COLOSSOS

Privacy Policy

Last updated: April 10, 2026

1. General information

Thank you for your interest in our offering and in ALLEHERZEN GmbH ("ALLEHERZEN"). The protection of your privacy is very important to us.

We process your personal data in accordance with the applicable statutory data-protection requirements for the purposes set out below. Personal data within the meaning of this privacy policy is any information relating to you as an individual. Relevant personal data is in particular your personal information (e.g. name, address, contact details, and date of birth), your billing data (e.g. bank details), information about your financial situation (e.g. credit-score data), and advertising and sales data (i.e. insights from customer-data analysis).

Below we inform you in detail about how we handle your data.

Controller and contact:

The controller responsible for processing your personal data is ALLEHERZEN GmbH, Alwinenstrasse 3, 65189 Wiesbaden, Germany, phone: +49 (0)611 / 16 75 10 9-0

If you have questions or comments regarding data protection at ALLEHERZEN (for example regarding access to and updating of your personal data), you can also contact us at datenschutz@alleherzen.de.

When you access our website or retrieve a file, data about this process is stored in a log file on our web server. Specifically, the following data is stored:

  • IP address
  • the domain name of the website you came from
  • the pages you visited within our offering
  • the names of the files retrieved
  • the date and time of a request
  • the name of your internet service provider
  • where applicable, the operating system and browser version of your PC or device.

2. IP addresses

We store IP addresses for a maximum period of seven days. They are stored to ensure the stability and operational security of our system. In particular, this serves to protect against load peaks from individual IP addresses. We reserve the right to statistically analyze anonymized data sets.

3. Recipients of your personal data

3.1 Third parties and processors

Your personal data is also used by other companies acting on behalf of ALLEHERZEN ("processors") or within business partnerships with ALLEHERZEN ("third parties"). These can also be external companies and partners of ALLEHERZEN. Possible recipients of your data are IT service providers, address service providers, debt-collection companies, network operators, shipping service providers, call centers, marketing and media agencies, market-research institutes, social-media companies, consultants or consulting firms, logistics companies, providers of on-site installation services, providers for billing and payment activities, telephone customer support, companies involved in the use of cookies and tracking pixels, and other service and cooperation partners.

For details, please refer to the detailed descriptions of data processing in this privacy notice.

The processors mentioned in this privacy notice have been commissioned by ALLEHERZEN and bound to ALLEHERZEN's data-protection and data-security standards. As part of this obligation, it has been determined, among other things, that the service providers only receive data that is necessary for the respective task.

3.2 Recipients outside the European Union (EU)

ALLEHERZEN has selected service providers based outside the European Economic Area ("third country") — e.g. IT service providers — to perform certain services. In these cases a third-country transfer takes place. Where legally required to establish an adequate level of protection for your data, ALLEHERZEN applies safeguards in line with statutory requirements to establish an adequate level of data protection, including EU standard contractual clauses. You can request further information at any time and request copies of the relevant model agreements (contact details see section 1).

4. "Cookies" – information that is automatically stored on your device

When you visit one of our websites we may place information in the form of a "cookie" on your computer that we automatically recognize the next time you visit. We use cookies to optimize our website, to develop services further, or for marketing purposes. If you do not want us to recognize your computer, please set your internet browser to delete cookies from your computer's hard drive, block all cookies, or warn you before a cookie is stored. We point out, however, that the use and especially the user experience of the website is restricted without cookies.

For information about cookies from other providers or those set by third parties (see below), there is generally a link via which you can declare your objection. As part of this, the provider sets an opt-out cookie on your computer that prevents further data from being collected. As long as you wish to maintain your objection, you should not delete the opt-out cookie. If you delete this cookie, you will need to opt out again. You can also object to data collection and storage by many other services at any time, with effect for the future, at http://www.youronlinechoices.com/uk/your-ad-choices.

5. Notes on web analytics

To continuously improve and optimize our offering, and to display interest-based personalized advertising, we use the following third-party web-tracking and analytics services:

Google Analytics 4

Subject to your consent, this website uses Google Analytics 4, a web-analytics service of Google LLC. The controller responsible for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google").

Nature and purpose of processing

Google Analytics uses cookies that allow an analysis of your use of our websites. The information generated by the cookies about your use of this website is generally transmitted to a Google server in the USA and stored there.

We use the User-ID feature. With the User-ID we can assign a unique, persistent ID to one or more sessions (and to activities within those sessions) and analyze user behavior across devices.

We use Google Signals. With Google Signals, additional information about users who have enabled personalized ads is recorded in Google Analytics (interests and demographic data) and ads can be served to these users in cross-device remarketing campaigns.

With Google Analytics 4, IP anonymization is enabled by default. Because of IP anonymization, your IP address is shortened by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your website visit, your user behavior is captured as "events". Events can be:

  • Page views
  • First visit to the website
  • Session start
  • Pages visited
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the bottom of the page (90%))
  • Clicks on external links
  • Internal searches
  • Interaction with videos
  • File downloads
  • Ads seen / clicked
  • Language settings

The following is also captured:

  • Your approximate location (region)
  • Date and time of the visit
  • Your IP address (in shortened form)
  • Technical information about your browser and the devices you use (e.g. language settings, screen resolution)
  • Your internet service provider
  • The referrer URL (which website / advertising medium brought you to this website)

Purposes of processing

On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyze the performance of our website and the success of our marketing campaigns.

Recipients

Recipients of the data are / may be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 GDPR)
  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Third-country transfer

For the USA, the European Commission adopted its adequacy decision on July 10, 2023. Google LLC is certified under the EU-U.S. Data Privacy Framework. As Google's servers are globally distributed and a transfer to third countries (e.g. Singapore) cannot be entirely ruled out, we have additionally concluded EU standard contractual clauses with the provider.

Storage duration

The data we send that is linked to cookies is automatically deleted after 14 months. The maximum lifespan of the Google Analytics cookies is 2 years. Deletion of data whose retention period has been reached happens automatically once a month.

Legal basis

The legal basis for this data processing is your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR and § 25 (1) sentence 1 TTDSG.

Withdrawal

You can withdraw your consent at any time with effect for the future by opening the cookie settings and changing your selection there. The lawfulness of any processing carried out on the basis of your consent before its withdrawal remains unaffected.

You can also prevent the storage of cookies upfront by configuring your browser software accordingly. If you configure your browser to reject all cookies, you may experience reduced functionality on this and other websites. In addition, you can prevent the collection by Google of data generated by the cookie and relating to your use of the website (including your IP address) and the processing of this data by Google by

a. not granting your consent for the cookie to be set, or

b. downloading and installing the browser add-on to disable Google Analytics HERE.

For more information on Google Analytics terms of use and on data protection at Google see:

https://marketingplatform.google.com/about/analytics/terms/en/ and https://policies.google.com/.

Google Ads

This website uses the online marketing tool Google Ads ("Google Ads"). Google Ads uses cookies to display ads that are relevant to users, to improve campaign-performance reports, or to prevent a user from seeing the same ads multiple times. Via a cookie ID, Google records which ads are displayed in which browser and can thus prevent them from being shown multiple times. In addition, Google Ads can use cookie IDs to record so-called conversions related to ad queries. This happens, for example, when a user sees a Google Ads ad and later visits the advertiser's website with the same browser and makes a purchase there. According to Google, Google Ads cookies do not contain any personal information.

Due to the marketing tools used, your browser automatically establishes a direct connection with Google's server. Through the integration of Google Ads, Google receives the information that you have called up the relevant part of our website or clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or are not logged in, it is possible that Google will obtain and store your IP address.

You can prevent participation in this tracking procedure in several ways:

a) by adjusting your browser software accordingly — in particular, suppressing third-party cookies means that you will not receive ads from third-party providers;

b) by disabling the cookies for conversion tracking by setting your browser to block cookies from the domain "www.googleadservices.com", https://adssettings.google.com, noting that this setting is deleted when you delete your cookies;

c) by disabling the interest-based ads of providers that are part of the self-regulation campaign "About Ads" via the link

https://www.aboutads.info/choices, noting that this setting is deleted when you delete your cookies;

d) by permanently disabling tracking in your browsers Firefox, Safari, Internet Explorer, Microsoft Edge, or Google Chrome via the link https://www.google.com/settings/ads/plugin. Please note that in this case you may not be able to use all features of this offering to their full extent.

The legal basis for processing your data is a balancing of interests, according to which the processing described above of your personal data for improving online-marketing activities or reducing the multiple display of ads is not outweighed by your overriding interests (Art. 6 (1) sentence 1 lit. f GDPR). For more information on Google Ads see https://ads.google.com/intl/en/home/ and on Google data protection in general: https://www.google.com/intl/en/policies/privacy. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at https://www.networkadvertising.org.

Google Remarketing

This website uses the Remarketing feature of Google. This feature serves to present interest-based ads to website visitors within the Google advertising network. Cookies are used to recognize individual visitors when they access websites that belong to Google's advertising network. On these websites, visitors can then be shown ads that relate to content the visitor previously accessed on websites that use Google's Remarketing feature. According to Google, no personal data is collected in this process. The legal basis for processing your data to improve online-marketing activities or to deliver targeted marketing is a balancing of interests, according to which the processing described above of your personal data is not outweighed by your overriding interests (Art. 6 (1) sentence 1 lit. f GDPR).

If you do not want Google Remarketing, you can disable it by adjusting your settings at https://adssettings.google.com/. Alternatively, you can disable the use of cookies for interest-based advertising via the Network Advertising Initiative by following the instructions at https://optout.networkadvertising.org. Further information on Google Remarketing and Google's privacy policy is available at https://policies.google.com/technologies/ads.

LinkedIn

https://www.linkedin.com/company/alleherzen

The account is operated by ALLEHERZEN GmbH (hereinafter "we"). It is run as a general information medium, in particular on current IT topics and on topics relevant to us, and on our company in general. For the service offered on LinkedIn, we use both the technical platform and the services of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn").

Data processing by LinkedIn

The detailed privacy policy of LinkedIn, in which you are informed about data processing and your rights vis-à-vis LinkedIn, can be found at the following link: https://www.linkedin.com/legal/privacy-policy. We have no influence on the nature, scope, or purposes of the data processing carried out by LinkedIn. Nor do we have any influence on LinkedIn's use or transfer of personal data. There are also no effective control options here.

Data processed by us via LinkedIn

The processing of data on this LinkedIn page is based on an agreement on joint processing of personal data with LinkedIn. LinkedIn and ALLEHERZEN GmbH are therefore joint controllers within the meaning of Art. 26 GDPR.

Service providers used

To operate our corporate presence on LinkedIn we use service providers that take on various tasks for us. We have bound them to data-protection rules through an agreement on data processing on our behalf under Art. 28 GDPR.

Entries on LinkedIn

We only use your personal data when you react to posts of ours (legal basis Art. 6 (1) lit. b GDPR). For example, when you press the "Like" button under one of our posts, your name appears including a link to your profile and the type of "Like" you chose. Your username is therefore displayed. A thumbnail of your profile picture is also displayed.

Your comments, which you can enter via the "Comment" function, also appear on our page, as provided by LinkedIn, including your username and the profile picture you have set. This information is also visible to people who are not "connected" to you on LinkedIn. In addition, these notes may also be visible to visitors of our page who are not logged in to LinkedIn. LinkedIn is not a platform on which to send us confidential information, especially not about your health or similar matters. You should treat entries and comments on our page like any other public post.

Contacting us

If you contact us via our electronic contact options (e.g. by email), we store your message. The data you provide about yourself is used to handle your request and to communicate with you (legal basis Art. 6 (1) lit. b GDPR).

Technical data collection by LinkedIn: LinkedIn also provides operators of company pages, including us, with anonymized statistics on an unsolicited basis. This concerns anonymized data such as:

  • Page activities
  • Page views
  • Number of subscribers
  • "Like" counts
  • Reach
  • Interactions such as clicks on certain information, elements, or links.

A reference to you as an individual is not possible for us from this. We use the statistical data provided to us, based on our interest in improving our social-media presence and websites and their design, and in maintaining security and cooperating with authorities in case of violations (legal basis is Art. 6 (1) lit. c and f GDPR).

Advertising on LinkedIn

We place advertising on LinkedIn and use statistical data we receive from LinkedIn to determine an audience-appropriate delivery. A reference to you as an individual does not arise from this for us. LinkedIn provides information about which settings you can make for ad displays on LinkedIn and other pages, insofar as these are controlled by LinkedIn (https://www.linkedin.com/psettings/advertising-data).

6. General information about usage-based online advertising

Usage-based online advertising, also called targeting, allows advertising companies to identify the user when delivering ads and to assign them to a target group. With the help of this information it is possible to show users more relevant ads. Usage-based advertising takes place in three steps: data collection via so-called tracking pixels, storage and processing of the log-file information, and the eventual use of this information for re-targeting or look-alike retargeting. We explain these steps in more detail below.

For information on your rights under the GDPR, see section "11. Your rights" below.

6.1 Use of tracking pixels on the page

Tracking pixels are small graphics on websites that enable log-file recording and log-file analysis, which is used for statistical evaluation. When a website is visited, the tracking pixels write information into the cookie file in the user's browser.

6.2 Storing log-file information in the cookie file

To record your user behavior, a cookie is stored on your device when you visit our page. Cookies are small text files that are placed on your computer's hard drive and that allow a website to recognize your browser, but do not allow personal identification of you. Information about your activities on the websites you visit is captured (e.g. browsing behavior, sub-pages of the online offering visited, ad banners clicked, etc.). All usage data is stored using a pseudonym, so that a conclusion about you as an individual and thus a personal identification is excluded.

6.3 Use of cookie information for retargeting and look-alike retargeting

The cookie containing the relevant information allows the anonymous recognition of the user's browser and a corresponding re-engagement on external websites, so-called retargeting.

In addition, statistical twins of the original cookie profiles are identified and addressed on the basis of the aggregated cookie information. This is called look-alike retargeting.

The usage profiles enabled by this so-called retargeting technology are created in accordance with statutory provisions in such a way that a conclusion about you as an individual and thus a personal identification is not readily possible. For more on usage-based advertising, see http://www.youronlinechoices.com/uk/your-ad-choices.

7. Newsletter

Below we inform you about the contents of our newsletter as well as about the registration, dispatch, and statistical evaluation procedure, and about your right to object. By subscribing to our newsletter, you agree to the receipt of the newsletter and to the procedures described below.

Newsletter content: We only send newsletters, emails, and other electronic notifications with promotional information (hereinafter "newsletters") with the consent of the recipients or with statutory permission. To the extent that the content of the newsletter is specifically described during sign-up, this description is decisive for the user's consent. Otherwise our newsletters contain information about our services, selected projects, and about us.

Double-opt-in and logging: Registration for our newsletter follows a so-called double-opt-in procedure. That means: after sign-up, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can sign up using someone else's email address. Newsletter sign-ups are logged in order to demonstrate compliance with the legal requirements for the sign-up process. This includes the storage of the sign-up and confirmation times as well as the IP address. Changes to your data stored at our delivery service provider are also logged.

Sign-up data: To register for the newsletter, your email address is sufficient. Optionally we ask you for a name to allow personal addressing in the newsletter.

The dispatch of the newsletter and the related performance measurement are based on the recipients' consent pursuant to Art. 6 (1) lit. a, Art. 7 GDPR in conjunction with § 7 (2) no. 3 UWG (German Act against Unfair Competition), or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art. 6 (1) lit. f GDPR in conjunction with § 7 (3) UWG.

The logging of the sign-up process is based on our legitimate interests pursuant to Art. 6 (1) lit. f GDPR. Our interest is in operating a user-friendly and secure newsletter system that serves both our business interests and the expectations of our users, and that further allows us to demonstrate consent.

Cancellation / withdrawal — you can cancel the receipt of our newsletter at any time, i.e. withdraw your consent. A link to cancel the newsletter is included at the end of every newsletter. We may store the unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to demonstrate previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual deletion request is possible at any time, provided that the prior existence of consent is confirmed at the same time.

The newsletter is dispatched via the dispatch service provider "CleverReach", a newsletter dispatch platform of CleverReach GmbH & Co. KG, CRASH Building, Schafjückenweg 2, 26180 Rastede, Germany. The privacy policy of the dispatch service provider is available at: https://www.cleverreach.com/en/legal-notice/

The dispatch service provider is used on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR and a data-processing agreement pursuant to Art. 28 (3) sentence 1 GDPR.

The dispatch service provider may use the data of recipients in pseudonymous form, i.e. without assignment to a user, to optimize or improve its own services, e.g. for technical optimization of dispatch and presentation of the newsletter, or for statistical purposes. The dispatch service provider does not, however, use the data of our newsletter recipients to write to them itself or to pass this data on to third parties.

8. Online appointment booking and online meetings

8.1 Google Meet

We use the tool Google Meet to conduct phone conferences, online meetings, video conferences, and/or webinars (hereinafter: online meetings). Google Meet is a service of Google Ireland Ltd, a service company of Google LLC based in the USA.

Various types of data are processed when using Google Meet. The scope of the data also depends on what data you provide before or during participation in an online meeting. The following personal data is subject to processing: user details: first name, last name, phone (optional), email address, password (if single sign-on is not used), profile picture (optional). Meeting metadata: subject, description (optional), participant IP addresses, device/hardware information. For dial-in by phone: information about the incoming and outgoing phone number, country name, start and end time. Where applicable, further connection data of the device may be stored. Text, audio, and video data: you may have the option to use the chat function in an online meeting. To this extent, the text input you make can be processed in order to display it in the online meeting and, if applicable, to log it. To enable the display of video and the playback of audio, the data from the microphone of your device and from any video camera of the device are processed for the duration of the meeting. You can switch off or mute the camera or microphone at any time via the Google Meet settings. To participate in an online meeting, you must at least provide information about your name in order to enter the meeting room.

For participants in online meetings — to the extent the meetings are conducted within contractual relationships — Art. 6 (1) lit. b GDPR is the legal basis for the data processing. If there is no contractual relationship, the legal basis is Art. 6 (1) lit. f GDPR. Here, too, our interest lies in the effective conduct of online meetings.

Personal data processed in connection with participation in online meetings is generally not passed on to third parties unless it is specifically intended to be passed on. Please note that, as with in-person meetings, the contents of online meetings often serve precisely to communicate information with customers, prospects, or third parties and are therefore intended to be passed on.

Further recipients: the provider of Google Meet necessarily learns the above-mentioned data to the extent provided for in our data-processing agreement with Google Meet. Google Meet is a service provided by a provider in the USA. The processing of personal data therefore also takes place in a third country. We have concluded a data-processing agreement with the provider of Google Meet that meets the requirements of Art. 28 GDPR. For data transfers to the USA, an adequacy decision of the EU Commission exists (EU-U.S. Data Privacy Framework).

8.2 MS Teams

We use Microsoft Teams to conduct phone conferences, online meetings, video conferences, and/or webinars (hereinafter: online meetings). In the context of our online meetings using Microsoft Teams, we process the following personal data:

  • Communication data (e.g. your email address, if you provide it personally)
  • Log files, protocol data
  • Metadata (e.g. IP address, time of participation, etc.)
  • Profile data (e.g. your username, if you provide it on your own initiative)

The video-conference function of Microsoft Teams allows us to offer you participation via video / audio in our online appointments / events. We use Microsoft Teams to conduct these. We use the Team Meetings mode in Microsoft Teams. In Team Meetings, audio input and video recordings are prevented through our Microsoft Teams settings. As a rule, no recording of the appointments takes place.

In exceptional cases a recording can take place under the following conditions:

1. Prior twofold explicit announcement of the planned recording to the participants (firstly with the invitation and secondly before the start of the event to be recorded)

2. The participants are provided with the following additional data-protection information:

  • Specific purpose of the recording
  • Controller of the recording (function, role)
  • Persons authorized to access the recording, or recipients to whom the
  • Recording is to be made available
  • Place of storage and duration of the recording

For participants in online meetings — to the extent the meetings are conducted within contractual relationships — Art. 6 (1) lit. b GDPR is the legal basis for the data processing. If there is no contractual relationship, the legal basis is Art. 6 (1) lit. f GDPR. Here, too, our interest lies in the effective conduct of online meetings.

Microsoft Teams is part of Microsoft Office 365. Microsoft Teams is a productivity, collaboration, and exchange platform for individual users, teams, communities, and networks that is used across the corporate group. It includes, among other things, a video-conference function.

Microsoft Office 365 is a software of

Microsoft Ireland Operations Limited

One Microsoft Place

South County Business Park

Leopardstown

Dublin 18

D18 P521

Ireland

Microsoft Teams is part of the cloud application Office 365, for which a user account must be created.

Data processing with Office 365 takes place on servers in data centers in the European Union in Ireland and the Netherlands. For this we have concluded a data-processing agreement with Microsoft pursuant to Art. 28 GDPR. Accordingly we have agreed extensive technical and organizational measures with Microsoft for Office 365 that correspond to the current state of the art of IT security, e.g. with regard to access-authorization and end-to-end encryption concepts for data lines, databases, and servers.

Microsoft reserves the right to process customer data for its own legitimate business purposes. We have no influence on these processing activities by Microsoft. To the extent that Microsoft Teams processes personal data in connection with the legitimate business purposes, Microsoft is an independent controller for these processing activities and as such responsible for compliance with all applicable data-protection regulations. If you need information about the processing by Microsoft, please consult the corresponding statement from Microsoft.

8.3 Fathom Video Inc.

The Fathom platform is an AI meeting assistant that records, transcribes, highlights, and summarizes video calls. Fathom joins calls as a registered participant, is visible to all participants, and offers the user a live panel to capture key moments during the meeting, to set highlights or leave bookmarks, and to identify important action items for later reference. At the end of the meeting, the call recordings are turned into AI-generated summaries and the key moments become accessible in the platform's web application. They can be shared with the participants. The recordings and notes may be synchronized with the CRM or similar systems.

For the service, only the user ID — either email address or used username — is required. Only this data is transmitted before the meeting. Due to the nature of the service, Fathom captures all content communicated in the meeting. Therefore, care should be taken in the conversation not to mention either personal data of third parties or confidential information without explicit necessity.

We use the service to optimize the documentation of meetings. Our interest in optimization, simplification, reduction of work, and increase of meaningfulness outweighs the legitimate interests of the data subject. It is always possible to abort the recording or not to start it in advance.

We have concluded a data-processing agreement, including standard contractual clauses, with Fathom. Fathom relies essentially on services of Google LLC to provide the service. If you want to know more about the service: https://fathom.video/

8.4 YouCanBookMe service

We additionally use the online booking system "YouCanBookMe" to simplify appointment booking via our website. This service is provided by the British company YouCanBookMe Ltd., 38 Mill Street, Bedfort, MK40 3HD, UK.

Due to the United Kingdom's exit from the European Union, the data transfer takes place under the European Commission's adequacy decision. The service provider also confirms compliance with the GDPR. If you want to know more about the data and its use: https://youcanbook.me/privacy

9. Security

ALLEHERZEN takes appropriate precautions to ensure the security of your personal data. Your data is conscientiously protected against loss, destruction, falsification, manipulation, and unauthorized access or unauthorized disclosure.

10. Links to other websites

The ALLEHERZEN websites contain links to other websites. ALLEHERZEN is not responsible for the privacy strategies or the content of these other websites.

11. Your rights

In accordance with the statutory provisions (including any applicable restrictions under the GDPR and/or the German Federal Data Protection Act (BDSG)), you can assert the following rights against us:

11.1 Access

You have the right to obtain information from us about the data stored about you.

11.2 Rectification

Upon your request we will rectify the data stored about you if it is inaccurate or incorrect.

11.3 Erasure

If you wish, we will delete your data, unless other statutory provisions (e.g. statutory retention periods) or a prevailing interest on our part (e.g. for the defense of our rights and claims) prevent this.

11.4 Restriction

Taking into account the statutory requirements, you can request us to restrict the processing of your data.

11.5 Data portability

You also have the right to receive your data in a structured, common, and machine-readable format, or to transmit it to a third party, under the statutory requirements.

11.6 Complaint

You also have the right to lodge a complaint with a data-protection supervisory authority. You may also contact our data protection officer first.

11.7 Objection

You may also object to the processing of your data.

Right to object

Insofar as we process personal data as explained above to safeguard our legitimate interests, which, on balance of interests, prevail, you may object to this processing with effect for the future. If the processing is carried out for direct-marketing purposes, you may exercise this right at any time as described above. To the extent the processing is for other purposes, you only have a right to object if there are grounds arising from your particular situation.

After exercising your right to object, we will no longer process your personal data for these purposes, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves the assertion, exercise, or defense of legal claims.

This does not apply if the processing is carried out for direct-marketing purposes. In that case we will no longer process your personal data for this purpose.

To exercise the rights mentioned above, you can contact us using one of the contact details set out in section 1.