Privacy Policy
DSGVO — GDPR


Introduction

With the following data protection statement, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. The data protection statement applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and in the context of our external online presence, such as our profiles on social networks (hereinafter jointly referred to as "Online Offering").

The terms used are not gender-specific.

Status: November 1, 2024.


Contents

  • Introduction

  • Responsible Person

  • Overview of Processing Operations

  • Relevant Legal Basis

  • Security Measures

  • Transmission of Personal Data

  • Data Processing in Third Countries

  • Data Deletion

  • Use of Cookies

  • Providing the Online Offering and Web Hosting

  • Managing Contacts and Requests

  • Web Analysis, Monitoring, and Optimization

  • Plugins and Embedded Features and Content

  • Changes and Updates to the Privacy Policy

  • Rights of Data Subjects

  • Definitions


Responsible Person

Reboot Legal, lawyer Dr. Veronika Denninger LL.M.
Invalidenstraße 7,
10115 Berlin, Germany

Phone: +49 15566 085652

Email: office@rebootlegal.de or datenschutz@rebootlegal.de


Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing, and also refers to the data subjects.


Types of Processed Data

  • Location data.

  • Contact data.

  • Content data.

  • Usage data.

  • Meta/communication data.


Categories of Affected Individuals

  • Communication partners.

  • Users.


Purposes of Processing

  • Providing contractual services and customer service.

  • Contact requests and communication.

  • Security measures.

  • Measurement of reach.

  • Tracking.

  • Managing and responding to requests.

  • Feedback.

  • Profiles with user-related information.

  • Providing our online services and user experience.

  • Information technology infrastructure.


Relevant Legal Basis

Below you will find an overview of the legal bases under the GDPR, on the basis of which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your place of residence or our country. If more specific legal bases are applicable in individual cases, we will inform you of this in the data protection statement.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes.

  • Performance of the contract and pre-contractual inquiries (Art. 6 para. 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.

  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection rules of the General Data Protection Regulation, national data protection regulations are applied in Germany. These include, in particular, the Federal Data Protection Act (BDSG). In particular, the BDSG contains specific provisions on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes and transfer, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates the processing of data for data protection purposes in employment relationships (§ 26 BDSG), in particular with regard to the establishment, exercise or termination of employment relationships, as well as employee consent. Additionally, data protection laws of individual federal states may apply.


Security Measures

We take appropriate technical and organizational measures in accordance with the law, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the level of threat to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

Measures include, among other things, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, availability of, and separation of the data. We have also implemented procedures that ensure the exercise of data subjects' rights, data deletion, and responses to data breaches. In addition, we already consider data protection when designing or selecting hardware, software, and procedures in accordance with the principle of data protection by design and by default.

TLS encryption (https): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.


Transmission of Personal Data

As part of our processing of personal data, it may happen that data is transmitted to other bodies, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include, for example, service providers entrusted with tasks in the IT sector or service and content providers integrated into the website. In such cases, we comply with legal requirements and, in particular, conclude relevant contracts or agreements that serve to protect your data with the recipients of your data.


Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies, or companies, this will only occur in accordance with legal requirements.

Subject to explicit consent or a contractually or legally required transfer, we process or allow the processing of data in third countries only if there is an adequate level of data protection, a contractual obligation through the so-called standard contractual clauses of the EU Commission, or where certifications or binding internal data protection rules are in place (Art. 44-49 GDPR, informational page of the EU Commission: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).


Data Deletion

Data processed by us will be deleted in accordance with the legal requirements as soon as the consents for their processing are revoked or other permissions cease to apply (e.g., if the purpose of processing these data no longer exists or is no longer necessary). If data are not deleted because they are necessary for other legally permitted purposes, their processing is restricted to these purposes. This means that the data are blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or whose retention is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

Within our data protection notices, we may provide users with additional information regarding deletion as well as the periods for data retention that specifically apply to the relevant processing operations.


Use of Cookies

Cookies are small text files or other notes in memory that store information on end devices and read information from end devices. For example, they are used to retain user login status, shopping cart contents in online stores, viewed content, or features used in the online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and usability of online offerings, as well as for carrying out analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain the prior consent of users, except where this is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary for providing a telemedia service (i.e., our online offering), explicitly requested by the user. The revocable consent is clearly communicated to users and contains information about the corresponding use of cookies.

Notes on legal bases of data protection: The legal basis for data protection on which we process users' personal data using cookies depends on whether we request users' consent. If users give consent, the legal basis for processing their data is their declared consent. Otherwise, data processed using cookies are processed on the basis of our legitimate interests (e.g., in the business operation of our online offering and improving its usability) or, if done in the context of fulfilling our contractual obligations, if the use of cookies is necessary for the fulfillment of our contractual obligations. The purposes for which cookies are processed by us are explained here in this privacy policy or within our consent and processing management procedures.

Retention period: The following types of cookies are distinguished regarding the retention period:

  • Session cookies (also: temporary cookies): Session cookies are deleted at the latest after the user has left the online offering and closed their end device (e.g., browser or mobile application).

  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status may be retained or preferred content may be displayed directly when the user revisits the website. Additionally, user data collected through cookies may be used to measure reach. If we do not provide users with explicit information regarding the type and retention period of the cookies (e.g., when obtaining consent), users should assume that cookies are permanent and may be stored for up to two years.

General information on revocation and objection (refusal): Users can withdraw their consent at any time and also object to the processing in accordance with the legal requirements of Art. 21 GDPR. Users may also express their objection through their browser settings, for example, by disabling the use of cookies (though this may also limit the functionality of our online services).

Objections to the use of cookies for online marketing purposes may also be expressed through the websites https://optout.aboutads.info and https://www.youronlinechoices.com.

  • Types of processed data: metadata/communication data (e.g., device information, IP addresses).

  • Data subjects: Users (e.g., visitors to the website, users of online services).

  • Purposes of processing: Providing our online offering and usability.

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Processing of cookie data based on consent: We use a consent management procedure for the use of cookies, within which users' consent for the use of cookies or for the processing and providers mentioned in the consent management procedure can be obtained and managed, and may also be revoked by users. The consent statement is stored, so that it does not need to be requested again and to provide evidence of consent in accordance with the legal obligation. Storage may occur on


Providing Online Offering and Web Hosting

We process users' data to provide them with our online services. For this purpose, we process the user's IP address, which is necessary for transmitting content and functions of our online services to the browser or device of the user.

  • Types of processed data: usage data (e.g., visited websites, interest in content, access time); meta/communication data (e.g., device information, IP addresses); content data (e.g., records in online forms).

  • Data subjects: Users (e.g., visitors to the website, users of online services).

  • Purposes of processing: providing our online offering and usability; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional information on processing processes, procedures, and services:

  • Providing online offerings on rented storage space: to provide our online offering, we use storage space, computing power, and software that we rent or obtain from the relevant server provider (also referred to as "web hoster"); legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the visited web pages and files, date and time of access, volume of data transferred, notification of successful access, type and version of the browser, operating system of the user, referrer URL (previously visited page) and, generally, IP addresses and requesting provider. Server log files can be used, on the one hand, for security purposes, for example to prevent server overload (especially in the case of malicious attacks, such as DDoS attacks), and, on the other hand, to ensure the servers' capacity utilization and stability; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); data retention: Log file information is stored for a maximum of 30 days and is then deleted or anonymized. Data whose further storage is necessary for proof purposes is excluded from deletion until the final clarification of the relevant incident.

  • WordPress.com: Hosting and software for creating, providing, and operating websites, blogs, and other online offerings; provider: Aut O’Mattic A8C Ireland Ltd, Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://wordpress.com; Privacy policy: https://automattic.com/de/privacy; Data processing agreement: https://wordpress.com/support/data-processing-agreements.


Managing Contacts and Requests

When contacting us (e.g., through the contact form, email, phone, or via social media), as well as within existing user and business relationships, the information of the contacting persons is processed to the extent necessary to respond to requests and fulfill any requested measures.

  • Types of processed data: contact data (e.g., email, phone numbers); content data (e.g., records in online forms); usage data (e.g., visited websites, interest in content, access time); meta/communication data (e.g., device information, IP addresses).

  • Data subjects: Communication partners.

  • Purposes of processing: processing contact requests and communication; managing and responding to requests; feedback (e.g., collecting feedback through an online form); providing our online offering and usability.

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); performance of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Additional information on processing processes, procedures, and services:

  • Contact form: If users contact us through our contact form, email, or other communication channels, we process the data provided to us in this context to process the reported request; Legal basis: Performance of the contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).


Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offering and may include information about the behavior, interests, or demographic data of visitors such as age or gender, in pseudonymized form. With the help of reach analysis, we can, for example, recognize when our online offering or its functions or content are most frequently used or invite repeat usage. We can also understand which areas need optimization.

In addition to web analysis, we may also use testing procedures, for example, to test and optimize different versions of our online offer or its components.

Unless otherwise indicated, profiles may be created for these purposes, i.e., data summarized for the usage process and information may be stored in the browser or on the end device and read from it. The collected information includes, among other things, visited websites and elements used there, as well as technical information such as the browser used, the computer system used, and information about the time of use. If users have consented to the collection of data regarding their location by us or by providers of services we use, location data may also be processed.

The IP addresses of users are also stored. However, we use the IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. As a rule, in the context of web analysis, A/B testing, and optimization, clear personal user data (e.g., email addresses or names) are not stored, only pseudonyms. This means that neither we nor the providers of the software used know the real identity of the users but only the information stored in their profiles for the purposes of the respective procedures.

  • Types of processed data: usage data (e.g., visited websites, interest in content, access time); meta/communication data (e.g., device information, IP addresses).

  • Data subjects: Users (e.g., visitors to the website, users of online services).

  • Purposes of processing: measuring reach (e.g., access statistics, recognition of returning visitors); profiling with user-related information (creating user profiles); tracking (e.g., profiling based on interests/behaviors, use of cookies); providing our online offering and usability.

  • Security measures: masking IP (pseudonymization of the IP address).

  • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Additional information on processing processes, procedures, and services:


Plugins and Embedded Features and Content

We integrate functional elements and content elements into our online offering that we obtain from the servers of relevant providers (hereinafter referred to as "third-party providers"). This may include, for example, graphics, videos, or maps (hereinafter collectively referred to as "content").

Integration always requires that third-party providers of this content process the user's IP address, as without the IP address they would not be able to send the content to their browser. Thus, the IP address is necessary for displaying this content or functions. We strive to use only that content whose relevant providers use the IP address exclusively for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. With the help of "pixel tags," information can be analyzed, such as page visits on this website. Pseudonymized information may also be stored in cookies on the user's device and may contain, among others, technical information about the browser and operating system, referring websites, time of visit, and other usage information of our online offering, and may also be linked to such information from other sources.

  • Types of processed data: usage data (e.g., visited web pages, interest in content, access time); meta/communication data (e.g., device information, IP addresses); location data (information about the geographical position of the device or person).

  • Data subjects: Users (e.g., visitors to the website, users of online services).

  • Purposes of processing: providing our online offering and usability; providing contractual services and customer service.

  • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Additional information on processing processes, procedures, and services:

  • Google Fonts (provided on our server): Providing font files for a convenient representation of our online offering; provider: Google Fonts are hosted on our server, data is not transmitted to Google; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

  • Google Maps: We integrate maps from the "Google Maps" service provider Google. Processed data may include, in particular, IP addresses and data about the location of users; provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mapsplatform.google.com; Privacy policy: https://policies.google.com/privacy.

  • Google Maps API and SDK: Interfaces to Google's mapping and location services that allow, for example, adding address entries, determining locations, calculating distances, or providing additional information about locations and other places; provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://mapsplatform.google.com; Privacy policy: https://policies.google.com/privacy.

  • Typekit Fonts from Adobe: We integrate fonts ("Typekit fonts") from the provider Adobe, with user data used solely for displaying fonts in users' browsers. Integration is based on our legitimate interests in the technically safe, maintenance-free, and efficient use of fonts, their uniform display, and consideration of possible licensing restrictions for their integration; provider: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.adobe.com; Privacy policy: https://www.adobe.com/de/privacy.html.


Changes and Updates to the Privacy Statement

We ask that you regularly inform yourself about the content of our data protection statement. We adapt the data protection statement as soon as changes in our data processing make this necessary. We will inform you as soon as changes require action on your part (e.g., consent) or another individual notice.

If we provide addresses and contact information of companies and organizations in this data protection statement, please note that addresses may change over time, and check the information before contacting us.


Rights of Data Subjects

As a data subject, you have various rights under the GDPR, which result, among other things, from Articles 15-21 GDPR:

  • Right to Object: you have the right to object at any time on grounds relating to your particular situation to the processing of personal data concerning you, which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purposes of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.

  • Right to Withdraw Consent: You have the right to withdraw any given consent at any time.

  • Right to Information: You have the right to request confirmation as to whether personal data concerning you is being processed, as well as information about such data and additional information, and a copy of the data in accordance with the legal requirements.

  • Right to Rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you, in accordance with the law.

  • Right to Deletion and Restriction of Processing: You have the right to request immediate deletion of personal data concerning you or, alternatively, to request restriction of the processing of personal data concerning you in accordance with the law.

  • Right to Data Portability: You have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transfer to another controller, in accordance with the law.

  • Complaint to a Supervisory Authority: Subject to the law and without prejudice to any other administrative or judicial remedies, you also have the right to lodge a complaint with a supervisory authority responsible for data protection, in particular with the supervisory authority in the member state of the EU where you have your habitual residence, the supervisory authority at your workplace, or the supervisory authority at the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.


Definitions

This section provides you with an overview of the terms used in this privacy policy. Many terms are taken from the law and defined primarily in Art. 4 GDPR. Legal definitions are mandatory. The following explanations, on the other hand, are primarily intended to help you understand them. Terms are sorted alphabetically.

  • Personal Data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

  • User-Related Information Profiles: The processing of "user-related information profiles," or briefly "profiles," includes any type of automated processing of personal data that involves the use of such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may involve various information regarding demographics, behavior, and interests, such as interactions with websites and their content, etc.) (e.g., interests in specific content or products, click behavior on the website, or location). Cookies and web beacons are often used for profiling purposes.

  • Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to the online offering and may include visitors' behavior or their interest in specific information, such as website content. With the help of reach analysis, website owners can, for example, see when visitors visit their website and what content they are interested in. This allows them, for example, to better tailor the content of the website to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis purposes to recognize returning visitors and thus achieve a more accurate analysis of the use of the online offering.

  • Location Data: Location data is generated when a mobile device (or another device with technical requirements for location determination) connects to a radio cell, WLAN, or similar technical means and functions to determine location. Location data is used to indicate the geographically definable position on the earth where the respective device is located. For example, location data may be used to display mapping functions or other location-dependent information.

  • Tracking: We speak of "tracking" when users' behavior can be traced across multiple online offerings. Generally, information about behavior and interests is stored in cookies or on tracking technology providers' servers concerning the online offerings used (so-called profiling). This information can then be used, for example, to deliver advertising to users that is likely to match their interests.

  • Controller: "Controller" means a natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data, alone or jointly with others.

  • Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, be it collection, analysis, storage, transmission, or deletion.

We’re always happy to welcome new members into our team. Send your CV to

karriere@rebootlegal.de

Reboot Legal © 2024
