for the content and functions of the platform www.rebe.store (hereinafter referred to as “Services”)
Last updated: May 2025
Privacy policies are often difficult to read. We understand that. And we want to do things differently. With our privacy policy, we want to provide you with an easy-to-understand explanation of how we process your personal data. To this end, we have structured our privacy policy in a clear manner and will explain how we process your personal data in each area.
Our privacy policy is structured as follows:
The protection of your personal data and privacy is extremely important to us. That is why we want to offer you comprehensive transparency regarding the processing of your personal data (GDPR) and the storage of information on your device (TDDDG). Only when the processing of personal data and information is transparent to you as the data subject will you be sufficiently informed about the scope, purposes, and benefits of the processing.
This privacy policy applies to all processing of personal data carried out by us and to the storage of information on your end devices. It therefore applies both in the context of the provision of our services and within external online presences, such as our social media fan pages.
The controller within the meaning of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and other data protection regulations is:
ReBe secondhand UG (limited liability)
Korsörer Straße 18
10437 Berlin
Phone number: +49 1575 2646 368
Email: [email protected]
Hereinafter referred to as “responsible party” or “we”.
First of all, we would like to provide you with some introductory information about what the protection of your personal data means, what personal data is, how we process it, and what security measures we take in doing so.
Personal data (hereinafter also referred to as “data”) is individual information about the personal or factual circumstances of an identified or identifiable individual.
Individual information about personal or factual circumstances includes, for example:
The “processing” of personal data includes, for example, the following measures:
We only process personal data within the legally permissible limits. We are obliged to do so by law, in particular by the GDPR. This means that we are obliged to always be able to base data processing operations on a legal basis. These legal bases are standardized in Art. 6 (1) GDPR. Here we list the most common legal bases on which we process your personal data.
We only process personal data for specific purposes (Art. 5 (1) (b) GDPR). As soon as the purpose of the processing ceases to apply, your personal data will be deleted or protected by technical and organizational measures (e.g., by pseudonymization).
The same applies to the expiry of a prescribed storage period, except in cases where further storage is necessary for the conclusion or fulfillment of a contract. In addition, there may be a legal obligation to store data for a longer period or to transfer it to third parties (in particular to law enforcement authorities). In other cases, the storage period and type of data collected, as well as the type of data processing, depend on which functions you use in each individual case. We will be happy to provide you with information on this in individual cases, in accordance with Art. 15 GDPR.
2.3 Data categories we process
Data categories include the following data in particular:
2.4 Security measures we take
In accordance with legal requirements and taking into account the state of the technology, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the extent of the threat to your rights and freedoms, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring that your data is stored and processed confidentially, with integrity, and is readily accessible at all times. Furthermore, the security measures we implement include controls on access to your data, as well as access, input, disclosure, availability, and separation from data belonging to other natural persons. In addition, we have established procedures to ensure that data subjects' rights (see section 5) are exercised, data is deleted, and responses are provided in the event of a threat to your data. Furthermore, we take the protection of personal data into account during the development of our software and through procedures that comply with the principle of data protection through technology design and data protection-friendly default settings.
2.5 How we transfer or disclose personal data to third parties
When we process your personal data, this data may be transferred or disclosed to other entities, companies, legally independent organizational units, or individuals. These third parties may include, for example, payment institutions in connection with payment transactions, service providers entrusted with IT tasks, or providers of services and content that we have integrated into our services. If we transfer or disclose your personal data to third parties, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
2.6 This is how a transfer to a third party country occurs
If this privacy policy states that we transfer your personal data to a third party country, i.e. a country outside the EU or EEA, the following applies. The transfer to a third party country will only take place in accordance with the legal requirements. We assure you that we have contractual or legal authorization to transfer and process your data in the third party country in question. Furthermore, we only allow your data to be processed by service providers in third countries that, in our opinion, have a recognized level of data protection. This means that there is, for example, an adequacy decision between the EU and the country to which we transfer your personal data. An “adequacy decision” is a decision adopted by the European Commission in accordance with Art. 45 GDPR, which determines that a third country (i.e., a country that is not bound by the GDPR) or an international organization offers an adequate level of protection for personal data. Alternatively, for example if there is no adequacy decision, a transfer to a third country will only take place if, for example, contractual obligations between us and the service provider in the third country exist in the form of so-called standard contractual clauses of the EU Commission and further technical security measures have been taken to ensure a level of protection equivalent to that in the EU, or if the service provider in the third country has data protection certifications and your data is only processed in accordance with internal data protection regulations (Articles 44 to 49 GDPR. Information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Within the framework of the so-called “Data Privacy Framework” (“DPF”), the EU Commission has recognized the level of data protection for certain companies from the USA as secure within the framework of the adequacy decision of July 10, 2023. A list of certified companies and further information on the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). In this privacy policy, we inform you which services we use that are certified under the Data Privacy Framework.
2.7 The deletion of data
The data we process will be deleted in accordance with the legal requirements as soon as the consents permitted for processing are revoked or other permissions cease to apply (e.g., if the purpose of processing this data no longer applies or it is not necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
Within the scope of this privacy policy, we provide information, where applicable, on the deletion and storage of data that applies specifically to the respective processing process.
2.8 Storage of and access to data on your device
Unless we obtain your consent to do so, information will be stored on or accessed from your device in accordance with Section 25 (2) No. 2 of the German Act on Data Protection and Privacy in Telecommunications and Digital Services (TDDDG), as the storage of and access to this information is absolutely necessary in order to provide the desired functions of our services. If we obtain your consent, the legal basis is Section 25 (1) TDDDG. Our services use cookies, tokens, beacons, or other technologies that may be stored on your end devices and without which the provision of our services would not be possible.
Cookies, tokens, beacons, or other technologies are usually text files that are stored on your device and can be read by us and third parties when you access our services. Many of the aforementioned technologies contain their own ID. Such an ID is a unique identifier for the technology used in each case. It consists of a string of characters that can be used to assign websites and servers to the specific Internet browser or the specific service or device used in which cookies, tokens, beacons, or other technologies have been stored. This enables website operators and analysis services to identify you as a user and distinguish you from others.
2.9 Order processing
If we use external service providers to process your data, we carefully select and commission them. If the services provided by these service providers constitute order processing within the meaning of Art. 28 GDPR, the service providers are bound by our instructions and are regularly monitored. Our order processing agreements comply with the strict requirements of Art. 28 GDPR and the specifications of the German data protection authorities.
3. Rights of data subjects
If your personal data is processed, you are a “data subject” within the meaning of the GDPR and, as a data subject, you have the following rights towards us as the “data controller”:
3.1 Right to access information
You may request confirmation from the data controller as to whether personal data concerning you is being processed by us.
If such processing is taking place, you may request the following information from the controller:
3.2 Right to correction
You have the right to request that the data controller correct and/or complete your personal data if it is inaccurate or incomplete. The data controller must make the correction immediately.
3.3 Right to restriction of processing
You may request the restriction of the processing of personal data concerning yourself under the following conditions:
If processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
3.4 Right to erasure
3.4.1. You may request that the controller delete your personal data without delay, and the data controller is obliged to delete this data without delay if one of the following reasons applies:
3.4.2. If the data controller has made the personal data concerning you public and is obliged to delete it in accordance with Art. 17 (1) GDPR, it shall take reasonable steps, including technical measures, taking into account the available technology and implementation costs, to inform data processors who process the personal data that you, as the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.
3.4.3. Exceptions to the right to erasure
The right to erasure does not apply if the processing of your data is necessary for the following measures:
3.5 Right to information
If you have asserted your right to rectification, erasure, or restriction of processing against the data controller, the latter is obliged to notify all recipients to whom your personal data has been disclosed of this rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the data controller about these recipients.
3.6 Right to data transferability
You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another data controller without hindrance from the data controller to whom the personal data was provided, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transferred directly from one data controller to another, provided that this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data transferability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
3.7 Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these regulations.
The data controller will no longer process the personal data concerning you unless it is demonstrated that there are compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.
If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes; this also applies to profiling in connection with direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning yourself will no longer be processed for these purposes.
You have the option, in connection with the use of information society services, regardless of Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.
3.8 Right to revoke consent in accordance with the data protection law
You have the right to revoke your declaration of consent under the data protection law at any time. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until revocation.
The processing is lawful until you revoke your consent – the revocation therefore only affects the processing after your revocation has been received. You can declare your revocation informally by post or email. Your personal data will then no longer be processed, subject to permission being granted on another legal basis. If this is not the case, your data must be deleted immediately after revocation in accordance with Art. 17 (2) GDPR. Your right to revoke your consent subject to the above conditions is guaranteed.
Your revocation should be sent to:
ReBe secondhand UG (limited liability)
Korsörer Straße 18
10437 Berlin
Phone number: +49 1575 2646 368
Email: [email protected]
3.9 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.
3.10 Automated decisions in individual cases, including profiling
In individual cases, automated decisions, such as profiling, shall be made, unless specifically addressed in this privacy policy.
3.11 Notification obligations of the data controller
If your personal data has been disclosed to other recipients (third parties) on legal grounds, we will notify them of any correction, deletion, or restriction of the processing of your personal data (Art. 16, Art. 17 (1), and Art. 18 GDPR). The obligation to notify does not apply if it involves disproportionate effort or is impossible. We will also inform you about the recipients upon request.
4. Information about cookies and other technologies used
We use cookies, i.e., beacons, or other technologies to provide and evaluate our services and to conduct marketing using the evaluated data. Cookies are small text files that contain data from visited websites or domains and are stored on your device (computer, tablet, or smartphone). When you access a website, the cookie stored on your device sends information to the party that placed the cookie.
4.1 How we use cookies and other technologies
We want you to be able to make an informed decision for or against the use of cookies and other technologies that are not strictly necessary for the technical features of the services. Therefore, in the event that we use cookies and other technologies that require your consent, we allow you to choose which cookies and other technologies you allow in a voluntary decision when you first visit our services and then permanently in the corresponding settings. In this context, functional cookies and other technologies are mandatory for visiting our services and are therefore already permitted via our default settings. Statistics and marketing cookies and other technologies are optional. You can allow them by consenting to the setting of these cookies and other technologies in the consent banner. Alternatively, you can reject statistics and marketing cookies and other technologies. Please note that you may still see advertisements even if you reject the use of statistics and marketing cookies and other technologies. However, these advertisements will be less tailored to your interests. You can still use the full functionality of the services.
4.2 Storage duration of cookies and other technologies
Unless we provide you with explicit information about the storage period for cookies and other technologies (e.g., in the consent banner), you can assume that the storage period may be up to two years. If cookies and other technologies have been set on the basis of your consent, you have the option of revoking your consent at any time or objecting to the processing of your data by cookies/technologies (collectively referred to as “opt-out”).
4.3 Types of cookies and other technologies
We distinguish between
4.4 Consent Management
We use Klaro! as a consent management tool from KIProtect GmbH (“Klaro!”) as part of the tracking and analysis activities in our services. Klaro! collects log file and consent data using JavaScript. This JavaScript enables us to inform you about your consent to certain tags in our services and to obtain, manage, and document this consent.
We process the following data: (1) Consent data (anonymized logbook data (consent ID, processor ID, controller ID), consent status, timestamp), (2) Device data or data on the devices used (including truncated IP addresses (IP v4, IP v6), device information, timestamp), (3) User data or user information (including email, ID, browser information, setting IDs, changelog). The ConsentID (containing the above data) and the consent status, including timestamp, are stored in your browser's local memory and simultaneously on the cloud servers we use. Further processing only takes place if you submit a request for information or revoke your consent. The legal basis for processing personal data using Klaro! in accordance with the provisions set out here results from our legitimate interest and from the fulfillment of legal requirements, and thus from Art. 6 (1) lit. f and c GDPR. By using Klaro!, we want to comply with legal requirements for data protection and tracking, and thus ensure that our information technology systems function in a manner that is both legally compliant and user-centered.
5. Data processing in connection with the use of our services
The use of our services with all their functions involves the processing of personal data. We explain exactly how this works below.
5.1 Informational use of our services
Simply accessing our services for informational purposes requires the processing of the following personal data and information: browser type and version, operating system used, address of previously visited websites, IP address of the device you are using to access our services, and the time at which you accessed our services. All this information is automatically transmitted by your browser, unless you have configured it to suppress the transmission of information.
This personal data is processed for the purpose of ensuring the functionality and optimization of our services, as well as to guarantee the security of our information technology systems. These purposes are also legitimate interests pursuant to Art. 6 (1) (f) GDPR, meaning that the processing is carried out on legal grounds.
5.2 Usage during and after registration
5.2.1 Registration as a partner
Beyond the purely informational use of our services, you have the option of registering as a partner for our services and using our entire range of services, in particular to sell your products and services to interested customers via our platform. In this context, we process basic data and contact details such as your name, address, email address, and password. In addition, we automatically process connection data such as date, device information, and IP address. After registration, you have the option of using our services, which primarily consist of using our platform as a technical platform for selling your products and services to interested customers, in order to establish your own contractual relationship with the customers and then handle it responsibly. Our services enable you to receive support in various sub-processes of selling your products and services, such as in particular in the presentation, technical checkout, and payment processing. This use of our services may require the processing of personal data and information in the manner described in this section 5.
Some processing steps may also be carried out by third-party providers. Data processing by third-party providers is carried out in accordance with the terms and conditions of the relevant privacy policies. In the case of data processing with third-party providers, this may constitute order processing within the meaning of Art. 28 GDPR. This is subject to strict legal requirements, which we comply with in the course of our contractual agreements with our order processors.
The use of your data during and after registration, as well as the processing of your data in this context, is necessary in order for us to provide you with the services of our platform in the first place and to fulfill our contracts with you, i.e., on the legal basis of Art. 6 (1) (b) GDPR.
5.2.2 Setting up and using a user account as a user
As a user, you can create a user account (hereinafter also referred to as “profile”) in our services in order to use our services and their functions. If you do so, the personal data you provide there, such as basic data or contact details, will be transmitted to us by your device and stored in our information technology systems. Your IP address and the time at which the user account was created will also be stored. When you log in to your profile, our service stores tokens on your device to enable you to remain logged in, even if you have to reload our services in the meantime. By creating a profile, you can use the functions of our services.
The processing operations associated with creating a profile serve the purpose of being able to assign future usage operations and to be able to access the entire range of our services. When ordering any products and services from our partners, the processing of your data also serves the purpose of contract execution and is therefore purpose-related and necessary in accordance with Art. 6 (1) lit. b GDPR.
The storage of your IP address and the time of registration is necessary to ensure the security of our information technology systems. This is also our legitimate interest, which is why the processing is also lawful under Art. 6 (1) lit. f GDPR.
The personal data you enter will be stored until you delete this data from your profile or, at the latest, until your profile is completely deleted from our system. Contrary to this, we only process certain personal data about you if we have legal or contractual authorization to do so. This is the case, for example, if we are permitted to retain contract or payment data even after your profile has been deleted for billing or other reasons that are necessary for the proper execution of our contractual relationship.
5.2.3 Sign-on and single sign-on
There are various options available for registration or the creation of a user account. You can register or log in as described above or, if offered by us, use guest access initially.
Logging in with your email address and guest access
When you log in with your email address or use our services via guest access, an individual ID is first generated for your device and stored together with your IP address and, in the case of email registration, your email address and password.
6. Communication Services
6.1 Contact form / Contacting us by email
We process the personal data you provide us with when contacting us for the purpose of responding to your inquiry, email, or callback request. The categories of data processed in this context are basic data, contact data, content data, usage data (if applicable), connection data, and contract data (if applicable). In individual cases, we forward this data to affiliated companies or third parties that we commission to process orders. The legal basis for processing depends on the purpose of the contact. By submitting your inquiry in the contact form or by contacting us by email, you declare that you would like answers or information on specific topics. You also provide your data for this purpose. We will respond to your request as desired and process your data for this purpose. Therefore, the authorization to process your data is based on Art. 6 (1) lit. b GDPR, as we process it to respond to your request and thus to fulfill the contract in this regard.
6.2 Vision AI (AI services)
In our services, we use the AI service “Vision AI” to show you suitable suggestions for products and services from our partners based on reference images you have uploaded. The recipient of the data is
Google Ireland Limited,
Gordon House,
4 Barrow St,
Dublin,
D04 E5W5, Ireland (“Google”).
The categories of data processed are basic data, contact data, content data, usage data (if applicable), connection data, and contract data (if applicable). If Google transfers this data to a third party country (e.g., the USA), this is done on the basis of a data processing agreement concluded with Google and in accordance with standard contractual clauses agreed with Google and other security measures permitted by the GDPR, which guarantee the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). Vision AI offers us the opportunity to provide you with perfectly tailored product recommendations through its services and their integration into our services. With Vision AI, we can provide you with an intelligent system as part of the data processing for the provision of our main services, which processes all interactions in our services integrated with Vision AI in the most efficient and useful way for you.
The purpose of this data processing is therefore to provide such an advanced system that enables us to always provide you with the best possible services. Your personal data is only processed to a very limited extent. Particularly sensitive personal data is not required at all, if possible.
The legal basis for the use of Vision AI is therefore our legitimate interest. The legal basis is thus derived from Art. 6 (1) (f) GDPR.
6.3 Twilio
We use Twilio, a service tool provided by
Twilio Ireland Limited,
25-28 North Wall Quay,
Dublin 1,
Ireland,
to improve customer communication.
The categories of data processed are basic data, contact details, and contract data. This data is only exchanged in encrypted form between Twilio and our services. The main purpose of this is to ensure a secure authentication and information process for our services. This enables us, for example, to inform you even more quickly about changes to your customer account via SMS messages. Our legal basis for using Twilio is Art. 6 (1) (f) GDPR (legitimate interest), since we are interested in making authentication and information processes as simple as possible and have identified Twilio as the provider that does this in the most data-efficient and efficient way possible.
You can find the latest data protection information on Twilio and additional information on this website: https://www.twilio.com/legal/privacy.
6.4 SendGrid
So-called “transactional” emails (such as order confirmations and other emails) are sent via the US service provider SendGrid. The recipient of the data is
Twilio SendGrid, Inc.,
1801 California Street,
Suite 500,
Denver,
CO 80202, USA.
The dispatch via a specialized service provider is necessary here to ensure the delivery of the emails to your email account. In the case of transactional emails, it is of significant importance that you receive these emails (e.g., a purchase confirmation). Normal delivery via our host is not an equally suitable alternative for this purpose. If SendGrid transfers this data to a third party country (e.g., the USA), this is done on the basis of a data processing agreement concluded with SendGrid and in accordance with standard contractual clauses agreed with SendGrid and other security measures permitted by the GDPR, which guarantee the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). The legal basis for the use of SendGrid in sending these transactional emails is Art. 6 (1) lit. f GDPR, our legitimate interest. We have a legitimate interest in using a service provider for these processes who carries out the relevant communication efficiently and automatically.
7. Online Shop
If you use our online shop, we process your data for the purpose of transmitting your data to our partners from whom you have ordered the relevant products and services. They need this data, among other things, to process and deliver your orders. We also use your data to ensure the security of our information technology systems. We process your personal data to enable you to purchase the selected products, pay for them, and enable our partners to deliver them. To this end, we forward the data necessary for the payment and processing of your order to our partners.
We and our partners use service providers, in particular postal, freight forwarding, and shipping companies, to deliver our products. We or our partners use the services of banks and payment service providers to process payment transactions. Please see our explanations below. The categories of data processed in this context are basic data, contact data, usage data, connection data, contract data, and payment data. We do not pass on your data to unauthorized third parties. The legal basis for these processing measures results from
8. Payment processing
We offer various payment methods for processing payment claims. To this end, we use the payment service providers described below. We do this for the purpose of providing our services in a proper and needs-based manner. In this context, the data processed includes usage data, connection data, basic data, payment data, contact data, and contract data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract, sum, and recipient-related information. This information is necessary to carry out the transactions. The data entered is only processed and stored by the payment service providers. We do not receive any account or credit card-related information, but only information about the confirmation or rejection of the payment. Under certain circumstances, your data may be transmitted by the payment service providers to credit agencies. The purpose of this transmission is to verify your identity and creditworthiness. For more information, please refer to the terms and conditions and privacy policy of the payment service providers. The legal basis for the use of payment service providers is Art. 6 (1) (b) GDPR. We can only provide the services promised to you with our services and thus fulfill our contractual obligations if we use third parties, such as payment service providers, to process payment transactions. We have concluded a data processing agreement with each of the payment service providers to ensure that the security of your data is guaranteed at all times.
Payment Service Provider
Mollie
In our services, we offer payment via the payment provider “Mollie” in the “mollie connect” variant. The provider of this payment service is
Mollie B.V.,
Keizersgracht 313,
1016 EE Amsterdam,
Netherlands (hereinafter “Mollie”).
If you choose to pay via Mollie, the payment details you enter will be transmitted to Mollie and the selected payment provider (credit card, SOFORT Banking, Giropay, PayPal, etc.). Mollie is solely responsible for the protection and handling of the data collected by Mollie. The data transmitted to Mollie may be passed on to credit agencies by Mollie. The purpose of this transfer is to verify identity and creditworthiness. Mollie may also pass on your data to third parties if this is necessary to fulfill contractual obligations or if the data is to be processed on behalf of Mollie. In this respect, Mollie's terms of use apply, which you can access at www.mollie.com. Further information on the handling of your data can be found in Mollie's privacy policy, which is available at the following link: https://www.mollie.com/de/privacy. The legal basis for data processing is Art. 6 (1) (b) GDPR, as the processing of the data is necessary for payment with Mollie and thus for the performance of the contract.
9. Webhosting
9.1 Provision of our services
In order to provide you with our services, we use the services of a web hosting provider. Our services are accessed from the servers of this web hosting provider. For these purposes, we use the infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services provided by the web hosting provider.
The data processed includes all data that you enter in connection with your use and communication in connection with your visit to our services or that is collected from you in this context (e.g., your IP address). Our legal basis for using a web hosting provider to provide our services is Art. 6 (1) (f) GDPR (legitimate interest).
9.2 Receiving and sending emails
The web hosting services we use may also include the sending, receiving, and storage of emails. For these purposes, the addresses of the recipients of your emails and the senders, as well as other information relating to the sending of emails (e.g., the providers involved) and the content of the respective emails, are processed. The aforementioned data is processed for purposes including the detection of spam. Emails are generally not sent in encrypted form on the internet. As a rule, emails are encrypted during transport, but (unless end-to-end encryption is used) not on the servers from which they are sent and received. We therefore cannot accept any responsibility for the transmission of emails between the sender and the recipient on our server. Our legal basis for using a web hosting provider to receive and send emails is Art. 6 (1) (f) GDPR (legitimate interest).
9.3 Collection of access data and logged files
We ourselves (or our web hosting provider) collect data on every access to the server (server log files). The server log files may include the address and name of the services and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, your operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider.
The server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of malicious attacks, known as DDoS attacks), and to ensure server utilization and stability. Our legal basis for using a web hosting provider to collect access data and log files is Art. 6 (1) (f) GDPR (legitimate interest).
10. Tracking & Tools
To ensure smooth technical operation and optimal user-friendly use of our services, we use the following services:
PostHog
We use PostHog for the purpose of statistical analysis of your use of our services. We collect your IP address before it is anonymized by PostHog by truncation prior to permanent storage on their servers. PostHog enables us to understand how you use our services and how we can improve and develop them accordingly. For example, PostHog shows us which content you click on or visit repeatedly. The data processed is usage data and connection data. The recipient of the data is PostHog Inc, 965 Mission Street, San Francisco, CA 94103 USA (as joint controller, Art. 26 GDPR). If PostHog transfers this data to a third party country (e.g., the USA), this will only happen in individual cases, on the basis of a data processing agreement concluded with PostHog and in accordance with standard contractual clauses agreed with PostHog and other security measures permitted by the GDPR, which guarantee the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). The legal basis for the use of PostHog is your consent (e.g., via an opt-in in the consent banner), provided that you have given us this consent during your visit to our services, and therefore results from Art. 6 (1) (a) GDPR. Based on your consent, cookies, so-called “beacons” or similar (text) files are stored on your device and personal data is read out. If you have not given us your consent to use PostHog (no opt-in in the consent banner or revocation of your consent), we will not (no longer) use PostHog in the context of your visits to our services. Further information on PostHog's data protection can be found here https://posthog.com/privacy.
11. Newsletter distribution
With your consent (usually by subscribing), we will send you newsletters, emails, and other electronic notifications (hereinafter referred to as “newsletters”). Our newsletters generally contain technical, commercial, and promotional information about our services.
To subscribe to our newsletter, all you need to do is provide your email address. If necessary, we may ask you to provide additional information such as your name or other information.
Registration for our newsletter always takes place in a so-called double opt-in procedure. After registering for our newsletter, you will receive an email asking you to confirm your registration by clicking on a confirmation link. This confirmation is necessary to prevent someone else from signing up for a newsletter using your email address. We log newsletter registrations for the purpose of being able to verify the registration process in accordance with legal requirements. For this purpose, we store the time of registration and confirmation as well as your IP address. Changes to your data stored by the mailing service provider are also logged.
You can unsubscribe from our newsletter at any time. To do so, simply click on the “Unsubscribe” button in the footer of each newsletter. If you unsubscribe from our newsletter, your email address may be stored for up to three years on the basis of our legitimate interests before we delete it, so that we can prove your former consent.
If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure mailing system.
The legal basis for sending newsletters is your consent, provided that you have given us this consent by subscribing to the newsletter, and therefore results from Art. 6 (1) (a) GDPR. If you have not given us your consent to send newsletters, we will not send you any newsletters (anymore).
MailChimp
We use the services of MailChimp to send newsletters. MailChimp is a service that can be used, among other things, to organize and analyze the sending of newsletters. If you enter data for the purpose of receiving newsletters (e.g., email address), this data will be stored on MailChimp's servers in the USA. With the help of MailChimp, we can analyze our newsletter campaigns. When you open an email sent by MailChimp, a file contained in the email (known as a web beacon) connects to MailChimp's servers in the USA. This allows us to determine whether a newsletter message has been opened and which links, if any, have been clicked on. Technical information is also collected (e.g., time of retrieval, IP address, browser type, and operating system). This information cannot be assigned to the respective newsletter recipient. It is used exclusively for statistical analysis of newsletter campaigns. The results of these analyses can be used to better tailor future newsletters to the interests of the recipients. If you do not want MailChimp to perform any analysis, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message. You can also unsubscribe from the newsletter directly in our services. The data you provide us for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from both our servers and MailChimp's servers after you unsubscribe. Data stored by us for other purposes (e.g., email addresses for the member area) remains unaffected by this. The provider of Mailchimp and thus the recipient of the data is
Rocket Science Group LLC,
675 Ponce De Leon Ave NE,
Suite 5000,
Atlanta,
GA 30308, USA.
The transfer of your personal data to a third party country such as the USA only takes place in individual cases, on the basis of a data processing agreement concluded with MailChimp, in accordance with standard contractual clauses agreed with MailChimp and other security measures permitted by the GDPR, which guarantee the security of the processing of your personal data with a level of protection identical to that in the EU, in particular on the basis of the EU-US Data Privacy Framework (DPF). The processing of data processed in the context of sending newsletters is based on your consent (Art. 6 (1) (a) GDPR). You can revoke your consent at any time, for example via the “unsubscribe” link in the newsletter. The legality of data processing operations that have already taken place remains unaffected by the revocation.
For more details, please refer to MailChimp's privacy policy at: https://mailchimp.com/de/gdpr/.
12. Fan pages on social media sites
We and our partners maintain fan pages on social networking websites and process personal data in this context in order to communicate with active users there or to provide information about us. Please note that your data may be processed outside the European Union when you visit fan pages. The operators of the respective social networks are responsible for this. A detailed description of the respective forms of processing and the options for objection (e.g., opt-out) can be found in the privacy policies of the operators of the respective social networks. If we refer to “our” fan pages on social media platforms below, the same statements apply to the partner in each case if partners have linked their own social media profiles on their partner profile pages.
Instagram
We operate an Instagram fan page for our company on Instagram. When you visit the Instagram fan page, Meta can evaluate your usage behavior and share the information obtained from this with us (“Insights”). The page insights are used for the purposes of economic optimization and the needs-based design of our website/services. The categories of data processed may include basic data, contact details, content data, usage data, and connection data. The recipient of the data is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 (1) lit. f GDPR.
Meta is responsible for implementing your rights as a data subject. Meta will inform you about your rights as a data subject at: https://privacycenter.instagram.com/policy. You can also assert your rights against us, and we will then forward your request to Meta immediately.
TikTok
We operate a TikTok fan page for our company on TikTok. When you visit the TikTok fan page, TikTok can evaluate your usage behavior and share the information obtained from this with us. The information is used for the purposes of economic optimization and the needs-based design of our website/services. The categories of data processed may include basic data, contact details, content data, usage data, and connection data. The recipient of the data is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 (1) lit. f GDPR.
TikTok is responsible for implementing your rights as a data subject. TikTok will inform you about your rights as a data subject at: https://www.tiktok.com/legal/privacy-policy?lang=de-DE. You can also assert your rights against us, and we will then forward your request to TikTok immediately.
LinkedIn
We operate a LinkedIn fan page for our company on LinkedIn. When you visit and use the LinkedIn fan page, LinkedIn can evaluate your usage behavior and share the information obtained from this with us. This information is used for the purposes of economic optimization and the needs-based design of our website/services. The categories of data processed here are basic data, contact data, content data, usage data, and connection data. The recipient of the data is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 (1) lit. f GDPR.
LinkedIn is responsible for implementing your rights as a data subject. LinkedIn will inform you about your rights as a data subject at: https://de.linkedin.com/legal/privacy-policy. You can also assert your rights against us, and we will then forward your request to LinkedIn immediately.
YouTube
We operate a channel on YouTube for our company. When you visit and use our YouTube channel, Google may evaluate your usage behavior and share the information obtained with us. This information is used for the purposes of economic optimization and the needs-based design of our website. The categories of data processed here are basic data, contact data, content data, usage data, and connection data. The recipient of the data is Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, as joint controller in accordance with Art. 26 GDPR. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 (1) lit. f GDPR.
YouTube is responsible for implementing your rights as a data subject. YouTube provides information about your rights as a data subject at: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines. You can also assert your rights against us, and we will then forward your request to YouTube immediately.
13. Sharing feature in our services
Our services allow you to share generated images directly on your own profiles on various social networks. When you click “Share,” the social networks receive and process your IP address via corresponding plug-ins. The social networks are thus immediately informed that you were previously using our services. Some social networks use pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on our services. You can give or refuse your consent to this when using the “Share” function on social networks. Further information may also be stored in cookies on your device and may include technical information about your browser and operating system, the time of your visit to our services, and other information about your use of our services, which may be linked to information from other sources. The categories of data processed in this context are basic data, contact data, content data, usage data, and connection data. The recipients of the data are the respective operators of the social networks. The legal basis for processing the data in accordance with the provisions set out here results from our legitimate interest and thus from Art. 6 (1) lit. f GDPR. The operators of the social networks are responsible for implementing your rights as a data subject. Please inform yourself there about your rights.
We have integrated corresponding “share” links into our services for the following social networks.
Facebook: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Facebook is responsible for implementing your rights as a data subject. Facebook informs you about your rights as a data subject at: https://www.facebook.com/legal/terms/information_about_page_insights_data.
Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta is responsible for implementing your rights as a data subject. Meta provides information about your rights as a data subject at: https://privacycenter.instagram.com/policy.
TikTok: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin D02 T380, Ireland. TikTok is responsible for implementing your rights as a data subject. TikTok will inform you about your rights as a data subject at: https://www.tiktok.com/legal/privacy-policy?lang=de-DE.
LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. LinkedIn is responsible for implementing your rights as a data subject. LinkedIn will inform you about your rights as a data subject at: https://de.linkedin.com/legal/privacy-policy.