Principality of Liechtenstein
Commercial Register No.: Office of Justice, Principality of Liechtenstein, Commercial Register, No. FL-0002.542.971-6
Managing Director: Dr. Wilhelm Klagian (joint signatures of two persons)
Phone Number: +423 375 2500
The Controller is hereinafter also referred to as “we” or “us”.
Description of our services and objectives:
Running of an online platform for CNC manufacturers and CNC buyers. The online platform serves as a partner platform for CNC manufacturers and CNC buyers, enabling them (the users) to place interactive ads on the website and using intelligent filters to assist with their coming together.
Type of processed data:
– Inventory data (e.g., customer master data, such as names, addresses).
– Contact details (e.g., e-mail, phone numbers).
– Content Data (e.g., text input, photographs, videos).
– Contract Data (e.g., subject matter of the contract).
– Payment Data (e.g., bank details, payment history).
– Usage Data (e.g., visited websites, interest in content, access times).
– Meta/communication Data (e.g., device IDs, IP addresses).
Processing of special categories of Data (Art. 9 (1) GDPR):
No special categories of Data are processed.
Categories of data subjects:
– Users / Customers / prospective customers / business partners.
– Visitors and users of the online service.
In the following, we will also summarise the data subjects as “Users”.
Purpose of Processing:
– Provision of our services, its contents and functions.
– Server hosting, domain registration, Software-as-a-Service (SaaS) services
– Provision of contractual services, customer care and support.
– Response to contact requests and communication with Users.
– Marketing, advertising and market research.
– Security measures.
Automated individual decision-making (Art. 22 GDPR):
We do not use exclusively automated individual decision-making.
Note on legal basis:
– If we process data from Users from the EU/EEC, the legal basis of the GDPR stated below shall apply.
– In all other respects, we process the data on the basis of the data protection law applicable to the Principality of Liechtenstein. I.e. in this case the following information applies, but on the basis of the law of the Principality of Liechtenstein and not the aforementioned GDPR standards.
– Where other mandatory data protection regulations apply to Users who are consumers, these data protection regulations shall take precedence.
As of: July 2020
- 1. Terms used
- 2. Relevant Legal Basis for the Processing
- 4. Security of Data Processing
- 5. Disclosure and Transmission of Data
- 6. Transfers to Third Countries
- 7. Rights of Data Subjects
- 8. Right of Withdrawal
- 9. Right to Object
- 10. Cookies and Right to Object in Direct Marketing
- 11. Erasure of data and archiving obligations
- 12. Purposes of data processing
- 13. Payments
- 14. Registration and termination
- 15. Presentation of 3D objects with Autodesk
- 16. Administration, Financial Accounting, Office Organization, Archiving
- 17. Economic Analyses and Market research
- 18. Contact and Customer Service
- 19. Newsletter
- 20. Participation in The Partner Program with Celeritive Technologies
- 21. Communication via Mail, E-Mail, Fax or Telephone
- 22. Online-Profiles in Social Media
- 23. Collection of access data (logfiles)
- 24. Google Analytics
- 25. Google Conversion und Advertising Display Services
- 26. Facebook Social Plugins
- 27. Facebook remarketing, Facebook-Pixel and Custom Audiences
- 28. Analytic and Optimization Service Hotjar
- 29. LinkedIn marketing services
- 30. Outbrain
- 31. Taboola
- 32. Integration of third-party services and content
- 33. Cloud Services
1. Terms used
1.1.”Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2.”Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3.”Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1.4.”Profiling” means any automated processing of personal data consisting in the use of such personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this includes information regarding age, gender, location and movement data, interaction with websites and their contents, shopping behaviour, social interactions with other people) (e.g. interests in certain contents or products, click behaviour on a website or the location). Cookies and web beacons are often used for profiling purposes.
1.5.”Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; E.g. if an exact interest profile of the computer User is stored in a cookie (a ‘marketing avatar’), but not the name of the User, then data is processed pseudonymously. If his name is stored, e.g. as part of his e-mail address or his IP address is stored, then the processing is no longer pseudonymous.
1.6.”Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2. Relevant Legal Basis for the Processing
4. Security of Data Processing
4.1.We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; the measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transfer, integrity and pseudonymity. Furthermore, we have established procedures that guarantee the assertion of Data Subjects’ rights, the erasure of data and the response to data hazards. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design of technology and by data protection-friendly presettings (Art. 25 GDPR).
4.2.The security measures include in particular the encrypted transmission of data between your browser and our server.
4.3.Employees are bound to confidentiality with regard to data protection, are instructed, monitored, and informed of possible liability consequences.
5. Disclosure and Transmission of Data
5.1.If we disclose data to other persons and companies (processors or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this will only be carried out on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as to payment service providers, is required for contract fulfilment pursuant to Art. 6 (1) b GDPR), if you have consented, if a legal obligation requires this or on the basis of our legitimate interests (e.g. when using agents, web hosting services, etc.).
5.2.If we commission third parties with the processing of data on the basis of a so-called ‘Data Processing Agreement’, this is done on the basis of Art. 28 GDPR.
5.3.If we disclose, transfer or otherwise grant access to data to other companies in our Group of Companies (Undertakings), this is done in particular for administrative purposes as a legitimate interest and in addition on the basis of a Data Processing Agreement.
6. Transfers to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transmission of data to third parties, this only takes place if it is necessary to fulfil our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or let the data being processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means, for example, processing is carried out on the basis of special guarantees, such as the officially recognised adequate data protection level corresponding to the EU (e.g. compliance with officially recognised special contractual obligations (so-called ‘Standard Contractual Clauses’).
7. Rights of Data Subjects
7.1.You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the further information and a copy of the data in accordance with Art. 15 GDPR.
7.2.You have correspondingly. In accordance with Article 16 of the GDPR, the right to obtain from the controller the rectification of inaccurate personal data concerning you, or the completion of the data concerning you.
7.3.In accordance with Art. 17 GDPR, you have the right to demand that relevant data be erased without undue delay or, alternatively, to demand a restriction of the processing of the data in accordance with Art. 18 GDPR.
7.4.You have in accordance with Art. 20 GDPR the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
7.5.In accordance with Art. 77 GDPR, you also have the right to file a complaint with a supervisory authority.
8. Right of Withdrawal
You have the right to withdraw consents granted pursuant to Art. 7 (3) GDPR with effect for the future.
9. Right to Object
You can object to the future processing of the data concerning you in accordance with Art. 21 GDPR at any time. The objection may be lodged in particular against processing for direct marketing purposes.
10. Cookies and Right to Object in Direct Marketing
10.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
10.4. If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of our online services.
11. Erasure of data and archiving obligations
12. Purposes of data processing
12.1.We process your Data for the purposes of delivering the functions of our Online Service requested by you and to fulfil our contractual, business and other legal obligations (among other things, provision and performance of our services and guaranteeing efficient customer service and technical support). Data processing comprises the transmission or disclosure of Data to third parties if this serves to fulfil our contractual or legal obligations (e.g. brokering jobs between CNC manufacturers and CNC buyers) or if this is necessary for invoicing purposes (e.g. transfer of Data to a payment service provider).
12.2.We additionally process your Data in accordance with the statutory requirements on the basis of our justified interests. These processing purposes include statistical analyses that serve on the one hand to optimise our Online Service and on the other to fulfil our own business purposes. In this context, we are able to create so-called User profiles (hereinafter “Profiles”) based on the Data recorded (e.g. addresses, profile descriptions, profile access, jobs assigned, offer and request profiles). To protect your interests, we process your Data for the above-mentioned purposes using pseudonyms wherever possible, i.e. the Profiles are logged without any means of identification such as names or email addresses. Only if it is necessary for a Profile to be attributable to a User, for example to show the User specific information based on their behaviour, do We establish a link between a Profile and the specific User. Insofar as it is not necessary for a Profile to be attributable to a User (for example if We are only interested in statistical information), the User’s Details are processed anonymously, i.e. the Profiles and analysis results cannot be attributed to individual Users, thus identifying them.
12.3.We process the User’s IP address on the basis of legitimate interests in increasing the User convenience of our online service, e.g. to display our online service in the User’s language or to prefill the time zones and location entries as part of the registration process.
12.4.Additionally, we may process Data in accordance with your consent, which We will explicitly ask you to grant.
12.6.You shall be notified of the individual purposes, forms and scope of Data processing and of the authorisations granted within the context of the consent granted in relation to this Data processing.
12.7.The deletion takes place after the expiry of statutory warranty and comparable obligations, the necessity of data retention is reviewed every three years; in the case of statutory archiving obligations, the erasure takes place after their expiry.
13.1.In the interests of our customers’ security, we do not log any credit card details or bank data ourselves and instead use the payment service Stripe, provided by Stripe, Inc., 510 Townsend Street San Francisco, CA 94103, USA.
14. Registration and termination
14.1.The Users themselves decide which personal details they wish to disclose and who has access to these details, for example when a User enters their name in Profiles, comment boxes, or similar.
14.2.The following Data is collected mandatorily when a User registers:
- Email address (not disclosed to other Users)
- Password (logged in encrypted form)
- First name and surname
- Information and mandatory data (e.g. tax related) on the Company.
14.3.Above and beyond the above-mentioned details, the Users themselves decide which other personal details are disclosed. The Users may additionally be required to make further disclosures insofar as these are necessary with regard to the provision of our Online Service and the fulfilment of the statutory requirements. Furthermore, details that are relevant to the contract are recorded and stored, such as details about the services that are subscribed to, payment history, content and log data on communications conducted through Orderfox, other details and uploads.
14.4.The Users’ public Profile information can be viewed by and searched in by other registered Users. The Users’ locations can be presented on a map.
14.5.Upon the termination of a Paid Subscription, only the profile settings in the company profile are retained. If the User also terminates the Free Subscription, Orderfox is entitled to delete the profiles of the respective Users. The User’s data will be deleted unless it is necessary to store them, e.g. for tax reasons (storage period is generally 10 years) or in the event of queries regarding the contract, such as payment history (storage period is generally 5 years) or a longer period of use has been expressly agreed with the User. In the case of consent given separately (i.e. independently of the User profile) for the mailing of commercial communications, this consent must be revoked separately. Furthermore, we would like to point out that in the event of a User account being blocked without being terminated at the same time, the User data will not be deleted in order to enable the account to be used after the account has been reactivated.
14.6.Communications and attachments exchanged with other Users shall remain stored with such Users and may only be deleted by giving legitimate reasons and in general after consultation with the recipient of the communiactions and attachments.
15. Presentation of 3D objects with Autodesk
15.1.We use the service Autodesk Forge provided by US based company Autodesk (Autodesk, Inc. 111 McInnis Pkwy, San Rafael, California 94903, USA) for the presentation of three-dimensional objects. For this purpose, 3D models are uploaded to Autodesk servers for further processing.
15.2.The use of Autodesk is made in accordance with Art. 6 (1) b. GDPR for the fulfilment of our contractual services towards the User, which includes the provision of the presentation function as part of the features of Orderfox.
15.3.In order to be able to assign 3D models to Users who have uploaded them and, we transmit the 3D models to Autodesk with an identifier which is assigned to the User by us. Autodesk only receives pseudonymized data of the User without a possibility to assign the 3D objects to the User. The processing at Autodesk can only exceptionally contain further personal data if this results from the displayed 3D object and the metadata stored with the 3D object itself and if this data should allow an identification of the User.
15.4.The 3D objects will be deleted within 6 months at the latest if they are removed by the User or otherwise from our system.
16. Administration, Financial Accounting, Office Organization, Archiving
16.1.We process data in the course of administrative tasks as well as the organisation of our company, financial accounting and compliance with legal obligations, e.g. archiving. We process the same data that we process as part of the performance of our contractual services. The processing bases are Art. 6 (1) c. GDPR, Art. 6 (1) f., Art. 28 GDPR. Data Subjects are affected by the processing: customers, interested parties, business partners and website visitors. The purpose of the processing is the administration, financial accounting, office organization, archiving of data that serve the maintenance of our company and our services.
16.2.We disclose or transmit data to the tax authorities, tax consultants, auditors, other fee offices, legal advisors and payment service providers.
16.3.Furthermore, we store information on business partners, customers and prospects on the basis of our business interests, e.g. for the purpose of making contact at a later date. We store this data, which is mainly company-related, permanently.
17. Economic Analyses and Market research
17.1.In order to operate our business economically and to identify market trends, customer and User wishes, we analyse the data available to us on business transactions, contracts, inquiries, etc., in order to ensure that we are able to offer our customers the best possible service. We process inventory data, communication data, contract data, payment data, usage data, metadata on the basis of Art. 6 (1) f. GDPR, whereby the persons concerned include customers, prospective customers, business partners, visitors and users of our online service. The analyses are carried out for the purpose of economic evaluations, marketing and market research. The analyses serve us to increase the user-friendliness, the optimization of our offer and the economic efficiency. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with aggregated values.
17.2.If these analyses or profiles are personal, they will be deleted or made anonymous upon cancellation of the contractual relationship, otherwise after three years from the conclusion of the contract. For the rest, macroeconomic analyses and general trend determinations are prepared anonymously wherever possible.
18. Contact and Customer Service
18.1.When contacting us (via contact form or e-mail), the User’s details will be processed for processing the contact request and its handling in accordance with Art. 6 (1) b. (customers/ prospects), Art. 6 (1) f. (other Users) GDPR.
18.2.User information may be stored in our Customer Relationship Management System (“CRM System”) or comparable request organization.
18.4.Outside of existing customer relationships, we will delete the requests if they are no longer necessary. Within customer relations we store the data for their duration; we check the necessity of the storage every three years; furthermore, the legal archiving obligations apply.
19.1.The following sections explain the contents of our newsletter, the registration, circulation and statistical analysis processes, and your rights of revocation. By subscribing to our newsletter, you consent to receipt of the newsletter and to the processes as outlined.
19.2.We send newsletters, emails and other electronic notifications containing advertising information (hereinafter “Newsletters”) only with the recipients’ consent or subject to legal permission. Insofar as the content of the Newsletter is specifically outlined at the registration stage, this content is authoritative with regard to the User’s consent. Our Newsletters otherwise contain information regarding developments and offers within the CNC industry and relating to our services.
19.3.Registering for our Newsletter involves a so-called double opt-in process. This means you will receive an email after registration requesting you to confirm your registration. This confirmation is necessary so as to prevent people from registering with another person’s email address. Newsletter registrations are logged so that evidence of the registration process can be produced pursuant to the statutory requirements. This includes logging of the times of registration and confirmation and of the IP address. Changes in your data recorded by the dispatch service provider are likewise logged.
19.4.We use the following service providers to send our newsletters on the basis of our legitimate interests in an economically efficient, user-friendly and secure way in accordance with Art. 6 (1) f. GDPR. The mailing service providers can use the data of the recipients in pseudonymous form, i.e. without allocation to a User, to optimise or improve their own services, e.g. for technical optimisation of the mailing and the presentation of the newsletter or for statistical purposes. However, the mailing service providers do not use the data of our newsletter recipients to write to them themselves or to pass the data on to third parties.
19.6.Submission of your email address will suffice for a Newsletter registration. We optionally ask you to provide other details such as your first name and surname for the purposes of Newsletter personalisation and your industry in order that We can bring the content of the Newsletter into line with the readers’ interests.
19.7.The Newsletters contain a so-called web beacon, i.e. a pixel-sized file which is accessed by the Dispatch Service Provider’s server when the Newsletter is opened. When this is accessed, technical information is logged regarding, for example, your browser and system, your IP address and the time at which it is accessed. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour, the places from which it is accessed (determined with the aid of IP addresses) or the times at which it is accessed. The statistics logged also include details regarding whether the Newsletters are opened, when they are opened and which links are clicked on. While this information can be attributed to specific Newsletter recipients for technical reasons, neither We nor the Dispatch Service Provider endeavour to monitor individual Users. Rather, the analyses allow Us to identify our Users’ reading habits and to adapt our content accordingly or to dispatch different content based on our Users’ interests.
19.8.The newsletter is sent and the performance measurement associated with it is based on the recipient’s consent pursuant to Art. 6 (1) lit. a, Art. 7 GDPR or, if no legal permission is required, on our legitimate interests in direct marketing pursuant to Art. 6 (1) lit. f. GDPR. The registration procedure is logged on the basis of our legitimate interests pursuant to Art. 6 (1) lit. f. GDPR. We are interested in the use of a user-friendly and secure newsletter system that serves both our business interests and the expectations of users and also allows us to provide proof of consent.
19.9.We may store the e-mail addresses we have unsubscribed for up to three years on the basis of our legitimate interests before we delete them for the purpose of sending the newsletter in order to be able to prove a previously given consent. The processing of these data is limited to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that at the same time the former existence of a consent is confirmed. A separate revocation of the performance measurement is unfortunately not possible, in this case the entire newsletter subscription must be cancelled.
20. Participation in The Partner Program with Celeritive Technologies
20.1.As part of the partner program with Celeritive Technologies Inc, at 95 E High St, Moorpark, CA 93021, USA, we process the data of Users who decide to take advantage of special offers from Celeritive Technologies or Orderfox.
20.2.To take advantage of the offers, Users can enter a special code when registering on the website. Users receive this code from Celeritive Technologies. By redeeming the code, Orderfox provides Users with the promised benefits.
20.3. By redeeming the code, Users also agree to receive an e-mail from Orderfox with the request to register their personal data and to receive a further e-mail after confirmation of registration and completion of their company profile with a link and code to a special offer from Celeritive Technologies to be activated by the User directly through the website of Celeritive Technologies.
20.4. The data processed within the scope of the partner program includes inventory data / Customer master data of the Users (i.e. company name, name, e-mail address, country and promo code) and the fact that both Orderfox and Celeritive Technologies learn that the User has made use of the offer of the other provider.
20.5.In addition, no User Data is disclosed between Orderfox and Celeritive Technologies. The respective providers, i.e. Orderfox or Celeritive Technologies, are responsible for processing the User’s Data within the scope of the offers used in each case.
20.6.Users may object to the processing of their Data for the aforementioned purposes, in which case the advantages of the offers may be excluded if the prerequisite for this is the objected data processing (e.g. if Users do not wish to receive a link to a special offer).
20.7.The legal basis for Orderfox’s processing of Users’ Data is their consent pursuant to Art. 6 (1) a., Art. 7 GDPR.
21. Communication via Mail, E-Mail, Fax or Telephone
21.1.We use means of telecommunication such as mail, telephone or e-mail for business transactions and marketing purposes. We process inventory data, address and contact data as well as contract data of customers, participants, interested parties and communication partners.
21.2.The processing is carried out on the basis of Art. 6 (1) a., Art. 7 GDPR, Art. 6 (1) f. GDPR in conjunction with legal requirements for advertising communications. Contact is only established with the consent of the contact partners or within the scope of legal permissions and the processed data is deleted as soon as it is not required and otherwise with objection/ revocation or discontinuation of the authorization basis or legal archiving obligations.
22. Online-Profiles in Social Media
22.1.We maintain online presences within social networks and platforms in order to communicate with the customers, interested parties and Users who are active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective providers apply.
23. Collection of access data (logfiles)
23.1.For the purposes of our legitimate interests, we collect data every time the server on which the service is located is accessed. This data is collected in the form of server log files. These access logs include the name of the webpage and/or file accessed by the User, the date and time of access, the amount of data transferred, notification of successful retrieval, details of the web browser used (including the version), the User’s operating system, the referrer URL (of the previous page linking to our website), the IP address and the requesting provider.
23.2.Log file information is retained for security reasons (e.g. to detect improper use or fraud) for a maximum of seven days before being deleted. Data that is to be retained as evidence shall be excluded from deletion until the relevant case has been finalized.
24. Google Analytics
24.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
24.3.Google will use this information on our behalf for the purpose of evaluating use of our Websites by the User, compiling reports on activity on the Websites, and providing us with other services relating to the use of the Websites and use of the Internet. This process may involve creating pseudonymized usage profiles of Users from the processed data.
24.4.We use Google Analytics to display the ads placed by Google and its partners within advertising services, only to those Users who have shown an interest in our online offers or who have particular characteristics (e. g. interests in certain topics or products determined by the websites visited) that we transmit to Google (so-called Remarketing or Google Analytics audiences). With the help of remarketing audiences, we would also like to ensure that our advertisements are in line with the potential interest of the Users and do not have a nuisance effect.
24.5.We only use Google Analytics with IP anonymization enabled. That means Google truncates the User’s IP address within Member States of the European Union and in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.
24.6.The IP address transmitted by the User’s browser is not associated with any other data held by Google. Users can prevent cookies from being installed on their computer by adjusting their browser settings accordingly. Users can also prevent Google from collecting data generated by cookies concerning their use of the Websites and can prevent Google from processing this data by downloading and installing a browser plug-in from the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
24.7.Further information on Google’s use of data, your settings options and your opt-out options can be found on Google’s websites: https://policies.google.com/technologies/partner-sites (‘How Google uses information from sites or apps that use our services’), https://policies.google.com/technologies/ads (‘Data use for advertising purposes’), https://adssettings.google.com/authenticated (‘Manage the information used by Google to display advertising to you’).
24.8.Personal data will be made anonymous or deleted after a period of 14 months.
25. Google Conversion und Advertising Display Services
25.1.We use the Google’s conversion und advertising Display, marketing and remarketing services (hereinafter referred to as “Google Marketing Services”) provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (“Google”).
25.2.If we ask the Users for their consent (in particular within the context of a so-called „cookie banner“), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
25.3.Google Marketing Services enable us to display ads for and on our website in a more targeted fashion, helping us to only show ads to Users that are potentially of interest to them. The method we use, known as remarketing, involves, for example, showing Users ads for products in which they have already shown an interest on other websites. For this purpose, our Websites – and other websites on which Google Marketing Services are active – contain a snippet of code, which is executed directly by Google. This integrates what are known as (re)marketing tags in the website (invisible image files or code, also known as web beacons). With the help of these tags, an individual cookie, i.e. a small file, is saved on the User’s device (comparable technologies may also be used instead). These cookies may be set from a few different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com and googleadservices.com. This file notes which sites the User visits, which content interests the User, and which offers he or she clicked, as well as technical information on the browser and operating system, referring websites, visit duration and other data on the use of the Websites. The User’s IP address is also recorded, though we wish to make it clear that, within the context of Google Analytics, the IP address is truncated within European Union Member States and in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to the US-based Google server and truncated there. The IP address is not merged with User data within other Google offerings or services. The information referred to above may also be linked to comparable information from other sources. If the User subsequently visits other websites, they may be presented with ads tailored to them according to their interests.
25.4.User data is processed in a pseudonymized manner within the context of Google Marketing Services, i.e. Google does not store and process details such as the name or email address of the User, but instead processes the relevant data within pseudonymized usage profiles based on cookies. This means that, from Google’s perspective, the ads are not managed for and displayed to a named or otherwise identifiable person, but rather for and to the cookie holder, regardless of who this cookie holder is. That is not, however, the case if a User has expressly granted Google permission to process their data in a non-pseudonymized manner. Information collected on Users by Google Marketing Services is transmitted to Google and stored on Google’s servers in the USA.
25.5.One of the Google marketing services we use is the online advertising service Google AdWords. In the case of Google AdWords, each AdWords client receives a different ‘conversion cookie’. Thus, cookies cannot be tracked across the websites of AdWords clients. The information collected by the conversion cookies is used to provide aggregate conversion statistics for AdWords clients who have opted in to conversion tracking. AdWords clients are informed of the total number of users who clicked on the ad and were forwarded to a conversion tracking tag page. However, they do not receive any information that would enable them to identify users personally.
25.7.We use Google Optimize a service that allows us to track the effects of various changes to a website (e. g. changes in input fields, design, etc.) within the framework of so-called ‘A/B tests’.
25.9.The data may be processed by Google for up to two years before it is anonymised or deleted.
25.10.Further information on Google’s use of data for marketing purposes can be found on the overview page: https://policies.google.com/technologies/ads Google’s data protection declaration can be accessed at https://policies.google.com/privacy. If you wish to object to interest-based advertising by Google marketing services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.
26. Facebook Social Plugins
26.1.Our Online Service makes use of the Social Plugins (“Plugins”) of the social network facebook.com, which is run by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The Plugins can be identified on the basis of one of the Facebook logos (white ‘f’ on a blue tile, the terms ‘Like’ or a thumbs-up symbol) or feature the phrase ‘Facebook Social Plugin’. A list of and the appearance of Facebook Social Plugins can be found here: https://developers.facebook.com/docs/plugins/.
26.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
26.3.When a User accesses a function of this Online Service containing such a Plugin, their device establishes a direct link with Facebook’s servers. The Plugin contents are sent directly to the User’s device by Facebook and are incorporated into the Online Service by the device. Usage profiles can be generated in relation to the Users on the basis of the data processed. We therefore have no control over the volume of Data collected by Facebook with the aid of this Plugin and therefore notify the Users on the basis of what we know.
26.4.When the Plugins are incorporated, Facebook is notified when a User views the corresponding page of the Online Service. If the User is logged in to Facebook, Facebook can assign this visit to their Facebook account. If Users interact with the Plugins, for example by clicking on the ‘Like’ button or adding a comment, the relevant information is sent directly to Facebook by their device and logged by Facebook. If the User is not a member of Facebook, Facebook is nonetheless able to determine and log their IP address. According to Facebook, only anonymised IP addresses are logged in Germany.
26.5.Users can learn about the purpose and extent of Facebook’s data collection and its further processing and use, and about the corresponding rights and settings for the protection of their privacy in Facebook’s data privacy notice: https://www.facebook.com/about/privacy/.
26.6.If a User is a Facebook member and does not wish Facebook to collect information on them via this Online Service or combine such information with their Facebook membership details, they must log out of Facebook prior to using our Online Service and must delete their cookies. Other settings can be selected and consents to the use of data for advertising purposes revoked within the Facebook profile settings at https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices such as desktop computers and mobile devices.
27. Facebook remarketing, Facebook-Pixel and Custom Audiences
27.1.Our Online Service uses the so-called Facebook Pixel belonging to the social network Facebook, which is run by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are resident in the EU, by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). The Facebook Pixel enables Facebook to identify visitors to our Online Service as the target group for the presentation of so-called Facebook Ads. Accordingly, we use the Facebook Pixel to present the Facebook Ads placed by us only to those Facebook users who have expressed an interest in our Online Service (so called ‘custom audiences’). In other words, with the assistance of the Facebook Pixel, we want to ensure that our Facebook Ads are in keeping with the Users’ possible interests, rather than being seen as a nuisance. Additionally, the Facebook Pixel allows Us to understand the effectiveness of Facebook Ads for statistical and market research purposes by allowing Us to see whether Users were taken to our website upon clicking on a Facebook Ad.
27.2.If we ask the Users for their consent (in particular within the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
27.3.The Facebook Pixel is incorporated by Facebook immediately upon one of our websites being viewed and can store a cookie, i.e. a small file, on your device. If you subsequently log in to Facebook or visit the page when already logged in to Facebook, your visit to our Online Service is recorded within your profile. The data collected on you is anonymous for us and we are therefore unable to draw conclusions concerning the Users’ identities. However, the data is logged and processed by Facebook, and can therefore be linked to the corresponding User Profile. Facebook uses the data in accordance with its data policy. Accordingly, further information regarding how the remarketing pixel works and generally on the presentation of Facebook Ads can be found in Facebook’s data policy: https://www.facebook.com/policy.php.
27.4.On the basis of the consent of the User pursuant to Article 6 (1) 1 a GDPR, we use the procedure ‘Custom Audiences from File’ provided by the social network Facebook, Inc. In this case, the e-mail addresses of consenting Users are uploaded to Facebook. The upload process is encrypted. The upload is used solely to determine the recipients of our Facebook ads. This is to ensure that ads are only displayed to Users who have an interest in our information and services.
27.5.You may revoke your consent and object to the Facebook Pixel collecting data as well as building custom audiences and using these data to present Facebook Ads. You can access the page created by Facebook to do so, at https://www.facebook.com/settings?tab=ads, following the instructions there regarding the settings for use-based advertising, or you can revoke your consent via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices such as desktop computers and mobile devices.
28. Analytic and Optimization Service Hotjar
28.1. We use Hotjar, an analysis software provided by Hotjar Ltd, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta (“Hotjar”). With the help of the information obtained through Hotjar, we can analyse and improve the use of our online services.
28.2. For this purpose alone, data of the Users of our websites will be stored and evaluated. We use Hotjar to analyse our online services only, and not to analyse the individual Users. User data will therefore be pseudonymised and processed within the European Union as well as on the basis of the processing contract offered by Hotjar. User inputs, e.g. in forms or keystrokes, are not processed, i.e. neither stored by Hotjar nor transmitted to Hotjar (unless these inputs are clearly intended for Users for evaluation purposes, e.g. feedback forms).
28.3. For the aforementioned purposes, Hotjar stores and evaluates cookies with a pseudonymous identification number on the User’s devices. The cookies that Hotjar uses have various ‘lifespans’; some last up to 365 days, some only last for the duration of the relevant website visit.
28.4. The processed data of Users shall include in particular:
- devices and metadata: IP address of the terminal (collected and stored in anonymous format), screen resolution, type of terminal (individual terminal identifiers), operating system and browser type, referring URL and domain;
- geographical location (country only);
- Usage data and log data: Date and time when the online service was accessed, preferred language, User interactions, such as mouse events (movements, position and clicks), keyboard entries, web pages accessed and interactions with their content and functions.
- Content data: Inputs within the framework of surveys and feedback forms.
28.5. If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
28.6. Users may prevent Hotjar from collecting the data by using their browser’s ‘do not track’ settings or by clicking on the following link and following its instructions: https://www.hotjar.com/legal/compliance/opt-out.
29. LinkedIn marketing services
29.1. We use the marketing services of the social network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.
29.2. LinkedIn’s marketing services allow us to display advertisements within LinkedIn’s social network and link advertisers’ services in a targeted way or to present advertisements only to users that may potentially be of their interest. If, for example, a user is shown ads for products in which he is interested on other online services, this is referred to as ‘remarketing’. Furthermore, we can track the success of our ads (so-called ‘conversion measurement’). However, we only know the anonymous total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. However, we do not receive information that personally identifies users.
29.3.For the purposes set out above, a LinkedIn code will be implemented when users access our and other websites on which LinkedIn’s marketing services are active and so-called ‘insights tags’ (invisible graphics or code, also referred to as ‘web beacons’) will be incorporated into the websites. With the help of insights tags, an individual cookie, i.e. a small file, will be stored on the user’s device (comparable technologies can also be used instead of cookies). In this file, it is noted which websites the user visits, which contents he is interested in and which offers the user has clicked, further technical information about the browser and operating system, referring websites, visiting time as well as further information about the use of the online service.
29.4.The user’s data will be processed pseudonymously within the scope of LinkedIn’s marketing services. I.e. LinkedIn does not store and process the name or e-mail address of the user, but processes the relevant data in a cookie-related way within pseudonymous user profiles. This means that from LinkedIn’s point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who that cookie owner is. This does not apply if a user has expressly permitted LinkedIn to process the data without this pseudonymisation. If you are registered with LinkedIn, it is still possible for LinkedIn to associate your interaction with our online services with your user account.
29.5.If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6(1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. GDPR.
29.6.The information collected about users is transmitted to LinkedIn and stored on Google’s servers in the United States.
30.1.We use the service provider Outbrain, Outbrain Inc, 39 West 13th Street, 3rd floor, New York, NY 10011, USA for the purpose of personalized advertisements, for example, to post ads on our or other websites that are based on users’ presumed interests. For this purpose, usage data, metadata, IP address (abbreviated) and a pseudonymous Unique User ID (UUID) are processed. The stored personal data will be deleted or anonymized after 13 months. Outbrain assures that it will comply with European and Swiss data protection law and uses so-called standard contractual clauses of the EU Commission for this purpose.
30.2.If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. of the GDPR.
31.1. We use the service provider Taboola, Inc. 16 Madison Square West 7th Floor New York, New York 10010, USA, to integrate content and content recommendations into our or third-party online services on the basis of the presumed interests of users. For this purpose, usage data, metadata, IP address (abbreviated) and a pseudonymous Taboola user ID are processed. Taboola stores user information collected directly for the purpose of ad placement for a maximum of eighteen (18) months after the user’s last interaction with the Taboola Services and anonymizes it by removing personal identifiers or aggregating data. Taboola stores anonymous or aggregated data that cannot identify a person or device and is used for reporting and analysis purposes for as long as is commercially necessary.
31.2.If we ask the Users for their consent (particularly in the context of a so-called ‘cookie banner’), the legal basis for this processing is Art. 6 (1) a. GDPR. Otherwise, the personal data of the User will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of Art. 6 (1) f. of the GDPR.
32. Integration of third-party services and content
32.1.For the purposes of our legitimate interests (i.e. our interest in analysing, optimizing and running our Websites in a commercially viable manner within the meaning of Art. 6 (1) f. of the GDPR), we use third-party content and service delivery services on our Websites in order to incorporate content and services such as videos and fonts, for example (hereinafter jointly referred to as “Content”). The third-party provider of this Content always requires the User’s IP address in order to send the Content to the browser of the respective User. In other words, the IP address is required to display this Content. We endeavour only to use such Content where the respective provider uses the IP address exclusively to deliver said Content. Third-party providers may additionally use ‘pixel tags’ (invisible image files, also known as web beacons) for statistical or marketing purposes. Pixel tags can be used to analyse information such as the number of visitors accessing the pages of this website. The pseudonymized information may additionally be stored on User devices in the form of cookies. This information includes technical information on the browser and operating system, referring websites, time spent on the website, and further details on how Users make use of our Websites, plus it can also be combined with comparable information from other sources.
32.2.The list below provides an overview of third-party providers and their Content as well as links to their privacy policies, which contain further information on data processing and opt-out mechanisms, some of which have already been discussed here:
- External fonts from Typekit. Typekit is a service of the company Adobe. These fonts are incorporated when an Adobe server is accessed (in the USA). More information can be found in Typekit’s data privacy notice here: http://www.adobe.com/privacy/typekit.html.
33. Cloud Services
33.1.We use Internet-accessible software services (so-called ‘cloud services’, also referred to as ‘software as a service’) provided on the servers of its providers for the following purposes: document storage and administration, calendar management, e-mail delivery, spreadsheets and presentations, exchange of documents, content and information with specific recipients or publication of websites, forms or other content and information, as well as chats and participation in audio and video conferences.
33.3.If we use cloud services to provide documents and content to other Users or publicly accessible websites, forms, etc., providers may store cookies on Users’ devices for web analysis or to remember User settings (e.g. in the case of media control).
33.4.The following data types can be processed as part of cloud services: Inventory data (e.g., customer master data, such as names, addresses), Payment Data (e.g., bank details, invoices, payment history), Contact data (e.g., e-mail, telephone numbers), Content data (e.g., text input, photographs, videos), Contract data (e.g., contract object, duration, customer category), Usage data (e.g., websites visited, interest in content, access times), Meta/communication data (e.g., device information, IP addresses),.
33.5.Information on the providers of cloud services used by us: