Privacy Notices

Relevant Legal Basis

The following provides an overview of the legal basis of the EU General Data Protection Regulation ("GDPR"), on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or establishment. Should more specific legal bases be relevant in individual cases, we will inform you about them in the data protection notices.

• Consent (Art. 6 Para. 1 Sent. 1 lit. a) GDPR) - The data subject has given consent to the processing of personal data concerning them for a specific purpose or multiple specific purposes.

• Contractual Performance and Pre-contractual Requests (Art. 6 Para. 1 Sent. 1 lit. b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject.

• Legal Obligation (Art. 6 Para. 1 Sent. 1 lit. c) GDPR) – The processing is necessary for compliance with a legal obligation to which the controller is subject.

• Legitimate Interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR) - The processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided these interests do not override the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.

• Application Process as Pre-contractual or Contractual Relationship (Art. 6 Para. 1 lit. b) GDPR) - To the extent that special categories of personal data within the meaning of Art. 9 Para. 1 GDPR (e.g. health data like disability status or ethnic origin) are requested from applicants as part of the application process so that the controller or the data subject can exercise the rights and fulfill their obligations arising from labor law and social security and social protection law, their processing occurs in accordance with Art. 9 Para. 2 lit. b. GDPR, in the case of protection of vital interests of the applicants or other persons pursuant to Art. 9 Para. 2 lit. c. GDPR or for purposes of health care or occupational medicine, for assessment of employee's capacity for work, for medical diagnostics, care or treatment in the health or social sector or management of systems and services in health or social sector according to Art. 9 Para. 2 lit. h. GDPR. In the case of voluntary consent-based submission of special categories of data, their processing is based on Art. 9 Para. 2 lit. a. GDPR.

In addition to the data protection regulations of the GDPR, national data protection regulations in Germany apply. This includes, in particular, the law on protection against the misuse of personal data during data processing (Federal Data Protection Act - BDSG). The BDSG contains special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, as well as transmission and automated decision-making in individual cases including profiling. Furthermore, it regulates data processing for purposes of employment relationship (§ 26 BDSG), especially with regard to initiation, execution, or termination of employment relationships, and the consent of employees. Additionally, state data protection laws of the individual federal states may apply.

Security Measures

We implement appropriate technical and organizational measures in accordance with statutory regulations, considering the state of the art, implementation costs, nature, scope, circumstances, and purposes of processing as well as varying probabilities of occurrence and severity of risks to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk.

The measures particularly include securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as to the related access, input, conveyance, securing availability, and separation of data. Furthermore, we have established procedures ensuring the exercising of data subject rights, deletion of data, and responses to data threats. We also take into account protection of personal data during development or selection of hardware, software, and procedures according to the principle of privacy by design and default settings.

TLS Encryption (HTTPS): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in your browser's address line.

Transfer of Personal Data

In the course of our processing of personal data, it may occur that data are transferred to other locations, companies, legally independent organizational units, or individuals, or disclosed to them. Recipients of such data may include, for example, service providers tasked with IT assignments or providers of services and content integrated into a website. In such cases, we comply with statutory regulations and, notably, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to it. If this transfer is for administrative purposes, it is based on our legitimate business and economic interests or occurs if necessary for the fulfillment of our contractual obligations, or if the data subjects have given consent or if it is legally permitted.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), European Economic Area (EEA)) or in the context of using services of third parties or disclosure or transfer of data to other persons, bodies, or companies, this only occurs in accordance with statutory regulations.

Subject to explicit consent or legally required transmission, we only process or have data processed in third countries with a recognized level of data protection, contractual obligations by so-called standard protection clauses of the EU Commission, certifications, or binding internal data protection regulations process (Art. 44 to 49 GDPR, EU Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Data Deletion

We will delete data we process in accordance with legal requirements as soon as their permissible processing consents are revoked or other permissions cease to apply (e.g., if the purpose of processing the data no longer exists or they are not necessary for the purpose). If the data are not deleted because they are needed for other legally permissible purposes, their processing will be restricted to those purposes. i.e., the data will be locked and not processed for other purposes. This applies, for instance, to data that must be retained for commercial or tax law reasons or whose storage is necessary to assert, exercise, or defend legal claims or to protect the rights of another natural or legal person.

In our data protection notices, we may provide users with additional information about deletion as well as retention of data, which specifically applies to the respective processing processes.

Use of Cookies

Cookies are small text files, or other storage markers, that store information on end devices and read information from end devices. For instance, to store login status in a user account, shopping cart content in an e-shop, accessed content, or used functions of an online offering. Cookies can also be used for different purposes, such as ensuring functionality, security, and comfort in online offerings, and creating analyses of visitor flows.

Notes on Consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless this is not legally required. Consent is particularly unnecessary if storing and reading the information, also by cookies, is absolutely essential to provide users with a telemedia service explicitly requested by them (i.e., our online offering). The revocable consent is clearly communicated to users and contains information on the respective cookie usage.

Notes on Data Protection Legal Basis: The legal basis on which we process users' personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing your data is the declared consent. Otherwise, data processed using cookies are processed based on our legitimate interests (e.g., in ensuring business economics operation of our online offering and improving its usability) or if it is necessary within the scope of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We provide information on purposes for which we process cookies in these data protection notes or within our consent and processing processes.

Storage Duration: With regard to storage duration, the following types of cookies are differentiated:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g., browser or mobile application).

• Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, data collected using cookies can be used for audience measurement. Unless we provide users with specific information on the type and storage duration of cookies (e.g., in the context of obtaining consent), users should assume that cookies are permanent and storage duration can be up to two years.

General Notes on Withdrawal and Objection (Opt-Out): Users can withdraw the consent they have given at any time and, moreover, object to the processing in accordance with statutory provisions of Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g., by disabling the use of cookies (although this may limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com.

Business Services

We process data of our contractual and business partners, e.g., customers and interested parties (collectively referred to as "contractual partners") within the scope of contractual and comparable legal relationships as well as associated measures and within the scope of communication with the contractual partners (or pre-contractually), e.g., to respond to inquiries.

We process these data to fulfill our contractual obligations. This includes, particularly, obligations to provide agreed services, any update obligations, and remedying warranty and other performance issues. Moreover, we process the data to uphold our rights and for purposes of administrative tasks connected to these obligations as well as business organization. Furthermore, we process data based on our legitimate interests in proper and economical business management and security measures to protect our contractual partners and business from misuse, endangerment of their data, secrets, information, and rights (e.g., involving telecommunication, transport, and other auxiliary services as well as subcontractors, banks, tax and legal consultants, payment service providers, or tax authorities). According to applicable law, we only disclose the data of contractual partners to third parties insofar as it is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about additional forms of processing, e.g., for marketing purposes, in our data protection notices.

Which data are necessary for the aforementioned purposes, we inform contractual partners before or during data collection, e.g., in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or personally.

We delete the data after the expiration of statutory warranty and comparable obligations, i.e., generally after four years, unless the data are stored in a customer account, e.g., as long as they must be retained for statutory archiving reasons. The statutory retention period for tax-related documents and trade books, inventories, opening balances, annual financial statements, work instructions and other organizational instructions necessary for understanding these documents, and booking documents is ten years, and six years for received trade and business letters and reproductions of sent trade and business letters. The period begins with the end of the calendar year in which the last entry in the book was made, the inventory, opening balance, annual financial statement, or management report was prepared, the trade or business letter was received or sent, or the booking document was created. Furthermore, the recording was made, or other documents were created.

To the extent that we use third parties or platforms to deliver our services, the terms and conditions and privacy policies of the respective third parties or platforms apply in the relationship between users and providers.

• Processed Data Types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Customers; Interested parties; Business and contractual partners; Clients.

• Processing Purposes: Provision of contractual services and customer service; Security measures; Contact inquiries and communication; Office and organizational procedures; Administration and response to inquiries.

• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR); Legal obligation (Art. 6 Para. 1 Sent. 1 lit. c) GDPR); Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Customer Account: Contractual partners can create an account within our online offering (e.g., customer or user account, referred to as "customer account"). If the registration of a customer account is required, contractual partners are informed accordingly as well as about the required information for registration. Customer accounts are private and cannot be indexed by search engines. In the process of registration and subsequent log-ons and uses of the customer account, we store customers' IP addresses along with the access times to be able to prove registration and prevent potential misuse of the customer account. When customers have terminated their customer account, the data concerning the customer account will be deleted, provided their retention is required for legal reasons. It is up to the customers to secure their data upon termination of the customer account; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• Online Courses and Online Training: We process the data of participants in our online courses and online training (collectively referred to as "participants"), to provide them our course and training services. The data processed here, type, scope, purpose, and necessity of their processing are determined by the underlying contractual relationship. The data generally include information about the courses and services taken and, where part of our service offering, personal requirements and results of participants. Processing forms also include performance evaluation and evaluation of our services and those of course and training leaders; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• Legal Advice: We process data of our clients as well as interested parties and other contractors or contractual partners (collectively referred to as "clients"), to provide them our contractual or pre-contractual services, especially consulting services. The processed data, type, scope, purpose, and necessity of their processing are determined by the underlying contractual and mandate relationship. If our clients give consent, processing is essential for our contractual fulfillment, legal (e.g., pursuant to information obligations under money laundering regulations) or to protect vital interests, or considering clients' protective interests based on our legitimate interest in efficient and secure exercise of our activities, we disclose or transfer clients' data to third parties or agents, such as authorities, courts, or in IT, office or similar services sector under the relevant professional regulations; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• Offering Software and Platform Services: We process data of our users, registered and potential test users (collectively referred to as "users"), to provide them our contractual services and based on legitimate interests, to ensure the security of our offering and further develop it. Required information is marked accordingly in the course of order, purchase or comparable contract conclusion and includes information needed for performance and billing, as well as contact information for possible follow-up; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• Events and Conferences: We process data of participants of the events, conferences, and similar activities (collectively referred to as "participants" and "events"), to enable their participation in events and utilization of services or actions associated with participation. If we process health-related data, religious, political, or other special categories of data in this context, this occurs within the scope of public knowledge (e.g. at thematically oriented events or serves health care, security, or occurs with consent of those affected). Required information is marked accordingly in the course of order, purchase or comparable contract conclusion and includes information needed for performance and billing, as well as contact information for possible follow-up. If we receive access to information of end users, employees, or other persons, we process this in accordance with legal and contractual requirements; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

Use of Online Platforms for Offer and Distribution Purposes

We offer our services on online platforms operated by other service providers. In this context, our data protection notices apply in addition to the privacy statements of the respective platforms. This particularly applies in terms of payment processing and procedures for audience measurement and interest-based marketing used on the platforms.

• Processed Data Types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Contract data (e.g., subject matter, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Customers.

• Processing Purposes: Provision of contractual services and customer service; Marketing.

• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

Providers and Services Used in Business Activities

In the course of our business activities, we use additional services, platforms, interfaces, or plugins from third-party providers (briefly "services") under statutory regulations. Their use is based on our interest in orderly, lawful, and economic management of our business activities and internal organization.

• Processed Data Types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Contract data (e.g., subject matter, term, customer category).

• Individuals Affected: Customers; Interested parties; Users (e.g., website visitors, online service users); Business and contractual partners.

• Processing Purposes: Provision of contractual services and customer service; Office and organizational procedures.

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Lexoffice: Online software for invoicing, accounting, banking, and tax filing with document storage; Service Provider: Haufe Service Center GmbH, Munzinger Straße 9, 79111 Freiburg, Germany; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.lexoffice.de; Privacy Policy: https://www.lexoffice.de/datenschutz; Data Processing Agreement: https://www.lexoffice.de/auftragsverarbeitung.

• Timely: Time tracking; Service Provider: Memory AS, Karvesvingen 5, 0579 Oslo, Norway; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://timelyapp.com; Privacy Policy: https://timelyapp.com/privacy-policy.

• ClickUp: Project management - organization and management of teams, groups, workflows, projects, and processes; Service Provider: Mango Technologies, Inc., 580 Howard St, Suite 101, San Francisco, California 94105, USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://clickup.com; Privacy Policy: https://clickup.com/privacy; Data Processing Agreement: https://clickup.com/dpa.

• DocuSign: Digital signatures and signing procedures for documents; Service Provider: DocuSign, Inc., 221 Main Street Suite 1000 San Francisco, CA 94105, USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.docusign.com; Privacy Policy: https://www.docusign.com/company/privacy-policy; Additional Information: Processing as a processor and controller occurs based on approved binding internal data protection regulations that ensure a level of data protection compliant with the GDPR (English: "Binding Corporate Rules", Art. 47 GDPR): https://www.docusign.com/trust/privacy/binding-corporate-rules.

Payment Procedures

In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer the affected individuals efficient and secure payment options and use, in addition to banks and credit institutions, other service providers (summarily "payment service providers").

Data processed by the payment service providers include inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums as well as contract, amount and recipient-related information. These data are required to conduct transactions. However, the entered data are only processed and stored by the payment service providers. i.e., we do not receive account or credit card-related information, only information regarding payment confirmation or negative statement. Under certain circumstances, payment service providers may transfer data to credit agencies. This transfer aims to check identity and creditworthiness. For this purpose, we refer to the terms and conditions and privacy policies of the payment service providers.

For payment transactions, the terms and conditions and privacy policies of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for further information and exercise of withdrawal, information, and other rights for those affected.

• Processed Data Types: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contract data (e.g., subject matter, term, customer category); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Customers; Interested parties.

• Processing Purposes: Provision of contractual services and customer service.

• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• PayPal: Payment services (technical connection of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Service Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR); Website: https://www.paypal.com/de; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

• Stripe: Payment services (technical connection of online payment methods); Service Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR); Website: https://stripe.com; Privacy Policy: https://stripe.com/de/privacy.

Online Offering and Web Hosting Provision

We process users' data to provide them with our online services. To this end, we process the user's IP address, which is necessary for delivering content and functions of our online services to users' browsers or end devices.

• Processed Data Types: Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses); Content data (e.g., entries in online forms).

• Individuals Affected: Users (e.g., website visitors, online service users).

• Processing Purposes: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers etc.).); Security measures; Content Delivery Network (CDN).

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Provision of Online Offering on Rented Storage Space: For provision of our online offering, we use storage space, computing capacity, and software that we rent from a corresponding server provider (also referred to as "web host") or otherwise acquire; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

• Access Data and Logfiles Collection: Access to our online offering is logged in the form of so-called "server log files". Server log files may include address and name of accessed web pages and files, date and time of retrieval, transmitted data amounts, report of successful retrieval, browser type along with version, user's operating system, referring URL (previously visited page), and usually IP addresses and requesting provider's information. Server log files can be used, on one hand, for security purposes, e.g. to avoid server overload (particularly in abusive attacks, so-called DDoS attacks), and on the other hand, to ensure server utilization and its stability; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Data Deletion: Logfile information is saved for a maximum of 30 days and then deleted or anonymized. Data that require further retention for evidence purposes are excluded from deletion until final clarification of the respective incident.

• Email Sending and Hosting: Our web hosting services encompass email sending, receiving, and storage purposes. The addresses of recipients and senders, as well as additional information regarding email transmission (e.g., involved providers) and the contents of respective emails are processed for these purposes. The aforementioned data can also be processed for SPAM detection purposes. Please note that emails on the internet are generally not encrypted. Normally, emails are encrypted during transmission but not on the servers from which they are sent and received, unless end-to-end encryption is used. We cannot accept responsibility for email transmission from sender to reception on our server; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

• Content-Delivery-Network: We utilize a "Content-Delivery-Network" (CDN). A CDN is a service that facilitates faster and more secure delivery of content from an online offering, particularly large media files, like graphics or program scripts, through regionally distributed and interconnected servers; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

• Cloudflare: Content-Delivery-Network (CDN) – service that facilitates faster and safer delivery of content from an online offering, particularly large media files, like graphics or program scripts, through regionally distributed and interconnected servers; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa; Standard Contractual Clauses (Assurance Data Protection Level for Processing in Third Countries): https://www.cloudflare.com/cloudflare-customer-scc.

• Framer: Web hosting; Service Provider: Framer B.V., 1Rozengracht 207, 1016 LZ Amsterdam, Netherlands; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.framer.com; Privacy Policy: https://www.framer.com/legal/privacy-statement; Data Processing Agreement: https://www.framer.com/legal/data-processing-addendum.

Registration, Login, and User Account

Users can create a user account. During registration, users are informed of the required mandatory details and processed for the purpose of providing the user account based on contractual obligation fulfillment. Processed data particularly include login information (username, password, and an email address).

During utilization of our registration and login functions and user account use, we store the IP address and time of each user activity. This storage is based on our legitimate interests as well as users' protection from misuse and other unauthorized activity. These data are not disclosed to third parties unless necessary to pursue our claims or there is a legal obligation to do so.

Users may be informed via email about activities relevant to their user account, like technical changes.

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Users (e.g., website visitors, online service users).

• Processing Purposes: Provision of contractual services and customer service; Security measures; Administration and response to inquiries; Provision of our online offering and user-friendliness.

• Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR); Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Registration with Real Name: Due to the nature of our community, we ask users to use our offering only under their real names. i.e., use of pseudonyms is not permitted; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• Data Deletion after Cancellation: When users have terminated their user account, their data concerning the user account are deleted, subject to a legal permission, obligation, or users' consent; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• No Data Retention Obligation: It is up to users to secure their data upon termination before the contract ends. We are entitled to irretrievably delete all data stored during the contract term; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

• Framer: Web hosting; Service Provider: Framer B.V., 1Rozengracht 207, 1016 LZ Amsterdam, Netherlands; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.framer.com; Privacy Policy: https://www.framer.com/legal/privacy-statement; Data Processing Agreement: https://www.framer.com/legal/data-processing-addendum.

Blogs and Publication Media

We use blogs or similar means of online communication and publication (hereinafter "publication medium"). The data of readers are processed only to the extent necessary for the presentation of the publication medium and communication between authors and readers or for security reasons. Otherwise, we refer to the information on processing of visitors to our publication medium in our data protection notices.

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Users (e.g., website visitors, online service users).

• Processing Purposes: Provision of contractual services and customer service; Feedback (e.g., collect feedback via online form); Provision of our online offering and user-friendliness; Security measures; Administration and response to inquiries.

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Comments and Posts: If users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This serves our security in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In such cases, we can be held accountable for the comment or post, thus we have an interest in the author's identity. Furthermore, we reserve the right to process users' information for SPAM recognition based on our legitimate interests. On the same legal basis, we reserve the right to store users' IP addresses for the duration of surveys and use cookies to prevent multiple votes. Information provided within comments and posts about personal details, possible contact and website information, as well as content information are stored permanently until users object; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

• Framer: Web hosting; Service Provider: Framer B.V., 1Rozengracht 207, 1016 LZ Amsterdam, Netherlands; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.framer.com; Privacy Policy: https://www.framer.com/legal/privacy-statement; Data Processing Agreement: https://www.framer.com/legal/data-processing-addendum.

Contact and Inquiry Management

When contacting us (e.g., via contact form, email, phone, or social media) and within existing user- and business relationships, we process the data of inquiring individuals as necessary for responding to contact inquiries and any requested actions.

• Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Communication partners.

• Processing Purposes: Contact inquiries and communication; Administration and response to inquiries; Feedback (e.g., collect feedback via online form); Provision of our online offering and user-friendliness.

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Contact Form: When users contact us via our contact form, email, or other communication pathways, we process the data shared with us in relation to processing the communicated concern; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR), Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

• Tally.so: Provision of forms; Service Provider: Tally BV, August van Lokerenstraat 71, Gent 9050, Belgium; Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 Sent. 1 lit. b) GDPR); Website: https://tally.so; Privacy Policy: https://tally.so/help/privacy-policy.

Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications from other providers (subsequently referred to as "conference platforms") for conducting video and audio conferences, webinars, and other types of video and audio meetings (collectively referred to as "conference"). When selecting conference platforms and their services, we comply with statutory regulations.

Data processed by Conference Platforms: When participating in a conference, the conference platforms process the personal data outlined below of the participants. The extent of processing depends on which data are required in the context of a specific conference (e.g. providing access data or real names) and which optional information is provided by participants. In addition to processing for conducting the conference, participants' data may also be processed by the conference platforms for security purposes or service optimization. Processed data include personal data (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information about professional position/function, the IP address of the internet access, information about participants' end devices, their operating system, browser and its technical and language settings, information on content communication processes, i.e. entries in chats as well as audio and video data, and use of other available functions (e.g., surveys). Communication content is encrypted by the conference providers technical capabilities. If participants are registered as users with the conference platforms, additional data may be processed as agreed with the respective conference provider.

Logging and Recording: If text inputs, participation results (e.g. from surveys), as well as video or audio recordings, are logged, participants are transparently informed beforehand and asked for consent—if necessary.

Participants' Data Protection Measures: Please refer to the conference platforms' privacy policies for details on the processing of your data and choose optimal security and privacy settings within the conference platforms' preferences. For the duration of a video conference, please ensure data and privacy protection in your recording background (e.g., by notifying roommates, locking doors, and using, if technically possible, functionality to obscure backgrounds). Do not share conference room links and access data with unauthorized third parties.

Notes on Legal Bases: In addition to conference platforms, if we process user data and ask users for consent to use conference platforms or certain features (e.g., consent to conference recordings), the legal basis for processing is this consent. Furthermore, our processing may be necessary for fulfilling our contractual obligations (e.g., in participant lists, in the case of processing conversation results, etc.). Otherwise, users' data are processed based on our legitimate interest in efficient and secure communication with our communication partners.

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Communication partners; Users (e.g., website visitors, online service users); Individuals depicted.

• Processing Purposes: Provision of contractual services and customer service; Contact inquiries and communication; Office and organizational procedures.

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Microsoft Teams: Messenger and conference software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, security notices: https://www.microsoft.com/de-de/trustcenter; Standard Contractual Clauses (Assurance Data Protection Level for Processing in Third Countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

• Zoom: Conference and communication software; Service Provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.zoom.us; Privacy Policy: https://explore.zoom.us/de/privacy; Data Processing Agreement: https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf; Data Privacy Framework Basis for Third Country Transfers: https://www.dataprivacyframework.gov.

Application Process

The application process requires applicants to disclose the information needed for their assessment and selection. Required information is outlined in the job description or, in the case of online forms, from the given specifications.

Generally, required details include information about the person, such as name, address, a form of contact, and evidence of necessary qualifications for a position. On request, we can give additional details on required information.

If available, applicants can submit their applications through an online form. The data are transmitted to us using encryption, in accordance with the current state of technology. Additionally, applicants can send us their applications via email. However, please note that emails are not generally encrypted when sent over the internet. Typically, emails are encrypted during transmission but not on the servers from which they are sent or received. We cannot accept responsibility for the transmission route of the application between the sender and reception on our server.

For purposes of applicant search, submission of applications, and selection of applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants can contact us for details on submission methods or send applications by post.

Processing of Special Categories of Data: To the extent special categories of personal data within the meaning of Art. 9 Para. 1 GDPR (e.g. health data, such as disability status or ethnic origin) are requested during the application process, so that the controller or relevant person can exercise the rights and fulfill the obligations arising from labor law and social security and social protection law, processing occurs under Art. 9 Para. 2 lit. b. GDPR, in the case of protection of vital interests of applicants or other persons under Art. 9 Para. 2 lit. c. GDPR or for purposes of health care or occupational medicine, for assessment of the employee's capacity for work, medical diagnosis, or treatment in the health or social sector, or management of systems and services in the health or social sector under Art. 9 Para. 2 lit. h. GDPR. In the case of voluntary consent-based disclosure of special categories of data, their processing is based on Art. 9 Para. 2 lit. a. GDPR.

Data Deletion: Data provided by applicants may be further processed for employment relationship purposes in the event of a successful application. Otherwise, if the application for a job offer is not successful, applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, to which applicants are entitled at any time. Deletion occurs, subject to justified withdrawal from applicants, at the latest after six months, allowing for responses to follow-up questions regarding the application and fulfill obligations regarding applicant equal treatment. Invoices for travel expenses reimbursement are archived in accordance with tax regulations.

Inclusion in Interview Pool: Inclusion in the talent pool, if offered, is based on consent. Applicants are informed that their agreement to join the talent pool is voluntary, does not affect the ongoing application process, and they can revoke their consent at any time in the future.

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Applicant data (e.g. information about person, post and contact addresses, and application documents and contained information, such as cover letter, resume, certificates as well as other information provided voluntarily by applicants pertinent to a specific position or their person or qualifications).

• Individuals Affected: Applicants.

• Processing Purposes: Application process (initiation and potential later execution and possible termination of employment relationship).

• Legal Bases: Application process as pre-contractual or contractual relationship (Art. 6 Para. 1 lit. b) GDPR).

Cloud Services

We use software services accessible via the internet and executed on servers of their providers (so-called "cloud services", also referred to as "Software as a Service") for storing and managing content (e.g., document storage and management, exchange of documents, content, and information with specific recipients or publication of content and information).

In this context, personal data can be processed and stored on servers from providers, as long as these form part of communication processes with us or are otherwise processed by us as explained in our data protection notices. Such data can include stock data and contact data from users, data from processes, contracts, other processes and their content. Cloud service providers also process usage data and metadata, which is used for security purposes and service optimization.

If we provide forms or similar documents and content to other users or publicly accessible websites using cloud services, providers may store cookies on users' devices for web analysis purposes or to save users' settings (e.g., in case of media control).

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Customers; Employees (e.g., employees, applicants, former employees); Interested parties; Communication partners.

• Processing Purposes: Office and organizational procedures; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers etc.).).

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• Microsoft Cloud Services: Cloud storage, cloud infrastructure services, and cloud-based application software; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, parent company: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://microsoft.com/de-de; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, security notices: https://www.microsoft.com/de-de/trustcenter; Data Processing Agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard Contractual Clauses (Assurance Data Protection Level for Processing in Third Countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with recipients' consent or a legal authorization. If the contents of the newsletter are specifically outlined during registration, they determine users' consent. In other cases, our newsletters contain information on services and us.

To sign up for our newsletters, it's generally sufficient to provide your email address and name for personal address in the newsletter. We may ask for further information if required for newsletter purposes.

Double-Opt-In Process: Registration for our newsletter follows a so-called Double-Opt-In process. i.e., you will receive an email requesting confirmation of registration after signing up. This confirmation is necessary to prevent registration using third-party email addresses. Newsletter registrations are logged to comply with legal requirements. This includes storing the registration and confirmation time plus the IP address. Changes to your data stored with the mailing service provider are logged.

Deletion and Processing Restriction: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting, to prove consent was previously given. Processing of these data is limited to potential defense against claims. Individual requests for deletion are possible at any time if consent confirmation is provided simultaneously for previous existence of consent. In cases of obligations for permanent observation of objections, we reserve the right to store email addresses solely for this purpose in a block list.

Logging of the registration procedure is based on our legitimate interests to prove its compliance. If we engage a service provider to send emails, it is based on our legitimate interests in an efficient and secure email system.

Contents: We inform you about contractual matters as well as us, our services, products, campaigns, and offers.

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Meta/Communication data (e.g., device information, IP addresses); Usage data (e.g., visited websites, interest in content, access times).

• Individuals Affected: Communication partners.

• Processing Purposes: Direct marketing (e.g., via email or postal).

• Legal Bases: Consent (Art. 6 Para. 1 Sent. 1 lit. a) GDPR).

• Opt-Out Option: You can cancel our newsletter at any time, i.e., withdraw consent, or refuse further receipt. A link to cancel the newsletter is either found at the end of every newsletter or you may use one of the contact options mentioned above, preferably via email, to do this.

Further Notes on Processing Methods, Procedures, and Services:

• Tracking of Open Rates and Click Rates: Newsletters contain a so-called "web beacon“, i.e., a pixel-sized file retrieved from our server or, if a mailing service provider is engaged, from its server when the newsletter is opened. When this file is retrieved, initially technical information, such as browser and your system information, as well as your IP address and retrieval time are collected. These data are used to improve our newsletter via technical data or target groups and their reading behavior based on retrieval location (determinable through the IP address) or access times. This analysis also includes determining if newsletters are opened, when they are opened, and which links are clicked. This information is linked to individual newsletter recipients and stored in their profiles until deleted. Evaluations help recognize user reading habits and adjust content to them or send different content according to user interests. Measurement of open rates and click rates and storage of measurement results in users' profiles and further processing occur based on users' consent. A separate revocation of success measurement is not possible, in this case, the entire newsletter subscription must be canceled, or oppose its receipt. In such cases, stored profile information is deleted; Legal Bases: Consent (Art. 6 Para. 1 Sent. 1 lit. a) GDPR).

• EmailOctopus: Email Services; Service Provider: Three Hearts Digital Ltd, 186-90 Paul Street, London, EC2A 4NE, UK; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://emailoctopus.com; Privacy Policy: https://emailoctopus.com/legal/privacy; Data Processing Agreement: https://wordpress-media.emailoctopus.com/blog/uploads/2022/07/EmailOctopus-DPA-Final-4-July-22.pdf.

Commercial Communication by Email, Mail, Fax, or Phone

We process personal data for advertising communication, which can be carried out over various channels, such as email, phone, mail, or fax, in compliance with legal requirements.

Recipients have the right to revoke given consent at any time or object to advertising communication at any time.

After revocation or opposition, we store data needed to demonstrate previous authorization for contact or sending for up to three years after the year of revocation or opposition, grounded in our legitimate interests. Processing is limited to potential defense against claims. On the basis of legitimate interest, we store data needed to prevent renewed contact (e.g., depending on communication channel, email address, phone number, name).

• Processed Data Types: Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers).

• Individuals Affected: Communication partners.

• Processing Purposes: Direct marketing (e.g., via email or mail).

• Legal Bases: Consent (Art. 6 Para. 1 Sent. 1 lit. a) GDPR); Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") serves evaluating our online offering. With it, we can, for instance, determine how extensively our online offering is used. Similarly, we can assess which areas require optimization.

Alongside web analysis, we may use testing procedures to verify and optimize various versions of our online offering or its components.

The data captured include the visited web page(s) (Page URL), the website through which visitors access our online offering (HTTP Referrer), the browser used, the computer system used, device type, and country, region, and city details from which the access occurs.

• Processed Data Types: Usage data (e.g., visited websites); Meta/Communication data (e.g., browser).

• Individuals Affected: Users (e.g., website visitors, online service users).

• Processing Purposes: Reach measurement (e.g., access statistics).

• Security Measures: See subsequent information about the service provider.

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• plausible.io: Reach measurement and web analytics; no use of cookies or comparable persistent online identifiers, recognition of returning visitors occurs with the help of a pseudonym identifier deleted after one day; otherwise, no personal data is stored (https://plausible.io/data-policy); no data is shared with third parties; processing occurs based on a data processing contract; Service Provider: Plausible Insights Oü, Västriku tn 2, 50403, Tartu, Estonia; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://plausible.io/; Privacy Policy: https://plausible.io/privacy; Data Processing Agreement: https://plausible.io/dpa.

• Pitch: Presentations (also as part of webinars); Service Provider: Pitch Software GmbH, Joachimstraße 7, 10119 Berlin, Germany; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://pitch.com/; Privacy Policy: https://pitch.com/privacy-policy; Data Processing Agreement: https://pitch.com/dpa.

Presence in Social Networks (Social Media)

We maintain online presences within social networks and process users' data in this context to communicate with active users there or provide information about us.

We indicate that users' data may be processed outside the European Union realm. As a result, this may exacerbate rights' enforcement for users.

Additionally, users' data are usually processed within social networks for market research and advertising purposes. For instance, user profiles can be created based on usage behavior and resulting interests. User profiles can be used to display, for example, advertisements within and outside networks that presumably align with interests of users. For these purposes, cookies are stored on users' computers in which usage behavior and interests of users are saved. Additionally, data independent of devices used by users can be stored in usage profiles (particularly if users are members of respective platforms and logged in).

For a detailed depiction of respective processing forms and objection options (Opt-Out), we refer to privacy policies and guidelines from operators of respective networks.

Also concerning information requests and exercise of affected rights, we state that these are most effective with operators. Only they have access to user data and can directly implement actions and provide information. However, should assistance be needed, users can contact us.

• Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta/Communication data (e.g., device information, IP addresses).

• Individuals Affected: Users (e.g., website visitors, online service users).

• Processing Purposes: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form); Marketing.

• Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR).

Further Notes on Processing Methods, Procedures, and Services:

• LinkedIn: Social network; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Ireland; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://legal.linkedin.com/dpa; Standard Contractual Clauses (Assurance Data Protection Level for Processing in Third Countries): https://legal.linkedin.com/dpa; Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

• XING: Social network; Service Provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://www.xing.com; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

• Vimeo: Social network and video platform; Service Provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Website: https://vimeo.com; Privacy Policy: https://vimeo.com/privacy.

• YouTube: Social network and video platform; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Bases: Legitimate interests (Art. 6 Para. 1 Sent. 1 lit. f) GDPR); Privacy Policy: https://policies.google.com/privacy; Opt-Out Option: https://adssettings.google.com/authenticated.