Privacy policy

1) Introduction and contact details of the controller

1.1 We are pleased that you are visiting our website and thank you for your interest. Below, we inform you about how your personal data is handled when using our website. Personal data means all data by which you can be personally identified.

1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is Vitalplant GmbH, Kalchstraße 43, 87700 Memmingen, Germany, Tel.: 083314908695, Fax: 08331/80510, Email: info@vitalplant.de. The controller responsible for the processing of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

1.3 The controller has appointed a data protection officer, who can be contacted as follows: "Christian Lazar"

2) Data collection when visiting our website

2.1 When you use our website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the data that your browser transmits to the page server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:

  • The page of our website that was visited
  • Date and time of access
  • Amount of data sent in bytes
  • Source/reference from which you reached the page
  • Browser used
  • Operating system used
  • IP address used (if applicable: in anonymized form)

Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not disclosed or otherwise used. However, we reserve the right to check the server log files retrospectively if there are concrete indications of unlawful use.

2.2 For security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or inquiries to the controller), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the character string "https://" and the lock symbol in your browser line.

3) Hosting & content delivery network

3.1 For hosting our website and displaying the page content, we use a provider that provides its services itself or through selected subcontractors exclusively on servers within the European Union.

All data collected on our website is processed on these servers.

We have concluded a data processing agreement with the provider that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

3.2 Shopify

We use a content delivery network from the following provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify")

Data may also be transferred to:

  • Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada
  • Cloudflare Inc., 101 Townsend St. San Francisco, CA 94107, USA

This service enables us to deliver large media files such as graphics, page content, or scripts more quickly via a network of regionally distributed servers. Processing is carried out to safeguard our legitimate interest in improving the stability and functionality of our website pursuant to Art. 6 para. 1 lit. f GDPR. We have concluded a data processing agreement with the provider that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

For data transfers to Canada, an adequate level of data protection is ensured by an adequacy decision of the European Commission.

For data transfers to the USA, the data recipient has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

4) Cookies

To make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e. small text files that are stored on your end device. Some of these cookies are automatically deleted after the browser is closed (so-called "session cookies"), while others remain on your end device for longer and enable page settings to be saved (so-called "persistent cookies"). In the latter case, you can find the storage duration in the overview of your web browser's cookie settings.

If personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either for the performance of the contract, in accordance with Art. 6 para. 1 lit. a GDPR in the case of consent given, or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit.

You can set your browser so that you are informed about the setting of cookies and decide individually on their acceptance or exclude the acceptance of cookies for certain cases or in general.

Please note that if cookies are not accepted, the functionality of our website may be limited.

5) Contact

5.1 Shopify Inbox

This website uses the live chat system of the following provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

The processing of personal data transmitted via the chat is carried out either in accordance with Art. 6 para. 1 lit. b GDPR because it is necessary for initiating or performing a contract, or in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in effectively assisting our website visitors.
The data transmitted by you in this way will be deleted, subject to statutory retention periods to the contrary, once the matter concerned has been conclusively clarified.

In addition, for the purpose of creating pseudonymized user profiles, further information may be collected and evaluated with the help of cookies, which, however, does not serve to identify you personally and is not merged with other data sets. If this information has a personal reference, processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in the statistical analysis of user behavior for optimization purposes.

The setting of cookies can be prevented by appropriate browser settings. However, the functionality of our website may then be limited.
You may object to the collection and storage of data for the purpose of creating a pseudonymized user profile at any time with effect for the future.

Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada

We have concluded a data processing agreement with the provider that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

For data transfers to Canada, an adequate level of data protection is ensured by an adequacy decision of the European Commission.

5.2 Reviews.io

We use the services of the following provider for review reminders: REVIEWS.io 2020 GmbH, Skalitzer Str. 104, 10997 Berlin, Germany

Exclusively on the basis of your express consent in accordance with Art. 6 para. 1 lit. a GDPR, we transmit your email address and, if applicable, further customer data to the provider so that it can contact you by email with a review reminder.

You can revoke your consent at any time with effect for the future vis-à-vis us or the provider.

We have concluded a data processing agreement with the provider that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

5.3 When you contact us (e.g. via contact form or email), personal data is processed exclusively for the purpose of handling and responding to your request and only to the extent necessary for that purpose.

The legal basis for processing this data is our legitimate interest in responding to your request in accordance with Art. 6 para. 1 lit. f GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted when it can be inferred from the circumstances that the matter concerned has been conclusively clarified and provided that no statutory retention obligations prevent this.

6) Comment function

Within the scope of the comment function on this website, in addition to your comment, information on the time the comment was created and the commenter name chosen by you will be stored and published on this website. Furthermore, your IP address will be logged and stored. This storage of the IP address takes place for security reasons and in the event that the person concerned violates the rights of third parties or posts unlawful content by submitting a comment. We require your email address in order to contact you if a third party should object to your published content as unlawful.

The legal bases for storing your data are Art. 6 para. 1 lit. b and f GDPR. We reserve the right to delete comments if they are objected to as unlawful by third parties.

7) Data processing when opening a customer account

In accordance with Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed to the extent necessary if you provide it to us when opening a customer account. You can see which data is required to open an account from the input mask of the corresponding form on our website.

Your customer account can be deleted at any time by sending a message to the above-mentioned address of the controller. After deletion of your customer account, your data will be deleted provided that all contracts concluded through it have been fully processed, no statutory retention periods prevent this, and we no longer have any legitimate interest in continued storage.

8) Use of customer data for direct advertising

8.1 Subscription to our email newsletter

If you subscribe to our email newsletter, we will regularly send you information about our offers. The only mandatory information for sending the newsletter is your email address. Providing further data is voluntary and is used to address you personally. We use the so-called double opt-in procedure for sending the newsletter, which ensures that you only receive newsletters once you have expressly confirmed your consent to receive the newsletter by activating a verification link sent to the specified email address.

By activating the confirmation link, you grant us your consent to use your personal data in accordance with Art. 6 para. 1 lit. a GDPR. In doing so, we store your IP address entered by the Internet Service Provider (ISP) as well as the date and time of registration in order to be able to trace any possible misuse of your email address at a later time. The data collected by us when registering for the newsletter is used strictly for the intended purpose.

You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter or by sending a corresponding message to the controller named at the beginning. After unsubscribing, your email address will be deleted immediately from our newsletter mailing list, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

8.2 Klaviyo

Our email newsletters and other advertising email communications are sent via this provider: Klaviyo, Inc., 125 Summer St., Ste 600, Boston, MA 02110, USA

On the basis of our legitimate interest in effective and user-friendly email marketing, we pass on the data you provided during registration to this provider in accordance with Art. 6 para. 1 lit. f GDPR so that it can send emails on our behalf.

Subject to your express consent in accordance with Art. 6 para. 1 lit. a GDPR, the provider also carries out a statistical success evaluation of email campaigns using web beacons or tracking pixels in the sent emails, which can measure open rates and specific interactions with the content of the newsletter. Device information (e.g. time of retrieval, IP address, browser type, and operating system) is also collected and evaluated, but not merged with other data sets.

You can revoke your consent to email tracking at any time with effect for the future.

We have concluded a data processing agreement with the provider that protects the data of our website visitors and prohibits disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

9) Data processing for order handling

9.1 To the extent necessary for contract processing for delivery and payment purposes, the personal data collected by us will be passed on to the commissioned transport company and the commissioned credit institution in accordance with Art. 6 para. 1 lit. b GDPR.

If, on the basis of a corresponding contract, we owe you updates for goods with digital elements or for digital products, we process the contact data you transmitted when placing the order in order to inform you personally within the framework of our statutory information obligations in accordance with Art. 6 para. 1 lit. c GDPR. Your contact data will be used strictly for the purpose of notifications about updates owed by us and processed by us for this purpose only insofar as this is necessary for the respective information.

For the processing of your order, we also work together with the following service provider(s), who support us in whole or in part in performing concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.

9.2 Use of payment service providers (payment services)

- PayPal

One or more online payment methods from the following provider are available on this website: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg

If you select a payment method from the provider for which you pay in advance, your payment data communicated during the order process (including name, address, bank and payment card information, currency, and transaction number) as well as information about the contents of your order will be passed on to the provider in accordance with Art. 6 para. 1 lit. b GDPR. In this case, your data is passed on exclusively for the purpose of payment processing with the provider and only insofar as it is necessary for this.

If you select a payment method for which we pay in advance, you will also be asked during the ordering process to provide certain personal data (first and last name, street, house number, postal code, city, date of birth, email address, telephone number, and if applicable, data on an alternative payment method).

In order to safeguard our legitimate interest in determining your solvency in such cases, this data is forwarded by us to the provider for the purpose of a credit check in accordance with Art. 6 para. 1 lit. f GDPR. On the basis of the personal data you provide and other data (such as shopping basket, invoice amount, order history, payment experience), the provider checks whether the payment option you selected can be granted with regard to payment and/or default risks.

The credit information may contain probability values (so-called score values). Insofar as score values are included in the result of the credit information, they are based on a scientifically recognized mathematical-statistical procedure. Among other things, but not exclusively, address data is included in the calculation of the score values.

You can object to this processing of your data at any time by sending a message to us or to the provider. However, the provider may still be entitled to process your personal data if this is necessary for contractual payment processing.

- Shopify Payments

One or more online payment methods from the following provider are available on this website: Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

If you select a payment method from the provider for which you pay in advance (such as credit card payment), your payment data communicated during the order process (including name, address, bank and payment card information, currency, and transaction number) as well as information about the contents of your order will be passed on to the provider in accordance with Art. 6 para. 1 lit. b GDPR. In this case, your data is passed on exclusively for the purpose of payment processing with the provider and only insofar as it is necessary for this.

9.3 Electronic cancellation option for continuing obligations with consumers

Consumers who have entered into contracts for paid continuing obligations (such as subscription contracts) on this website have the option of cancelling them via an electronic button in accordance with the applicable cancellation periods.

Activating the button leads to a confirmation page on which the consumer can provide further details about the cancellation, clearly identify themselves, and then submit their cancellation electronically.

The collection of personal data and its transmission to us is carried out in accordance with Art. 6 para. 1 lit. b GDPR and only insofar as this is necessary for the proper processing of the cancellation. Also on the basis of Art. 6 para. 1 lit. b GDPR, the personal data provided is used to confirm receipt of the cancellation declaration and the time of cancellation electronically in text form. A further legal basis for processing is Art. 6 para. 1 lit. c GDPR. We are legally obliged to provide an electronic cancellation option for consumer contracts concluded by means of electronic commerce for paid continuing obligations.

10) Web analytics services

10.1 Google Analytics 4

This website uses Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), which enables analysis of your use of our website.

By default, when you visit the website, Google Analytics 4 sets cookies, which are stored as small text elements on your end device and collect certain information. This information also includes your IP address, which Google, however, shortens by removing the last digits in order to rule out any direct personal reference.

The information is transferred to Google servers and processed there further. Transfers to Google LLC based in the USA are also possible.

Google uses the collected information on our behalf to evaluate your use of the website, compile reports on website activity for us, and provide other services related to website use and internet use. The shortened IP address transmitted by your browser as part of Google Analytics is not merged with other Google data. The data collected as part of the use of Google Analytics 4 is stored for a period of two months and then deleted.

All processing described above, in particular the setting of cookies on the device used, only takes place if you have given us your express consent in accordance with Art. 6 para. 1 lit. a GDPR.
Without your consent, Google Analytics 4 will not be used during your visit to the website. You can revoke your consent at any time with effect for the future. To exercise your right of revocation, please deactivate this service via the "cookie consent tool" provided on the website.

We have concluded a data processing agreement with Google that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

Further legal information on Google Analytics 4 can be found at https://business.safety.google/intl/de/privacy/, https://policies.google.com/privacy?hl=de&gl=de and at https://policies.google.com/technologies/partner-sites

Demographic characteristics
Google Analytics 4 uses the special "demographic characteristics" function and can thereby create statistics that provide information about the age, gender, and interests of website visitors. This is done by analyzing advertising and information from third-party providers. This allows target groups for marketing activities to be identified. However, the collected data cannot be assigned to a specific person and is deleted after being stored for a period of two months.

Google Signals
As an extension of Google Analytics 4, Google Signals may be used on this website to generate cross-device reports. If you have activated personalized ads and linked your devices to your Google account, Google may, subject to your consent to the use of Google Analytics pursuant to Art. 6 para. 1 lit. a GDPR, analyze your user behavior across devices and create database models, including for cross-device conversions. We do not receive any personal data from Google, only statistics. If you wish to stop cross-device analysis, you can deactivate the "Personalized advertising" function in your Google account settings. To do this, follow the instructions on this page: https://support.google.com/My-Ad-Center-Help/answer/12155764?hl=de
Further information on Google Signals can be found at the following link: https://support.google.com/analytics/answer/7532985?hl=de

UserIDs
As an extension of Google Analytics 4, the "UserIDs" function may be used on this website. If you have consented to the use of Google Analytics 4 pursuant to Art. 6 para. 1 lit. a GDPR, have created an account on this website, and log in to this account on different devices, your activities, including conversions, can be analyzed across devices.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

10.2 Google Tag Manager

This website uses "Google Tag Manager," a service of the following provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google").

Google Tag Manager provides a technical basis for bundling various web applications, including tracking and analytics services, and calibrating, controlling, and linking them to conditions via a uniform user interface. Google Tag Manager itself does not store any information on user devices or read it. The service also does not perform any independent data analyses. However, when a page is called up, Google Tag Manager transmits your IP address to Google, where it may be stored. Transfer to servers of Google LLC in the USA is also possible.

This processing is only carried out if you have given us your express consent in accordance with Art. 6 para. 1 lit. a GDPR. Without this consent, Google Tag Manager will not be used during your visit to the website. You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service in the "cookie consent tool" provided on the website.

We have concluded a data processing agreement with the provider that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

Further legal information on Google Tag Manager can be found at https://business.safety.google/intl/de/privacy/ and https://policies.google.com/privacy?hl=de&gl=de

10.3 Shopify Analytics

This website uses the web analytics service of the following provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Data is also transferred to: Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada

Using cookies and/or comparable technologies (tracking pixels, web beacons, algorithms for reading device and browser information), the service collects and stores pseudonymized visitor data, including information about the device used such as the IP address and browser information, in order to evaluate it for statistical analyses of user behavior on our website and to create pseudonymized user profiles. Among other things, this makes it possible to evaluate movement patterns (so-called heatmaps), which show the duration of page visits as well as interactions with page content (e.g. text input, scrolling, clicks, and mouse-overs). As a rule, pseudonymization excludes direct personal reference. No merging with clear personal data collected about you in other ways takes place.

All processing described above, in particular the reading or storing of information on the device used, is only carried out if you have given us your express consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating this service in the "cookie consent tool" provided on the website.

We have concluded a data processing agreement with the provider that protects the data of our website visitors and prohibits disclosure to third parties.

For data transfers to Canada, an adequate level of data protection is ensured by an adequacy decision of the European Commission.

11) Retargeting/remarketing and conversion tracking

11.1 Meta Pixel

Within our online offering, we use the "Meta Pixel" service of the following provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta")

If a user clicks on an advertisement placed by us on Facebook and/or Instagram, the URL of our linked page is extended by a parameter using "Meta Pixel". This URL parameter is then entered into the user's browser after redirection by a cookie that our linked page itself sets.

This enables Meta, on the one hand, to determine the visitors of our online offering as a target group for the display of advertisements (so-called "ads"). Accordingly, we use the service to display the Facebook and/or Instagram ads placed by us only to users who have also shown an interest in our online offering or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Meta (so-called "custom audiences").

On the other hand, the "Meta Pixel" can be used to track whether users were redirected to our website after clicking on an advertisement and what actions they take there (so-called "conversion tracking").

The data collected is anonymous to us, so it does not allow us to draw conclusions about the identity of users. However, the data is stored and processed by Meta so that a connection to the respective user profile is possible and Meta can use the data for its own advertising purposes.

All processing described above, in particular the setting of cookies for reading information on the device used, is only carried out if you have given us your express consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating this service in the "cookie consent tool" provided on the website.

We have concluded a data processing agreement with the provider that ensures the protection of the data of our website visitors and prohibits unauthorized disclosure to third parties.

The information generated by Meta is generally transferred to a Meta server and stored there; in this context, data may also be transferred to servers of Meta Platforms Inc. in the USA.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

11.2 Google Ads Remarketing

This website uses retargeting technology from the following provider: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

For this purpose, Google sets a cookie in the browser of your device, which automatically enables interest-based advertising by means of a pseudonymous cookie ID and on the basis of the pages you visit. Any further data processing only takes place if you have agreed with Google that your internet and app browsing history will be linked by Google to your Google account and that information from your Google account will be used to personalize ads that you view on the web. If, in this case, you are logged into Google while visiting our website, Google uses your data together with Google Analytics data to create and define audience lists for cross-device remarketing. For this purpose, your personal data is temporarily linked by Google with Google Analytics data in order to form target groups. As part of the use of Google Ads Remarketing, personal data may also be transferred to the servers of Google LLC in the USA.

All processing described above, in particular the setting of cookies for reading information on the device used, is only carried out if you have given us your express consent in accordance with Art. 6 para. 1 lit. a GDPR. Without this consent, retargeting technology will not be used during your visit to the website.

You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service in the "cookie consent tool" provided on the website.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

Details on the processing initiated by Google and on Google's handling of data from websites can be found here: https://policies.google.com/technologies/partner-sites

Further information on Google's privacy policy can be found here: https://business.safety.google/intl/de/privacy/ and https://www.google.de/policies/privacy/

11.3 Google Ads Conversion Tracking

This website uses the online advertising program "Google Ads" and, within the framework of Google Ads, conversion tracking of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). We use Google Ads to draw attention to our attractive offers on external websites with the help of advertising materials (so-called Google Adwords). In relation to the data of advertising campaigns, we can determine how successful the individual advertising measures are. In doing so, we pursue the interest of showing you advertising that is of interest to you, making our website more interesting for you, and achieving a fair calculation of the advertising costs incurred.

The cookie for conversion tracking is set when a user clicks on an advertisement placed by Google. Cookies are small text files that are stored on your device. These cookies generally lose their validity after 30 days and do not serve personal identification. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognize that the user clicked on the ad and was redirected to this page. Each Google Ads customer receives a different cookie. Cookies can therefore not be tracked via the websites of Google Ads customers. The information obtained using the conversion cookie is used to create conversion statistics for Google Ads customers who have opted for conversion tracking. Customers learn the total number of users who clicked on their ad and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. As part of the use of Google Ads, personal data may also be transferred to the servers of Google LLC in the USA.

Details on the processing initiated by Google Ads Conversion Tracking and on Google's handling of data from websites can be found here: https://policies.google.com/technologies/partner-sites

All processing described above, in particular the setting of cookies for reading information on the device used, is only carried out if you have given us your express consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by deactivating this service in the "cookie consent tool" provided on the website.

You can also permanently object to the setting of cookies by Google Ads Conversion Tracking by downloading and installing the browser plug-in from Google available at the following link:
https://support.google.com/My-Ad-Center-Help/answer/12155656?hl=de

Please note that certain functions of this website may not be available or may only be available to a limited extent if you have deactivated the use of cookies.

Google's privacy policy can be viewed here: https://business.safety.google/intl/de/privacy/ and https://www.google.de/policies/privacy/

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

12) Site functionalities

Google Customer Reviews (formerly Google Certified Shops Program)

We work with Google as part of the "Google Customer Reviews" program. The provider is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). This program gives us the opportunity to obtain customer reviews from users of our website. After a purchase on our website, you will be asked whether you would like to participate in an email survey from Google.

If you give your consent in accordance with Art. 6 para. 1 lit. a GDPR, we will transmit your email address to Google. You will receive an email from Google Customer Reviews asking you to rate the purchase experience on our website. The rating you submit will then be aggregated with our other ratings and displayed in our Google Customer Reviews logo and in our Merchant Center dashboard. Your rating will also be used for Google Seller Ratings. As part of the use of Google Customer Reviews, personal data may also be transferred to the servers of Google LLC in the USA.

You can revoke your consent at any time by sending a message to the controller responsible for data processing or to Google.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision of the European Commission.

Further information on Google's privacy policy can be found here: https://business.safety.google/intl/de/privacy/

13) Tools and miscellaneous

- weclapp

For bookkeeping, we use the cloud-based accounting software of the following provider: weclapp GmbH, Friedrich-Ebert-Straße 28, 97318 Kitzingen.

The provider processes incoming and outgoing invoices as well as, if applicable, our company's bank transactions in order to automatically record invoices, match them to transactions, and create financial accounting from this in a semi-automated process.

If personal data is also processed in this context, processing is carried out on the basis of our legitimate interest in an efficient organization and documentation of our business processes in accordance with Art. 6 para. 1 lit. f GDPR.

14) Rights of the data subject

14.1 Applicable data protection law grants you the following data subject rights (rights of access and intervention) vis-à-vis the controller with regard to the processing of your personal data; for the respective requirements for exercising these rights, reference is made to the legal basis cited:

  • Right of access pursuant to Art. 15 GDPR;
  • Right to rectification pursuant to Art. 16 GDPR;
  • Right to erasure pursuant to Art. 17 GDPR;
  • Right to restriction of processing pursuant to Art. 18 GDPR;
  • Right to be informed pursuant to Art. 19 GDPR;
  • Right to data portability pursuant to Art. 20 GDPR;
  • Right to withdraw granted consents pursuant to Art. 7 para. 3 GDPR;
  • Right to lodge a complaint pursuant to Art. 77 GDPR.

14.2 RIGHT TO OBJECT

IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, FURTHER PROCESSING REMAINS RESERVED IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS, AND FUNDAMENTAL FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.

15) Duration of storage of personal data

The duration of storage of personal data is determined by the respective legal basis, the purpose of processing, and - if applicable - additionally by the respective statutory retention period (e.g. retention periods under commercial and tax law).

When personal data is processed on the basis of express consent in accordance with Art. 6 para. 1 lit. a GDPR, the data concerned is stored until you revoke your consent.

If statutory retention periods exist for data processed within the framework of legal or quasi-legal obligations on the basis of Art. 6 para. 1 lit. b GDPR, this data will be routinely deleted after expiry of the retention periods, provided that it is no longer required for contract fulfilment or contract initiation and/or we no longer have any legitimate interest in continued storage.

When personal data is processed on the basis of Art. 6 para. 1 lit. f GDPR, this data is stored until you exercise your right to object pursuant to Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.

When personal data is processed for the purpose of direct marketing on the basis of Art. 6 para. 1 lit. f GDPR, this data is stored until you exercise your right to object pursuant to Art. 21 para. 2 GDPR.

Unless otherwise stated in the other information in this declaration regarding specific processing situations, stored personal data will otherwise be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.