2. General notes and required information

Data protection

We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. When you use this website, various personal data is collected. Personal data is data with which you can be personally identified. This privacy policy explains the data we collect and what we use it for. It also explains how and for what purpose this is done. We would like to point out that data transmission over the Internet (e.g. when communicating by e-mail) can have security gaps. Complete protection of data against access by third parties is not possible.

Note on the responsible authority

The authority responsible for data processing on this website is: 

in-akustik GmbH & Co. KG
Untermatten 12 - 14
79282 Ballrechten-Dottingen
Phone: +49 7634 5610 0
E-mail: datenschutz[at]in-akustik.de

 The responsible authority is the natural or legal person, who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).

Recipients of personal data

As part of our business activities we work together with various external agencies. In some cases it is also necessary to transfer personal data to these external agencies. We only pass on personal data to external agencies if this is necessary in the context of fulfilling a contract, if we are legally obliged to do so (e.g. passing on data to tax authorities), if we have a legitimate interest in passing on the data in accordance with art. 6 para. 1 lit. f, GDPR, or if another legal basis allows the data to be passed on. When using processors (people) we only pass on our customers' personal data on the basis of a valid contract for order processing. In the case of joint processing a joint processing agreement is concluded.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your express consent. You can withdraw any consent you have already given at any time. All you need to do is send us an informal message by e-mail. The legality of the data processing performed until the withdrawal is unaffected by the withdrawal.

Right to object to the collection of data in special cases and to direct advertising (art. 21 GDPR)

IF THE DATA PROCESSING IS BASED ON ART. 6 PARA. 1 LIT. E OR F OF THE GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION. THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. YOU WILL FIND THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR RELEVANT PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR SUCH PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENSE OF LEGAL CLAIMS (OBJECTION UNDER ART. 21 PARA. 1 OF THE GDPR). IF YOUR PERSONAL DATA IS PROCESSED FOR THE PURPOSE OF DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT ADVERTISING. IF YOU OBJECT, YOUR PERSONAL DATA WILL THEN NO LONGER BE USED FOR THE PURPOSE OF DIRECT ADVERTISING (OBJECTION UNDER ART. 21 PARA. 2 OF THE GDPR).

Right to lodge a complaint with the competent supervisory authority

If you believe that we are not handling your personal data in accordance with the law, you have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority for data protection issues for our company is the State Data Protection Officer of Baden-Württemberg:

The State Commissioner for Data Protection and Freedom of Information
P.O. Box 10 29 32
70025 Stuttgart

Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a standard, machine-readable format. If you request the direct transfer of the data to another responsible authority, this will only be done where it is technically feasible.

SSL or TLS encryption

This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You will recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Information, correction and deletion

Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if necessary, a right to correction or deletion of this data. You can contact us at any time if you have further questions on the subject of personal data.

Objection to advertising e-mails

We hereby object to the use of contact data published in the context of the imprint obligation to send unsolicited advertising and information material. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam e-mails.

Right to restriction of processing

You have the right to request the restriction of the processing of your personal data. You can contact us at any time for this purpose. The right to restriction of processing exists in the following cases:

If you dispute the accuracy of your personal data stored by us, we usually need time to check this. For the duration of the check, you have the right to request that the processing of your personal data be restricted.

If the processing of your personal data was/is performed unlawfully, you can request the restriction of data processing instead of deletion.

If we no longer need your personal data, but you need it to exercise, defend or assert legal claims, you have the right to request the restriction of the processing of your personal data instead of deletion.

If you have lodged an objection in accordance with art. 21 (1), GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to demand the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this data – apart from its storage – may only be processed with your consent or to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the European Union or of one of its member states.

3. Data protection officer

We have appointed a data protection officer for our company.

Net-Base Consulting & Solutions GmbH
Internet services / data protection / data security
Weißerlenstraße 3
79108 Freiburg
E-mail: datenschutz[at]in-akustik.de

4. Data collection on our website

Cookies

Our websites use "cookies". Cookies are small data packets and do not cause any damage to your devices. They are either stored temporarily for the duration of a session (session cookies) or permanently (permanent cookies) on your device. Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your device until you delete them yourself or they are automatically deleted by your web browser.

Cookies may originate from us (first-party cookies) or from third-party companies (third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping cart function or the display of videos). Other cookies can be used to evaluate user behavior or for advertising purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping cart function) or to optimize the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of art. 6 para. 1 lit. f, GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically fault-free and optimized provision of their services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (art. 6 para. 1 lit. a, GDPR, and § 25 para. 1, TTDSG). Consent can be withdrawn at any time.

You can set your browser so you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

You will find out which cookies and services are used on this website in this privacy policy.

CookieFirst

Our website uses CookieFirst to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies and to document these in compliance with data protection regulations. The provider of this technology is Digital Data Solutions B.V. (CookieFirst), Plantage Middenlaan 42A, 1018 DH Amsterdam, The Netherlands (hereinafter referred to as "CookieFirst").

When you open our website, a connection is established to the CookieFirst servers in order to obtain your consent and other declarations regarding the use of cookies. CookieFirst then stores a cookie in your browser in order to be able to assign the consents given or their withdrawal to you. The IP address (anonymized), the user agent of the browser and operating system and the URL from which consent was given are processed and integrated into CookieFirst. The data collected in this way is stored until you ask us to delete it, delete the CookieFirst cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory storage obligations are unaffected.

CookieFirst transmits personal data to third-party providers. These include CDN from Slovenia, IP geolocalization from Romania and hosting at OHV in Germany and France. CookieFirst is headquartered in Amsterdam, the Netherlands.

CookieFirst is used to obtain the legally required consent for the use of cookies. The legal basis for this is art. 6 para. 1 sentence 1 lit. c, GDPR.

Order processing: We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that the personal data of our website visitors will only be processed in accordance with our instructions and in compliance with the GDPR.

Server log files

This website is hosted externally. The personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

External hosting is carried out for the purpose of performing the contract with our potential and existing customers (art. 6 para. 1 lit. b, GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (art. 6 para. 1 lit. f, GDPR). If a corresponding consent has been requested, the processing is carried out exclusively on the basis of art. 6 para. 1 lit. a, GDPR, and § 25 para. 1, TTDSG, provided the consent includes the storage of cookies or access to information in the user's device (e.g. device fingerprinting) under the terms of the TTDSG. Consent can be withdrawn at any time.

Our hoster will only process your data to the extent necessary to meet their performance obligations and follow our instructions with regard to this data.

We use the following hoster: Timme Hosting, 21335 Lüneburg

Order processing: We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that the personal data of our website visitors will only be processed in accordance with our instructions and in compliance with the GDPR.

Processing customer and contract data

We collect, process and use personal customer and contract data to establish, structure and amend our contractual relationships. We collect, process and use personal data about the use of this website (usage data) only insofar as this is necessary to enable or charge the user for the use of the service. The legal basis for this is art. 6 para. 1 lit. b, GDPR.

The collected customer data will be deleted after completion of the order or termination of the business relationship and expiry of any existing statutory storage periods. Statutory storage periods remain unaffected.

Data transmission with conclusion of contract for online stores, retailers and goods shipping

If you order goods from us, we will pass on your personal data to the transport company entrusted with the delivery and to the payment service provider commissioned to process the payment. Only the data required by the respective service provider to perform their task will be disclosed. The legal basis for this is art. 6 para. 1 lit. b, GDPR, which permits the processing of data for the performance of a contract or pre-contractual measures. If you have given your consent in accordance with art. 6 para. 1 lit. a, GDPR, we will pass on your e-mail address to the transport company entrusted with the delivery, so it can inform you by e-mail about the shipping status of your order. You can withdraw your consent at any time.

Credit checks

With a purchase on account or another payment method where we make advance payments, we may carry out a credit check (scoring). For this purpose we transmit the data you enter (e.g. name, address, age or bank details) to a credit agency. The probability of default is determined on the basis of this data. With an excessive risk of non-payment, we may refuse the payment method in question.

The credit check is performed on the basis of contractual performance (art. 6 para. 1 lit. b, GDPR) and to avoid payment defaults (legitimate interest according to art. 6 para. 1 lit. f, GDPR). If consent has been obtained, the credit check is performed on the basis of this consent (art. 6 para. 1 lit., GDPR). The consent can be withdrawn at any time.

For details see item 14, SCHUFA information. click here

5. Analysis tools and advertising

Google Tag Manager

We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that enables us to integrate tracking or statistics tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store any cookies and does not perform any independent analyses. It is only used to manage and display the tools integrated via it. However, Google Tag Manager records your IP address, which may also be transmitted to Google's parent company in the United States.

The Google Tag Manager is used on the basis of art. 6 para. 1 lit. f, GDPR. The website operator has a legitimate interest in the fast and uncomplicated integration and management of various tools on their website. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of art. 6 para. 1 lit. a, GDPR, and § 25 para. 1, TTDSG, provided the consent includes the storage of cookies or access to information in the user's device (e.g. device fingerprinting) under the terms of the TTDSG. Consent can be withdrawn at any time.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every DPF-certified company undertakes to comply with these data protection standards. Further information can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

Google Analytics

This website uses functions of the web analysis service, Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data is assigned to the user's respective device. There is no assignment to a user ID.

We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modeling methods to supplement the collected data records and uses machine learning technologies for data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.

The use of this service is based on your consent in accordance with art. 6 para. 1 lit. a, GDPR, and § 25 para. 1, TTDSG. Consent can be withdrawn at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You will find details here: https://privacy.google.com/businesses/controllerterms/mccs/.

The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every DPF-certified company undertakes to comply with these data protection standards. Further information can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active

IP anonymization

Google Analytics IP anonymization is activated. Your IP address will therefore be shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and Internet usage to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.

Browser plug-in

You can prevent the collection and processing of your data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. You will find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Order processing: We have concluded an order processing contract with Google and fully meet the strict requirements of the German data protection authorities when using Google Analytics.

Google Analytics e-commerce measurement

This website uses the "e-commerce measurement" function of Google Analytics. With the help of e-commerce measurement, website operators can analyze the purchasing behavior of website visitors to improve their online marketing campaigns. Information such as orders placed, average order values, shipping costs and the time from viewing to purchasing a product is recorded. This data can be summarized by Google with a transaction ID that is assigned to the respective user or their device.

Facebook Pixel

This website uses Facebook's visitor action pixel to measure conversions. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.

This allows the behavior of site visitors to be tracked after they have been redirected to the provider's website by clicking on a Facebook ad. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and future advertising measures to be optimized.

The data collected is anonymous for us as the operator of this website. We cannot draw any conclusions about the identity of the user. The data is however stored and processed by Facebook, so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Usage Policy. This enables Facebook to place advertisements on Facebook pages and outside of Facebook. This use of the data cannot be influenced by us as the website operator.

The use of Facebook Pixel is based on art. 6 para. 1 lit. f, GDPR. The website operator has a legitimate interest in effective advertising measures, including social media. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is performed exclusively on the basis of art. 6 para. 1 lit. a, GDPR. The consent can be withdrawn at any time.

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You will find details here: www.facebook.com/legal/EU_data_transfer_addendum und de-de.facebook.com/help/566994660333381.

You will find further information on protecting your privacy in Facebook's privacy policy: de-de.facebook.com/about/privacy/

You can also deactivate the “Custom Audiences” remarketing function in the settings for advertisements at www.facebook.com/ads/preferences/ You must be logged in to Facebook to do this.

If you do not have a Facebook account, you can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: www.youronlinechoices.com/de/praferenzmanagement/

6. Plug-ins and tools

Youtube

Our website uses plug-ins from YouTube, which is operated by Google. The operator of the sites is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit one of our sites equipped with a YouTube plug-in, a connection is made to the YouTube servers. This tells the YouTube server which of our sites you have visited. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. YouTube is used to provide an appealing presentation of our online offers. This constitutes a legitimate interest under the terms of art. 6 para. 1 lit. f, GDPR. You will find further information on the handling of user data in YouTube's privacy policy at: www.google.de/intl/de/policies/privacy

Use of DooFinder

1. Scope of personal data processing

We use functionalities of the Doofinder search function plug-in from Doofinder S.L., Rufino Gonzalez 23, 28037, Madrid, Spain (hereinafter: Doofinder).

Doofinder offers a smart search technology to help website visitors navigate our website. Doofinder provides, for example, the option of completing search queries, searching for images or refining product searches using a filter.

Doofinder processes your IP address here.

You will find further information on data processing by Doofinder here: www.doofinder.com/de/privacy-policy

2. Purpose of data processing

The IP address is processed for security reasons, in order to detect and prevent conspicuous or suspicious behavior. We use the plug-in to provide our website visitors reliable and fast search results.

3. Legal basis for personal data processing

The legal basis for data processing is art. 6 para. 1 sentence 1 lit. f, GDPR. Our legitimate interest is in the purposes of data processing given under 2.

4. Storage period

Your IP address will be deleted after 90 days. Your personal information will be stored for as long as necessary for the purposes described in this privacy policy or as required by law, e.g. for tax and accounting purposes.

5. Possibility of objection and removal

You can prevent the collection and processing of your personal data by Doofinder by preventing the storage of third-party cookies on your computer, using the "Do Not Track" function of a supporting browser, deactivating the execution of script code in your browser or installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.

You will find further information on objection and removal options vis-à-vis Doofinder at: www.doofinder.com/de/privacy-policy

Phonoent

In order to give visitors to our website the opportunity to listen to excerpts of sound recordings before purchasing them, we have included content from PHONONET GmbH, Bei der Pulvermühle 7a, D-22453 Hamburg, on the relevant sites. We do this on the basis of art. 6 para. 1 lit. f, GDPR, and to provide the most comprehensive customer service possible.

You will find information on data processing by PHONENET here: www.phononet.de/datenschutz/

7. Entering into a business relationship with us

If you wish to enter into a business relationship with in-akustik as a specialist dealer (B2B), we require some basic information about the company, including personal data, before entering into a business relationship. In detail, we collect the following data with our customer master data sheet:

Data and legal basis:

Required information::

• Company 
• Proprietor / Managing Director / Legal form 
• Street, zip code, district, phone and fax number
• Payment method and account details, if direct debit is requested 
• Tax number / Tax office
• HCR entry (CR excerpt, business registration is required)
•  ILN no.

Further information, if available:

• Internet / E-mail address
•  Cooperation, cooperation number 
• Delivery address

We process this data on the basis of art. 6 para. 1 lit. a (consent – you provide us with this data voluntarily), art. 6 para. 1 lit. b (contract or pre-contractual measures) and art. 6 para. 1 lit. f (legitimate interests – in-akustik wants to ensure that others, apart from commercial customers, are included in the customer base).

Forwarding your data:

Your data will be passed on internally for checking. In addition, we may also carry out a credit check and use the services of Euler Hermes here. Read the Euler Hermes privacy policy here: https://www.eulerhermes.de/datenschutz.html

Following approval, your data will be available to all employees involved in order processing.

As soon as you are registered with us as a specialist dealer, your contact details may be passed on to enquiring end customers, suppliers or other partners if this is necessary for processing our agreed contractual services.

Registered specialist dealers are also listed on our website: www.in-akustik.de/wer-wir-sind/haendler-distributoren/

Storage period::

Your customer master data sheet will be stored by us for the duration of our business relationship. If no specialist trade contract is concluded, your completed customer master data sheet will be destroyed immediately.

Your rights:

You have the right to withdraw your consent given above with immediate effect. Mandatory statutory provisions, in particular retention periods, are unaffected. The rights mentioned under item 2 of this privacy policy also apply.

8. Contacting us as a private individual

Feedback cards: : 

We are very much interested in finding out what we can do better or which products you particularly like as a "user". We therefore enclose feedback cards with some of our products, which you can return to us at your own volition. The cards are collected by us. We store your feedback electronically, without any personal references. The cards themselves are disposed of over the course of a year in compliance with data protection regulations. 

Registration and warranty cards: 

You can register some in-akustik products with us. We process the data that you send to us with the respective card. These are usually your address and contact details. We manage this data in a separate database and we use it exclusively to secure your claims (warranty processing) or to advise you (e.g. based on your request for suitable supplementary products). Once a year after you have submitted your warranty or registration card we will send you a "birthday letter" to inform you about suitable new products or to give you the opportunity to give us constructive criticism. 

Data processing with orders via our “Test listening store” 

To process your order we only process the necessary data that you have sent to us as part of the order form (hereinafter: "Contract data"). The contract data in particular includes: 

• Name
• Address
• E-mail

Data processing for the aforementioned purpose is performed on the basis of art. 6 para. 1 lit. b), GDPR (contractual performance). We store your contract data for as long as this is necessary to perform the stated purpose (process your order, billing). Thereafter we only store the contract data for as long as and to the extent that we are legally required or permitted to do so (e.g. to exercise legal claims).

Why do we process this data and what rights do you have? 

We process this data exclusively in order to continuously improve our services and product quality (art. 6 para. 1 lit. a, GDPR – your consent, you provide us with this data voluntarily, and art. 6 para. 1 lit. f, GDPR – legitimate interests), or to process warranty services (art. 6 para. 1 lit. b, GDPR – contractual performance). We will not transfer your data to third parties, unless you have expressly consented to this. There is no automated decision-making. You have the right to withdraw your consent given above with immediate effect. Mandatory statutory provisions, in particular retention periods, are unaffected. The rights mentioned under item 2 of this privacy policy also apply.

9. Making applications to us

Why do we process this data? 

We process your application data exclusively for the purpose of selecting suitable applicants for employment. We do this on the basis of art. 88 of the GDPR in conjunction with § 26 of the FDPA (new), "Data processing for the purposes of the employment relationship".

Your application data may be forwarded internally to the following points: HR department, management, specialist department with the corresponding HR requirements or department requesting HR. We do not transfer data to countries outside the EU, nor do we use automated decision-making.

Storage period

 Your application data will be transferred to your HR file if you are hired. If you are not hired, your data will be deleted within six months unless you give us your express consent in text form to store your data in our applicant pool. You can withdraw this consent at any time. 

 Your rights 

 You have the right to withdraw your consent given above with immediate effect. Mandatory statutory provisions, in particular retention periods, are unaffected. The rights mentioned under item 2 of this privacy policy also apply.

10. Visiting our Facebook or Instagram page

Data processing with social networks

We maintain publicly accessible profiles in social networks. The individual social networks we use are listed below. 

Social networks such as Facebook, Instagram, etc. can generally analyze your user behavior in detail when you visit their website or a website with integrated social media content (e.g. “Like” buttons or advertising banners). 

Visiting our social media presences triggers numerous data protection-relevant processing operations. 

In detail: 

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media portal. In this case this data collection is made, for example, via cookies that are stored on your device or by recording your IP address. 

With the help of the data collected in this way, the operators of the social media portals can create user profiles, in which your preferences and interests are stored. Interest-based advertising can then be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices you are logged in on or were logged in on. 

Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing operations may therefore be performed by the operators of the social media portals.

For details please see the terms of use and data protection provisions of the respective social media portals.

Legal basis  

Our social media presence is designed to ensure the most comprehensive online presence possible. This is a legitimate interest under the terms of art. 6 para. 1 lit. f, GDPR.

The analysis processes initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks (e.g. consent under the terms of art. 6 para. 1 lit. a, GDPR).  

Responsible party and assertion of rights 

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered with this visit. You can assert your rights (information, correction, deletion, restriction of processing, data portability and complaints), both against us and against the operator of the respective social media portal (e.g. against Facebook).

Please note that, despite the joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options depend largely on the company policy of the respective provider. 

Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for its storage no longer applies, you request us to delete it, withdraw your consent to storage, or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory provisions, in particular retention periods, are unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details please contact the operators of the social networks directly (e.g. in their privacy policy, see below). 

Facebook 

We have a profile on Facebook. The provider is Facebook Inc, 1 Hacker Way, Menlo Park, California 94025, USA. 

Instagram 

We have a profile on Instagram. The provider is Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland 

You will find a joint Facebook and Instagram data policy here: https://de-de.facebook.com/about/privacy/

11. Data processing when renting products for trial via our “Test listening store”

To process your order we only process the necessary data that you have sent to us as part of the order form (hereinafter: "Contract data"). The contract data in particular includes:

12. Payment services

We integrate third-party company payment services on our website. When you make a purchase with us, your payment details (e.g. name, payment amount, account details, credit card number) are processed by the payment service provider for the purpose of payment processing. The respective contractual and data protection provisions of the respective providers apply for these transactions. The payment service providers are used on the basis of art. 6 para. 1 lit. b, GDPR (contract processing) and in the interest of a smooth, convenient and secure payment process (art. 6 para. 1 lit. f, GDPR). Where your consent is requested for certain actions, art. 6 para. 1 lit. a, GDPR is the legal basis for data processing. Consent can be withdrawn at any time with immediate effect.

We use the following payment services/payment service providers on this website:

PayPal

The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter referred to as "PayPal").

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You will find details here: www.paypal.com/de/webapps/mpp/ua/pocpsa-full

You will find details in PayPal's privacy policy: www.paypal.com/de/webapps/mpp/ua/privacy-full

Stripe

The provider for customers within the EU is Stripe Payments Europe, Ltd, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (hereinafter referred to as "Stripe").

Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You will find details here: www.stripe.com/de/privacy und www.stripe.com/de/guides/general-data-protection-regulation

You will find details on this in Stripe's privacy policy at the following link: www.stripe.com/de/privacy

Klarna (via Stripe)

The provider is Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter referred to as "Klarna"). Klarna offers various payment options (e.g. installment purchase). If you choose to pay with Klarna (Klarna Checkout solution), Klarna will collect various personal data from you. Klarna uses cookies to optimize the use of the Klarna Checkout solution. You will find details on the use of Klarna cookies at the following link: www.cdn.klarna.com/1.0/shared/content/policy/cookie/de_de/checkout.pdf

You will find details on this in Klarna's privacy policy at the following link: www.klarna.com/de/datenschutz/

Instant bank transfer (via Stripe)

The provider of this payment service is Sofort GmbH, Theresienhöhe 12, 80339 Munich (hereinafter referred to as "Sofort GmbH"). With the aid of the "Instant bank transfer" procedure, we receive a payment confirmation from Sofort GmbH in real time and can immediately begin to meet our obligations. If you have opted for the "Instant bank transfer" payment method, you send the PIN and a valid TAN to Sofort GmbH, with which it can log into your online banking account. After logging in, Sofort GmbH automatically checks your account balance and makes the transfer to us using the TAN you have sent. It then immediately sends us a transaction confirmation. After logging in, your revenue, the credit limit of the overdraft facility and the existence of other accounts and their balances are also checked automatically. In addition to the PIN and the TAN, the payment data entered by you and your personal data will also be sent to Sofort GmbH. Your personal data includes your first and last name, address, telephone number(s), e-mail address, IP address and any other data required for payment processing. This data transfer is necessary to establish your identity beyond doubt and to prevent fraud attempts. You will find details on instant bank transfer payment at the following links: www.sofort.de/datenschutz.html und www.klarna.com/sofort/

Mastercard

The provider of this payment service is Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium (hereinafter referred to as "Mastercard").

Mastercard may transfer data to its parent company in the USA. Data transfer to the USA is based on Mastercard's Binding Corporate Rules. You will find details here: www.mastercard.de/de-de/datenschutzt und www.mastercard.us/content/dam/mccom/global/documents/mastercard-bcrs.pdf

VISA

The provider of this payment service is Visa Europe Services Inc, London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom (hereinafter referred to as "VISA").

The UK is considered a safe third country under data protection law. This means the UK has a level of data protection that corresponds with the level of data protection in the European Union.

VISA may transfer data to its parent company in the USA. Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You will find details here: www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zu-zustandigkeitsfragen-fur-den-ewr.html

You will find further information in VISA's privacy policy: www.visa.de/nutzungsbedingungen/visa-privacy-center.html

American Express

The provider of this payment service is American Express Europe S.A., Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany (hereinafter referred to as "American Express").

American Express may transfer data to its parent company in the USA. Data transfer to the USA is based on the Binding Corporate Rules. You will find details here: www.americanexpress.com/en-pl/company/legal/privacy-centre/european-implementing-principles/

You will find further information in the American Express privacy policy: www.americanexpress.com/de/legal/online-datenschutzerklarung.html

Diners Club

The provider of this payment service is “card complete Service Bank AG”, Lassallestraße 3, 1020 Vienna, Austria (hereinafter referred to as "Diners Club").

For transactions abroad, the necessary information may be processed for the purpose of payment processing by the local credit card organization of the respective country and by "DFS Services LLC" and its subsidiaries, "Diners Club International LTD" and "Pulse Network LLC" (based in the USA), and thus outside the EU or the EEA. This transfer is necessary for contractual performance pursuant to art. 49 para. 1 lit. b, GDPR. You will find DFS Services LLC’s privacy policy at www.dinersclub.com/privacy-policy

You will find further information in Diners Club's privacy policy: www.dinersclub.de/datenschutz

13. Attending one of our webinars

Audio and video conferencing, data processing

We use online conferencing tools, among other things, to communicate with our customers. The individual tools we use are listed below. If you communicate with us by video or audio conference via the Internet, your personal data will be collected and processed by us and the provider of the respective conference tool.

The conference tools collect all data here that you provide/enter to use the tools (e-mail address and/or your phone number). The conference tools also process the duration of the conference, the start and end (time) of participation in the conference, the number of participants and other "context information" connected with the communication process (metadata).

The provider of the tool also processes all technical data required for managing the online communication. This in particular includes IP addresses, MAC addresses, device IDs, device type, operating system type and version, client version, camera type, microphone or speaker and the type of connection.

If content is exchanged, uploaded or provided in any other way within the tool, this is also stored on the tool provider's servers. Such content in particular includes cloud recordings, chat/instant messages, voice mails, uploaded photos and videos, files, whiteboards and other information shared while using the service.

Please note that we do not have full control over the data processing operations of the tools used. Our options depend largely on the company policy of the respective provider. You will find further information on data processing by the conference tools in the privacy policies of the respective tools used, which we have listed below this text.

Purpose and legal basis

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (art. 6 para. 1 lit. b, GDPR). Tools are also used for the general simplification and acceleration of communication with us or our company (legitimate interest under the terms of art. 6 para. 1 lit. f, GDPR). Where consent has been requested, the tools in question are used on the basis of this consent. Consent can be withdrawn at any time with immediate effect.

Storage period

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you ask us to delete it, withdraw your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your device until you delete them. Mandatory statutory storage periods are unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details please contact the operators of the conference tools directly.

Conference tools used

We use the following conference tools:

edudip

We use edudip from edudip GmbH, Jülicher Straße 306, 52070 Aachen, Germany. You will find information on data protection when using edudip here: www.edudip.com/de/sicherheit

Conclusion of an order processing contract: We have concluded an order processing contract with the provider of edudip.

Webinaris

We use the Webinaris software to organize and manage online webinars. The provider is Webinaris GmbH, Bussardstr. 5, 82166 Gräfelfing, Germany (hereinafter "Webinaris").

If you attend one of our Webinaris webinars, your personal data will be stored on the Webinaris servers for the purpose of managing the event. This concerns the following data:

• E-mail-address
• Browser and system data
•  IP address 
• Language and time zone 
• Chat data 
• Other data you have entered yourself (e.g. name, phone number or customer number, support requests, chat messages) 
• Usage data from webinars (e.g. access figures, application histories, registration for and participation in a webinar, access to certain pages, etc.)

This data is stored by Webinaris for a specific purpose and is deleted after the purpose no longer exists. The legal basis for using Webinaris is art. 6 para. 1 lit. b, GDPR (contractual performance) and our legitimate interest in the professional management of our webinars (art. 6 para. 1 lit. f, GDPR). If a corresponding consent has been requested, the processing is performed exclusively on the basis of art. 6 para. 1 lit. a, GDPR. The consent can be withdrawn at any time.

Order processing: We have concluded an order processing agreement (OPA) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the personal data of our website visitors will only be processed in accordance with our instructions and in compliance with the GDPR.

13. Subscribing to our newsletter

Newsletter data

If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or is only collected on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.

The data entered in the newsletter registration form is processed exclusively on the basis of your consent (art. 6 para. 1 lit. a, GDPR). You can withdraw your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, via the "unsubscribe" link in the newsletter, for example. The legality of the data processing operations already performed is unaffected by the withdrawal.

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter, and deleted from the newsletter distribution list after you unsubscribe from the newsletter or after the purpose for this no longer exists. We reserve the right to delete or block e-mail addresses from our newsletter distribution list at our own discretion within the scope of our legitimate interest pursuant to art. 6 para. 1 lit. f, GDPR.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest under the terms of art. 6 para. 1 lit. f, GDPR). Storage in the blacklist has no time limit. You can object to the storage if your interests outweigh our legitimate interest.

Rapidmail

This website uses Rapidmail to send newsletters. The provider is rapidmail GmbH, Augustinerplatz 2, 79098 Freiburg i.Br., Germany.

Rapidmail is a service that can be used to organize and analyze the sending of newsletters, among other things. The data you enter for the purpose of subscribing to the newsletter will be stored on Rapidmail's servers in Germany.

Data analysis by Rapidmail

For the purpose of analysis, the e-mails sent with Rapidmail contain a "tracking pixel", which connects to the Rapidmail servers when the e-mail is opened. It can then be determined whether a newsletter message has been opened.

We can also use Rapidmail to determine whether and which links in the newsletter message are clicked on. All links in the e-mail are tracking links, with which your clicks can be counted. If you do not wish to be analyzed by Rapidmail, you must unsubscribe from the newsletter. We provide a link for this purpose in every newsletter message.

You will find out more about Rapidmail’s analysis functions at the following link: www.rapidmail.de/hilfe/kategorie/statistiken

Legal basis

The data is processed on the basis of your consent (art. 6 para. 1 lit. a, GDPR). You can revoke this consent at any time. The legality of the data processing operations already performed is unaffected by the withdrawal.

Storage period

The data you provide us with for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter, and deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data stored by us for other purposes is unaffected by this.

After you unsubscribe from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest under the terms of art. 6 para. 1 lit. f, GDPR). Storage in the blacklist has no time limit. You can object to the storage if your interests outweigh our legitimate interest.

For further information, please see Rapidmail's data security information at: www.rapidmail.de/datensicherheit.

Conclusion of an order processing contract: We have concluded a contract with Rapidmail, in which we oblige Rapidmail to protect our customers' data and not pass it on to third parties. This contract can be viewed at the following link: de.rapidmail.wiki/files/adv/muster-auftragsdatenverarbeitung.pdf

14. SCHUFA information

1. Name and contact details of the responsible authority and the company data protection officer

SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany, tel.: +49 (0) 6 11-92 78 0

SCHUFA's company data protection officer can be contacted at the above address, attn.: Data Protection Department or by e-mail to datenschutz@schufa.de.

2. Data processing by SCHUFA

2.1) Purposes of data processing and legitimate interests performed by SCHUFA or a third party.

SCHUFA processes personal data to provide authorized recipients information to assess the creditworthiness of natural persons and legal entities. Score values are also calculated and transmitted for this purpose. It will only provide the information if a legitimate interest in it has been credibly demonstrated in the individual case and processing is permissible after weighing up all interests. The legitimate interest here is in particular provided before beginning transactions with a financial default risk. Credit scoring serves to protect recipients from losses in the lending business and at the same time opens up the possibility of protecting borrowers from excessive debt with bad advice. The data is also processed for fraud prevention, seriousness checks, money laundering prevention, identity and age checks, address verification, customer care or risk management, as well as tariffing or conditioning. SCHUFA will inform you of any changes to the purposes of data processing in accordance with art. 14 (4), GDPR.

2.2) Legal basis for data processing

SCHUFA processes personal data on the basis of the provisions of the General Data Protection Regulation. Processing is performed on the basis of consent and on the basis of article 6(1)(f), GDPR, provided processing is necessary for the purposes of the legitimate interests pursued by the responsible authority or by a third party and such interests are not outweighed by the interests or fundamental rights and freedoms of the person in question, who requires the protection of personal data. Consent can be withdrawn at any time vis-à-vis the contractual partner in question. This also applies to consents that were granted before the GDPR came into force. Withdrawal of consent does not affect the lawfulness of the personal data processed up to the time of withdrawal.

2.3) Origin of the data

SCHUFA receives its data from its contractual partners. These are institutions, financial companies and payment service providers based in the European Economic Area and in Switzerland and, if applicable, other third countries (provided that a corresponding adequacy decision of the European Commission exists for these) that bear a financial default risk (e.g. banks, savings banks, cooperative banks, credit card, factoring and leasing companies), as well as other contractual partners who use SCHUFA products for the purposes mentioned in item 2.1, in particular from the (mail order) trade, e-commerce, service, rental, energy supply, telecommunications, insurance or debt collection sectors. SCHUFA also processes information from generally accessible sources, such as public directories and official announcements (debtor directories, insolvency announcements).

2.4) Categories of personal data that are processed (personal data, payment history and contract compliance)

• Personal data, e.g. surname (including previous names, if applicable, which are provided on separate request), first name, date of birth, place of birth, address, previous addresses 
• Information on the contractual performance of a transaction (e.g. current accounts, installment loans, credit cards, seizure protection accounts, basic accounts)
• Information on undisputed, due and repeatedly reminded or enforceable claims and their settlement 
• Information on misuse or other fraudulent behavior, such as identity or creditworthiness fraud 
• Information from public directories and official announcements 
• Score values

2.5) Personal data recipient categories

Recipients are contractual partners based in the European Economic Area, Switzerland and, if applicable, other third countries (provided that a corresponding adequacy decision by the European Commission exists for these) in accordance with item 2.3. Other recipients may be external SCHUFA contractors in accordance with art. 28, GDPR, as well as external and internal SCHUFA offices. SCHUFA is also subject to the statutory intervention powers of government agencies.

2.6) Data storage period

SCHUFA only stores personal information for a certain period of time. The decisive criterion for determining this time is necessity. SCHUFA has set standard deadlines for checking the necessity for further storage or deletion of personal data. The basic storage period for personal data is therefore three years to the day after it has been processed. Deviating from this the following, for example, will be deleted:

• Information on inquiries after twelve months to the day
• Information on fault-free contract data on accounts that are documented without the claim based on them (e.g. current accounts, credit cards, telecommunications accounts or energy accounts), information on contracts for which the evidence check is provided for by law (e.g. seizure protection accounts, basic accounts) as well as guarantees and commercial accounts that are managed on a credit basis, immediately after notification of termination.
• Data from the debtor registers of the central enforcement courts after three years to the day, but earlier if SCHUFA is provided proof of deletion by the central enforcement court. 
• Information on consumer/insolvency proceedings or residual debt discharge proceedings to the day three years after the end of the insolvency proceedings or granting of residual debt discharge. In exceptional individual cases, earlier deletion may also be possible. 
• Information on the rejection of an insolvency application due to lack of assets, the termination of security measures or the refusal of residual debt discharge after three years to the day.
• Personal addresses are stored for three years to the day, after which the necessity of continued storage for a further three years is reviewed. They are then deleted daily, unless longer storage is required for identification purposes.

3. Rights of those affected

Vis-à-vis SCHUFA, each person affected has the right of access in accordance with art. 15, GDPR, the right to rectification in accordance with art. 16, GDPR, the right to deletion in accordance with art. 17, GDPR and the right to restriction of processing in accordance with art. 18, GDPR. SCHUFA has set up a private customer service center for the concerns of affected persons, which can be reached by writing to SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne, by telephone at +49 (0) 6 11-92 78 0 and via an Internet form at www.schufa.de. You can also contact the supervisory authority responsible for SCHUFA, the Hessian Data Protection Officer. Consent can be withdrawn at any time vis-à-vis the contractual partner in question.

Pursuant to art. 21 para 1, GDPR, data processing may be objected to on grounds relating to the particular situation of the affected person. The objection can be made in any form and should be addressed to SCHUFA Holding AG, Privatkunden ServiceCenter, Postfach 10 34 41, 50474 Cologne.

4. Profiling (scoring)

The SCHUFA information can be supplemented by score values. With the scoring a forecast of future events is made on the basis of information gathered and past experiences. All score values are calculated by SCHUFA on the basis of the information stored about a person affected at SCHUFA, which is also shown in the information pursuant to art. 15, GDPR. SCHUFA also takes the provisions of § 31 FDPA into account with the scoring. Based on the entries stored for a person, an assignment is made to statistical groups of people who have had similar entries in the past. The method used is known as "logistic regression" and is a well established, mathematical-statistical method for forecasting risk probabilities, which has been tried and tested in practice for many years.

The following types of data are used by SCHUFA to calculate scores, although not every type of data is included in every individual score calculation: General data (e.g. date of birth, gender or number of addresses used in business transactions), previous payment defaults, credit activity last year, credit utilization, length of credit history and address data (only if little personal credit-relevant information is available). Certain information is neither stored nor taken into account with the calculation of scores, e.g.: Information on nationality or special categories of personal data, such as ethnic origin or information on political or religious beliefs in accordance with art. 9, GDPR. The assertion of rights in accordance with the GDPR, e.g. access to the information stored by SCHUFA in accordance with art. 15, GDPR, does not have any influence on the score calculation either.

The transmitted score values support the contractual partners in their decision-making and are incorporated into the risk management. The risk assessment and evaluation of creditworthiness is carried out solely by the direct business partner, as only they have the required sufficient amount of additional information – from a credit application, for example. This applies even if they rely solely on the information and scores provided by SCHUFA. In any case, a SCHUFA score alone is not a sufficient reason to refuse conclusion of a contract.

Further information on credit scoring or the identification of conspicuous circumstances is available at www.scoring-wissen.de.