Data Privacy Statement

**Privacy Policy**

This privacy policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") in the context of the provision of our services as well as within our online offerings and the associated websites, functions, content, and external online presences, such as our social media profiles (hereinafter collectively referred to as "online offerings"). Regarding the terminology used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

### Notice on the Responsible Authority

The responsible entity for data processing on this website is:

Uphill Projects GmbH
Fichtenweg 14
57271 Hilchenbach, Germany
Phone: +4927331297660
Email: [email protected]

The responsible entity is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g., names, email addresses, etc.).

### Types of Data Processed

- Inventory data (e.g., basic personal data, names, or addresses).
- Contact data (e.g., email addresses, phone numbers).
- Content data (e.g., text input, photographs, videos).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).

### Categories of Affected Individuals

Visitors and users of the online offerings (we refer to the affected individuals collectively as "users").

### Purpose of Processing

- Provision of the online offerings, its functions, and content.
- Responding to contact requests and communication with users.
- Security measures.
- Reach measurement/marketing.

### Terminology Used

**Personal Data** refers to any information relating to an identified or identifiable natural person (hereinafter "data subject"); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

**Processing** refers to any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.

**Pseudonymization** refers to the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

**Profiling** refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

**Controller** refers to the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.

**Processor** refers to a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

### Relevant Legal Bases

In accordance with Article 13 of the GDPR, we inform you of the legal basis for our data processing. For users within the scope of the GDPR (i.e., the EU and the EEA), the following applies unless the legal basis is stated in the privacy policy:

- The legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR;
- The legal basis for processing to perform our services and carry out contractual measures, as well as to respond to inquiries, is Article 6(1)(b) of the GDPR;
- The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) of the GDPR;
- If vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis;
- The legal basis for the processing necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6(1)(e) of the GDPR;
- The legal basis for processing to protect our legitimate interests is Article 6(1)(f) of the GDPR;
- Processing of data for purposes other than those for which it was collected is governed by the provisions of Article 6(4) of the GDPR;
- The processing of special categories of data (in accordance with Article 9(1) of the GDPR) is determined by the provisions of Article 9(2) of the GDPR.

### Security Measures

We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risks to individuals' rights and freedoms.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data through control over physical access to the data, as well as access, input, transmission, availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data breaches. We also take the protection of personal data into account when developing or selecting hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

### Cooperation with Processors, Joint Controllers, and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors, joint controllers, or third parties), transmit it to them, or otherwise grant them access to the data, this is done only on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, is necessary for the fulfillment of a contract), users have consented, a legal obligation provides for this, or on the basis of our legitimate interests (e.g., the use of agents, web hosts, etc.).

If we disclose, transmit, or otherwise grant access to data to other companies within our corporate group, this is done primarily for administrative purposes as a legitimate interest and, in addition, based on a legal basis.

### Hosting

We host the content of our website with the following provider:

**IONOS**

The provider is IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany (hereinafter "IONOS"). When you visit our website, IONOS collects various log files, including your IP addresses. For details, please refer to IONOS's privacy policy: [https://www.ionos.de/terms-gtc/terms-privacy](https://www.ionos.de/terms-gtc/terms-privacy).

The use of IONOS is based on Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring the most reliable presentation of our website. If appropriate consent has been requested, the processing will take place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDG, insofar as the consent includes the storage of cookies or access to information in the user's device (e.g., device fingerprinting) as defined in the TDDG. The consent can be revoked at any time.

We have entered into a data processing agreement (DPA) with the above-mentioned service provider. This is a legally required contract that ensures that this service provider processes personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

**Jimdo**

The provider is Jimdo GmbH, Stresemannstraße 375, 22761 Hamburg, Germany (hereinafter "Jimdo"). Jimdo is a tool for creating and hosting websites. When you visit our website, Jimdo collects various log data, such as your IP address, browser type, browser language, and the date and time of access. Jimdo also stores cookies. This data is used to analyze and maintain the technical operation of the website and to combat misuse.

Further details can be found in Jimdo's privacy policy: [https://legal.jimdo.com/hc/de/articles/26840490952084-Jimdo-Datenschutzhinweise-f%C3%BCr-Jimdo-com](https://legal.jimdo.com/hc/de/articles/26840490952084-Jimdo-Datenschutzhinweise-f%C3%BCr-Jimdo-com).

The use of Jimdo is based on Article 6(1)(f) of the GDPR. We have a legitimate interest in ensuring the most reliable presentation of our website. If appropriate consent has been requested, the processing will take place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDG. The consent can be revoked at any time.

### External Hosting

We host the content of our website with the following providers:

**united-domains AG**

The provider is united-domains AG, Gautinger Straße 10, 82319 Starnberg, Germany. The personal data collected on this website is stored on the host's servers. This may include, in particular, IP addresses, contact requests, meta and communication data, contract data, contact details, names, website access, and other data generated via a website.

External hosting takes place for the purpose

of fulfilling contracts with our potential and existing customers (Article 6(1)(b) GDPR) and in the interest of providing a secure, fast, and efficient online offering by a professional provider (Article 6(1)(f) GDPR). If appropriate consent has been requested, processing will take place exclusively on the basis of Article 6(1)(a) of the GDPR and Section 25(1) of the TDDG. The consent can be revoked at any time.

Further details can be found in the privacy policy of united-domains: [https://www.united-domains.de/unternehmen/datenschutz/](https://www.united-domains.de/unternehmen/datenschutz/).

Our host(s) will process your data only to the extent necessary to fulfill their service obligations. Additionally, the host(s) will follow our instructions regarding this data.

We have entered into a Data Processing Agreement (DPA) for the use of the aforementioned service. This is a legally required contract under data protection law, which ensures that the service provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

**Transfers to Third Countries**

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation), or if this occurs in the context of using third-party services or disclosing, or transmitting data to other individuals or companies, it will only happen if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only under the legal requirements. That is, processing takes place, for example, based on specific guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the EU or compliance with officially recognized specific contractual obligations.

**Rights of the Data Subjects**

You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data, as well as further information and a copy of the data, in accordance with legal requirements.

You also have the right, in accordance with legal requirements, to request the completion of data concerning you or the correction of inaccurate data concerning you.

You have the right, under the provisions of the law, to request that the relevant data be deleted immediately, or alternatively, to request a restriction on the processing of the data, in accordance with the legal requirements.

You have the right to request the data you have provided to us, in accordance with the legal requirements, and to request that it be transmitted to other controllers.

Furthermore, under the provisions of the law, you have the right to file a complaint with the competent supervisory authority.

**Right of Withdrawal**

You have the right to withdraw any consent granted with effect for the future.

**Right to Object**

You may object to the future processing of your data at any time, in accordance with legal requirements. The objection may particularly concern the processing for direct marketing purposes.

**Cookies and Right to Object to Direct Advertising**

"Cookies" are small files that are stored on users' computers. Various information can be stored within cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, or "session cookies" or "transient cookies," are cookies that are deleted after a user leaves an online offering and closes their browser. For example, the content of a shopping cart in an online store or a login status can be stored in such a cookie. "Permanent" or "persistent" cookies are cookies that remain stored even after the browser is closed. For example, the login status can be saved if users return to the site after several days. Similarly, users' interests can be stored in such a cookie, which is used for reach measurement or marketing purposes. "Third-party cookies" are cookies offered by providers other than the controller that operates the online offering (if it is only the controller's cookies, they are called "first-party cookies").

We may use temporary and permanent cookies and provide information on this within our privacy policy.

If users do not want cookies stored on their computers, they are asked to disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies can lead to functional restrictions of this online offering.

A general objection to the use of cookies used for online marketing purposes can be declared via a number of services, especially in the case of tracking, on the U.S. site [http://www.aboutads.info/choices](http://www.aboutads.info/choices) or the EU site [http://www.youronlinechoices.com](http://www.youronlinechoices.com). Furthermore, the storage of cookies can be achieved by turning them off in the browser settings. Please note that not all functions of this online offering may be available if cookies are disabled.

**Deletion of Data**

The data we process will be deleted or restricted in its processing in accordance with legal requirements. Unless expressly stated within this privacy policy, the data we store will be deleted as soon as it is no longer required for its intended purpose and there are no legal retention obligations preventing its deletion.

If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

**Changes and Updates to the Privacy Policy**

We ask that you regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.

**Business-Related Processing**

In addition, we process:

- Contract data (e.g., contract subject, duration, customer category),
- Payment data (e.g., bank details, payment history)

from our customers, prospects, and business partners for the purpose of providing contractual services, customer care, marketing, advertising, and market research.

**Order Processing in the Online Store and Customer Account**

We process our customers' data in the context of order processes in our online store to enable them to select and order the chosen products and services, as well as their payment and delivery, or execution.

The data processed includes inventory data, communication data, contract data, payment data, and data subjects include our customers, prospects, and other business partners. The processing is carried out for the purpose of providing contractual services in the context of operating an online store, billing, delivery, and customer services. Here, we use session cookies to store the contents of the shopping cart and permanent cookies to store the login status.

The processing is carried out for the purpose of fulfilling our services and carrying out contractual measures (e.g., carrying out order processes) and as far as it is legally required (e.g., legally required archiving of business transactions for commercial and tax purposes). In this respect, the information marked as required is necessary for the conclusion and fulfillment of the contract. The data is disclosed to third parties only within the framework of delivery, payment, or within the scope of legal permissions and obligations, as well as if this is based on our legitimate interests, about which we inform you within this privacy policy (e.g., to legal and tax advisors, financial institutions, freight companies, and authorities).

Users can optionally create a user account where they can view their orders in particular. During registration, the required mandatory information is communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data regarding the user account will be deleted, subject to its retention being required for commercial or tax reasons. Information in the customer account will remain until it is deleted, with subsequent archiving in the case of a legal obligation or our legitimate interests (e.g., in the case of legal disputes). It is the users' responsibility to back up their data before the end of the contract.

As part of the registration and new logins as well as the use of our online services, we store the IP address and the time of the respective user action. The storage takes place based on our legitimate interests, as well as the users' interest in protection against misuse and other unauthorized use. A transfer of this data to third parties does not take place unless it is necessary for the pursuit of our claims as a legitimate interest or there is a legal obligation to do so.

The deletion takes place after the expiry of legal warranty and comparable obligations (e.g., payment claims or performance obligations from contracts with customers), with the necessity of retaining the data being reviewed every three years; in the case of retention due to legal archiving obligations, the deletion takes place after their expiration.

**Agency Services**

We process the data of our customers as part of our contractual services, which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services.

Here, we process inventory data (e.g., customer master data, such as names or addresses), contact data (e.g., email, telephone numbers), content data (e.g., text input, photographs, videos), contract data (e.g., contract subject, duration), payment data (e.g., bank details, payment history), usage and metadata (e.g., as part of the evaluation and success measurement of marketing measures). We generally do not process special categories of personal data unless they are part of a commissioned processing. The data subjects include our customers, prospects, and their customers, users, website visitors, or employees, as well as third parties. The purpose of the processing is to provide contractual services, billing, and customer service. The legal bases for the processing arise from Article 6(1)(b) GDPR (contractual services), Article 6(1)(f) GDPR (analysis, statistics, optimization, security measures). We process data that is required to establish and fulfill the contractual services and point out the necessity of their disclosure. Disclosure to external parties only occurs if it is necessary within the framework of a contract. In the case of commissioned processing, we act in accordance with the instructions of the clients as well as the legal requirements of a commissioned processing in accordance with Article 28 GDPR and do not process the data for purposes other than those specified in the order.

We delete the data after the expiry of statutory warranty and comparable obligations. The necessity of retaining the data is reviewed every three years; in the case of statutory archiving obligations, deletion takes place after their expiration (6 years, under § 257(1) HGB, 10 years, under § 147(1) AO). In the case of data that we are provided with as part of an order by the client, we delete the data in accordance with the specifications of the order, generally after the end of the order.

**Therapeutic Services and Coaching**

We process the data of our clients, prospects, and other contractors or business partners (hereinafter collectively referred to as "clients") in accordance with Article 6(1)(b) GDPR to provide our contractual or pre-contractual services to them. The data processed, its nature, scope, purpose, and necessity for its processing are determined by the underlying contractual relationship. The data processed generally includes the basic and contact details of the clients (e.g., name, address, etc.), contact details (e.g., email address, phone number, etc.), contract data (e.g., services provided, fees, names of contact persons, etc.), and payment data (e.g., bank details, payment history, etc.).

As part of our services, we may also process special categories of data as per Article 9(1) GDPR, particularly health data of the clients, potentially related to their sex life or sexual orientation, ethnic origin, or religious or philosophical beliefs. For this, we obtain the explicit consent of the clients in accordance with Article 6(1)(a), Article 7, and Article 9(2)(a) GDPR when required and otherwise process the special categories of data for purposes of healthcare based on Article 9(2)(h) GDPR, § 22(1)(1)(b) BDSG.

Where necessary for fulfilling the contract or legally required, we disclose or transfer the data of the clients to other professionals or third parties, such as billing services or similar service providers, if this is required for providing our services according to Article 6(1)(b) GDPR, is legally mandated by Article 6(1)(c) GDPR, serves our legitimate interests or those of the clients in efficient and cost-effective healthcare according to Article 6(1)(f) GDPR, or is necessary to protect the vital interests of the clients or another natural person according to Article 6(1)(d) GDPR, or is done based on the consent of the clients in accordance with Article 6(1)(a), Article 7 GDPR.

The data will be deleted when it is no longer necessary to fulfill contractual or legal care obligations and to handle any warranty or comparable obligations. The necessity of retaining the data is reviewed every three years; otherwise, the statutory retention obligations apply.

**Contractual Services**

We process the data of our contractual partners, prospects, and other contractors, clients, or business partners (hereinafter collectively referred to as "contractual partners") in accordance with Article 6(1)(b) GDPR to provide our contractual or pre-contractual services to them. The data processed, its nature, scope, purpose, and necessity for its processing are determined by the underlying contractual relationship.

The data processed includes the core data of our contractual partners (e.g., names and addresses), contact details (e.g., email addresses and phone numbers), contract data (e.g., services provided, contract contents, contract communications, names of contact persons), and payment data (e.g., bank details, payment history).

We generally do not process special categories of personal data unless they are part of a commissioned or contractual processing.

We process data that is necessary for the establishment and fulfillment of the contractual services and indicate the necessity of providing such data if it is not obvious to the contractual partners. Data is disclosed to external persons or companies only if it is necessary within the context of a contract. When processing data provided to us as part of a contract, we act according to the instructions of the clients and the legal requirements of commissioned processing according to Article 28 GDPR, and we do not process the data for purposes other than those specified in the contract.

As part of the use of our online services, we may store the IP address and the time of the respective user activity. This storage is based on our legitimate interests and the users' interest in protection against misuse and other unauthorized use. The data is not passed on to third parties unless it is necessary to pursue our claims according to Article 6(1)(f) GDPR or there is a legal obligation according to Article 6(1)(c) GDPR.

Data is deleted when it is no longer necessary to fulfill contractual or legal care obligations and handle any warranty or comparable obligations. The necessity of retaining the data is reviewed every three years; otherwise, the statutory retention obligations apply.

**External Payment Service Providers**

We use external payment service providers through whose platforms users and we can carry out payment transactions (e.g., Paypal [https://www.paypal.com/de/webapps/mpp/ua/privacy-full], Klarna [https://www.klarna.com/de/datenschutz/], Skrill [https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/], Giropay [https://www.giropay.de/rechtliches/datenschutz-agb/], Visa [https://www.visa.de/datenschutz], Mastercard [https://www.mastercard.de/de-de/datenschutz.html], American Express [https://www.americanexpress.com/de/content/privacy-policy-statement.html]).

We use these payment service providers as part of fulfilling contracts on the legal basis of Article 6(1)(b) GDPR. Furthermore, we use external payment service providers based on our legitimate interests in providing an effective and secure payment option for our users under Article 6(1)(f) GDPR.

The data processed by payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, transaction, and recipient-related data. This information is required to carry out the transactions. The data entered is processed only by the payment service providers and stored by them. We do not receive any account or credit card-related information but only information confirming or negating the payment. Under certain circumstances, the data may be transmitted to credit agencies by the payment service providers. This transmission is intended to verify identity and creditworthiness. For this, we refer to the payment service providers' terms and conditions and privacy policies.

For the payment transactions, the terms and conditions and privacy notices of the respective payment service providers apply, which can be accessed on the respective websites or transaction applications. We also refer to these for further information and for asserting revocation, information, and other data subject rights.

**Administration, Financial Accounting, Office Organization, Contact Management**

We process data as part of administrative tasks, organization of our business, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data we process in the course of providing our contractual services. The legal basis for processing is Article 6(1)(c) GDPR, Article 6(1)(f) GDPR. The data subjects include customers, prospects, business partners, and website visitors. The purpose and our interest in processing lies in administration, financial accounting, office organization, and data archiving, i.e., tasks that serve to maintain our business operations, perform our duties, and provide our services. The deletion of data with regard to contractual services and contractual communication is in line with the information provided in these processing activities.

We disclose or transmit data to financial authorities, consultants, such as tax advisors or auditors, as well as other fee offices and payment service providers.

In addition, we store data about suppliers, event organizers, and other business partners based on our business interests, for example, to establish contact at a later date. These majority business-related data are generally stored permanently.

**Business Analyses and Market Research**

To run our business economically, to recognize market trends, wishes of contractual partners and users, we analyze the data available to us from business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata based on Article 6(1)(f) GDPR, where the affected persons include contractual partners, prospects, customers, visitors, and users of our online offering.

The analyses are carried out for business evaluations, marketing, and market research. In doing so, we can take into account the profiles of registered users with details, for example, of their services used. The analyses are used to increase user-friendliness, optimize our offering, and improve business efficiency. The analyses are for our own use only and are not disclosed externally unless they are anonymous, aggregate analyses.

If these analyses or profiles are personal, they will be deleted or anonymized upon termination by the users, otherwise, after two years following the conclusion of the contract. In all other cases, the overall business analyses and general trend determinations are created anonymously as far as possible.

**Participation in Affiliate Partner Programs**

Within our online offering, we use tracking measures typical in the industry based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering) according to Article 6(1)(f) GDPR, provided they are necessary for the operation of the affiliate system. Below we clarify the technical background to users.

The services offered by our contractual partners can also be advertised and linked on other websites (so-called affiliate links or after-buy systems, if, for example, links or services of third parties are offered after the conclusion of a contract). The operators of the respective websites receive a commission if users follow the affiliate links and subsequently take advantage of the offers.

In summary, it is necessary for our online offering that we can track whether users who are interested in affiliate links and/or the offers available to us subsequently take up the offers at the instigation of the affiliate links or our online platform. For this purpose, the affiliate links and our offers are supplemented with certain values that can be part of the link or otherwise, e.g., in a cookie. The values include, in particular, the originating website (referrer), the time, an online identifier of the operator of the website where the affiliate link was located, an online identifier of the respective offer, an online

identifier of the user, as well as tracking-specific values such as advertising media ID, partner ID, and categorizations.

The online identifiers used by us are pseudonymous values. This means that the online identifiers themselves do not contain any personal data, such as names or email addresses. They help us only to determine whether the same user who clicked on an affiliate link or showed interest in an offer on our online offering took up the offer, i.e., entered into a contract with the provider. However, the online identifier is personal insofar as the partner company and also we have the online identifier together with other user data. Only in this way can the partner company inform us whether the user took up the offer and we, for example, can pay out the bonus.

**Amazon Affiliate Program**

We participate in the Amazon EU Affiliate Program based on our legitimate interests (i.e., interest in the economic operation of our online offering within the meaning of Article 6(1)(f) GDPR). This program is designed to provide a medium for websites through which advertising costs can be earned by placing advertisements and links to Amazon.de (so-called affiliate system). This means that we earn commissions on qualified purchases as an Amazon partner.

Amazon uses cookies to track the origin of orders. Among other things, Amazon can recognize that you clicked the partner link on this website and subsequently purchased a product on Amazon.

Further information on Amazon’s use of data and how to object can be found in the company’s privacy policy: [https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010](https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010).

Note: Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliated companies.

**Digistore24 Affiliate Program**

We participate in the affiliate program of Digistore24 GmbH, St.-Godehard-Straße 32, 31139 Hildesheim, Germany, based on our legitimate interests (i.e., interest in the economic operation of our online offering within the meaning of Article 6(1)(f) GDPR). This program is designed to provide a medium for websites through which advertising costs can be earned by placing advertisements and links to Digistore24 (so-called affiliate system). Digistore24 uses cookies to track the origin of the contract conclusion. Among other things, Digistore24 can recognize that you clicked the partner link on this website and subsequently entered into a contract with or via Digistore24.

Further information on Digistore24’s use of data and how to object can be found in the company’s privacy policy: [https://www.digistore24.com/page/privacyl](https://www.digistore24.com/page/privacyl).

**Privacy Notices in the Application Process**

We process applicants’ data only for the purpose and within the framework of the application process in accordance with legal requirements. The processing of applicant data is carried out to fulfill our (pre)contractual obligations within the application process within the meaning of Article 6(1)(b) GDPR and Article 6(1)(f) GDPR if data processing becomes necessary for us, for example, in the context of legal proceedings (in Germany, § 26 BDSG additionally applies).

The application process requires that applicants provide us with their applicant data. The necessary applicant data is indicated if we offer an online form, otherwise, it results from the job descriptions and generally includes the information about the person, postal and contact addresses, and the documents belonging to the application, such as cover letters, CVs, and certificates. In addition, applicants can voluntarily provide us with additional information.

By submitting the application to us, applicants consent to the processing of their data for purposes of the application process in accordance with the nature and scope described in this privacy policy.

Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are voluntarily provided during the application process, their processing is additionally carried out in accordance with Article 9(2)(b) GDPR (e.g., health data, such as disability status or ethnic origin). Insofar as special categories of personal data within the meaning of Article 9(1) GDPR are requested from applicants in the application process, their processing is additionally carried out in accordance with Article 9(2)(a) GDPR (e.g., health data if this is necessary for the exercise of the profession).

If provided, applicants can submit their applications via an online form on our website. The data is transmitted to us in encrypted form according to the state of the art.
Applicants can also send us their applications via email. However, we ask that you note that emails are generally not sent in encrypted form and applicants must ensure encryption themselves. Therefore, we cannot assume responsibility for the transmission path of the application between the sender and our server and recommend using the online form or postal submission instead. Alternatively, applicants can still submit their applications by post.

The data provided by applicants may be further processed by us for employment purposes if the application is successful. Otherwise, if the application for a job offer is unsuccessful, the applicants' data will be deleted. The applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time.

Deletion will take place after the expiration of a six-month period, subject to a justified revocation by the applicant, so that we can answer any follow-up questions about the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax regulations.

**Registration Function**

Users can create a user account. As part of the registration process, the required mandatory information will be communicated to the users and processed based on Article 6(1)(b) GDPR for the purpose of providing the user account. The data processed includes, in particular, the login information (name, password, and email address). The data entered during registration will be used for the purposes of utilizing the user account and its functionality.

Users may receive information related to their user account, such as technical changes, via email. If users terminate their user account, their data will be deleted, subject to legal retention obligations. It is the users' responsibility to back up their data before the contract ends. We are entitled to irreversibly delete all user data stored during the contract period.

As part of the use of our registration and login functions as well as the use of the user account, we store the IP address and the time of the respective user action. This storage is based on our legitimate interests, as well as the users' interest in protection against misuse and unauthorized use. The data will not be transferred to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Article 6(1)(c) GDPR. IP addresses will be anonymized or deleted no later than 7 days after collection.

**Contacting Us**

When contacting us (e.g., via contact form, email, phone, or social media), the user's information is processed for handling the contact request and its resolution in accordance with Article 6(1)(b) (within the scope of contractual or pre-contractual relationships) or Article 6(1)(f) GDPR (other inquiries). Users' information may be stored in a Customer Relationship Management (CRM) system or a similar inquiry organization.

We delete inquiries if they are no longer necessary. We review the necessity every two years; statutory archiving obligations also apply.

**Newsletter**

The following information explains the content of our newsletter, the registration, sending, and statistical evaluation procedures, as well as your rights to object. By subscribing to our newsletter, you agree to receive it and to the procedures described.

**Content of the Newsletter**: We send newsletters, emails, and other electronic notifications with promotional information (hereinafter "newsletter") only with the consent of the recipients or a legal basis. If the contents of the newsletter are specifically described as part of the subscription, they are decisive for the user's consent. Otherwise, our newsletters contain information about our services and us.

**Double Opt-In and Logging**: The registration for our newsletter takes place in a so-called double opt-in process. This means you will receive an email after registering in which you are asked to confirm your registration. This confirmation is necessary to prevent anyone from registering with external email addresses. The registrations for the newsletter are logged to demonstrate the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored with the email service provider are also logged.

**Registration Data**: To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we ask you to provide a name for personal address in the newsletter.

The dispatch of the newsletter and its performance measurement are based on the consent of the recipients pursuant to Article 6(1)(a), Article 7 GDPR in conjunction with Section 7(2) No. 3 UWG (German Act Against Unfair Competition) or on the basis of our legitimate interests in direct marketing pursuant to Article 6(1)(f) GDPR in conjunction with Section 7(3) UWG, if consent is not required.

The logging of the registration process is based on our legitimate interests in accordance with Article 6(1)(f) GDPR. Our interest lies in the use of a user-friendly and secure newsletter system that serves both our business interests and meets users' expectations, while also allowing us to demonstrate consent.

**Cancellation/Revocation**: You can cancel the receipt of our newsletter at any time, i.e., revoke your consent. A link to cancel the newsletter can be found at the end of each newsletter. We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to prove prior consent. The processing of this data will be limited to the purpose of defending against claims. An individual deletion request is possible at any time, provided the prior existence of consent is confirmed.

**Newsletter - Service Provider**

The newsletter is sent by the service provider [NAME, ADDRESS, COUNTRY]. You can view the service provider's privacy policy here: [LINK TO PRIVACY POLICY]. The service provider is used on the basis of our legitimate interests pursuant to Article 6(1)(f) GDPR and an order processing agreement in accordance with Article 28(3) sentence 1 GDPR.

The service provider may use the recipients' data in pseudonymous form, i.e., without assigning it to a user, to optimize or improve its services, e.g., for the technical optimization of the newsletter dispatch and its presentation, or for statistical purposes. However, the service provider does not use the data of our newsletter recipients to contact them directly or to pass it on to third parties.

**Newsletter - Performance Measurement**

The newsletters contain a so-called "web-beacon", i.e., a pixel-sized file that is retrieved from our server, or from the server of the service provider if we use one, when the newsletter is opened. Within this retrieval, technical information, such as information about the browser and your system, as well as your IP address and time of retrieval, are collected.

This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. The statistical data also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our intention nor, if used, that of the service provider to observe individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.

Unfortunately, a separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be canceled.

**Hosting and Email Dispatch**

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space, and database services, email dispatch, security services, and technical maintenance services that we use for the purpose of operating this online offering.

In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, metadata, and communication data of customers, prospects, and visitors to this online offering based on our legitimate interests in providing this online offering efficiently and securely, as per Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of an order processing agreement).

**Collection of Access Data and Log Files**

We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files) based on our legitimate interests as per Article 6(1)(f) GDPR. The access data includes the name of the accessed website, file, date, and time of access, amount of data transferred, notification of successful retrieval, browser type along with version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.

Logfile information is stored for security reasons (e.g., to clarify misuse or fraud) for a maximum of 7 days and then deleted. Data whose further retention is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.

**Google Analytics**

Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering as per Article 6(1)(f) GDPR), we use Google Analytics, a web analytics service provided by Google LLC ("Google"). Google uses cookies. The information generated by the cookie about the use of the online offering by the users is usually transmitted to a Google server in the USA and stored there.

Google is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google will use this information on our behalf to evaluate the use of our online offering by users, compile reports on the activities within this online offering, and provide us with other services related to the use of this online offering and the Internet. Pseudonymous usage profiles of users can be created from the processed data.

We use Google Analytics only with IP anonymization enabled. This means that the IP address of users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user's browser will not be merged with other data from Google. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offering to Google and the processing of this data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

Further information on the use of data by Google, settings, and options for objecting can be found in Google's privacy policy (https://policies.google.com/privacy) and in the settings for displaying advertisements by Google (https://adssettings.google.com/authenticated).

The users' personal data will be deleted or anonymized after 14 months.

**Google AdSense with Personalized Ads**

We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"), based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering as per Article 6(1)(f) GDPR).

Google is certified under the Privacy Shield Agreement and offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

We use the AdSense service, which allows advertisements to be displayed on our website, and we receive compensation for displaying or otherwise using them. For these purposes, usage data, such as the click on an ad and the users' IP address, are processed, with the IP address being shortened by the last two digits. Therefore, the processing of users' data is pseudonymized.

We use AdSense with personalized ads. Google draws conclusions about users' interests based on the websites or apps they visit and the user profiles created in this way. Advertisers use this information to tailor their campaigns to those interests, which benefits both users and advertisers. Google considers ads to be personalized when collected or known data influences or determines the ad selection. This includes previous searches, activities, website visits, app usage, demographic and location information. Specifically, this includes: demographic targeting, targeting by interest categories, remarketing, targeting by lists for customer matching, and target group lists uploaded to DoubleClick Bid Manager or Campaign Manager.

Further information on the use of data by Google, settings, and options for objecting can be found in Google's privacy policy (https://policies.google.com/technologies/ads) and in the settings for displaying advertisements by Google (https://adssettings.google.com/authenticated).

**Facebook Pixel, Custom Audiences, and Facebook Conversion**

Within our online offering, the so-called "Facebook Pixel" of the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used based on our legitimate interests in analysis, optimization, and economic operation of our online offering and for these purposes.

Facebook is certified under the Privacy Shield Agreement and offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).

With the help of the Facebook Pixel, Facebook is able to determine the visitors of our online offering as a target group for the display of advertisements (so-called "Facebook ads"). Accordingly, we use the Facebook Pixel to display the Facebook ads we have placed only to those Facebook users who have also shown an interest in our online offering or who have certain characteristics (e.g., interests in certain topics or products, which are determined based on the websites visited) that we transmit to Facebook (so-called "Custom Audiences"). With the help of the Facebook Pixel, we also want to ensure that our Facebook ads match the potential interest of users and are not annoying. With the help of the Facebook Pixel, we can further track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "conversion").

The processing of data by Facebook takes place within the framework of Facebook's data usage policy. Accordingly, general information on the display of Facebook ads can be found in Facebook's data usage policy: https://www.facebook.com/policy. Specific information and details about the Facebook Pixel and how it works can be found in Facebook's help section: https://www.facebook.com/business/help/651294705016616.

You can object to the collection by the Facebook Pixel and the use of your data to display Facebook ads. To set which types of ads are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based advertising: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, meaning they apply to all devices, such as desktop computers or mobile devices.

You can also object to the use of cookies for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

                                                                                                                            ▲▲▲▲