users, data related to transactions, contracts, other procedures, and their content. Cloud service providers also process usage data and metadata, which are used for security purposes and service optimisation.
If we provide forms or other documents and content via cloud services to other users or publicly accessible websites, the providers may store cookies on users’ devices for the purposes of web analytics or to remember user settings (e.g. for media control preferences).
Types of data processed: Master data (e.g. names, addresses); contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. visited pages, interest in content, access times); metadata, communication and procedural data (e.g. IP addresses, timestamps, identifiers, consent status). Data subjects: Customers; employees (e.g. staff, applicants, former employees); prospective clients; communication partners; users (e.g. website visitors, users of online services). Purposes of processing: Office and organisational procedures; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.). Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Additional Information on Processing Activities, Services and Providers:
Apple iCloud
Cloud storage service; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.apple.com/de/. Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
9. Analytics Tools and Advertising
Web analytics (also referred to as “audience measurement”) is used to evaluate visitor traffic on our online offering and may include pseudonymised data on user behaviour, interests, or demographic information such as age or gender. Audience analysis allows us to identify, for example, when our website or its features are most frequently used or what content encourages return visits. It also helps us determine which areas require improvement.
In addition to web analytics, we may use testing procedures to optimise different versions of our website or its components.
Unless otherwise specified below, profiles (i.e. data grouped by a usage process) may be created for these purposes. Information may be stored in or retrieved from a user’s browser or device. This includes details such as pages visited, elements used, technical data such as browser type, operating system, and access times. If users have consented to the collection of their location data (either to us or to third-party service providers we use), this data may also be processed.
IP addresses are also stored, but we use IP masking (i.e., pseudonymisation by shortening the IP address) to protect users. As a rule, no clear personal data such as email addresses or names are stored during analytics, A/B testing or optimisation. Only pseudonymous data is used. Neither we nor the software providers involved can identify individual users, only their assigned profiles.
Types of data processed: Usage data (e.g. visited websites, interest in content, access times); metadata, communication and procedural data (e.g. IP addresses, timestamps, identifiers, consent status). Data subjects: Users (e.g. website visitors, users of online services). Purpose of processing: Remarketing; audience segmentation; audience measurement (e.g. access statistics, identifying repeat visitors); user profiling; providing our online offering and enhancing user experience. Security measures: IP masking (pseudonymisation of IP addresses). Legal basis: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)
Additional Information on Processing Activities, Services and Providers:
Matomo
This website uses Matomo, an open-source web analytics platform.
With Matomo, we are able to collect and analyse data about the use of our website by visitors. This allows us to understand, for example, when specific pages are accessed and from which region. We also collect various log files (e.g. IP address, referrer, browser type and operating system) and can measure user interactions (e.g. clicks, purchases, etc.).
Use of this analytics tool is based on Art. 6(1)(f) GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both the website and its advertising. Where user consent has been requested, processing is based solely on Art. 6(1)(a) GDPR and § 25(1) TDDDG, insofar as consent includes the storage of cookies or access to user device information (e.g. device fingerprinting) as defined by the TDDDG. Consent may be withdrawn at any time.
IP Anonymisation
We use IP anonymisation with Matomo. This means your IP address is shortened before analysis so that it can no longer be clearly linked to you.
Hosting
We host Matomo exclusively on our own servers, ensuring that all analytical data remains with us and is not passed on to third parties.
10. Presence on Social Networks (Social Media)
We maintain online presences within social networks and, in this context, process users’ data to communicate with users active on those platforms or to provide information about us.
Please note that user data may be processed outside the European Union in this context. This may pose risks to users, such as making it more difficult to enforce their rights.
In addition, user data within social networks is generally processed for market research and advertising purposes. For example, user behaviour and resulting interests can be used to create usage profiles. These profiles may in turn be used to display advertisements—both within and outside the platforms—that likely correspond to the interests of the users. For this purpose, cookies are typically stored on the users’ devices, in which their usage behaviour and interests are recorded. Moreover, data can be stored in usage profiles independently of the devices used by the users (especially if users are logged in as members of the respective platforms).
For a detailed overview of the processing activities and opt-out options, we refer to the privacy policies and information provided by the respective network operators.
In the event of information requests or the assertion of data subject rights, we also point out that these are most effectively addressed directly to the respective providers. Only the providers have access to the users’ data and can take appropriate action and provide information. If you still need assistance, you may contact us.
Types of data processed: Contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. visited websites, interest in content, access times); metadata, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, consent status). Data subjects: Users (e.g. website visitors, users of online services). Purpose of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form); marketing. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Activities, Services and Providers:
Instagram
Social network; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
Facebook Pages
Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content users view or interact with or actions they take (see “Things you and others do and provide” in Facebook’s data policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in Facebook’s data policy). As explained in the section “How do we use this information?” in Facebook’s policy, Facebook also uses the data to provide page analytics (“page insights”) to page operators to help them understand how people interact with their pages and content. We have entered into a specific agreement with Facebook (“Information about Page Insights”: https://www.facebook.com/legal/terms/page_controller_addendum), which outlines the security measures Facebook must implement and confirms Facebook’s commitment to fulfil data subject rights (e.g. users may submit access or deletion requests directly to Facebook). These agreements do not restrict users’ rights (in particular rights to access, erasure, objection, or complaint to the supervisory authority). Further details: Page Insights information: https://www.facebook.com/legal/terms/information_about_page_insights_data. Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.facebook.com. Privacy policy: https://www.facebook.com/about/privacy. Standard Contractual Clauses (to ensure data protection in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum. Joint controllership agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.
Joint responsibility is limited to data collection and transfer to Meta Platforms Ireland Limited, an EU-based company. All further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, including the transfer of data to its parent company Meta Platforms, Inc. in the USA, based on the Standard Contractual Clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.
LinkedIn
Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Website: https://www.linkedin.com. Privacy policy: https://www.linkedin.com/legal/privacy-policy. Data Processing Agreement: https://legal.linkedin.com/dpa. Standard Contractual Clauses: https://legal.linkedin.com/dpa. Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
YouTube
Social network and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Privacy policy: https://policies.google.com/privacy. Opt-out option: https://adssettings.google.com/authenticated.
11. Plugins and Tools
We integrate functional and content elements into our online offering that are retrieved from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include graphics, videos, or maps (collectively referred to as “content”).
Such integration always requires that the third-party providers of this content process the users’ IP addresses, as they would not be able to send the content to the users’ browser without the IP address. The IP address is therefore necessary for displaying this content or functionality. We strive to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags allow information such as visitor traffic on the pages of this website to be analyzed. Pseudonymized information may also be stored in cookies on the user’s device and include technical information about the browser and operating system, referring websites, time of visit, and other details on the use of our online services. This data may also be linked with such information from other sources.
Types of data processed: Usage data (e.g. visited websites, interest in content, access times); Metadata, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, consent status); Inventory data (e.g. names, addresses); Contact data (e.g. email addresses, phone numbers); Content data (e.g. entries in online forms); Location data (information about the geographical position of a device or person); Event data (Facebook) (“Event Data” refers to data that can be transmitted by us to Facebook via Facebook Pixel (via apps or otherwise), and which relates to individuals or their actions; e.g. site visits, interactions with content, app installations, product purchases, etc. Event Data is used for audience segmentation for content and advertising (“Custom Audiences”); it does not include actual content such as written comments, login or contact information like names, email addresses, or phone numbers. Facebook deletes Event Data after a maximum of two years, or when we delete our Facebook account, including the associated audiences). Data subjects: Users (e.g. visitors to the website, users of online services). Purposes of processing: Provision of our online offering and user-friendliness; Fulfillment of contractual obligations and customer service; Marketing; User profile creation based on behavioral data. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Further Information on Processing Activities, Tools, and Services:
YouTube with Enhanced Privacy Mode
This website embeds videos from YouTube, a service operated by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
When you visit a page on this site where a YouTube video is embedded, a connection to the YouTube servers is established. YouTube is informed about which pages you have visited. If you are logged into your YouTube account, YouTube can associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account.
We use YouTube in enhanced privacy mode. According to YouTube, videos played in enhanced privacy mode are not used to personalize the browsing experience on YouTube. Ads shown in enhanced privacy mode are also not personalized. No cookies are set in this mode. However, local storage elements are stored in the user’s browser, which can include personal data and be used for recognition purposes. Details on enhanced privacy mode are available here:
https://support.google.com/youtube/answer/171780.
After activating a YouTube video, additional data processing operations may occur over which we have no control.
The use of YouTube is based on our legitimate interest in presenting our online offering in an appealing way (Art. 6(1)(f) GDPR). Where consent is required, processing is based on Art. 6(1)(a) GDPR and § 25(1) of the German TDDDG (Telecommunications-Digital Services Data Protection Act), insofar as consent includes the storage of cookies or access to information on the user’s device (e.g. device fingerprinting). Consent may be revoked at any time.
Further information on YouTube’s privacy policy:
https://policies.google.com/privacy?hl=en.
Google LLC is certified under the “EU-U.S. Data Privacy Framework” (DPF), an agreement between the EU and the U.S. ensuring compliance with European data protection standards for data processing in the U.S. Certified companies are obliged to uphold these standards.
More info: https://www.dataprivacyframework.gov/participant/5780.
Created with the privacy policy generator from e-recht24.de. Adapted by the website author.