Privacy Policy


We are delighted that you have expressed an interest in (hereinafter “Online Service” or “Website”). We take the protection of your data very seriously and want you to feel safe when using our Online Service. This privacy policy provides details of the personal data (hereinafter “Data” ) that we collect and how we use it. The term “User” comprises all customers (in particular CNC manufacturers and CNC buyers) and visitors to our Online Service. The terms used such as “User” are gender-neutral.


Orderfox AG

Industriering 3

9491 Ruggell

Principality of Liechtenstein

Commercial Register No.: Office of Justice, Principality of Liechtenstein, Commercial Register, No. FL-0002.542.971-6

Managing Director: Dr. Wilhelm Klagian (joint signatures of two persons)

Phone Number: +423 375 2500


The Controller is hereinafter also referred to as “we” or “us”.

Description of our services and objectives:

Running of an online platform for CNC manufacturers and CNC buyers. The online platform serves as a partner platform for CNC manufacturers and CNC buyers, enabling them (the users) to place interactive ads on the website and using intelligent filters to assist with their coming together.

Type of processed data:

– Inventory data (e.g., customer master data, such as names, addresses).

– Contact details (e.g., e-mail, phone numbers).

– Content Data (e.g., text input, photographs, videos).

– Contract Data (e.g., subject matter of the contract).

– Payment Data (e.g., bank details, payment history).

– Usage Data (e.g., visited websites, interest in content, access times).

– Meta/communication Data (e.g., device IDs, IP addresses).

Processing of special categories of Data (Art. 9 (1) GDPR):

No special categories of Data are processed.

Categories of data subjects:

– Users / Customers / prospective customers / business partners.

– Visitors and users of the online service.

In the following, we will also summarise the data subjects as “Users”.

Purpose of Processing:

– Provision of our services, its contents and functions.

– Server hosting, domain registration, Software-as-a-Service (SaaS) services

– Provision of contractual services, customer care and support.

– Response to contact requests and communication with Users.

– Marketing, advertising and market research.

– Security measures.

Automated individual decision-making (Art. 22 GDPR):

We do not use exclusively automated individual decision-making.

Note on legal basis:

– If we process data from Users from the EU/EEC, the legal basis of the GDPR stated below shall apply.

– In all other respects, we process the data on the basis of the data protection law applicable to the Principality of Liechtenstein. I.e. in this case the following information applies, but on the basis of the law of the Principality of Liechtenstein and not the aforementioned GDPR standards.

– Where other mandatory data protection regulations apply to Users who are consumers, these data protection regulations shall take precedence.

As of: July 2020


1. Terms used

1.1.”Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.2.”Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.3.”Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

1.4.”Profiling” means any automated processing of personal data consisting in the use of such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this includes information regarding age, gender, location and movement data, interaction with websites and their contents, shopping behaviour, social interactions with other people) (e.g. interests in certain contents or products, click behaviour on a website or the location). Cookies and web beacons are often used for profiling purposes.

1.5.”Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; E.g. if an exact interest profile of the computer User is stored in a cookie (a ‘marketing avatar’), but not the name of the User, then data is processed pseudonymously. If his name is stored, e.g. as part of his e-mail address or his IP address is stored, then the processing is no longer pseudonymous.

1.6.”Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

2. Relevant Legal Basis for the Processing

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not explicitly stated in the Privacy Policy, the following applies: The legal basis for obtaining consents is Art. 6 (1) a and Art. 7 GDPR, the legal basis for processing for the performance of our services and performance of contractual measures as well as for answering inquiries is Art. 6 (1) b GDPR, the legal basis for processing to fulfil our legal obligations is Art. 6 (1) c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) f. GDPR. In the event that the vital interests of the Data Subject or another natural person require the processing of personal data, Article 6 (1) d GDPR serves as the legal basis.

3. Changes and Updates to this Privacy Policy

We ask you to keep yourself regularly informed about the contents of our Privacy Policy. We will adapt the Privacy Policy as soon as any changes in data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

4. Security of Data Processing

4.1.We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of Data Subjects’ rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).

4.2.The security measures include in particular the encrypted transmission of data between your browser and our server.

4.3.Employees are bound to confidentiality with regard to data protection, are instructed, monitored, and informed of possible liability consequences.

5. Disclosure and Transmission of Data

5.1.If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1) b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).

5.2.If we commission third parties with the processing of data on the basis of a so-called ‘Data Processing Agreement’, this is done on the basis of Art. 28 GDPR.

5.3.If we disclose, transfer or otherwise grant access to data to other companies in our Group of Companies (Undertakings), this is done in particular for administrative purposes as a legitimate interest and in addition on the basis of a Data Processing Agreement.

6. Transfers to Third Countries

If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. compliance with officially recognised special contractual obligations (so-called ‘Standard Contractual Clauses’).

7. Rights of Data Subjects

7.1.You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.

7.2.You have correspondingly. In accordance with Article 16 of the GDPR, the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.

7.3.In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.

7.4.You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

7.5.In accordance with Art. 77 GDPR, you also have the right to file a complaint with a supervisory authority.

8. Right of Withdrawal

You have the right to withdraw consents granted pursuant to Art. 7 (3) GDPR with effect for the future.

9. Right to Object

You can object to the future processing of the data concerning you in accordance with Art. 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.

10. Cookies and Right to Object in Direct Marketing

10.1. ‘Cookies’ are small files that are stored on the User’s computer. Within the cookies, different data can be stored. A cookie is primarily used to store information about a User (or the device on which the cookie is stored) during or after his or her visit to an online service. Temporary cookies, or ‘session cookies’ or ‘transient cookies’, are cookies that are deleted after a User leaves an online service and closes his browser. In such a cookie, for example, the content of a shopping basket in an online shop or a login status can be stored. Cookies that remain stored even after the browser is closed are referred to as ‘permanent’ or ‘persistent’. For example, the login status can be saved when Users visit it after several days. Likewise, the interests of Users used for web analytics or marketing purposes may be stored in such a cookie. ‘Third-party cookies’ are cookies that are served by providers other than the Controller for operating the online services (otherwise, if they are only the Controller’s cookies, they are referred to as ‘first-party cookies’). We may use temporary and permanent cookies and clarify this in the context of our Privacy Policy.

10.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

10.3.We also use cookies to store consents or objections to the use of cookies.

10.4. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of our online services.

10.5. A general objection to the use of cookies used for online marketing purposes can be declared for many of the services, especially in the case of tracking, via the US site or the EU site Furthermore, the storage of cookies can be achieved by deactivating them in the browser settings.

11. Erasure of data and archiving obligations

The data processed by us will be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this Privacy Policy, the data stored by us will be erased as soon as it is no longer required for its intended purpose and there are no legal obligations to retain it. If the data are not erased because they are necessary for other and legally permissible purposes, their processing is restricted. This means that the data is excluded and not processed for other purposes. This applies, for example, to data that must be retained for commercial or taxation reasons.

12. Purposes of data processing

12.1.We process your Data for the purposes of delivering the functions of our Online Service requested by you and to fulfil our contractual, business and other legal obligations (among other things, provision and performance of our services and guaranteeing efficient customer service and technical support). Data processing comprises the transmission or disclosure of Data to third parties if this serves to fulfil our contractual or legal obligations (e.g. brokering jobs between CNC manufacturers and CNC buyers) or if this is necessary for invoicing purposes (e.g. transfer of Data to a payment service provider).

12.2.We additionally process your Data in accordance with the statutory requirements on the basis of our justified interests. These processing purposes include statistical analyses that serve on the one hand to optimise our Online Service and on the other to fulfil our own business purposes. In this context, we are able to create so-called User profiles (hereinafter “Profiles”) based on the Data recorded (e.g. addresses, profile descriptions, profile access, jobs assigned, offer and request profiles). To protect your interests, we process your Data for the above-mentioned purposes using pseudonyms wherever possible, i.e. the Profiles are logged without any means of identification such as names or email addresses. Only if it is necessary for a Profile to be attributable to a User, for example to show the User specific information based on their behaviour, do We establish a link between a Profile and the specific User. Insofar as it is not necessary for a Profile to be attributable to a User (for example if We are only interested in statistical information), the User’s Details are processed anonymously, i.e. the Profiles and analysis results cannot be attributed to individual Users, thus identifying them.

12.3.We process the User’s IP address on the basis of legitimate interests in increasing the User convenience of our online service, e.g. to display our online service in the User’s language or to prefill the time zones and location entries as part of the registration process.

12.4.Additionally, we may process Data in accordance with your consent, which We will explicitly ask you to grant.

12.5.Insofar as content, tools and other means are used by other providers within the context of this privacy policy (hereinafter jointly referred to as ‘Third-Party Suppliers’) whose place of business is abroad, it may be assumed that Data will be transferred to the Third-Party Suppliers’ countries of business. Data is transferred to third-party countries either on the basis of a legal permit, the User’s consent, special guarantees, like special contractual clauses that safeguard the legal Data security standards.

12.6.You shall be notified of the individual purposes, forms and scope of Data processing and of the authorisations granted within the context of the consent granted in relation to this Data processing.

12.7.The deletion takes place after the expiry of statutory warranty and comparable obligations, the necessity of data retention is reviewed every three years; in the case of statutory archiving obligations, the erasure takes place after their expiry.

13. Payments

13.1.In the interests of our customers’ security, we do not log any credit card details or bank data ourselves and instead use the payment service Stripe, provided by Stripe, Inc., 510 Townsend Street San Francisco, CA 94103, USA.

13.2.Privacy policy:

14. Registration and termination

14.1.The Users themselves decide which personal details they wish to disclose and who has access to these details, for example when a User enters their name in Profiles, comment boxes, or similar.

14.2.The following Data is collected mandatorily when a User registers:

  • Email address (not disclosed to other Users)
  • Password (logged in encrypted form)
  • First name and surname
  • Information and mandatory data (e.g. tax related) on the Company.

14.3.Above and beyond the above-mentioned details, the Users themselves decide which other personal details are disclosed. The Users may additionally be required to make further disclosures insofar as these are necessary with regard to the provision of our Online Service and the fulfilment of the statutory requirements. Furthermore, details that are relevant to the contract are recorded and stored, such as details about the services that are subscribed to, payment history, content and log data on communications conducted through Orderfox, other details and uploads.

14.4.The Users’ public Profile information can be viewed by and searched in by other registered Users. The Users’ locations can be presented on a map.

14.5.Upon the termination of a Paid Subscription, only the profile settings in the company profile are retained. If the User also terminates the Free Subscription, Orderfox is entitled to delete the profiles of the respective Users. The User’s data will be deleted unless it is necessary to store them, e.g. for tax reasons (storage period is generally 10 years) or in the event of queries regarding the contract, such as payment history (storage period is generally 5 years) or a longer period of use has been expressly agreed with the User. In the case of consent given separately (i.e. independently of the User profile) for the mailing of commercial communications, this consent must be revoked separately. Furthermore, we would like to point out that in the event of a User account being blocked without being terminated at the same time, the User data will not be deleted in order to enable the account to be used after the account has been reactivated.

14.6.Communications and attachments exchanged with other Users shall remain stored with such Users and may only be deleted by giving legitimate reasons and in general after consultation with the recipient of the communiactions and attachments.

15. Presentation of 3D objects with Autodesk

15.1.We use the service Autodesk Forge provided by US based company Autodesk (Autodesk, Inc. 111 McInnis Pkwy, San Rafael, California 94903, USA) for the presentation of three-dimensional objects. For this purpose, 3D models are uploaded to Autodesk servers for further processing.

15.2.The use of Autodesk is made in accordance with Art. 6 (1) b. GDPR for the fulfilment of our contractual services towards the User, which includes the provision of the presentation function as part of the features of Orderfox.

15.3.In order to be able to assign 3D models to Users who have uploaded them and, we transmit the 3D models to Autodesk with an identifier which is assigned to the User by us. Autodesk only receives pseudonymized data of the User without a possibility to assign the 3D objects to the User. The processing at Autodesk can only exceptionally contain further personal data if this results from the displayed 3D object and the metadata stored with the 3D object itself and if this data should allow an identification of the User.

15.4.The 3D objects will be deleted within 6 months at the latest if they are removed by the User or otherwise from our system.

15.5.Further information can be found in Autodesk’s privacy policy:

16. Administration, Financial Accounting, Office Organization, Archiving

16.1.We process data in the course of administrative tasks as well as the organisation of our company, financial accounting and compliance with legal obligations, e.g. archiving. We process the same data that we process as part of the performance of our contractual services. The processing bases are Art. 6 (1) c. GDPR, Art. 6 (1) f., Art. 28 GDPR. Data Subjects are affected by the processing: customers, interested parties, business partners and website visitors. The purpose of the processing is the administration, financial accounting, office organization, archiving of data that serve the maintenance of our company and our services.

16.2.We disclose or transmit data to the tax authorities, tax consultants, auditors, other fee offices, legal advisors and payment service providers.

16.3.Furthermore, we store information on business partners, customers and prospects on the basis of our business interests, e.g. for the purpose of making contact at a later date. We store this data, which is mainly company-related, permanently.

17. Economic Analyses and Market research

17.1.In order to operate our business economically and to identify market trends, customer and User wishes, we analyse the data available to us on business transactions, contracts, inquiries, etc., in order to ensure that we are able to offer our customers the best possible service. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 (1) f. GDPR, whereby the persons concerned include customers, prospective customers, business partners, visitors and users of our online service. The analyses are carried out for the purpose of economic evaluations, marketing and market research. The analyses serve us to increase the user-friendliness, the optimization of our offer and the economic efficiency. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with aggregated values.

17.2.If these analyses or profiles are personal, they will be deleted or made anonymous upon cancellation of the contractual relationship, otherwise after three years from the conclusion of the contract. For the rest, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.

18. Contact and Customer Service

18.1.When contacting us (via contact form or e-mail), the User’s details will be processed for processing the contact request and its handling in accordance with Art. 6 (1) b. (customers/ prospects), Art. 6 (1) f. (other Users) GDPR.

18.2.User information may be stored in our Customer Relationship Management System (“CRM System”) or comparable request organization.

18.3.To communicate with and support our customers (so-called customer relationship management or CRM), we make use of the Communication services provided by Intercom, Inc., 55 2nd Street, 4th Floor San Francisco, California 94105, USA. Intercom offers the possibility according to the expectations of the Users to get in touch with them faster and more directly and to process their inquiries. With Intercom, Users can send messages via live chat, e-mail, text messages or push messages. For this to be possible, contact information to the Users must be synchronized with Intercom via an interface. The following data of the communication participants is processed: User name, password, e-mail address, IP address, data analysis, device data, usage data, social media profiles, location data and communication content. Data shall be stored in accordance with the deletion periods for the processing of communication and customer data; in addition, data shall be deleted if they are not required and there are no archiving obligations which are regularly reviewed every two years or on an ongoing basis. Privacy policy and possibilities of objection:

18.4.Outside of existing customer relationships, we will delete the requests if they are no longer necessary. Within customer relations we store the data for their duration; we check the necessity of the storage every three years; furthermore, the legal archiving obligations apply.

19. Newsletter

19.1.The following sections explain the contents of our newsletter, the registration, circulation and statistical analysis processes, and your rights of revocation. By subscribing to our newsletter, you consent to receipt of the newsletter and to the processes as outlined.

19.2.We send newsletters, emails and other electronic notifications containing advertising information (hereinafter “Newsletters”) only with the recipients’ consent or subject to legal permission. Insofar as the content of the Newsletter is specifically outlined at the registration stage, this content is authoritative with regard to the User’s consent. Our Newsletters otherwise contain information regarding developments and offers within the CNC industry and relating to our services.

19.3.Registering for our Newsletter involves a so-called double opt-in process. This means you will receive an email after registration requesting you to confirm your registration. This confirmation is necessary so as to prevent people from registering with another person’s email address. Newsletter registrations are logged so that evidence of the registration process can be produced pursuant to the statutory requirements. This includes logging of the times of registration and confirmation and of the IP address. Changes in your data recorded by the dispatch service provider are likewise logged.

19.4.We use the following service providers to send our newsletters on the basis of our legitimate interests in an economically efficient, user-friendly and secure way in accordance with Art. 6 (1) f. GDPR. The mailing service providers can use the data of the recipients in pseudonymous form, i.e. without allocation to a User, to optimise or improve their own services, e.g. for technical optimisation of the mailing and the presentation of the newsletter or for statistical purposes. However, the mailing service providers do not use the data of our newsletter recipients to write to them themselves or to pass the data on to third parties.

19.5.We use the service provider Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA, to import e-mail addresses and other User data from other platforms (e.g., LinkedIn, Facebook or Google); Privacy policy:

19.6.Submission of your email address will suffice for a Newsletter registration. We optionally ask you to provide other details such as your first name and surname for the purposes of Newsletter personalisation and your industry in order that We can bring the content of the Newsletter into line with the readers’ interests.

19.7.The Newsletters contain a so-called web beacon, i.e. a pixel-sized file which is accessed by the Dispatch Service Provider’s server when the Newsletter is opened. When this is accessed, technical information is logged regarding, for example, your browser and system, your IP address and the time at which it is accessed. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour, the places from which it is accessed (determined with the aid of IP addresses) or the times at which it is accessed. The statistics logged also include details regarding whether the Newsletters are opened, when they are opened and which links are clicked on. While this information can be attributed to specific Newsletter recipients for technical reasons, neither We nor the Dispatch Service Provider endeavour to monitor individual Users. Rather, the analyses allow Us to identify our Users’ reading habits and to adapt our content accordingly or to dispatch different content based on our Users’ interests.

19.8.The newsletter is sent and the performance measurement associated with it is based on the recipient’s consent pursuant to Art. 6 (1) lit. a, Art. 7 GDPR or, if no legal permission is required, on our legitimate interests in direct marketing pursuant to Art. 6 (1) lit. f. GDPR. The registration procedure is logged on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f. GDPR. We are interested in the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of users and also allows us to provide proof of consent.

19.9.We may store the e-mail addresses we have unsubscribed for up to three years on the basis of our legitimate interests before we delete them for the purpose of sending the newsletter in order to be able to prove a previously given consent. The processing of these data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that at the same time the former existence of a consent is confirmed. A separate revocation of the performance measurement is unfortunately not possible, in this case the entire newsletter subscription must be cancelled.

20. Participation in The Partner Program with Celeritive Technologies

20.1.As part of the partner program with Celeritive Technologies Inc, at 95 E High St, Moorpark, CA 93021, USA, we process the data of Users who decide to take advantage of special offers from Celeritive Technologies or Orderfox.

20.2.To take advantage of the offers, Users can enter a special code when registering on the website. Users receive this code from Celeritive Technologies. By redeeming the code, Orderfox provides Users with the promised benefits.

20.3. By redeeming the code, Users also agree to receive an e-mail from Orderfox with the request to register their personal data and to receive a further e-mail after confirmation of registration and completion of their company profile with a link and code to a special offer from Celeritive Technologies to be activated by the User directly through the website of Celeritive Technologies.

20.4. The data processed within the scope of the partner program includes inventory data / Customer master data of the Users (i.e. company name, name, e-mail address, country and promo code) and the fact that both Orderfox and Celeritive Technologies learn that the User has made use of the offer of the other provider.

20.5.In addition, no User Data is disclosed between Orderfox and Celeritive Technologies. The respective providers, i.e. Orderfox or Celeritive Technologies, are responsible for processing the User’s Data within the scope of the offers used in each case.

20.6.Users may object to the processing of their Data for the aforementioned purposes, in which case the advantages of the offers may be excluded if the prerequisite for this is the objected data processing (e.g. if Users do not wish to receive a link to a special offer).

20.7.The legal basis for Orderfox’s processing of Users’ Data is their consent pursuant to Art. 6 (1) a., Art. 7 GDPR.

20.8.Celeritive Technologies’ processing of Users’ Data is governed solely by Celeritive Technologies’ Privacy Policy, which can be found under:

21. Communication via Mail, E-Mail, Fax or Telephone

21.1.We use means of telecommunication such as mail, telephone or e-mail for business transactions and marketing purposes. We process inventory data, address and contact data as well as contract data of customers, participants, interested parties and communication partners.

21.2.The processing is carried out on the basis of Art. 6 (1) a., Art. 7 GDPR, Art. 6 (1) f. GDPR in conjunction with legal requirements for advertising communications. Contact is only established with the consent of the contact partners or within the scope of legal permissions and the processed data is deleted as soon as it is not required and otherwise with objection/ revocation or discontinuation of the authorization basis or legal archiving obligations.

22. Online-Profiles in Social Media

22.1.We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties and Users who are active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective providers apply.

22.2.Unless otherwise stated in our Privacy Policy, we process the data of Users who communicate with us within social networks and platforms, e.g. write posts on our online presences or send us messages.

23. Collection of access data (logfiles)

23.1.For the purposes of our legitimate interests, we collect data every time the server on which the service is located is accessed. This data is collected in the form of server log files. These access logs include the name of the webpage and/or file accessed by the User, the date and time of access, the amount of data transferred, notification of successful retrieval, details of the web browser used (including the version), the User’s operating system, the referrer URL (of the previous page linking to our website), the IP address and the requesting provider.

23.2.Log file information is retained for security reasons (e.g. to detect improper use or fraud) for a maximum of seven days before being deleted. Data that is to be retained as evidence shall be excluded from deletion until the relevant case has been finalized.

24. Google Analytics

24.1.We use Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google uses cookies. The information generated by cookies concerning the use of the Websites by the User will generally be transmitted to and stored by Google on servers in the USA.

24.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

24.3.Google will use this information on our behalf for the purpose of evaluating use of our Websites by the User, compiling reports on activity on the Websites, and providing us with other services relating to the use of the Websites and use of the Internet. This process may involve creating pseudonymized usage profiles of Users from the processed data.

24.4.We use Google Analytics to display the ads placed by Google and its partners within advertising services, only to those Users who have shown an interest in our online offers or who have particular characteristics (e. g. interests in certain topics or products determined by the websites visited) that we transmit to Google (so-called Remarketing or Google Analytics audiences). With the help of remarketing audiences, we would also like to ensure that our advertisements are in line with the potential interest of the Users and do not have a nuisance effect.

24.5.We only use Google Analytics with IP anonymization enabled. That means Google truncates the User’s IP address within Member States of the European Union and in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.

24.6.The IP address transmitted by the User’s browser is not associated with any other data held by Google. Users can prevent cookies from being installed on their computer by adjusting their browser settings accordingly. Users can also prevent Google from collecting data generated by cookies concerning their use of the Websites and can prevent Google from processing this data by downloading and installing a browser plug-in from the following link:

24.7.Further information on Google’s use of data, your settings options and your opt-out options can be found on Google’s websites: (‘How Google uses information from sites or apps that use our services’), (‘Data use for advertising purposes’), (‘Manage the information used by Google to display advertising to you’).

24.8.Personal data will be made anonymous or deleted after a period of 14 months.

25. Google Conversion und Advertising Display Services

25.1.We use the Google’s conversion und advertising Display, marketing and remarketing services (hereinafter referred to as “Google Marketing Services”) provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (“Google”).

25.2.If we ask the Users for their consent (in particular within the context of a so-called „cookie banner“), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

25.3.Google Marketing Services enable us to display ads for and on our website in a more targeted fashion, helping us to only show ads to Users that are potentially of interest to them. The method we use, known as remarketing, involves, for example, showing Users ads for products in which they have already shown an interest on other websites. For this purpose, our Websites – and other websites on which Google Marketing Services are active – contain a snippet of code, which is executed directly by Google. This integrates what are known as (re)marketing tags in the website (invisible image files or code, also known as web beacons). With the help of these tags, an individual cookie, i.e. a small file, is saved on the User’s device (comparable technologies may also be used instead). These cookies may be set from a few different domains, including,,,, and This file notes which sites the User visits, which content interests the User, and which offers he or she clicked, as well as technical information on the browser and operating system, referring websites, visit duration and other data on the use of the Websites. The User’s IP address is also recorded, though we wish to make it clear that, within the context of Google Analytics, the IP address is truncated within European Union Member States and in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to the US-based Google server and truncated there. The IP address is not merged with User data within other Google offerings or services. The information referred to above may also be linked to comparable information from other sources. If the User subsequently visits other websites, they may be presented with ads tailored to them according to their interests.

25.4.User data is processed in a pseudonymized manner within the context of Google Marketing Services, i.e. Google does not store and process details such as the name or email address of the User, but instead processes the relevant data within pseudonymized usage profiles based on cookies. This means that, from Google’s perspective, the ads are not managed for and displayed to a named or otherwise identifiable person, but rather for and to the cookie holder, regardless of who this cookie holder is. That is not, however, the case if a User has expressly granted Google permission to process their data in a non-pseudonymized manner. Information collected on Users by Google Marketing Services is transmitted to Google and stored on Google’s servers in the USA.

25.5.One of the Google marketing services we use is the online advertising service Google AdWords. In the case of Google AdWords, each AdWords client receives a different ‘conversion cookie’. Thus, cookies cannot be tracked across the websites of AdWords clients. The information collected by the conversion cookies is used to provide aggregate conversion statistics for AdWords clients who have opted in to conversion tracking. AdWords clients are informed of the total number of users who clicked on the ad and were forwarded to a conversion tracking tag page. However, they do not receive any information that would enable them to identify users personally.

25.6.Our Websites may contain third-party ads from the Google marketing service DoubleClick. DoubleClick uses cookies that enable Google and its partner websites to display ads based on User visits to this website and/or other websites on the Internet.

25.7.We use Google Optimize a service that allows us to track the effects of various changes to a website (e. g. changes in input fields, design, etc.) within the framework of so-called ‘A/B tests’.

25.8.We may also use Google Tag Manager to incorporate and manage Google analysis and marketing services in our Websites. Google Tag Manager is a solution with which we can manage so-called website tags (and thus integrate Google Analytics and other Google marketing services into our online services). The Tag Manager itself (which implements the tags) does not process any personal user data. With regard to the processing of Users’ personal data, reference is made to the information on Google services contained in this privacy policy.

25.9.The data may be processed by Google for up to two years before it is anonymised or deleted.

25.10.Further information on Google’s use of data for marketing purposes can be found on the overview page: Google’s data protection declaration can be accessed at If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google:

26. Facebook Social Plugins

26.1.Our Online Service makes use of the Social Plugins (“Plugins”) of the social network, which is run by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The Plugins can be identified on the basis of one of the Facebook logos (white ‘f’ on a blue tile, the terms ‘Like’ or a thumbs-up symbol) or feature the phrase ‘Facebook Social Plugin’. A list of and the appearance of Facebook Social Plugins can be found here:

26.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

26.3.When a User accesses a function of this Online Service containing such a Plugin, their device establishes a direct link with Facebook’s servers. The Plugin contents are sent directly to the User’s device by Facebook and are incorporated into the Online Service by the device. Usage profiles can be generated in relation to the Users on the basis of the data processed. We therefore have no control over the volume of Data collected by Facebook with the aid of this Plugin and therefore notify the Users on the basis of what we know.

26.4.When the Plugins are incorporated, Facebook is notified when a User views the corresponding page of the Online Service. If the User is logged in to Facebook, Facebook can assign this visit to their Facebook account. If Users interact with the Plugins, for example by clicking on the ‘Like’ button or adding a comment, the relevant information is sent directly to Facebook by their device and logged by Facebook. If the User is not a member of Facebook, Facebook is nonetheless able to determine and log their IP address. According to Facebook, only anonymised IP addresses are logged in Germany.

26.5.Users can learn about the purpose and extent of Facebook’s data collection and its further processing and use, and about the corresponding rights and settings for the protection of their privacy in Facebook’s data privacy notice:

26.6.If a User is a Facebook member and does not wish Facebook to collect information on them via this Online Service or combine such information with their Facebook membership details, they must log out of Facebook prior to using our Online Service and must delete their cookies. Other settings can be selected and consents to the use of data for advertising purposes revoked within the Facebook profile settings at or via the US website or the EU website The settings are platform-independent, i.e. they are applied to all devices such as desktop computers and mobile devices.

27. Facebook remarketing, Facebook-Pixel and Custom Audiences

27.1.Our Online Service uses the so-called Facebook Pixel belonging to the social network Facebook, which is run by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The Facebook Pixel enables Facebook to identify visitors to our Online Service as the target group for the presentation of so-called Facebook Ads. Accordingly, we use the Facebook Pixel to present the Facebook Ads placed by us only to those Facebook users who have expressed an interest in our Online Service (so called ‘custom audiences’). In other words, with the assistance of the Facebook Pixel, we want to ensure that our Facebook Ads are in keeping with the Users’ possible interests, rather than being seen as a nuisance. Additionally, the Facebook Pixel allows Us to understand the effectiveness of Facebook Ads for statistical and market research purposes by allowing Us to see whether Users were taken to our website upon clicking on a Facebook Ad.

27.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

27.3.The Facebook Pixel is incorporated by Facebook immediately upon one of our websites being viewed and can store a cookie, i.e. a small file, on your device. If you subsequently log in to Facebook or visit the page when already logged in to Facebook, your visit to our Online Service is recorded within your profile. The data collected on you is anonymous for us and we are therefore unable to draw conclusions concerning the Users’ identities. However, the data is logged and processed by Facebook, and can therefore be linked to the corresponding User Profile. Facebook uses the data in accordance with its data policy. Accordingly, further information regarding how the remarketing pixel works and generally on the presentation of Facebook Ads can be found in Facebook’s data policy:

27.4.On the basis of the consent of the User pursuant to Article 6 (1) 1 a GDPR, we use the procedure ‘Custom Audiences from File’ provided by the social network Facebook, Inc. In this case, the e-mail addresses of consenting Users are uploaded to Facebook. The upload process is encrypted. The upload is used solely to determine the recipients of our Facebook ads. This is to ensure that ads are only displayed to Users who have an interest in our information and services.

27.5.You may revoke your consent and object to the Facebook Pixel collecting data as well as building custom audiences and using these data to present Facebook Ads. You can access the page created by Facebook to do so, at, following the instructions there regarding the settings for use-based advertising, or you can revoke your consent via the US website or the EU website The settings are platform-independent, i.e. they are applied to all devices such as desktop computers and mobile devices.

28. Analytic and Optimization Service Hotjar

28.1. We use Hotjar, an analysis software provided by Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta (“Hotjar”). With the help of the information obtained through Hotjar, we can analyse and improve the use of our online services.

28.2. For this purpose alone, data of the Users of our websites will be stored and evaluated. We use Hotjar to analyse our online services only, and not to analyse the individual Users. User data will therefore be pseudonymised and processed within the European Union as well as on the basis of the processing contract offered by Hotjar. User inputs, e.g. in forms or keystrokes, are not processed, i.e. neither stored by Hotjar nor transmitted to Hotjar (unless these inputs are clearly intended for Users for evaluation purposes, e.g. feedback forms).

28.3. For the aforementioned purposes, Hotjar stores and evaluates cookies with a pseudonymous identification number on the User’s devices. The cookies that Hotjar uses have various ‘lifespans’; some last up to 365 days, some only last for the duration of the relevant website visit.

28.4. The processed data of Users shall include in particular:

  • devices and metadata: IP address of the terminal (collected and stored in anonymous format), screen resolution, type of terminal (individual terminal identifiers), operating system and browser type, referring URL and domain;
  • geographical location (country only);
  • Usage data and log data: Date and time when the online service was accessed, preferred language, User interactions, such as mouse events (movements, position and clicks), keyboard entries, web pages accessed and interactions with their content and functions.
  • Content data: Inputs within the framework of surveys and feedback forms.

28.5. If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

28.6. Users may prevent Hotjar from collecting the data by using their browser’s ‘do not track’ settings or by clicking on the following link and following its instructions:

28.7. Privacy Policy of Hotjar: Cookie Policy:

29. LinkedIn marketing services

29.1. We use the marketing services of the social network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

29.2. LinkedIn’s marketing services allow us to display advertisements within LinkedIn’s social network and link advertisers’ services in a targeted way or to present advertisements only to users that may potentially be of their interest. If, for example, a user is shown ads for products in which he is interested on other online services, this is referred to as ‘remarketing’. Furthermore, we can track the success of our ads (so-called ‘conversion measurement’). However, we only know the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive information that personally identifies users.

29.3.For the purposes set out above, a LinkedIn code will be implemented when users access our and other websites on which LinkedIn’s marketing services are active and so-called ‘insights tags’ (invisible graphics or code, also referred to as ‘web beacons’) will be incorporated into the websites. With the help of insights tags, an individual cookie, i.e. a small file, will be stored on the user’s device (comparable technologies can also be used instead of cookies). In this file, it is noted which websites the user visits, which contents he is interested in and which offers the user has clicked, further technical information about the browser and operating system, referring websites, visiting time as well as further information about the use of the online service.

29.4.The user’s data will be processed pseudonymously within the scope of LinkedIn’s marketing services. I.e. LinkedIn does not store and process the name or e-mail address of the user, but processes the relevant data in a cookie-related way within pseudonymous user profiles. This means that from LinkedIn’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who that cookie owner is. This does not apply if a user has expressly permitted LinkedIn to process the data without this pseudonymisation. If you are registered with LinkedIn, it is still possible for LinkedIn to associate your interaction with our online services with your user account.

29.5.If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6(1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.

29.6.The information collected about users is transmitted to LinkedIn and stored on Google’s servers in the United States.

29.7.For more information about LinkedIn’s use of data, see LinkedIn’s Privacy Policy ( and Cookie Policy ( You can object to the aforementioned use of your data by LinkedIn:

30. Outbrain

30.1.We use the service provider Outbrain, Outbrain Inc, 39 West 13th Street, 3rd floor, New York, NY 10011, USA for the purpose of personalized advertisements, for example, to post ads on our or other websites that are based on users’ presumed interests. For this purpose, usage data, metadata, IP address (abbreviated) and a pseudonymous Unique User ID (UUID) are processed. The stored personal data will be deleted or anonymized after 13 months. Outbrain assures that it will comply with European and Swiss data protection law and uses so-called standard contractual clauses of the EU Commission for this purpose.

30.2.If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. of the GDPR.

30.3.Information on the cookies used: Privacy policy and opt-out possibilities:

31. Taboola

31.1. We use the service provider Taboola, Inc. 16 Madison Square West 7th Floor New York, New York 10010, USA, to integrate content and content recommendations into our or third-party online services on the basis of the presumed interests of users. For this purpose, usage data, metadata, IP address (abbreviated) and a pseudonymous Taboola user ID are processed. Taboola stores user information collected directly for the purpose of ad placement for a maximum of eighteen (18) months after the user’s last interaction with the Taboola Services and anonymizes it by removing personal identifiers or aggregating data. Taboola stores anonymous or aggregated data that cannot identify a person or device and is used for reporting and analysis purposes for as long as is commercially necessary.

31.2.If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. of the GDPR.

31.3. Privacy Policy:; Opt-Out:

32. Integration of third-party services and content

32.1.For the purposes of our legitimate interests (i.e. our interest in analysing, optimizing and running our Websites in a commercially viable manner within the meaning of Art. 6 (1) f. of the GDPR), we use third-party content and service delivery services on our Websites in order to incorporate content and services such as videos and fonts, for example (hereinafter jointly referred to as “Content”). The third-party provider of this Content always requires the User’s IP address in order to send the Content to the browser of the respective User. In other words, the IP address is required to display this Content. We endeavour only to use such Content where the respective provider uses the IP address exclusively to deliver said Content. Third-party providers may additionally use ‘pixel tags’ (invisible image files, also known as web beacons) for statistical or marketing purposes. Pixel tags can be used to analyse information such as the number of visitors accessing the pages of this website. The pseudonymized information may additionally be stored on User devices in the form of cookies. This information includes technical information on the browser and operating system, referring websites, time spent on the website, and further details on how Users make use of our Websites, plus it can also be combined with comparable information from other sources.

32.2.The list below provides an overview of third-party providers and their Content as well as links to their privacy policies, which contain further information on data processing and opt-out mechanisms, some of which have already been discussed here:

33. Cloud Services

33.1.We use Internet-accessible software services (so-called ‘cloud services’, also referred to as ‘software as a service’) provided on the servers of its providers for the following purposes: document storage and administration, calendar management, e-mail delivery, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information, as well as chats and participation in audio and video conferences.

33.2.Within this framework, personal data may be processed and stored on the provider’s servers insofar as this data is part of communication processes with us or is otherwise processed by us in accordance with this privacy policy. This data may include in particular master data and contact data of Data Subjects, data on processes, contracts, other proceedings and their contents. Cloud service providers also process usage data and metadata that they use for security and service optimization purposes.

33.3.If we use cloud services to provide documents and content to other Users or publicly accessible websites, forms, etc., providers may store cookies on Users’ devices for web analysis or to remember User settings (e.g. in the case of media control).

33.4.The following data types can be processed as part of cloud services: Inventory data (e.g., customer master data, such as names, addresses), Payment Data (e.g., bank details, invoices, payment history), Contact data (e.g., e-mail, telephone numbers), Content data (e.g., text input, photographs, videos), Contract data (e.g., contract object, duration, customer category), Usage data (e.g., websites visited, interest in content, access times), Meta/communication data (e.g., device information, IP addresses),.

33.5.Information on the providers of cloud services used by us: