Privacy Policy

Scope
This Privacy Policy applies to all pages of https://hiamo.com/. It does not apply to any linked websites or online presences of other providers.


Data Controller
The entity responsible for the processing of personal data within the scope of this Privacy Policy is:
Hiamo Management GmbH
Hopfenstr. 23
20359 Hamburg
Email: hello@hiamo.com


Questions About Data Protection
If you have any questions regarding data protection in relation to our company or our website, please contact us using the contact information provided in the “Data Controller” section.


Security 
We have implemented comprehensive technical and organizational measures to protect your personal data from unauthorized access, misuse, loss, and other external threats. To this end, we regularly review our security measures and update them to reflect the latest technological advancements.


Your Rights
You have the following rights regarding your personal data, which you may exercise by contacting us:

  • Right of access: You have the right to request information about the personal data we process regarding you, in accordance with Article 15 of the GDPR. 
  • Right to rectification: If the information concerning you is no longer accurate, you may request that it be corrected in accordance with Article 16 of the GDPR. If your data is incomplete, you may request that it be completed.
  • Right to erasure: You may request the erasure of your personal data in accordance with Article 17 of the GDPR.
  • Right to restriction of processing: In accordance with Article 18 of the GDPR, you have the right to request that the processing of your personal data be restricted. 
  • Right to object to processing: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out pursuant to Article 6(1)(e) or (f) of the GDPR, in accordance with Article 21(1) of the GDPR. In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms. Further processing may also take place if the processing serves to assert, exercise, or defend legal claims (Article 21(1) of the GDPR). Furthermore, pursuant to Article 21(2) of the GDPR, you have the right to object at any time to the processing of your personal data for the purposes of direct marketing; this also applies to any profiling to the extent that it is related to such direct marketing. We draw your attention to the right to object in this privacy policy in connection with the respective processing.
  • Right to withdraw your consent: If you have given your consent to the processing of your personal data, you have the right to withdraw that consent under Article 7(3) of the GDPR. 
  • Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format (“data portability”), as well as the right to have this data transmitted to another controller if the conditions of Article 20(1)(a) and (b) of the GDPR are met (Article 20 of the GDPR).

You may exercise your rights by contacting us using the contact information provided in the “Data Controller” section.

If you believe that the processing of your personal data violates data protection law, you also have the right under Article 77 of the GDPR to lodge a complaint with a data protection supervisory authority of your choice. This includes the data protection supervisory authority responsible for the controller: 


The Hamburg Commissioner for Data Protection and Freedom of Information, Ludwig-Erhard-Str. 22, 20459 Hamburg, Phone: 040/428 54-40 40, Email: mailbox@datenschutz.hamburg.de, https://www.datenschutz-hamburg.de. 


Visiting Our Website
When you visit our website, your browser sends information to the server to establish a connection and display the content securely, quickly, reliably, and in the correct format on your device.
The following data may be processed in this process:

  • Browser type/browser version,
  • operating system used,
  • Browser language and version,
  • Date and time of access,
  • IP address,
  • Content of the request (specific webpage),
  • Access status/HTTP status code,
  • Referrer URL (the previously visited website),
  • A message indicating whether the call was successful and
  • Amount of data transferred
  • Time zone difference from GMT.

This data is also stored to ensure the proper functioning of the website and the security of our IT systems.
The legal basis for processing is Article 6(1)(f) of the GDPR. Our legitimate interests lie in ensuring the proper functioning of the website as well as its integrity and security. Storing access data, particularly the IP address, enables us to detect and prevent misuse. This includes, for example, defending against requests that overload the service or potential bot activity. The access data is deleted as soon as it is no longer necessary to achieve the purpose of its processing. In the case of data collected for the provision of the website, this occurs when you end your visit to the website. The log data is deleted after two months at the latest.
You may object to the processing. Your right to object applies for reasons arising from your particular situation. You may submit your objection to us using the contact details provided in the “Controller” section.


Device Information
In addition to the aforementioned access data, technologies are used when you use the website that store information on your device (e.g., desktop PC, laptop, tablet, and smartphone) or access information already stored on your device. These technologies may include, for example, so-called cookies, pixels, LocalStorage, SessionStorage, IndexedDB, or browser fingerprinting technologies. These technologies can be used to recognize you across devices and websites. 
Pursuant to Section 25(1) of the TDDDG, we generally require your consent to use these technologies. According to Section 25(2) of the TDDDG, such consent is not required only if the technologies either enable the transmission of a message via a public telecommunications network or if they are strictly necessary to provide a telemedia service that you have expressly requested.

Technically Necessary Device Information
Some elements of our website serve the sole purpose of transmitting a message (Section 25(2)(1) TDDDG) or are strictly necessary to provide you with our website or individual features of our website (Section 25(2)(2) TDDDG):

  • Language settings,
  • Shopping cart,
  • Cache entries in online forms,
  • Login information,
  • Accessibility settings.

The data is deleted once it is no longer needed. You can prevent this processing by adjusting the settings in your browser. For data that is not limited to the duration of the session, you can delete it in your browser settings after your session ends.
 

Device information that is not technically necessary

We also use elements on the website that are not technically necessary. In accordance with legal requirements, we use these technologies only with your consent. You can find information about the individual technologies and features in our “Advanced Settings” within the consent management platform (“cookie banner”), as well as organized by individual features in the information below.


Consent Management Platform

We use a consent tool on our website to request your consent for the processing of your device information and personal data via cookies or other tracking technologies. This allows you to consent to or refuse the processing of your device information and personal data via cookies or other tracking technologies for the purposes listed. Such processing purposes may include, for example, the integration of external elements, statistical analysis, audience measurement, or personalized advertising.
You may grant or deny your consent for all processing purposes, or grant or deny your consent for specific purposes or specific third-party providers.
You may also change the settings you have selected at a later time. The purpose of integrating the consent management platform is to allow users of our website to decide whether to enable cookies and similar functionalities and to offer them the option to change settings they have already made while continuing to use our website.
In the course of using the consent management platform, we process personal data as well as information about the devices used. The information regarding the settings you have made is also stored on your device
. The legal basis for the processing is Art. 6(1)(c) GDPR in conjunction with Art. 7(1) GDPR, insofar as the processing serves to fulfill the legally mandated obligations to provide evidence of consent. In all other cases, Article 6(1)(f) of the GDPR is the applicable legal basis. Our legitimate interests in the processing lie in the storage of user settings and preferences regarding the use of cookies and the evaluation of consent rates
. Consent will be requested again twelve months after the user settings have been made. The user settings you have configured will be stored until they are no longer necessary for the purposes for which they were collected, unless you delete the information about your user settings yourself beforehand using the device storage provided for this purpose.

You may object to the processing of your data if such processing is based on Article 6(1)(f) of the GDPR. You have the right to object on grounds relating to your particular situation. You may submit your objection to us using the contact information provided in the “Data Controller” section.

The recipient of the personal data processed in this context is the provider of the consent management platform we use: 

  • Usercentrics A/S (Havnegade 39, 1058 Copenhagen, Denmark) regarding the consent management platform “Cookiebot” 


Contacting Our Company
When you contact our company, e.g., via email, we process the personal data you provide in order to respond to your inquiry. The legal basis for processing is Article 6(1)(f) of the GDPR or Article 6(1)(b) of the GDPR if the contact is aimed at concluding a contract. If the inquiry is aimed at concluding a contract, the provision of your data is required and mandatory. If the data is not provided, the conclusion or performance of the contract and the processing of the inquiry will not be possible. We will delete the data collected in this context once processing is no longer necessary—typically two years after the end of communication—or, where applicable, restrict processing to comply with existing mandatory legal retention obligations.
You may object to the processing if it is based on Article 6(1)(f) of the GDPR. Your right to object applies for reasons arising from your particular situation. You may submit your objection to us using the contact details provided in the “Data Controller” section. 


Processing for Contractual Purposes
We process your personal data if and to the extent that this is necessary for the initiation, establishment, performance, and/or termination of a legal transaction with our company. The legal basis for this is Article 6(1)(b) of the GDPR. The provision of your data is necessary for the conclusion of the contract or its preparation, and you are contractually obligated to provide your data. If you do not provide your data, it is not possible to conclude and/or execute the contract. Once the purpose has been achieved (e.g., contract fulfillment), the personal data will be blocked from further processing or deleted as soon as the purposes associated with the processing have been achieved and there are no statutory retention periods, e.g., Sections 147 AO, 257 HGB, or to the extent that we are authorized to process the data further based on legitimate interests (e.g., retention for the enforcement or defense of legal claims).
In addition, we process the aforementioned data for the establishment, exercise, or defense of legal claims. The legal basis for the processing is Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. In these cases, our legitimate interest lies in asserting or defending claims. 
You may object to the processing. Your right to object applies for reasons arising from your particular situation. You may submit your objection to us using the contact details provided in the “Controller” section. 


Online Booking/Reservation System
If you wish to make a booking via our website, it is necessary and mandatory for the initiation and conclusion of the contract that you provide personal data such as your first and last name, your address, your phone number, and your email address. The mandatory information required for booking and contract processing is marked separately; additional information is provided voluntarily. We process your data for booking processing and, for this purpose, will in particular forward payment data to the payment service provider you have selected or to our house bank. The legal basis for the processing of your contract or booking data is Art. 6(1)(b) GDPR. The provision of your data is necessary and mandatory for the conclusion and/or performance of the contract. If you do not provide your data, it is not possible to conclude and/or perform the contract.
We will delete the data collected in connection with your booking once storage is no longer necessary, or restrict processing if statutory retention obligations apply. Due to mandatory commercial and tax law regulations, we are required to retain your address, payment, and order data for a period of up to ten years. Two years after the contract ends, we will restrict processing and limit it to compliance with existing legal obligations. 

To provide a clear overview of available accommodations and to process your booking or reservation request, we use an external service provider:

  • likeMagic AG (Wallisellenstr. 57, Dübendorf, Zurich CH-8600, Switzerland) with regard to the booking system. The provider is the recipient of the aforementioned data. 

The provider processes your personal data as our data processor pursuant to a data processing agreement in accordance with Article 28 of the GDPR. The provider also processes your data in Switzerland. The European Commission has issued an adequacy decision regarding data transfers to Switzerland. For more information on data protection at likeMagic, please visit https://likemagic.tech/de/privacy-policy.


Customer Account / Guest Login
When booking accommodation, you also have the option to create a customer account on our website to view past bookings, edit your profile information, or enter your personal data more quickly into the booking form for future bookings. Creating a customer account is voluntary and not a requirement for making a booking or completing the digital guest journey. If you decide to create a customer account on our website, you can register using the following information: 

  • First and last name
  • Address
  • Email address and 
  • password of your choice
  • First and last name,
  • Username.

In addition, your IP address and the date and time of registration are processed at the time of registration. 
We use two-factor authentication to create a customer account. After you have submitted the data required for registration, you will receive an email with an activation link. Only after you have activated the link by clicking on it will access to your customer account be created and the registration successfully completed. For subsequent logins, you must enter the login credentials (username and password) you selected during your initial registration. If the link is not confirmed within 24 hours, we will lock the information provided to us and automatically delete it after one month at the latest. Your data will be deleted as soon as it is no longer necessary to achieve the purpose of processing. This applies to the data collected during the registration process if the registration on the website is canceled or modified.
The following functions are available to you in the login area: 

  • Changing your profile information, 
  • View completed bookings, 
  • Manage newsletter subscriptions. 

If you use the website’s login area—for example, to edit your profile information or view past orders—we also process the personal data necessary for entering into or fulfilling a contract, in particular your address information and payment details.
The legal basis for this processing is Article 6(1)(b) of the GDPR. The provision of your data is necessary and mandatory for the conclusion or performance of the contract. If you do not provide your data, you cannot register or use the login area, meaning that the conclusion and/or performance of the contract is not possible.
Your data will be deleted as soon as it is no longer necessary for the purpose of processing. This is the case after the customer account is deleted, unless we are required by law to retain the data. In this case, we restrict the processing. Due to mandatory commercial and tax law regulations, we are required to retain your address, payment, and order data for a period of up to ten years. 

Marketing
Existing Customer Marketing
We reserve the right to use the email address you provided during the booking process in accordance with applicable laws to send you the following content via email during or after the booking, provided you have not already objected to this processing of your email address: 

  • Special offers/limited-time offers, 
  • New offers related to our products and services, such as those related to your stay
  • Inquiries regarding customer feedback / customer satisfaction.

The legal basis for data processing is Article 6(1)(f) of the GDPR. Our legitimate interests in the aforementioned processing lie in improving and optimizing our services, sending direct marketing communications, and ensuring customer satisfaction. We will delete your data when you terminate your use of our services, but no later than three years after the termination of the contract. We use an external email marketing service to send emails. You can find more information about this service provider in the “Marketing Service Providers” section.
Please note that you may object to receiving direct marketing and to processing for the purpose of direct marketing at any time without incurring any costs other than the transmission costs according to the standard rates. You have a general right to object without providing reasons (Art. 21(2) GDPR). To do so, click on the unsubscribe link in the respective email or send us your objection using the contact details provided in the “Controller” section.  


Newsletter
You can subscribe to our email newsletter on the website, through which we will keep you regularly informed about the following topics: 

  • New service offerings for our products and services
  • Special offers/limited-time offers,
  • Invitations to our company's events.

To receive the newsletter, you must provide your name or username and a valid email address. We process this data for the purpose of sending you the newsletter and for as long as you remain subscribed to the newsletter. We use an external marketing service provider to send the newsletter. For more information about this provider, please see the “Marketing Service Provider” section.
The legal basis for processing is Art. 6(1)(a) of the GDPR. We process your data until you revoke your consent. 
You may revoke your consent to the processing of your email address for the purpose of receiving the newsletter at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Controller.” This does not affect the lawfulness of the processing carried out on the basis of your consent up until the time of your revocation. 


Double opt-in process
To document your newsletter subscription and prevent misuse of your personal data, registration for our email newsletter is carried out using the so-called double opt-in process. After you enter the data marked as required, we will send you an email to the address you provided, asking you to explicitly confirm your subscription to the newsletter by clicking on a confirmation link. In doing so, we process your IP address, the date and time of your newsletter registration, and the time of your confirmation. This ensures that you truly wish to receive our email newsletter. We are legally required to document your consent to the processing of your personal data in connection with your newsletter subscription (Art. 7(1) GDPR). Due to this legal obligation, data processing is based on Art. 6(1)(c) GDPR. 

You are not required to provide your personal information during the registration process. However, if you do not provide the necessary personal information, we may not be able to process your subscription, or may not be able to process it in full. If we do not receive confirmation of your newsletter subscription within 24 hours, we will block the information you provided and automatically delete it after one month at the latest. After your confirmation, your data will be processed for as long as you remain subscribed to the newsletter. 


 Newsletter Tracking

We statistically analyze the open, delivery, and unsubscribe rates of our newsletters, as well as the number of clicks on links contained therein and click-through rates, and measure the reach of our newsletters. For this purpose, user behavior on our websites and within the newsletters we send is analyzed using device-specific information (e.g., email client used and software settings). For this analysis, the emails we send contain so-called web beacons or tracking pixels, which are single-pixel image files that are also embedded on our website.
 For the purpose of measuring reach, we track the number of visitors who have accessed our websites by clicking on links and who perform certain actions there, such as redeeming vouchers and booking accommodations.
The legal basis for processing is Art. 6(1)(a) GDPR. We will delete your data when you cancel your newsletter subscription.
You may withdraw your consent at any time, either by sending us a message (see the contact details in the “Controller” section) or by clicking the unsubscribe link directly in the newsletter. This does not affect the lawfulness of the processing carried out on the basis of your consent up until the time of your withdrawal.


Block List
If you unsubscribe by revoking your consent or by exercising your right to object to marketing communications for existing customers, we process your data—in particular your email address—to ensure that you do not receive any further newsletters from us. For this purpose, we add your email address to a so-called “block list,” which ensures that you do not receive any further newsletters from us. The legal basis for data processing is Article 6(1)(c) of the GDPR to fulfill our obligations to provide proof; otherwise, Article 6(1)(f) of the GDPR. Our legitimate interests in this case consist of complying with our legal obligations to reliably cease sending you newsletters.

You have the right to object to the processing of your personal data. This right applies for reasons related to your particular situation. You may submit your objection to us using the contact information provided in the “Data Controller” section.


Marketing Service Providers
 We use the following marketing services to send email advertisements; these are the recipients of your personal data: Sendinblue GmbH (Köpenicker Straße 126, 10179 Berlin) with the service “Brevo”. Further information on data protection: https://www.brevo.com/de/legal/privacypolicy/
. If you have subscribed to receive the newsletter, the data provided during registration as well as the data processed while using our newsletter service will also be processed on the servers of the aforementioned marketing service. This service provider acts as our data processor (Art. 28 GDPR) and is contractually restricted in its authority to use your personal data for purposes other than the provision of services to us in accordance with the concluded data processing agreement.
 

Payment Processing
 We offer various payment methods on our website. After selecting one of the available payment methods, e.g., during the booking process, the payment details you provide (e.g., during the booking process or bank transfer) will be processed along with information about your booking, as well as your first and last name, payment reference, and order/invoice/customer number for the purpose of payment processing. To be able to assign your payment, we process your shipping/billing address, email address, and the payment method selected at
. If data required for payment processing is transmitted, this is done via the secure “SSL” protocol.
For payment processing, we also sometimes use external payment service providers, who are considered recipients of your personal data. Further information on these payment service providers can be found in the section “Integration of Payment Service Providers.”
The legal basis for processing is Art. 6(1)(b) GDPR. The provision of your payment data is necessary and mandatory for the conclusion or performance of the contract. If payment data is not provided, it is not possible to conclude and/or perform the contract using the selected payment method. 
We will delete the data collected in this context once storage is no longer necessary, or restrict processing if statutory retention obligations apply. Due to mandatory commercial and tax law regulations, we are required to retain your address, payment, and order data for a period of up to ten years. 


Payment Services
As part of the payment processing on our website, e.g., when booking accommodation, we enable you to make payments through the following providers, who are then recipients of your personal data and process your data in part under their own responsibility: 

  • Credit card payment: For the purpose of processing your payment, we will share the payment details required for the credit card transaction with the financial institution handling the payment or with the payment and billing service provider we have engaged, which you can select during the booking process (e.g., Mastercard, VISA, etc.). 
  • “PayPal” provided by the service provider (PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, and PayPal Holdings, Inc., 2211 North First Street, 95131 San José, California, USA; hereinafter: “PayPal”). “PayPal” also processes your data in the United States. Standard data protection clauses have been concluded with PayPal Holdings, Inc. to ensure that PayPal Holdings, Inc. maintains an adequate level of data protection. You can view a copy of the Standard Data Protection Clauses at “PayPal” at https://www.paypal.com/de/smarthelp/contact-us/privacy. Further information on data processing by “PayPal” is available here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
  • “Klarna,” provided by Klarna Bank AB (publ) (Sveavägen 46, 11134 Stockholm, Sweden; hereinafter: “Klarna”). For more information on data processing by “Klarna,” please visit https://cdn.klarna.com/1.0/shared/content/legal/terms/de-DE/privacy and https://www.klarna.com/de/agb/.


Hosting
Wir verwenden externe Hosting-Leistungen des Anbieters Detco GmbH (Haferwende 36, 28357 Bremen, Deutschland) die der Zurverfügungstellung der folgenden Leistungen dienen: Infrastruktur- und Plattformdienstleistungen, Rechenkapazität, Speicherressourcen und Datenbankdienste, Sicherheits- sowie technische Wartungsleistungen. Zu diesen Zwecken werden sämtliche Daten – unter anderem die unter dem Punkt „Nutzung unserer Website“ genannten Zugriffsdaten – verarbeitet, die für den Betrieb und die Nutzung unserer Website erforderlich sind. Rechtsgrundlage für die Verarbeitung ist Art. 6 Abs. 1 S. 1 lit. f) DSGVO. Wir verfolgen mit dem Einsatz von Hosting-Leistungen unsere berechtigten Interessen an einer effizienten und sicheren Zurverfügungstellung unseres Webangebots.
Sie können Widerspruch gegen die Verarbeitung einlegen. Ihr Widerspruchsrecht besteht bei Gründen, die sich aus Ihrer besonderen Situation ergeben. Sie können uns Ihren Widerspruch über die im Abschnitt „Verantwortlicher“ genannten Kontaktdaten zukommen lassen.
Einbindung von Inhalten Dritter
Google Maps
Diese Website nutzt den Dienst „Google Maps“ von „Google“ (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Irland und Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA; im Weiteren: „Google“ und „Google Maps“) zum Zwecke der Darstellung von Karten bzw. Kartenausschnitten und ermöglicht Ihnen damit die komfortable Nutzung der Karten-Funktion auf der Website. Durch den Besuch auf der Website
erhält Google die Information, dass Sie die entsprechende Unterseite unserer Website aufgerufen haben. Zudem werden zum Teil die in dem Abschnitt „Nutzung unserer Website“ genannten Daten an Google übermittelt. Dies erfolgt unabhängig davon, ob Google ein Nutzerkonto bereitstellt, über das Sie eingeloggt sind, oder ob kein Nutzerkonto besteht. Wenn Sie bei Google eingeloggt sind, werden Ihre Daten direkt Ihrem Konto zugeordnet. Wenn Sie die Zuordnung mit Ihrem Profil bei Google nicht wünschen, müssen Sie sich vor Aktivierung des Buttons ausloggen. Google speichert Ihre Daten als Nutzungsprofile und verarbeitet sie unabhängig vom Vorhandensein eines Nutzerkontos bei Google für Zwecke der Werbung, Marktforschung und/oder bedarfsgerechten Gestaltung seiner Website. Hinsichtlich der Speicherung von und des Zugriffs auf Informationen in Ihrem Endgerät ist Ihre Einwilligung die Rechtsgrundlage gemäß § 25 Abs. 1 TDDDG; für die weitere Verarbeitung ist ebenfalls Ihre Einwilligung die Rechtsgrundlage gemäß Art. 6 Abs. 1 S. 1 lit. a) DSGVO. Google verarbeitet Ihre personenbezogenen Daten auch in den USA. Für einen Datentransfer in die USA existiert ein Angemessenheitsbeschluss der EU-Kommission. Google, LLC ist im Rahmen dessen zertifiziert. Zusätzlich wurden mit Google, LLC sog. Standardvertragsklauseln abgeschlossen, um Google, LLC auf ein angemessenes Datenschutzniveau zu verpflichten. Eine Kopie der Standardvertragsklauseln erhalten Sie unter https://cloud.google.com/terms/sccs. Weiterführende Informationen zu Zweck und Umfang der Verarbeitung durch den Plug-in-Anbieter und der Speicherdauer bei Google Maps finden Sie unter https://policies.google.com/privacy?hl=de. 

Ein Widerruf Ihrer Einwilligungen in die Verarbeitung ist jederzeit möglich, indem Sie den Regler unter „Erweiterte Einstellungen“ des Consent-Tools für den jeweiligen Drittanbieter zurückschieben. Die Rechtmäßigkeit der Verarbeitung bleibt bis zur Ausübung des Widerrufs unberührt
.Dienste zu Statistik- und Analyse- und Marketingzwecken
 Wir nutzen Dienste von Drittanbietern zu Statistik-, Analyse- und Marketingzwecken. Auf diese Weise ist es uns möglich, Ihnen eine benutzerfreundliche, optimierte Verwendung der Website zu ermöglichen. Die Drittanbieter verwenden zur Steuerung ihrer Dienste Cookies, Pixel, Browser-Fingerprinting oder andere Tracking-Technologien. Wir informieren Sie nachfolgend über die aktuell auf unserer Website eingesetzten Dienste externer Anbieter sowie über die jeweilige Verarbeitung im Einzelfall und über Ihre bestehenden Widerrufsmöglichkeiten
.Google Analytics
4Um unsere Websites optimal auf Nutzerinteressen abstimmen zu können, nutzen wir „Google Analytics 4“, einen Webanalysedienst von „Google“ (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Irland und Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA; im Weiteren: „Google” und „Google Analytics 4“). Google Analytics 4 verwendet sog. Cookies, die zur Wiedererkennung auf Ihrem Endgerät gespeichert werden, sowie ähnliche Tracking-Methoden zur Wiedererkennung von Endgeräten wie Zählpixel, Device Fingerprinting und Programmierschnittstellen (z. B. APIs und SDKs), um Informationen aus Ihrem Endgerät zu verarbeiten. Hierfür wird Ihrem Endgerät eine zufällig generierte Identifikationsnummer (Cookie-ID/Geräte-ID) zugewiesen. Mithilfe dieser Technologien verarbeitet Google die erzeugten Informationen über die Benutzung unserer Websites durch Ihr Endgerät sowie Zugriffsdaten zum Zwecke der statistischen Analyse – z. B. Aufruf einer bestimmten Webseite, Anzahl der eindeutigen Besucher, Einstiegs- und Ausstiegsseiten, Verweildauer, Klick-, Wisch- und Scrollverhalten, Betätigung von Schaltflächen, Anmeldung zum Newsletter, Absprungrate und ähnliche Nutzerinteraktionen. Zu diesem Zweck kann auch ermittelt werden, ob unterschiedliche Endgeräte zu Ihnen oder zu Ihrem Haushalt gehören. Zu den Zugriffsdaten zählen insbesondere die IP-Adresse, Browser- und Geräteinformationen, Cookie-ID/Geräte-ID, die zuvor besuchte Website sowie Datum und Uhrzeit der Serveranfrage. In Systemen von Google Analytics 4 werden keine einzelnen IP-Adressen protokolliert oder gespeichert. Im Moment der Erfassung der IP-Adresse durch Google in speziellen lokalen Rechenzentren in der EU wird Ihre IP-Adresse verwendet, um Standortinformationen zu bestimmen. Anschließend wird die IP-Adresse gelöscht, bevor die Zugriffsdaten in einem Rechenzentrum oder auf einem Server für Google Analytics gespeichert werden. In Google Analytics 4 werden keine genauen Daten zum geografischen Standort bereitgestellt, sondern lediglich allgemeine Standortinformationen wie die Region und Stadt des Standortes des Endgeräts, die aus der IP-Adresse abgeleitet werden. Google wird diese Informationen verarbeiten, um deine Nutzung der Website auszuwerten, uns Berichte über die Website-Aktivitäten zusammenzustellen und – soweit wir gesondert darauf hinweisen – um uns weitere mit der Website-Nutzung verbundene Dienstleistungen zu erbringen. Sofern Sie bei einem Dienst von Google registriert sind, kann Google den Website-Besuch einem Nutzer-Account zuordnen und anwendungsübergreifend Nutzerprofile erstellen und auswerten. Zudem erfolgt eine plattformübergreifende Analyse des Nutzungsverhaltens auf Websites und Apps, die Google Analytics 4 Technologien nutzen. Dadurch kann das Nutzungsverhalten in unterschiedlichen Umgebungen gleichermaßen erfasst, gemessen und verglichen werden. Dabei werden z. B. automatisiert Scroll-Events des Nutzers erfasst, die ein besseres Verständnis für die Nutzung von Websites und Apps ermöglichen sollen. Hierfür werden unterschiedliche Cookie-IDs/Geräte-IDs für verschiedene Endgeräte verwendet. Im Anschluss werden uns anonymisierte und nach ausgewählten Kriterien erstellte Statistiken über die Nutzung der unterschiedlichen Plattformen bereitgestellt. 
Mithilfe des Tools Google Ads können sodann interessenbezogene Werbeanzeigen in Suchergebnissen ausgespielt werden. Ebenso können Nutzern von Websites auf anderen Websites innerhalb des Google-Werbenetzwerks (in der Google-Suche, auf „YouTube“, sog. „Google Anzeigen“ oder auf anderen Websites) wiedererkannt und auf Grundlage der festgelegten Zielgruppenkriterien zugeschnittene Werbeanzeigen präsentiert werden.
Hinsichtlich der Speicherung von und des Zugriffs auf Informationen in Ihrem Endgerät ist Rechtsgrundlage § 25 Abs. 1 TDDDG; für die weitere Verarbeitung ist Rechtsgrundlage Art. 6 Abs. 1 S. 1 lit. a) DSGVO. Google verarbeitet die Daten zum Teil auch in den USA. Für einen Datentransfer in die USA existiert ein Angemessenheitsbeschluss der EU-Kommission. Es wurden zudem mit Google sog. Standardvertragsklauseln abgeschlossen, um Google auf ein angemessenes Datenschutzniveau zu verpflichten. Eine Kopie der Standardvertragsklauseln erhalten Sie unter https://cloud.google.com/terms/sccs. Ihre Daten im Zusammenhang mit Google Analytics 4 werden spätestens nach 24 Monaten gelöscht. Weitere Informationen zum Datenschutz bei Google finden Sie unter: http://www.google.de/intl/de/policies/privacy.
Ein Widerruf ihrer Einwilligungen in die Verarbeitung ist jederzeit möglich, indem Sie die Nutzung von Cookies und ähnlichen Trackingtechnologien in unserem

decline or toggle the relevant switch back in the “Advanced Settings” of the Consent Tool. The lawfulness of the processing remains unaffected until the withdrawal is exercised.


Google Ads Conversions
We use Google Ads from Google (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, and Google, LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter: “Google” and “Google Ads”) to draw attention to our offerings on external websites using advertising tools (formerly known as “Google AdWords”). We can determine the success of individual advertising measures based on the data from the advertising campaigns. These advertising tools are delivered by Google via so-called ad servers. To do this, we use ad server cookies, which allow us to measure certain parameters for reach measurement, such as the display of ads or clicks by users. If you access our websites via a Google ad, Google Ads will store a cookie on your device. Using these cookies, Google processes the information generated by your device regarding interactions with our advertising materials (visiting a specific webpage or clicking on an advertisement), including your IP address, browser information, the previously visited website, and the date and time of the server request, for the purpose of analyzing and visualizing the reach of our advertisements. For this purpose, it may also be determined whether different devices belong to you or your household. Due to the marketing tools used, your browser automatically establishes a direct connection with Google’s server. If you are registered with a Google service, Google can associate the visit with your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider may obtain and process your IP address. We receive only statistical reports from Google for the purpose of measuring the effectiveness of our advertising materials. The legal basis for the storage of and access to information on your device is § 25(1) TDDDG; the legal basis for further processing is Art. 6(1) sentence 1 lit. a) of the GDPR. Google also processes some of the data in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. In addition, so-called standard contractual clauses have been concluded with Google to oblige Google to maintain an adequate level of data protection. You can obtain a copy of the standard contractual clauses at https://cloud.google.com/terms/sccs. The retention period at Google is a maximum of 12 months. Further information on data protection and the retention period at Google can be found at: https://policies.google.com/privacy.

You may revoke your consent to the processing at any time by disabling the use of cookies and similar tracking technologies in our

decline or reset the relevant slider in the "Advanced Settings" of the consent tool. The lawfulness of the processing remains unaffected until the withdrawal is exercised.

Meta Pixel (Custom Audiences)

On our websites, we use the features provided by Meta (the providers are Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, and Meta Platforms Inc., 1601 Willow Rd, Menlo Park, California, USA; hereinafter: “Meta”). For this purpose, we use the so-called Meta Pixel to analyze the use of our websites and online presence, e.g., on social networks such as Facebook and Instagram, the interactions users engage in on our websites and online presence, to display personalized advertisements based on your usage behavior, and to measure the reach of our advertisements.
 With the help of Meta Pixels—which are graphics embedded in our websites that are automatically loaded when you visit our websites and enable tracking of user behavior—your browser automatically establishes a direct connection to Meta’s server. Through the integration of Meta pixels, Meta processes the information generated about your use of our websites via your device—e.g., that you have visited a specific webpage—and processes, in particular, your IP address, browser information, the Meta ID, device ID, language settings, date and time of the server request, and event data such as page views, button clicks, and other interactions for the purpose of analyzing our websites and online presence, analyzing user interactions, displaying user-specific advertisements, and measuring the reach of our advertisements. For these purposes, it may also be determined whether different devices belong to you or your household. If you are registered with a Meta service, Meta may associate the collected information with your account or with you as a user. Even if a user is not registered with Meta or is not logged in, there is a possibility that Meta may obtain and process the IP address and other identifying characteristics.
 We also use Meta’s “Custom Audience via Your Website” feature for ad targeting. Through the Meta Pixel, information about your usage behavior is collected on our website based on your user ID and processed by Meta.
 The information processed in this manner is converted into checksums (“hash values”) using cryptographic methods (“Secure Hashing Algorithm 256” (“SHA 256”)) when transmitted to Meta. This pseudonymized customer information is then automatically matched and evaluated by Meta against available information from Meta accounts after transmission. If this comparison results in a match, target audience segments are created based on this information, which are used for targeted advertising on the social networks Facebook and Instagram. If the comparison does not result in a match, the hash values are deleted. This allows interest-based advertisements (Meta Ads) to be displayed to website users and Meta users who belong to a comparable target group when they visit the social networks Facebook and Instagram, and their interactions with our website to be analyzed.
 With regard to the storage of and access to information on your device, consent serves as the legal basis pursuant to Section 25(1) of the TDDDG; for further processing, consent pursuant to Article 6(1)(a) of the GDPR serves as the legal basis. Meta also processes the data in part in the United States. An adequacy decision by the European Commission exists for data transfers to the United States. Meta is certified under this decision. Additionally, standard data protection clauses have been concluded with Meta to commit Meta to an adequate level of data protection. You can request a copy of the Standard Data Protection Clauses from Meta at https://www.facebook.com/help/contact/341705720996035. The retention period for the information stored in Meta cookies is 90 days. For more information on data protection and retention periods at Meta, please visit: https://www.facebook.com/privacy/explanation and https://www.facebook.com/policies/cookies/.

You may withdraw your consent to the processing of your data at any time by disabling the use of cookies and similar tracking technologies on our

decline or toggle the relevant switch back in the “Advanced Settings” of the Consent Tool. The lawfulness of the processing remains unaffected until the withdrawal is exercised.

When you use Meta Business Tools, your personal data (“Business Tool Data”) is processed by both us and Meta. The processing of personal data described above in connection with the use of Meta Business Tools, as well as the processing of, in particular, hashed contact information and event data—i.e., information generated in connection with the analysis of your interactions with our websites or online presence, is carried out under joint responsibility in accordance with Art. 26 GDPR, whereby responsibility for fulfilling data protection obligations under the GDPR may vary depending on the processing phase. The purposes of the processing are to optimize the respective marketing campaigns and analyses, in particular the matching with Meta user IDs for the targeted display of advertisements, for which we use the Meta Business Tools as a means of implementation.
We have entered into a joint controller agreement with Meta pursuant to Article 26(1)(2) of the GDPR and have determined who fulfills the applicable obligations under the GDPR for each processing phase. You may exercise your rights as data subjects with respect to both us and Meta. We and Meta will promptly inform each other of all rights exercised by data subjects. We will provide each other with all information necessary to respond to the respective requests from data subjects. Regardless of responsibility for the respective processing phase in connection with the use of Meta Business Tools, we provide data subjects with the necessary information pursuant to Articles 13 and 14 of the GDPR within the scope of this privacy notice, as well as information regarding joint controllership pursuant to Article 26(2) of the GDPR upon separate request to the contact information provided by us. In doing so, we and Meta mutually provide each other with all necessary information from our respective areas of responsibility.
The legal basis for the processing is consent pursuant to Section 25(1) TDDDG or, for further processing, Article 6(1)(a) GDPR. Further information on the processing, particularly in the context of joint responsibility with Meta, is available at https://www.facebook.com/legal/terms/businesstools_jointprocessing as well as https://www.facebook.com/legal/terms/businesstools/preview?_rdr and https://www.facebook.com/about/privacy. You can access the agreement concluded with Meta regarding joint controllership in connection with the Meta Business Tools at https://www.facebook.com/legal/controller_addendum.
Copyright by Spirit Legal