Privacy Policy

Status: August 31, 2025

Table of Contents

Controller

Axel Wehning
Bellstrasse 6
CH-6010 Kriens

Email address: support@axel-wehning.com

Legal Notice: axel-wehning.com/impressum

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of their processing, and refers to the data subjects involved.

Types of Data Processed

  • Inventory data
  • Payment data
  • Contact data
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and procedural data
  • Log data

Categories of Data Subjects

  • Service recipients and clients
  • Interested parties
  • Communication partners
  • Users
  • Business and contractual partners
  • Customers

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Reach measurement
  • Tracking
  • Office and organizational procedures
  • Audience building
  • Organizational and administrative procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Registration procedures
  • Provision of our online offering and user-friendliness
  • Information technology infrastructure
  • Public relations
  • Business processes and economic procedures

Relevant Legal Bases

Legal Bases under the GDPR: Below is an overview of the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may also apply in your or our country of residence or place of business. If, in individual cases, more specific legal bases are applicable, we will inform you of these in this Privacy Policy.

  • Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6(1)(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, data transfer, and automated individual decision-making including profiling. In addition, data protection laws of individual German federal states may apply.

Legal Bases under the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Swiss Federal Act on Data Protection (“Swiss DPA”). Unlike the GDPR, the Swiss DPA generally does not require a legal basis to be cited for the processing of personal data. However, personal data must be processed lawfully, in good faith, and proportionately (Art. 6(1) and (2) Swiss DPA). In addition, we only collect personal data for a specific, recognizable purpose and process it only in a manner compatible with that purpose (Art. 6(3) Swiss DPA).

Note on Applicability of the GDPR and Swiss DPA: These privacy notices serve to provide information under both the Swiss DPA and the GDPR. For the sake of broader applicability and comprehensibility, the terminology of the GDPR is used. In particular, instead of the terms used in the Swiss DPA such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. The legal meaning of these terms, however, continues to be determined under the Swiss DPA where it applies.

Applicability of Data Protection Regulations in the Country of the Controller’s Seat: In the country where the controller is based, national data protection regulations apply in addition to the GDPR.

Security Measures

In accordance with statutory requirements and taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of protection commensurate with the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data through control of physical and electronic access to the data, as well as control of access, input, transfer, availability, and segregation of the data. Furthermore, we have established procedures to facilitate the exercise of data subject rights, the deletion of data, and responses to data breaches. We also integrate data protection measures into the development and selection of hardware, software, and procedures in accordance with the principles of privacy by design and privacy by default.

Securing Online Connections through TLS/SSL Encryption (HTTPS): To protect user data transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) form the foundation of secure data transmission on the Internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), safeguarding the data against unauthorized access. TLS, as the evolved and more secure version of SSL, ensures that all data transmissions meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by HTTPS in the URL, signaling to users that their data is transmitted securely and encrypted.

Transfer of Personal Data

In the course of processing personal data, it may be transferred or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of such data may include service providers responsible for IT tasks or providers of services and content embedded in the website. In such cases, we comply with statutory requirements and, in particular, enter into agreements with recipients to ensure the protection of your data.

Internal Data Transfers: We may transfer personal data to other departments or units within our organization or grant them access to it. Where such transfers occur for administrative purposes, they are based on our legitimate commercial and operational interests, or they occur where necessary to fulfill contractual obligations, where consent of the data subject has been obtained, or where legally permitted.

International Data Transfers

Data Processing in Third Countries: Where personal data is transferred to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or in the context of using third-party services or disclosure of data to other persons, entities, or companies (evident from the provider’s postal address or explicitly indicated in the privacy notice), such transfers are carried out in compliance with statutory requirements.

For transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), recognized as a safe legal framework by the European Commission’s adequacy decision of 10 July 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers, compliant with EU Commission requirements, establishing contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF serves as the primary protection layer, while the SCCs provide an additional safety mechanism. Should changes occur within the DPF, the SCCs act as a reliable fallback to ensure your data remains adequately protected under any political or legal circumstances.

Providers are informed about their DPF certification status and the applicability of SCCs. Further information about the DPF and a list of certified companies is available on the U.S. Department of Commerce website: https://www.dataprivacyframework.gov/ (English language).

For transfers to other third countries, appropriate safeguards are applied, including SCCs, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found on the European Commission’s information portal: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

Disclosure of Personal Data Abroad (Switzerland): In accordance with the Swiss Data Protection Act (DPA), personal data is only disclosed abroad if adequate protection of the data subjects is ensured (Art. 16 Swiss DPA). If the Federal Council has not recognized adequate protection (list: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative safeguards.

For transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), recognized as a secure legal framework by the Swiss adequacy decision of 7 June 2024. Additionally, we have concluded Standard Data Protection Clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC), establishing contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF serves as the primary protection layer, while the Standard Data Protection Clauses act as an additional safety mechanism. Should changes occur within the DPF, the clauses serve as a reliable fallback, ensuring that your data remains adequately protected.

Providers are informed about their DPF certification and the applicability of Standard Data Protection Clauses. A list of certified companies and further information about the DPF is available at: https://www.dataprivacyframework.gov/ (English language).

For transfers to other third countries, appropriate safeguards include international agreements, specific guarantees, Standard Data Protection Clauses approved by the FDPIC, or company-internal data protection policies pre-approved by the FDPIC or a competent foreign supervisory authority.

General Information on Data Retention and Deletion

We delete personal data that we process in accordance with statutory provisions as soon as the underlying consents are revoked or no further legal grounds for processing exist. This applies in cases where the original purpose of processing ceases to exist or the data is no longer required. Exceptions to this rule exist where statutory obligations or legitimate interests necessitate longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law purposes, or whose retention is necessary for legal enforcement or the protection of the rights of other natural or legal persons, shall be archived accordingly.

Our privacy notices contain additional information regarding the retention and deletion of data that apply specifically to certain processing activities.

Where multiple retention periods or deletion deadlines are indicated, the longest period shall always apply. Data retained for reasons other than the original purpose, for instance due to statutory requirements or other legitimate grounds, shall be processed solely for the reasons justifying their retention.

Retention and Deletion of Data under German Law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balances, and related working instructions and organizational documents necessary for understanding these records (pursuant to § 147(1) No. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) No. 1 in conjunction with (4) HGB).
  • 8 years – Accounting vouchers, e.g., invoices and cost receipts (§ 147(1) No. 4 and 4a in conjunction with (3) sentence 1 AO; § 257(1) No. 4 in conjunction with (4) HGB).
  • 6 years – Other business documents: received commercial or business correspondence, copies of sent correspondence, and other documents relevant for taxation, e.g., time sheets, internal accounting records, calculation documents, price lists, as well as payroll records, unless already covered as accounting vouchers, and cash receipts (§ 147(1) Nos. 2, 3, 5 in conjunction with (3) AO; § 257(1) Nos. 2, 3 in conjunction with (4) HGB).
  • 3 years – Data required to consider potential warranty or compensation claims, or similar contractual claims and rights, as well as to process associated inquiries based on prior business experience and industry practices, retained for the duration of the statutory limitation period of three years (§§ 195, 199 BGB).

Retention and Deletion of Data under Swiss Law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balances, accounting vouchers, invoices, and all necessary working instructions and organizational documents (Art. 958f Swiss Code of Obligations (OR)).
  • 10 years – Data necessary to consider potential claims for damages or similar contractual rights, and to process associated inquiries based on prior business experience and industry practices, are retained for the statutory limitation period of ten years, unless a shorter five-year period is applicable in specific cases (Arts. 127, 130 OR). After five years, claims related to rent, lease, capital interest, periodic payments, delivery of food, hospitality, craft work, retail sales, medical services, professional services of lawyers, legal agents, procurators, notaries, and employment relationships are time-barred (Art. 128 OR).

Commencement of Retention Periods at the End of the Year: If a retention period is not explicitly set to a specific date and exceeds one year, it shall commence automatically at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships under which data is stored, the triggering event is the effective date of termination or other cessation of the legal relationship.

Rights of Data Subjects

Rights under the GDPR: As a data subject, you are entitled to various rights under the GDPR, in particular under Articles 15–21:

  • Right to Object: You have the right to object at any time to the processing of personal data concerning you, based on Art. 6(1)(e) or (f) GDPR, for reasons arising from your particular situation; this also applies to profiling based on these provisions. Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your data for such marketing purposes; this also applies to profiling in so far as it is related to such direct marketing.
  • Right of Withdrawal of Consent: You have the right to withdraw any consent previously given at any time.
  • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed and to obtain access to such data, including further information and a copy of the data, in accordance with statutory requirements.
  • Right to Rectification: You have the right to request the completion or correction of inaccurate personal data concerning you, in accordance with statutory requirements.
  • Right to Erasure and Restriction of Processing: You have the right, under statutory provisions, to request the immediate deletion of personal data concerning you, or alternatively, to request restriction of processing.
  • Right to Data Portability: You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another controller, in accordance with statutory provisions.
  • Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, workplace, or the location of the alleged infringement, if you consider that the processing of your personal data violates the GDPR.

Rights under the Swiss DPA:

As a data subject under the Swiss Data Protection Act, you are entitled to the following rights:

  • Right of Access: You have the right to obtain confirmation as to whether personal data concerning you is being processed and to receive information necessary to exercise your rights under this law and ensure transparent processing.
  • Right to Data Retrieval or Transfer: You have the right to request the transfer of personal data you have provided in a commonly used electronic format.
  • Right to Rectification: You have the right to request correction of inaccurate personal data concerning you.
  • Right to Object, Deletion, and Destruction: You have the right to object to the processing of your personal data and to request the deletion or destruction of personal data concerning you.

Business Services

We process data of our contractual and business partners, e.g., customers and prospective clients (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships, as well as associated measures, and with regard to communication with the contractual partners (including pre-contractually), for instance to respond to inquiries.

We use this data to fulfil our contractual obligations. This includes, in particular, obligations to provide the agreed services, any duties to update, and remedial measures in the event of warranty or other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative purposes associated with these obligations and for business organization. Additionally, we process the data on the basis of our legitimate interests, both to ensure proper and economically sound business management and to implement security measures to protect our contractual partners and our business operations against misuse, threats to their data, trade secrets, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). Under applicable law, we only disclose data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfil legal obligations. Further forms of processing, e.g., for marketing purposes, are communicated to contractual partners in this Privacy Policy.

The data necessary for the aforementioned purposes is communicated to contractual partners prior to or at the time of collection, for example via online forms, special markings (e.g., colors), symbols (e.g., asterisks), or in person.

We delete data upon expiry of statutory warranty and comparable obligations, generally after four years, unless the data is stored in a customer account, e.g., where retention is required for statutory purposes such as tax obligations (generally ten years). Data disclosed to us within the scope of an order by a contractual partner is deleted according to the applicable instructions and generally upon completion of the order.

  • Processed Data Types:
  • Master Data: e.g., full name, address, contact information, customer number.
  • Payment Data: e.g., bank account details, invoices, payment history.
  • Contact Data: e.g., postal and email addresses, telephone numbers.
  • Contract Data: e.g., subject matter, duration, customer category.
  • Usage Data: e.g., page views, duration of visits, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions.
  • Meta, Communication, and Procedural Data: e.g., IP addresses, timestamps, identification numbers, involved persons.
  • Data Subjects: Service recipients and clients; prospective clients; business and contractual partners.
  • Purposes of Processing: Provision of contractual services and fulfilment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative processes; business processes and operational procedures.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); legal obligation (Art. 6(1)(1)(c) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Online Shop, Order Forms, E-Commerce, and Service Fulfilment: We process customer data to enable the selection, purchase, or ordering of chosen products, goods, and related services, as well as their payment, provision, delivery, or execution. If necessary for order fulfilment, we engage service providers, in particular postal, freight, and delivery companies, to carry out the delivery or execution for our customers. Payment processing is performed using the services of banks and payment service providers. The necessary data are indicated as such during the order or similar purchase process and include information required for delivery, provision, billing, and contact to enable communication if needed. Legal Basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).

Business Processes and Procedures

Personal data of service recipients and clients—including customers, clients, and, in specific cases, mandatees, patients, or business partners, as well as other third parties—is processed in the context of contractual and comparable legal relationships, and pre-contractual measures such as the initiation of business relationships. This data processing supports and facilitates business operations in areas such as customer management, sales, payments, accounting, and project management.

The collected data is used to fulfil contractual obligations and to optimize operational processes. This includes the processing of business transactions, customer relationship management, optimization of sales strategies, and ensuring internal accounting and financial processes. Additionally, the data supports safeguarding the controller’s rights and facilitates administrative tasks and business organization.

Personal data may be disclosed to third parties if necessary to achieve the purposes described above or to comply with legal obligations. Disclosure is limited to the extent required and in compliance with data protection regulations. Possible recipients or categories of recipients include:

  • Internal units: for order processing, accounting, customer communication.
  • Payment service providers: Stripe, WooPayments, PayPal, Apple Pay, Google Pay – for payment processing.
  • Hosting providers: Hostinger (web hosting, backups, email delivery).
  • Analytics providers: Google Analytics (via Site Kit by Google, with IP anonymization).
  • Security and logging services: Jetpack (security and logging functions), WP Mail Logging (mail logs for error analysis).

Disclosure to authorities or debt collection agencies occurs only if necessary to enforce legal claims.

Where external service providers act as processors on our behalf, we conclude appropriate agreements on data processing (Art. 28 GDPR) and implement technical and organizational measures to ensure that the service providers process personal data exclusively according to our instructions and maintain an adequate level of protection. Where data is transferred to recipients in third countries outside the European Economic Area or Switzerland, we ensure in advance that adequate safeguards are in place (e.g., using Standard Contractual Clauses, contractual guarantees, or other recognized safeguards) or provide information on the relevant protection mechanism used.

Processed Data Types:

  • Master and Identification Data: first and last name, country/region, billing address, if applicable delivery address, customer number, email address.
  • Contact and Communication Data: contents of contact forms, email correspondence.
  • Contract and Order Data: order and payment status, product information, invoice numbers.
  • Payment Data: payment amount, date, payment method; card data is not stored by us but processed directly by the payment service provider.
  • Technical Data: IP address, browser and device information, date/time of access, error logs (via Jetpack and server logs).
  • Data Subjects: Service recipients and clients; prospective clients; communication partners; business and contractual partners; customers.
  • Purposes of Processing: Provision of contractual services and fulfilment of contractual obligations; office and organizational procedures; business processes and operational procedures; security measures; provision of our online offerings and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Customer Account: Customers may create an account within our online offerings (e.g., customer or user account, “customer account”). If registration is required, customers are informed about the account and the required information. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent logins and use of the account, we store the customers’ IP addresses and access times to document registration and prevent misuse. Upon account termination, data is deleted after termination unless retention is required for other purposes or legal reasons (e.g., internal storage of customer data, order processing, or invoices). Customers are responsible for securing their data upon account termination. Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).
  • Economic Analyses and Market Research: To fulfil business purposes and identify market trends and customer preferences, data from business transactions, contracts, and inquiries is analyzed. Data subjects may include contractual partners, prospective clients, customers, visitors, and users of the controller’s online offerings. Analyses serve business, marketing, and market research purposes (e.g., identifying customer groups with differing characteristics). Where available, profiles of registered users including their service usage data are considered. Analyses are used exclusively by the controller and are not disclosed externally, except for anonymized analyses with aggregated data. Privacy is respected; data is processed pseudonymously and, where feasible, anonymized (e.g., aggregated data). Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Payment Procedures

Within the scope of contractual and other legal relationships, due to statutory obligations, or on the basis of our legitimate interests, we provide the data subjects with efficient and secure payment options and, for this purpose, employ not only banks and credit institutions but also other service providers (collectively referred to as “payment service providers”).

The data processed by the payment service providers includes master data, such as name and address, banking data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as contract-, amount-, and recipient-related information. These details are required to carry out the transactions. However, the entered data is processed and stored solely by the payment service providers. This means that we do not receive account- or credit card-related information, but only confirmation or negative confirmation regarding the payment. In certain circumstances, the data may be transmitted by the payment service providers to credit reporting agencies for the purpose of identity and creditworthiness verification. We refer to the terms and conditions and the privacy policies of the payment service providers in this regard.

For payment transactions, the terms and conditions and the privacy policies of the respective payment service providers apply, which can be accessed on the respective websites or transaction applications. We also refer to these for additional information and for exercising rights of withdrawal, access, and other data subject rights.

  • Processed Data Types:
  • Master data (e.g., full name, residential address, contact information, customer number, etc.);
  • Payment data (e.g., bank details, invoices, payment history);
  • Contract data (e.g., subject matter, term, customer category);
  • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions);
  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons);
  • Contact data (e.g., postal and email addresses, telephone numbers).
  • Data Subjects: Service recipients and clients; business and contractual partners; prospective clients.
  • Purposes of Processing: Provision of contractual services and fulfilment of contractual obligations; business processes and operational procedures.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Apple Pay: Payment services (technical integration of online payment methods); service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); website: https://www.apple.com/de/apple-pay/; privacy policy: https://www.apple.com/legal/privacy/de-ww/.
  • Google Pay: Payment services (technical integration of online payment methods); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); website: https://pay.google.com/intl/de_de/about/; privacy policy: https://policies.google.com/privacy.
  • Mastercard: Payment services (technical integration of online payment methods); service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); website: https://www.mastercard.de/de-de.html; privacy policy: https://www.mastercard.de/de-de/datenschutz.html.
  • PayPal: Payment services (technical integration of online payment methods, e.g., PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); website: https://www.paypal.com/de; privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full.
  • Stripe: Payment services (technical integration of online payment methods); service provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); website: https://stripe.com; privacy policy: https://stripe.com/de/privacy; basis for third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).
  • Visa: Payment services (technical integration of online payment methods); service provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, UK; legal bases: performance of a contract and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); website: https://www.visa.de; privacy policy: https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html.
  • WooCommerce Payments: Payment services (technical processing of online payments within the shop); service provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; legal bases: performance of a contract and pre-contractual measures (Art. 6(1)(1)(b) GDPR); website: https://woocommerce.com/products/woopayments/; privacy policy: https://automattic.com/privacy/.

Provision of Online Services and Web Hosting

We process users’ data in order to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functionalities of our online services to the user’s browser or end device.

  • Processed Data Types:
  • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functionalities);
  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons);
  • Log data (e.g., log files regarding logins, data retrieval, or access times).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices, e.g., computers, servers, etc.); security measures.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Collection of Access Data and Log Files: Access to our online services is logged in the form of “server log files.” Server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volume, message on successful retrieval, browser type and version, user’s operating system, referrer URL (previously visited page), and usually IP addresses and requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (particularly in cases of abusive attacks, so-called DDoS attacks), and to ensure server capacity and stability. Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is exempted from deletion until the respective incident is finally resolved.
  • Hostinger: Services in the field of information technology infrastructure and related services (e.g., hosting, storage space, computing capacities, email services, security services); service provider: Hostinger International Ltd., 61 Lordou Vironos Street, 6023 Larnaca, Cyprus; Legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR) for the secure, stable, and efficient provision of our online services; website: https://www.hostinger.com; privacy policy: https://www.hostinger.com/privacy-policy; data processing agreement: https://www.hostinger.com/legal/data-processing-agreement.

Use of Cookies

Cookies are functionalities that store information on users’ end devices and retrieve information from them. Cookies may also be used for different purposes, such as ensuring the functionality, security, and convenience of online services, as well as generating analyses of visitor flows. We use cookies in accordance with statutory provisions. Where required, we obtain prior consent from users. Where consent is not necessary, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide expressly requested content and functions, e.g., saving settings and ensuring the functionality and security of our online services. Consent can be revoked at any time. We provide clear information about the scope and type of cookies used.

Legal Basis for Data Processing via Cookies: The processing of personal data using cookies depends on consent. If consent is given, it constitutes the legal basis. Without consent, we rely on our legitimate interests, as described above in this section and in the context of the respective services and procedures.

Retention Period:

  • Temporary Cookies (Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their end device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored after closing the end device. They may, for example, save login status or display preferred content when the user revisits a website. Cookies may also be used for audience measurement. Unless we explicitly specify the type and retention period of cookies (e.g., when obtaining consent), users should assume they are permanent, with a retention period of up to two years.

General Notes on Revocation and Objection (Opt-Out): Users can revoke consent at any time and may object to processing in accordance with statutory provisions, e.g., via the privacy settings of their browser.

Processed Data Types:

  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Legal Bases: Legitimate interests (Art. 6(1)(1)(f) GDPR); consent (Art. 6(1)(1)(a) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Processing Cookie Data Based on Consent: We employ a consent management solution through which users’ consent for the use of cookies, or for the procedures and providers specified within the consent management solution, is obtained. This procedure serves to obtain, record, manage, and revoke consent, particularly regarding the use of cookies and comparable technologies that store, read, or process information on users’ end devices. Within this procedure, users’ consents for the use of cookies and associated processing of information, including the specific processing and providers named in the consent management solution, are obtained. Users may manage and revoke their consent at any time. Consent declarations are stored to avoid repeated queries and to provide proof of consent in accordance with statutory requirements. Storage is performed server-side and/or in a cookie (so-called Opt-In Cookie) or by comparable technologies, allowing the assignment of consent to a specific user or device. Unless specific information about consent management providers is available, the following general notes apply: the storage duration of consent is up to two years. A pseudonymous user identifier is created and stored along with the time of consent, details about the scope of consent (e.g., relevant categories of cookies and/or service providers), and information about the browser, system, and device used. Legal basis: consent (Art. 6(1)(1)(a) GDPR).

Blogs and Publication Media

We use blogs or comparable online communication and publication channels (hereinafter “publication media”). Readers’ data are processed for the purposes of the publication media only to the extent necessary for its display, for communication between authors and readers, or for security reasons. Otherwise, we refer to the information on processing visitors’ data of our publication media as provided in this privacy policy.

  • Processed Data Types:
    • Master data (e.g., full name, address, contact information, customer number, etc.);
    • Contact data (e.g., postal and email addresses, telephone numbers);
    • Content data (e.g., textual or visual messages and posts, including information about authorship or creation date);
    • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functionalities);
    • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Feedback (e.g., collection of feedback via online forms); provision of our online services and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, telephone, or social media) or within the scope of existing user and business relationships, the data of the contacting persons are processed to the extent necessary to respond to inquiries and any requested measures.

  • Processed Data Types:
  • Master data (e.g., full name, address, contact information, customer number, etc.);
  • Contact data (e.g., postal and email addresses, telephone numbers);
  • Content data (e.g., textual or visual messages and posts, including information about authorship or creation date);
  • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functionalities);
  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data Subjects: Communication partners.
  • Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collection of feedback via online forms); provision of our online services and user-friendliness.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data provided to respond to and handle the respective request. This generally includes data such as name, contact information, and any additional information provided, necessary for appropriate handling. These data are used solely for the purpose of communication and handling the inquiry. Legal basis: contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR), legitimate interests (Art. 6(1)(1)(f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as “audience measurement”) is used to evaluate visitor flows on our online services and may include pseudonymous behavioral, interest, or demographic information (e.g., age or gender). Audience analysis allows us to determine peak usage times, identify which content or functions are most frequently used, and recognize areas needing optimization.

We may also use A/B testing or comparable methods to test different versions of our online services or their components for optimization purposes.

Unless otherwise stated, for these purposes, profiles may be created, aggregating data from individual usage sessions, and information may be stored on a browser or end device and later retrieved. Collected information includes visited pages, utilized elements, and technical details, such as browser and system used, as well as usage times. If users consent to the collection of their location data, processing of location data is also possible.

Additionally, users’ IP addresses are stored but pseudonymized through IP masking. No directly identifiable personal data (e.g., email addresses or names) are stored during web analysis, A/B testing, or optimization; only pseudonyms are used. Neither we nor the service providers know the actual identity of users, only the profile information stored for the respective procedures.

Legal Basis: If consent is obtained from users for the use of third-party services, the legal basis is consent. Otherwise, users’ data are processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). Reference is also made to the information on cookie usage in this privacy policy.

  • Processed Data Types:
  • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functionalities);
  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Audience measurement (e.g., access statistics, recognition of returning visitors); creation of user profiles; provision of our online services and user-friendliness.
  • Retention and Deletion: Deletion in accordance with General Information on Data Retention and Deletion. Cookies stored for up to two years (unless otherwise specified).
  • Security Measures: IP masking (pseudonymization of the IP address).
  • Legal Basis: Consent (Art. 6(1)(1)(a) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Google Analytics: We use Google Analytics to measure and analyze the use of our online services based on a pseudonymous user identification number. This identification number does not contain any personally identifiable information, such as names or email addresses. It is used to assign analytical information to a device in order to determine which content users have accessed within one or multiple sessions, which search terms they have used, revisited, or interacted with on our online services. Additionally, the time of use and its duration are recorded, as well as the sources from which users were referred to our online services and technical aspects of their devices and browsers.
    Pseudonymous profiles of users may be created from information collected across different devices, and cookies may be used. Google Analytics does not log or store individual IP addresses of EU users. However, Analytics provides coarse geographic location data derived from the following IP address metadata: city (and corresponding latitude and longitude), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this geolocation derivation and is immediately deleted afterward. The data is not logged, is not accessible, and is not used for any other purposes. When Google Analytics collects measurement data, all IP queries are performed on EU-based servers before the traffic is forwarded to Analytics servers for processing.
    Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
    Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)
    Website: https://marketingplatform.google.com/intl/de/about/analytics/
    Security measures: IP masking (pseudonymization of the IP address)
    Privacy policy: https://policies.google.com/privacy
    Data processing agreement: https://business.safety.google/adsprocessorterms/
    Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (link), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (link)
    Opt-out: https://tools.google.com/dlpage/gaoptout?hl=de, Ad personalization settings: https://myadcenter.google.com/personalizationoff
    More information: https://business.safety.google/adsservices/ (Types of processing and processed data)
  • Jetpack (WordPress Stats): Jetpack provides analytics functions for WordPress software. Service provider: Automattic Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland
    Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)
    Website: https://automattic.com
    Privacy policy: https://automattic.com/privacy
    Data processing agreement: Provided by the service provider
    Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider)
  • Google PageSpeed Insights: We use Google PageSpeed Insights to measure and optimize the loading times and technical performance of our website. Data on loading speed, technical aspects of the browser, types of devices used, and general usage metrics are collected. This information is used solely to improve website performance and user experience. PageSpeed Insights does not work with personal user profiles like Google Analytics and does not create pseudonymized user identifiers. No cookies are set, and no data is linked to individual users.
    Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
    Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR), in Switzerland: Purpose limitation
    Privacy policy: https://policies.google.com/privacy
    Third-country transfers: EU/EEA – Standard Contractual Clauses, Switzerland – Standard Contractual Clauses
    More information: https://developers.google.com/speed/pagespeed/insights/
  • Google Search Console: We use the Google Search Console to measure and analyze the use of our online services within Google Search. Data on website accesses, displayed search results, clicks, impressions, and position in Google Search are collected. This data serves to optimize our website, for example to improve discoverability, content, and user experience. The Search Console does not work with personal user profiles like Google Analytics, and individual users are not identified across devices. However, IP metadata may be processed to derive location information based on the IP address. Cookies or pseudonymous user identifiers are not used by the Search Console. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR), in Switzerland: Purpose limitation Privacy policy: https://policies.google.com/privacy Third-country transfers: EU/EEA – Standard Contractual Clauses, Switzerland – Standard Contractual Clauses
    More information and opt-out options: https://support.google.com/webmasters/answer/4559176?hl=de

Social Media Presences

We maintain online presences on social networks and, in this context, process user data to communicate with active users or provide information about us.

Please note that user data may be processed outside the European Union. This may create risks for users, as enforcement of user rights could be more difficult.

Furthermore, user data within social networks are generally processed for market research and advertising purposes. For example, usage profiles may be created based on users’ behavior and resulting interests. These profiles may be used to display advertisements both inside and outside the networks that likely match users’ interests. Accordingly, cookies are usually stored on users’ devices, recording their usage behavior and interests. Usage profiles may also contain data independently of the devices used by users (especially if they are members of the respective platforms and logged in).

For detailed information on the respective processing methods and opt-out options, we refer to the privacy policies of the respective network operators.

For requests for information and the exercise of data subject rights, please note that these are most effectively asserted directly with the providers. Only they have access to the user data and can take appropriate measures and provide information. If you need assistance, you may contact us.

  • Processed Data Types:
  • Contact data (e.g., postal and email addresses, telephone numbers);
  • Content data (e.g., textual or visual messages and posts, including authorship or creation date);
  • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functionalities).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Communication; feedback (e.g., collection of feedback via online forms); public relations.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion.
  • Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • YouTube: Social network and video platform. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Legal basis: legitimate interests (Art. 6(1)(1)(f) GDPR); Privacy Policy; third-country transfers: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF). Opt-out: https://myadcenter.google.com/personalizationoff.

Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online services, which are provided by servers of their respective providers (hereinafter referred to as “third parties”). These may include graphics, videos, or maps (collectively “content”).

Embedding these elements always requires the third-party providers to process users’ IP addresses, as content cannot be delivered to the browser without them. The IP address is therefore necessary for displaying these contents or functions. We strive to use content only from providers who use the IP address solely for content delivery.

Third parties may also use so-called pixel tags (invisible graphics, “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include technical information about the browser, operating system, referring websites, visit time, and other usage details, and may be combined with other information from other sources.

Legal Basis: If we request user consent for the use of third-party services, the legal basis for processing is consent. Otherwise, data are processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). Reference is made to the information on cookie usage in this privacy policy.

  • Processed Data Types:
  • Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functionalities);
  • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online services and user-friendliness; audience measurement (e.g., access statistics, identification of returning visitors); tracking (e.g., interest/behavior-based profiling, use of cookies); audience targeting; marketing.
  • Retention and Deletion: Deletion in accordance with the section General Information on Data Retention and Deletion. Cookies may be stored for up to two years unless otherwise specified.
  • Legal Basis: Consent (Art. 6(1)(1)(a) GDPR); legitimate interests (Art. 6(1)(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

Generated with the help of the free Privacy Policy Generator by Dr. Thomas Schwenke (datenschutz-generator.de).