Privacy Policy

In this privacy policy of ARTEL AG (“we” or “ARTEL”) we inform you about the processing of personal data when using our website.

In addition to this privacy policy for our website, we also have privacy policies for other services, which you may access using the links below:

As regards data protection, we are primarily guided by the legal requirements of Swiss data protection law, in particular the Federal Act on Data Protection (“FADP”), and the EU General Data Protection Regulation (“GDPR”), the provisions of which may be applicable in individual cases.

Content of this Privacy Policy

1. Controller and Contact Person
2. Data Processing on our Website
2.1 Our website call / Connection data
2.2 Contact
2.3 Bookings
2.4 Image upload for The Frame
2.5 Stripe
2.6 Hetzner Online GmbH
3. Use of Tools on the Website
3.1 Technologies applied
3.2 Legal basis and withdrawal
3.2.1 Legal basis
3.2.2 Obtaining your consent
3.2.3 Withdrawing your consent or changing your selection
4. Necessary Tools
4.1 Own tools
4.2 Google Tag Manager
4.3 Functional tools
4.4 YouTube-Videos
4.5 Analysis tools
4.6 Google Analytics 4
4.7 Marketing tools
5. Online Presence in Social Networks
6. Disclosure of Data
7. Links to other Online Services and Offers
8. Data Transfer to Third Countries
9. Storage Period
10. Your Rights, in particular Withdrawal and Objection
11. Changes to the Privacy Policy

1. Controller and Contact Person

The contact person and so-called controller for the processing (hereinafter referred to as “Processing”) of your personal data when visiting this website within the meaning of the General Data Protection Regulation (GDPR) is
ARTEL AG
Dolderstrasse 107
8032 Zürich
Switzerland

If you have any questions or suggestions on the subject of data protection, please do not hesitate to contact us. You are welcome to send your data protection concerns by e-mail to datenschutz@artel.travel. You may also find our full contact details in our legal notice under:

2. Data Processing on our Website

2.1 Our website call / Connection data

Each time you use our website, we process connection data that your browser automatically transmits to enable you to visit the website. This connection data comprises the so-called HTTP header information, including the user agent, and includes in particular:

  • date and time of access;
  • name of the requested file;
  • website from which the file was requested;
  • access status (e.g. file transferred, file not found);
  • the web browser you use and the operating system of your device;
  • the IP address of the requesting device;
  • address of the requested website and path of the requested file;
  • if applicable, the previously accessed website/file (HTTP referrer);
  • version of the HTTP protocol, HTTP status code, size of the delivered file;
  • request information such as language, type of content, encoding of content, character sets;
  • cookies of the accessed domain stored on the end-device.

The data processing of this connection data is absolutely necessary to enable the website visit, to ensure the long-term functionality and security of our systems as well as for the general administrative maintenance of our website. The connection data is also stored in internal log files for the purposes described above, temporarily and limited to the most necessary content, in order to find the cause of and take action against repeated or criminal intentions that may endanger the stability and security of our website.

The legal basis for this processing is Article 6(1)(b) GDPR, insofar as the page call occurs in the course of initiating or performing a contract, and otherwise Article 6(1)(f) GDPR due to our legitimate interest in enabling the website call as well as long-term functionality and security of our systems. However, the automatic transmission of the connection data and the log files developed from it do not constitute access to the information in the end-device in the sense of the implementation laws of the ePrivacy Directive of the EU member states, in Germany section 25 TTDSG [German Telecommunications-Telemedia Data Protection Act]. For the rest, however, it would be absolutely necessary anyway.

The access data is also temporarily stored in internal log files for the purposes described above, in order to compile statistical information on the use of our website, to further develop our website with regard to the usage habits of our visitors (e.g. if the proportion of mobile devices used to access the pages increases) and for general administrative maintenance of our website. The legal basis for the data processing is Article 6(1)(f) GDPR, based on our legitimate interest in the appropriate optimisation of our website. The information stored in the log files does not allow any direct conclusions to be drawn about your person - in particular, we only store the IP addresses in shortened, anonymised form. The log files are stored for 30 days and then deleted.

Exceptionally, individual log files and IP addresses are retained longer in order to prevent further attacks from this IP address in the event of cyber attacks and/or to take action against the attackers by way of criminal prosecution.

2.2 Contact

Various options for getting in touch with us are available. This includes the contact form or also the telephone number and e-mail address as stated on the website. In this regard, we process your data exclusively for the purpose of communicating with you.

The legal basis for processing is Article 6(1)(b) GDPR, insofar as your information is required to answer your enquiry or for initiating or performing a contract, and otherwise Article 6(1)(f) GDPR, based on our legitimate interest that you can contact us and we are able to answer your request. We may only make promotional telephone calls if you have given your consent. If you are not an existing customer, we will only send you promotional e-mails based on your consent. The legal basis in these cases is Article 6(1)(a) GDPR in conjunction with section 7, para. 2, no. 1 or 2 of the German Unfair Competition Act (UWG, Gesetz gegen den unlauteren Wettbewerb).

The data we collect when you contact us shall be automatically erased after we have fully processed your request, unless we still need your request to fulfil contractual or legal obligations (cf. Clause 9 “Storage Period”).

2.3 Bookings

Our website uses the services of Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany for the administration and booking of ARTELs. Smoobu is a software for landlords of holiday homes. The ARTELs on offer may be reserved and paid for via Smoobu’s booking function.

Within the booking process, cookies may be set by Smoobu, e.g. to analyse user behaviour and to make the offer more user-friendly and effective. The cookies used include so-called “session cookies”, which are automatically deleted after the end of your visit. You may deselect or delete other cookies via the settings in your browser.

The personal data collected when booking is necessary to enable the booking process.

During the booking process, we collect the mandatory data required for the processing of the contract:

  • First and last name;
  • Date of birth;
  • E-mail address;
  • Billing and shipping address;
  • Payment information;
  • Period of stay;
  • Number of guests;
  • Selected ARTEL;
  • Booking date and time.

Providing your telephone number is optional; it allows us to also contact you this way in case of further inquiries. The legal basis of the processing is Article 6(1)(b) GDPR.

The legal basis for processing is Article 6(1)(b) GDPR, as the booking process is a pre-contractual measure.

2.4 Image upload for The Frame

When you upload an image via the App to be displayed via The Frame, processing of that image takes place on our servers.

As soon as the booking period of your stay begins, the images shall be displayed on The Frame via our system. After your booking period has expired, the images will no longer be available on The Frame. Your images remain on our servers as long as you have not deleted the images via our App.

The legal basis for the data processing is Article 6(1)(b) GDPR, as the processing of the image in our IT infrastructure is necessary for the performance of the contract.

2.5 Stripe

Stripe is an external payment service provider whose services we use to receive and process payments made to us, on our behalf. We do not retain personally identifiable information or financial information such as credit card numbers. Instead, the payment data (in particular contact and transaction data such as credit card details or bank account details) is passed through directly to Stripe.

Stripe also processes the data to detect and prevent abusive financial transactions, to implement legal requirements in the financial sector and to analyse, develop and improve its products. This processing of your personal data by Stripe is governed by their privacy policy: https://stripe.com/privacy.

The data processed includes, in particular, communication data (IP address, device identifier, operating system details).

The legal basis is Article 6(1)(b) GDPR, in order to fulfil the payment within the framework of a contract with you, and otherwise Article 6(1)(f) GDPR, whereby the use of an external payment service provider is based on our legitimate interest in being able to offer you an additional payment option with Stripe.

The data processing by Stripe partly takes place on servers in the USA. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Stripe in accordance with Article 46(2)(c) GDPR.

For further information and guidance on data processing under Stripe’s own responsibility or for Stripe’s own purposes, please refer to Stripe’s privacy policy: https://stripe.com/privacy.

2.6 Hetzner Online GmbH

The website is made available on the server of Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany.

Hetzner Online GmbH processes technical connection data of the server access (e.g. IP address, browser information, date, requested page, time) to monitor the technical function and to increase the operational security of our web server, delivery and provision of the website and anonymisation and creation of statistics.

The legal basis for this processing is Article 6(1)(b) GDPR, as the hosting is a pre-contractual measure.

3. Use of Tools on the Website

3.1 Technologies applied

When you use the App, we process connection data that your App automatically transmits to enable you to use it. This connection data comprises the so-called HTTP header information, including the user agent, and includes in particular:

  • Cookies: information stored on the end-device, consisting in particular of a name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) shall be erased after the session, while so-called persistent cookies shall be erased after the specified expiry date. Cookies may also be removed manually.
  • Web Storage (Local Storage / Session Storage): information stored on the end-device, consisting of a name and a value. Information in the session storage shall be erased after the session, while information in the local storage has no expiry date and basically remains stored unless a mechanism for erasure has been set up (e.g. storage of a local storage with time entry). Information in the local and session storage may also be removed manually.
  • JavaScript: programming codes (scripts) embedded in or called up from the website which, for example, set cookies and web storage or actively collect information from the end-device or about the usage behaviour of the visitor. JavaScript may be used for “active fingerprinting” and user profiling. JavaScript may be blocked by a setting in the browser, although most services will then no longer function.
  • Pixel: tiny graphic automatically loaded by a service, which may make it possible to recognise visitors by automatically transmitting the usual connection data (in particular IP address, information on browser, operating system, language, address called and time of call) and to determine, for example, whether an e-mail has been opened or a website visited. With the help of pixels, “passive fingerprinting” and the creation of user profiles may be carried out. The use of pixels may be prevented, for example, by blocking images, for example in e-mails, although the display is then severely restricted.

With the help of these technologies and also through the mere establishment of a connection on a page, so-called “fingerprints” may be created, i.e. user profiles that do not require the use of cookies or web storage and can still recognise visitors. Fingerprints due to connection establishment may not be completely prevented manually.

Most browsers are set by default to accept cookies, the execution of scripts and the display of graphics. However, you may usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you completely block the storage of cookies, the display of graphics and the execution of scripts, our services will probably not work or not work properly.

In the following, we list the tools we use by category, informing you in particular about the providers of the tools, the storage duration of the cookies or information in local storage and session storage, and the transfer of data to third parties. We also explain the cases in which we obtain your voluntary consent to use the tools and how you can withdraw it.

3.2 Legal Basis and Withdrawal

3.2.1 Legal basis

We use tools necessary for website operation on the basis of our legitimate interest pursuant to Article 6(1)(f) GDPR in order to provide the basic functions of our website. In certain cases, these tools may also be necessary for the performance of a contract or for steps taken prior to entering into a contract, in which case the processing is carried out in accordance with Article 6(1)(b) GDPR. Access to and storage of information in the end-device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 2 TTDSG.

We use all other non-essential (optional) tools that provide additional functions on the basis of your consent in accordance with Article 6(1)(a) GDPR. Access to and storage of information in the end-device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG. Data processing using these tools only takes place if we have received your prior consent.

If personal data is transferred to third countries (e.g. the USA), please refer to Clause 8 (“Data Transfer to Third Countries”), also with regard to any associated risks. We shall inform you if an adequacy decision exists for the third country in question or if standard contractual clauses or other guarantees have been taken for the use of certain tools. If you have given your consent to the use of certain tools and to the associated transfer of your personal data to third countries, we (also) transfer to third countries the data processed when using the tools on the basis of this consent in accordance with Article 49(1)(a) GDPR.

3.2.2 Obtaining your consent

For the collection and management of your consents we use the tool of iubenda s.r.l, Via San Raffaele, 1 - 20121 Milan, Italy (hereinafter “iubenda”). This generates a banner informing you about the data processing on our website and giving you the option to consent to all, some or no data processing through optional tools. This banner appears the first time you visit our website as well as when you revisit your settings selection to change it or withdraw consents. The banner will also appear on further visits to our website if you have deactivated the storage of cookies or if the cookies have been erased by iubenda or have expired.

Your consent or withdrawal, your IP address, information about your browser, your end-device and the time of your visit are transmitted to iubenda as part of your website visit. In addition, iubenda stores necessary information on your end-device to document any consent and withdrawal you have given: _iub_cs-[User ID] (1 year); _iubenda_rsession (session); “country” (354 days); “local” (354 days).

Data processing by iubenda is necessary to provide you with the legally required consent management and to comply with our documentation obligations. The legal basis for the use of iubenda is Article 6 (1)(f) GDPR, justified by our interest in fulfilling the legal requirements for consent management. Access to and storage of information in the end-device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 2 TTDSG.

3.2.3 Withdrawing your consent or changing your selection

You may withdraw your consent for certain tools, i.e. for the storage and access to information in end-device, the processing of your personal data and the transfer of your data to third countries, at any time with effect for the future. To do this, click on the lock symbol at the bottom right of the page. There you may also change the selection of tools you wish to consent to using as well as obtain additional information on the tools used. Alternatively, you may assert your withdrawal directly with the provider for certain tools.

4. Necessary Tools

We use certain tools to enable the basic functions of our website (“Necessary Tools”). These include, for example, tools to prepare and display website content, to manage and integrate tools, to detect and prevent fraud and to ensure the security of our website. Without these tools we could not provide our service. Therefore, Necessary Tools are used without consent.

The legal basis for Necessary Tools is the need for fulfilling our legitimate interests according to Article 6(1)(f) GDPR in the provision of the respective basic functions and the operation of our website. In cases where the provision of the respective website functions is necessary for the performance of a contract or for taking steps prior to entering into a contract, the legal basis for the data processing is Article 6(1)(b) GDPR. Access to and storage of information in the end-device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 2 TTDSG.

In the event that personal data is transferred to third countries (such as the USA), we refer to Clause 8 (“Data Transfer to Third Countries”) in addition to the information provided below.

4.1 Own tools

We use our own Necessary Tools that access information in the end-device or store information on the end-device, in particular

  • for load distribution,
  • to indicate that you have been shown information placed on our website - so that it is not shown again the next time you visit the website.

4.2 Google Tag Manager

Our website uses Google Tag Manager, a service offered to persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and to all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”).

The Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they shall only be integrated by the Google Tag Manager with your consent. The Google Tag Manager uses JavaScript and does not require the use of cookies.

The legal basis is Article 6(1)(f) GDPR, based on our legitimate interest in integrating and managing multiple tags on our website in a straightforward manner.

For the purposes of ensuring stability and functionality, Google collects information about which tags are integrated by our website within the framework of the use of Google Tag Manager. However, the Google Tag Manager does not store any personal data beyond the mere establishment of the connection, in particular no data on user behaviour or the pages visited.

In the event that personal data is transferred by Google Ireland Limited to the USA or other third countries, Google Ireland Limited and Google LLC shall have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Article 46(2)(c) of GDPR.

For data transfers to the USA, Google has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision issued by the European Commission and, for Switzerland, refers to Federal Data Protection and Information Commissioner (FDPIC) standard contractual clauses, which are intended to ensure compliance with the Swiss data protection level.

Further information is available in Google’s information on the Tag Manager: https://support.google.com/tagmanager/answer/6102821.

4.3 Functional tools

We also use optional tools to enhance your experience on our website and to provide you with more features (“Functional Tools”). While these are not strictly necessary for the basic functions of the website, they may bring significant benefits to visitors, particularly in terms of user-friendliness and the provision of additional communication, presentation or payment channels. This may include, in particular, the integration of external content such as maps and videos.

The legal basis for the Functional Tools is your consent in accordance with Article 6(1)(a) GDPR, which you give via the consent banner or with the respective tool itself by individually allowing its use via a banner (overlay) placed above it. Access to and storage of information in the end-device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG. To withdraw your consent, please see: 3.2.3 “Withdrawing your consent or changing your selection”.

In the event that personal data is transferred to third countries (such as the USA), your consent expressly extends to the data transfer (Article 49(1)(a) GDPR). For the associated risks, please refer to Clause 8 (“Data Transfer to Third Countries”).

4.4 YouTube-Videos

We have embedded videos in our website that are stored on YouTube and may be played from our websites. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA (“YouTube”), which is offered to persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”). In the process, YouTube may store information such as cookies, local storage and session storage on your end-device and execute JavaScript, which accesses information on your end-device.

We have enabled YouTube’s privacy-enhanced mode. According to YouTube’s own documentation, Google thus receives less usage information and also does not personalise the video recommendations and advertisements. Cookies are no longer stored. However, information shall still be stored in the local storage and session storage of your end-device, in particular your device ID and other information regarding the playback of the video, which may be retrieved by Google.

The following cookies may be set by YouTube:

  • “PREF” (8 months): saving settings such as autoplay and video size.

The following information is stored in the local storage:

  • “yt-remote-device-id”: storage of the device ID;
  • “yt-player-headers-readable”: storage of the possibility of reading out the player header information;
  • “yt.innertube::requests”: storage of the user’s requests;
  • “yt.innertube::nextId”: saving the ID of the next video;
  • “yt-remote-connected-devices”: storage of the connected end-devices;
  • “yt-player-bandwidth”: storage of the connection bandwidth;
  • “yt-player-volume”: saving the volume of the video;
  • “yt-player-quality”: saving the resolution/quality of the video;
  • “yt-player-performance-cap”: storage of a possible cap on resolution due to the connection bandwidth;
  • “yt-html5-player-modules::subtitlesModuleData::module-enabled”: saving whether sub-titles are activated.

The following information is stored in the session storage:

  • “yt-remote-session-app”: storage of the type of end-device;
  • “yt-remote-cast-installed”: saving whether YouTube streaming is installed;
  • “yt-remote-session-name”: storage of the type of end-device;
  • “yt-remote-cast-available”: saving whether YouTube streaming is available;
  • “yt-remote-fast-check-period”: storage of the check of the connection bandwidth;
  • “yt-player-volume”: saving the volume of the video;
  • “yt-player-caption-language-preferences”: saving the language of the sub-titles.

The legal basis for this data processing is your consent pursuant to Article 6(1)(a) GDPR. Access to and storage of information in the end-device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG. The transfer of your data to the USA and other third countries takes place on the basis of your express consent in accordance with Article 49(1)(a) GDPR.

When you visit our website, YouTube and Google receive the information that you have viewed the relevant subpage of our website. This happens irrespective of whether you are logged in at YouTube or Google or not. YouTube and Google use this data also for the purposes of advertising, market research and the tailored design of their services. If you call YouTube on our website while you are logged in to your YouTube or Google profile, YouTube and Google may additionally link this event to the respective profiles. If you do not wish the allocation, it is necessary that you log out of Google before calling up our website.

In addition to withdrawing your consent, you also have the option of disabling personalised advertising in Google’s advertising settings. In this case, Google shall only display non-individualised advertising: https://adssettings.google.com/notarget.

For further information, please refer to Google’s privacy policy, which also applies to YouTube: https://policies.google.com/privacy.

4.5 Analysis tools

In order to improve our website, we use optional tools for the recognition of visitors and for the statistical collection and analysis of general usage behaviour based on access data (“Analysis Tools”). We also use analysis services to evaluate the use of our various marketing channels. The usage information collected is aggregated and enables us to track the usage habits of our visitors. This serves to adapt and optimise the design of our website and to make the user experience more pleasant.

The legal basis for the Analysis Tools is your consent in accordance with Article 6(1)(a) GDPR. Access to and storage of information in the end-device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG. To withdraw your consent, please see: 3.2.3 “Withdrawing your consent or changing your selection”.

In the event that personal data is transferred to third countries (such as the USA), your consent expressly extends to the data transfer (Article 49(1)(a) GDPR). For the associated risks, please refer to Clause 8 (“Data Transfer to Third Countries”).

4.6 Google Analytics 4

Our website uses the Google Analytics 4 service (“Google Analytics”), which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together “Google”) for all other persons.

Google Analytics uses JavaScript and pixels to read information on your end-device and cookies to store information on your end-device. This is used to analyse your usage behaviour and to improve our website. We shall process the information obtained to evaluate your use of the website and to compile reports on website activities for the website operators. The data arising in this context may be transferred by Google to a server in the USA for analysis and stored there.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. This is done in particular for forecast readings of future visitor behaviour based on structured event data, such as predicted turnover, likelihood of purchase and likelihood of churn. The forecast readings may also be used for forecasting target groups. You may find out more about this at: https://support.google.com/analytics/answer/9846734. In addition, Google Analytics 4 models conversions, insofar as not enough data is available to optimise the evaluation and reports. Information on this may be found at: https://support.google.com/analytics/answer/10710245. The data evaluations are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find out more at: https://support.google.com/analytics/answer/9443595.

We have made the following data protection settings for Google Analytics:

  • IP anonymisation (shortening of the IP address before evaluation);
  • automatic erasure of old visit logs by limiting the storage period to 2 months;
  • no reset of the retention period for new activity;
  • disabling the collection of accurate location and position data;
  • disabling the collection of accurate device data;
  • disabled advertising function (including target group remarketing through GA Audience);
  • disabled remarketing;
  • disabled cross-device and cross-page tracking (Google Signals);
  • disabled data sharing to other Google products and services, benchmarking, technical support, account manager.

The following data is processed by Google Analytics:

  • IP address;
  • user ID, Google ID (Google Signals) and/or device ID;
  • referrer URL (the previously visited page);
  • pages accessed (date, time, URL, title, length of stay);
  • downloaded files;
  • clicked links to other websites;
  • if applicable, achievement of specific goals (conversions);
  • technical information: operating system; browser type, version, and language; device type, make, model, and resolution;
  • approximate location (country and city, if applicable, based on anonymised IP address).

Google Analytics sets the following cookies for the specified purpose with the respective storage period:

  • “_ga” (2 years), “_gid” (24 hours): recognition and differentiation of visitors by means of a user ID;
  • “_ga_[GA-ID]” (2 years): retention of the information of the current session;
  • “_gac_gb_[GA-ID]” (90 days): storage of campaign-related information and, if applicable, linking with Google Ads Conversion Tracking;
  • if necessary, “IDE” (13 months): recognition and differentiation of visitors by means of a user ID, recording of interaction with advertising, playing out of personalised advertising.

For further information on Google Analytics 4 cookies, please visit: https://support.google.com/analytics/answer/11397207?hl=de.

The legal basis for this data processing is your consent pursuant to Article 6(1)(a) GDPR. Access to and storage of information in the end-device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG.

In the event that personal data is transferred by Google Ireland Limited to the USA, Google Ireland Limited and Google LLC shall have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Article 46(2)(c) of GDPR. In addition, we shall also obtain your express consent for the transfer of your data to third countries in accordance with Article 49(1)(a) GDPR. For data transfers to the USA, Google has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision issued by the European Commission and, for Switzerland, refers to Federal Data Protection and Information Commissioner (FDPIC) standard contractual clauses, which are intended to ensure compliance with the Swiss data protection level.

For further information, please see Google’s privacy policy: https://support.google.com/analytics/answer/6004245.

4.7 Marketing tools

We also use optional tools for advertising purposes (“Marketing Tools”). Some of the access data generated when using our website is used to create user profiles, which store in particular your usage behaviour, the advertisements you have viewed or clicked on and, based on this, the classification into advertising categories, interests and preferences. By analysing and evaluating this access data, we are able to show you personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites and services of other providers.

The legal basis for the Marketing Tools is your consent in accordance with Article 6(1)(a) GDPR, which you grant individually via the consent banner. Access to and storage of information in the end-device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to section 25, para. 1 TTDSG. To withdraw your consent, please see: 3.2.3 “Withdrawing your consent or changing your selection”.

In the event that personal data is transferred to third countries (such as the USA), your consent expressly extends to the data transfer (Article 49(1)(a) GDPR). For the associated risks, please refer to Clause 8 (“Data Transfer to Third Countries”).

In the following section, we would like to explain the tools and the providers used for this purpose in more detail. The data collection may include in particular:

  • IP address of the device;
  • the information of a cookie and in the local or session storage;
  • the device identifier of mobile devices (e.g. device ID, advertising ID);
  • referrer URL (the previously visited page);
  • pages accessed (date, time, URL, title, length of stay);
  • downloaded files;
  • clicked links to other websites;
  • if applicable, achievement of specific goals (conversions);
  • technical information: operating system; browser type, version, and language; device type, make, model, and resolution;
  • approximate location (country and city, if applicable).

However, the collected data is only stored pseudonymously, so that no direct conclusions may be drawn about persons.

5. Online Presence in Social Networks

We maintain an online presence in social networks in order to communicate there with customers and interested parties, among others, and to provide information about our products and services. The users’ data is usually processed by the social networks concerned for market research and advertising purposes. In this way, user profiles may be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the computers of the data subjects. On the basis of these user profiles, advertisements are then placed within the social networks, for example, but also on third-party websites.

In the framework of the activity related to our online presence, it is possible that we may access information such as statistics on the use of our online presence provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presence (e.g. likes, subscription, sharing, viewing of images and videos) and the posts and content distributed via them. These may also provide information about the interests of users and which content and topics are particularly relevant to them. This information may also be used by us to customise the design and optimise our activities and content relating to the online presence for our audience. Please refer to the list below for details and links to the data of the social networks that we, as operators of the online presence, are able to access. The collection and usage of these statistics is usually subject to joint controllership. Where applicable, the relevant contract is listed below.

The legal basis for data processing is Article 6(1)(f) GDPR, based on our legitimate interest in effective information and communication with users, and Article 6(1)(b) GDPR, in order to stay in contact with and inform our customers and to take steps prior to entering into a contract with interested parties.

If you have an account with the social network, it is possible that we may see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This may be done, for example, via direct messages or via posted contributions. The content dissemination via the social network and the processing of content data is subject to the responsibility of the social network as a messenger and platform service. As soon as we transfer or further process personal data from you into our own systems, we are independently liable for this and this is done in order to take steps prior to entering into a contract and to fulfil a contract in accordance with Article 6 (1)(b) GDPR.

For the legal basis of the data processing carried out by the social networks under their own responsibility, please refer to the data protection information of the respective social network. The following links shall also provide you with further information on the respective data processing and the options to raise objections.
We would like to point out that data protection requests may be asserted most efficiently with the respective provider of the social network, as only these providers have access to the data and may directly take appropriate measures. Of course, you may also contact us with your request. In this case, we shall process your request and forward it to the provider of the social network.

Below is a list of information about the social networks on which we operate an online presence:

  • Facebook (USA and Canada: Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland)
  • Instagram (Meta Platforms Ireland Ltd., Serpentine Avenue, Block J, Dublin 4, Ireland)
  • Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
  • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
  • TikTok (TikTok Technology Limited, 10 Earlsfort Terrace, Co. Dublin, Dublin)

6. Disclosure of Data

The data we collect may only be passed on if:

  • you have given your express consent to this in accordance with Article 6(1)(a) GDPR,
  • the transfer is necessary according to Article 6(1)(f) GDPR for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of data,
  • we are legally obliged to disclose data according to Article 6(1)(c) GDPR or
  • this is legally permissible and required in accordance with Article 6(1)(b) GDPR for the processing of contractual relationships with you or for taking steps prior to entering into a contract, that take place at your request.

Some of the data processing described in this privacy policy may be carried out by our service providers. Should we disclose data to our service providers, they may use the data solely for the fulfilment of their tasks. The service providers were carefully selected and commissioned by us. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects, ensure an adequate level of data protection and are regularly monitored by us. In individual cases, disclosure may take place in connection with official enquiries, court orders and legal proceedings if it is necessary for legal prosecution or enforcement.

8. Data Transfer to Third Countries

As explained in this privacy policy, we use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision for these countries (Article 45 GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among others, the European Union’s standard contractual clauses and binding data protection corporate rules.

Where this is not possible, we base the data transfer on exceptions of Article 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or for taking steps prior to entering into a contract.

Where a third country transfer is envisaged and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the relevant third country (e.g. intelligence services) may gain access to the transferred data to collect and analyse it and that enforceability of your data subject rights may not be guaranteed. You shall also be informed of this when your consent is obtained via the consent banner.

Switzerland is one of the countries for which the EU Commission has determined that they have an adequate level of data protection (Adequacy Decision).

For Switzerland: Some of the recipients to whom we disclose personal data may be located abroad. Insofar as this is the case and no exception applies, including in particular your consent or the necessity of the disclosure for the fulfilment of the contract, and the Federal Council has not determined that adequate protection is guaranteed for these countries, we have taken appropriate precautionary measures to ensure appropriate data protection for any data disclosures abroad. These include standard data protection clauses that have been approved, issued or recognised in advance by the Federal Data Protection and Information Commissioner or binding internal company data protection regulations that have been approved.

9. Storage Period

In principle, we only store personal data for as long as is necessary to fulfil the purposes for which we collected data. We then erase the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes regarding claims under civil law, due to statutory retention obligations or unless there is another legal basis under data protection law for the continued processing of your data in the specific individual case.

For evidence purposes, we shall retain in particular contract data for three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred at the earliest on this date in accordance with the standard statutory limitation period.

Even after that, we shall still store some of your data for accounting reasons. We are obliged to do so due to statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The time limits specified there for the retention of documents are two to ten years.

10. Your Rights, in particular Withdrawal and Objection

You are entitled, at any time and subject to the respective legal requirements, to the rights set out in Article 7(3), Articles 15-21 and Article 77 of GDPR: 

  • Right to withdraw your consent (Article 7(3) GDPR);
  • Right to object against the processing of your personal data (Article 21 GDPR);
  • Right to information about your personal data processed by us (Article 15 GDPR);
  • Right to rectification of your personal data stored by us that is incorrect (Article 16 GDPR);
  • Right to erasure of your personal data (Article 17 GDPR);
  • Right to restriction of your personal data processing (Article 18 GDPR);
  • Right to data portability of your personal data (Article 20 GDPR);
  • Right to lodge a complaint with a supervisory authority (Article 77 GDPR).

In order to assert your rights described here, you may contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees demonstrating an adequate level of data protection. Provided that the respective legal requirements are met, we shall comply with your data protection request.

Your enquiries regarding the assertion of data protection rights and our responses to them shall be stored for documentation purposes for a period of up to three years and, on a case-by-case basis, for longer should legal claims be asserted, exercised or defended. The legal basis is Article 6(1)(f) GDPR, based on our interest in defending against any civil claims under Article 82 GDPR, avoiding fines under Article 83 GDPR and fulfilling our accountability obligations under Article 5(2) GDPR.

You have the right to withdraw consent once given to us at any time. This has the consequence that we shall no longer continue the data processing based on this consent for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Where we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your specific situation. If you object to the processing of data for direct marketing purposes, you have a general right to object, which will also be implemented by us without giving reasons.

If you wish to exercise your right of withdrawal or objection, it is sufficient to send an informal message to the above contact details.

Finally, you have the right to complain to a data protection supervisory authority at . You may exercise this right, for example, before a supervisory authority in the Member State of your residence, workplace or the place of the alleged infringement. In Zurich, where our registered office is located, the competent supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH - 3003 Bern, Switzerland.

11. Changes to the Privacy Policy

We occasionally update this privacy policy, for example, when we adapt our website or when legal or regulatory requirements change.

Version: 1.0 / As of: August 2023