Data Privacy
1. Preamble
With this Privacy Policy, we inform you about which personal data we process when you use our website and online services, the purposes for which this processing takes place, the legal basis on which it is carried out, and the rights to which you are entitled as a data subject. These notices apply to our website, including any subpages, functions, online forms, newsletter registrations, customer accounts, order processes, as well as integrated third-party services and content.
Personal data means any information relating to an identified or identifiable natural person. We process personal data in accordance with the principles of lawfulness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
Where we use wording such as “as a rule” or “typically” in this Privacy Policy, this is because certain technical processes depend on configurations (e.g., browser, device, selected payment method, or cookie settings). If details cannot be determined with certainty in individual cases, we make conservative assumptions in favor of data protection.
2. Definitions
The definitions of the General Data Protection Regulation (GDPR) apply in particular. In addition, we explain key terms below:
“Processing” means any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, alignment, restriction, erasure, or destruction.
“Controller” means the natural or legal person who alone or jointly with others determines the purposes and means of processing personal data.
“Processor” means a service provider that processes personal data on behalf of the controller (e.g., a hosting provider).
“Data subject” means any identified or identifiable natural person whose personal data is processed.
“Consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data relating to them.
“Cookies” are small text files stored on your device that may contain information. In addition to cookies, similar technologies are used (e.g., local storage, pixels, tags, SDKs). In addition to the GDPR, the provisions of the Telecommunications-Digital Services Data Protection Act (TDDDG) apply in particular to access to and storage of information on your device.
“Third country” means a state outside the European Economic Area (EEA). A transfer to a third country also exists if a service provider is located within the EEA but can access personal data from a third country.
“Profiling” means any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
3. Rights of the Data Subject
If we process your personal data, you are a data subject within the meaning of the GDPR and have the following rights:
You have the right of access pursuant to Art. 15 GDPR regarding the personal data we process about you. This includes, in particular, information about the purposes of processing, categories of personal data, recipients or categories of recipients, planned storage period or criteria for determining it, origin of the data, existence of automated decision-making (including profiling), and, where applicable, appropriate safeguards for transfers to third countries.
You have the right to rectification pursuant to Art. 16 GDPR if your data is inaccurate or incomplete.
You have the right to erasure pursuant to Art. 17 GDPR (“right to be forgotten”), unless statutory retention obligations, overriding legitimate interests, or other exceptions apply.
You have the right to restriction of processing pursuant to Art. 18 GDPR, for example if the accuracy of the data is contested or the processing is unlawful.
You have the right to data portability pursuant to Art. 20 GDPR where the processing is based on your consent or a contract and is carried out by automated means.
You have the right to object pursuant to Art. 21 GDPR if we process your data on the basis of Art. 6(1)(e) or (f) GDPR. This applies in particular to processing for direct marketing purposes; in such cases, we will no longer process your data for these purposes after your objection.
You have the right to withdraw your consent at any time with effect for the future (Art. 7(3) GDPR). The lawfulness of processing carried out until withdrawal remains unaffected.
You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). Further information can be found in Section 29.
4. Name and Address of the Controller
The controller within the meaning of the GDPR and other data protection laws is:
Impressum Hosting
c/o waldemaster.com
Nico Eberhardt
Pfotenhauerstraße 65
01307 Dresden
Germany
Email: datenschutz@waldemaster.com
The above contact address serves as a legally valid service and contact point.
Postal and official inquiries are received and forwarded to the actual website operator.
Nico Eberhardt acts exclusively as a service and contact point and is not the controller within the meaning of the GDPR.
Please refer to the website’s imprint (legal notice) for further contact options (e.g., email address, telephone number).
If a data protection officer were required to be appointed, their contact details would be published here. Currently, no data protection officer is appointed, unless legally required in individual cases.
5. Cookies
Our website uses cookies and similar technologies. We distinguish between technically necessary cookies required for the operation of the website and cookies or technologies used for statistical, convenience, or marketing purposes, which generally require consent.
5.1 Technically Necessary Cookies
Technically necessary cookies are required to provide essential functions of our website, such as page navigation, language settings, shopping cart and checkout functions, login status, security features (e.g., protection against misuse), and the storage of your cookie preferences.
Processing is carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in a secure and functional online service) and – insofar as access to information stored on your device or its storage is concerned – pursuant to Section 25(2) TDDDG, because the storage or access is strictly necessary to provide the digital service expressly requested by you.
5.2 Statistics and Analytics Cookies (Google Site Kit / Google Analytics)
If we use analytics and statistical technologies, this is done to measure and improve the reach, usage, and technical performance of our website. This may in particular be carried out via Google services (e.g., Google Analytics), which can be integrated through the WordPress plugin “Google Site Kit.”
Processing – where not technically required – is generally carried out only on the basis of your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.
If Google Analytics is used, cookies may be set, usage data may be collected (e.g., pages visited, duration of visit, interactions, technical information about the device/browser), and such data may be transmitted to Google. Where available, we configure such services in a privacy-friendly manner, in particular by activating IP anonymization or IP address truncation. Nevertheless, data may be transferred to the United States; see Section 10 for details.
Further information about Google can be found at https://policies.google.com/privacy?hl=en and about Google technologies/partner websites at https://policies.google.com/technologies/partner-sites?hl=en. A browser add-on for opting out of Google Analytics is available at https://tools.google.com/dlpage/gaoptout.
5.3 Marketing and Convenience Cookies
If we use marketing or convenience features (e.g., embedded videos, social media content, external font/media libraries, conversion tracking, advertising services), this is generally done only on the basis of consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG, unless the function is strictly necessary for the use of the website.
5.4 Cookie Consent Management
We use a cookie consent tool to obtain, manage, and document consent (opt-in) and to enable you to withdraw or subsequently modify your selection easily.
We typically use CCM19 for this purpose. Depending on the operating mode (cloud/service or on-premise/download), data may be transmitted to the provider or processed exclusively on our own server. As a conservative assumption, we assume that at least consent logs are processed, which may include, for example, timestamps, selection/status, banner interactions, technical identifiers (e.g., consent ID), domain/page reference, and possibly a shortened or hashed IP address.
The legal basis for documenting your consent is Art. 6(1)(c) GDPR (compliance obligations, in particular pursuant to Art. 5(2) GDPR – accountability) and Art. 6(1)(f) GDPR (legitimate interest in legally compliant consent management). The legal basis for setting or accessing non-essential cookies is your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.
Further information can be found in the CCM19 provider’s privacy policy at https://www.ccm19.de/datenschutzerklaerung.html. Information regarding the data processing agreement (DPA) is available at https://www.ccm19.de/auftragsverarbeitungsvertrag-ccm19.html.
6. Applicable Legal Bases
We process personal data only where a legal basis under the GDPR exists. Depending on the type of processing, the following legal bases may apply in particular:
Art. 6(1)(a) GDPR (consent), e.g., for non-essential cookies/tracking, newsletters (double opt-in), embedded third-party content, or optional marketing measures.
Art. 6(1)(b) GDPR (contract or pre-contractual measures), e.g., for orders, customer accounts, provision of digital content/downloads, payment processing, support, and communication processes.
Art. 6(1)(c) GDPR (legal obligation), e.g., commercial and tax retention obligations, documentation requirements, IT security obligations, or defense against attacks, where applicable.
Art. 6(1)(f) GDPR (legitimate interests), e.g., operational security, prevention of misuse and fraud, provision and optimization of our online services, legal enforcement, and defense against unjustified claims.
For applications, Art. 88 GDPR in conjunction with Section 26 BDSG also applies if the processing is necessary for the decision on establishing an employment relationship.
For the storage of information on your device and access thereto (e.g., cookies, similar technologies), the provisions of the TDDDG also apply, in particular Section 25(1) and (2) TDDDG.
Recitals of the GDPR further clarify the interpretation of the provisions. For example, processing to ensure IT security is often based on Recital 49 (network and information security). Legitimate interests are explained, among others, in Recital 47.
7. SSL or TLS Encryption
This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content. You can recognize an encrypted connection by “https://” in your browser’s address bar and the lock symbol.
If SSL or TLS encryption is activated, the data you transmit to us (e.g., form entries, login data, order data) cannot be read by third parties.
8. Security Measures
We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. These measures include in particular:
Access controls, role and authorization concepts, and logging of administrative access where required.
Encryption of data during transmission (SSL/TLS) and – where possible – encryption or secure storage of sensitive data.
Regular updates of systems, components, and plugins (patch management), secure configuration (hardening), and protective mechanisms against common web attacks.
Security solutions for WordPress (e.g., web application firewall, brute-force protection, IP blocking, malware scanning, rate limiting), which may process IP addresses and technical usage data to detect and prevent attacks.
Backups, recovery and emergency concepts, as well as monitoring/logging for error analysis.
Data protection by design and by default in accordance with Art. 25 GDPR, where practicable.
Processing in the context of security measures is generally carried out on the basis of Art. 6(1)(f) GDPR (legitimate interest in securing our online services) and – where applicable – Art. 6(1)(c) GDPR (legal obligations, e.g., ensuring IT security under general compliance duties).
9. Cooperation with Processors, Joint Controllers, and Third Parties
Where we use service providers that process personal data on our behalf, we conclude – where required – data processing agreements (DPAs) pursuant to Art. 28 GDPR.
Processors may include, in particular, hosting providers, IT service providers, newsletter tools, or consent management providers (depending on the operating model). Processing is carried out exclusively in accordance with our instructions and within the scope of the agreed purposes.
For certain platforms, especially social media presences (e.g., Facebook fan pages), joint controllership pursuant to Art. 26 GDPR may exist where the platform and we jointly determine the purposes and means of certain processing activities (e.g., “Insights” statistics). In such cases, we refer to the specific information provided in Section 22.
Where third-party providers independently determine the purposes and means of processing (e.g., PayPal or social media platforms), they generally act as independent controllers. In such cases, their respective privacy policies also apply.
10. Transfers to Third Countries
Personal data may be transferred to countries outside the EEA (third countries) if we use or integrate services whose providers are based in third countries or may access data from there. This particularly concerns certain Google services (USA) as well as embedded content and social media platforms operating globally.
If a transfer to a third country takes place, we ensure that the requirements of Art. 44 et seq. GDPR are met. Depending on the case, the following mechanisms may apply:
For certain recipients in the United States, an adequacy decision of the European Commission regarding the EU–U.S. Data Privacy Framework (DPF) may apply, provided that the recipient is appropriately certified.
Alternatively or additionally, Standard Contractual Clauses (SCCs) of the European Commission pursuant to Art. 46(2)(c) GDPR may be used. In such cases, we also assess whether supplementary measures are required.
Please note that transfers to third countries may involve residual risks, in particular because public authorities in third countries may request access to personal data and legal remedies may be limited.
11. Registration on Our Website
We may offer you the opportunity to register on our website and create a user account (e.g., for access to tools, content, downloads, order history, digital miniatures, magic item vault functions, or comparable services).
In this context, we process in particular master data (e.g., username, name), contact data (e.g., email address), access data (e.g., password hash), content data (e.g., profile information, settings), usage data (e.g., login times, account actions), meta/communication data (e.g., IP address, technical data), and, where applicable, contract data.
The purposes of processing are the provision and management of the user account, authentication, prevention of misuse, provision of personalized functions, and fulfillment of contractual obligations.
The legal basis is Art. 6(1)(b) GDPR (contract or pre-contractual measures) and Art. 6(1)(f) GDPR (legitimate interest in security and prevention of misuse). Where optional profile settings or community features are available, your consent pursuant to Art. 6(1)(a) GDPR may also apply.
We generally store your account data for the duration of the user account. After deletion of the account, data will be deleted or anonymized unless statutory retention obligations or legitimate interests (e.g., documentation, defense against claims) prevent deletion.
12. Changes and Updates to This Privacy Policy
We amend this Privacy Policy whenever changes in our data processing activities or legal requirements make this necessary. Please review this Privacy Policy regularly. Where we require your consent or make material changes, we will inform you separately where required.
13. Contact via the Website
If you contact us (e.g., via contact form, email, telephone, or support functions), we process the data you provide in order to handle your request.
This may include in particular contact and communication data (name, email address, telephone number), content data (message text, attachments), meta/communication data (e.g., IP address when using forms, timestamps), and contract data (e.g., order number).
The purposes of processing are communication, handling of inquiries, support, contract processing, and documentation.
The legal bases are Art. 6(1)(b) GDPR (contractual communication), Art. 6(1)(f) GDPR (legitimate interest in efficient communication and traceability), and – where your inquiry relates to the fulfillment of a legal obligation – Art. 6(1)(c) GDPR.
We generally store inquiries only as long as necessary to process them. Longer storage may result from statutory retention obligations, for evidentiary purposes, or for the defense or enforcement of legal claims.
14. Routine Erasure and Restriction of Personal Data
We process and store personal data only for the period necessary to achieve the respective purposes or as required by statutory provisions.
If the purpose of storage ceases to apply or statutory retention periods expire, personal data will be routinely deleted or restricted (i.e., its processing limited), unless further legal grounds for continued processing exist.
Restriction may occur in particular where data may not be deleted for legal reasons (e.g., tax or commercial retention obligations) but is no longer required for operational purposes.
15. Order Processing in the Online Shop and Customer Account
If our website includes an online shop (e.g., for digital products, miniatures, content, tools, plugins, or subscriptions), we process personal data in order to accept, process, deliver, and invoice orders.
15.1 Order Process
In the context of orders, we process in particular master data (name), contact data (email, possibly telephone number), address data (billing address, possibly delivery address), contract data (ordered products, prices, terms), payment data (e.g., payment status, transaction identifiers), communication data (support inquiries), usage and metadata (e.g., IP address, timestamps, technical data).
The purpose is contract performance, delivery/provision of digital content, billing, fraud and misuse prevention, and support.
The legal basis is Art. 6(1)(b) GDPR (performance of a contract). Where we must fulfill legal obligations (e.g., tax retention, invoicing), Art. 6(1)(c) GDPR applies. For fraud and misuse prevention or optimization of internal processes, Art. 6(1)(f) GDPR may apply.
15.2 Customer Account
If you create a customer account, we process the necessary data for account management, order history, download provision, license management, and to facilitate future orders.
The legal basis is Art. 6(1)(b) GDPR. The provision of a customer account is generally voluntary; depending on the shop configuration, orders may also be placed as a guest. Where certain functions are available only with a customer account (e.g., license or download management), the provision of the necessary data is required for these functions.
15.3 Storage Duration and Retention
We store order and invoice data in accordance with statutory retention obligations (in particular commercial and tax law requirements). In addition, we store data insofar as this is necessary for contract processing, assertion or defense of claims, or fraud prevention.
16. Contractual Services
We process personal data of our customers, prospective customers, and users in order to provide contractual services, manage contracts, and deliver our services. This particularly concerns the provision of digital content, in-browser tools, downloads, subscriptions, licenses, as well as support and maintenance services.
The data processed includes in particular master data, contact data, contract data, payment data, usage data, and communication data.
The purposes are contract performance, service provision, billing, customer support, technical administration, and prevention of misuse.
The legal basis is Art. 6(1)(b) GDPR. Where we fulfill legal obligations (e.g., retention duties), Art. 6(1)(c) GDPR applies. Certain security and misuse prevention measures may be based on Art. 6(1)(f) GDPR.
16.1 Own WordPress Plugin (Local Processing at the Customer)
If we offer our own WordPress plugin (e.g., as a product/service), we strictly distinguish between data processing on our website (prospective customers/customers, orders, support, communication) and data processing carried out by the plugin within the customer’s own system.
Working time or employee data processed by the plugin at the customer (e.g., times, shifts, employee assignments, absences) are processed and stored exclusively within the customer’s system. According to our concept, the plugin does not establish a connection to our servers (“does not phone home”). No transfer of such working time or employee data to us takes place.
The customer is generally the controller for the processing of such employee data within their own system and must fulfill the corresponding information obligations toward their employees and, where applicable, assess the relevant legal bases (e.g., Art. 88 GDPR in conjunction with Section 26 BDSG).
If customers technically modify or extend the plugin, this may result in independent data flows for which we are not responsible.
17. External Payment Service Providers
To process payments, we may use external payment service providers. Depending on the selected payment method, the data necessary for payment processing will be transmitted to the respective payment service provider.
This may include in particular master data (name), contact data (email), contract data (payment amount, currency, shopping cart/order number), payment data (e.g., bank/card details, PayPal account, transaction identifiers), and technical data (e.g., IP address, device/browser data, insofar as collected by the payment service provider).
The legal basis is Art. 6(1)(b) GDPR (performance of a contract), as the transmission is necessary in order to use the payment method you have selected.
Please note that payment service providers generally also process data for their own purposes (e.g., fraud prevention, risk assessment, compliance with legal obligations) and provide their own privacy policies for this purpose.
18. Data Protection Information for Applications
If you apply to us (e.g., by email or via an application form), we process the personal data you provide for the purpose of carrying out the application procedure.
The following categories of data may be processed in particular: master data (name), contact data (email, telephone number, address), application documents and content data (cover letter, CV, references, qualifications), communication data, and meta/communication data (e.g., timestamps, IP address when submitting via form).
The purpose is to decide on the establishment of an employment relationship and to communicate within the application process.
The legal basis is Art. 6(1)(b) GDPR (initiation of an employment relationship) in conjunction with Art. 88 GDPR and Section 26 BDSG, insofar as the processing is necessary for the decision on establishing an employment relationship. If you voluntarily provide special categories of personal data (e.g., health data), we process such data only where a legal basis exists or where you have given explicit consent (Art. 9(2) GDPR).
Recipients may include internal departments (HR personnel) and, where applicable, processors (e.g., hosting/email providers).
We generally store application data until the completion of the application process. Further storage may take place for an appropriate period where necessary to defend or enforce legal claims (e.g., under the General Equal Treatment Act). Longer storage in a candidate pool will occur only with your consent.
19. Hosting and Email Services
We host our website and use email mailboxes with a hosting provider based in Germany or the EU. The hosting provider processes personal data as a processor in the context of providing its services.
As a conservative assumption, we proceed on the basis that IONOS is our hosting provider.
In particular, technical access data (see Section 20), server log files, and—depending on usage—content that you transmit via our website (e.g., forms, uploads) as well as email communications may be processed.
The purposes are provision of the website, operation, maintenance, error analysis, security, and prevention of misuse.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in a secure, efficient, and functional online service) and Art. 6(1)(b) GDPR, insofar as hosting/email services are necessary for the performance of a contract.
Further information can be found in the IONOS privacy policy at https://www.ionos.de/terms-gtc/datenschutzerklaerung/.
20. Collection of Access Data and Log Files
Each time our website is accessed, our server or hosting provider automatically processes data and information from your device’s system. This data is stored in so-called server log files.
The following data may in particular be processed: IP address (possibly shortened), date and time of access, requested URL/page, referrer URL, HTTP status code, amount of data transferred, browser type and version, operating system, language settings, provider, device type, and possibly additional technical header information.
The purposes are delivery of the website, ensuring stability and security, defense against and analysis of attacks (e.g., brute force, DDoS), error analysis, prevention of misuse, and optimization.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in security and operation). Where log files are required to fulfill legal obligations, Art. 6(1)(c) GDPR may apply.
Storage duration: Log files are generally stored for a limited period (often a few days to a few weeks). In the event of security incidents, relevant log data may be retained longer until final clarification or evidentiary preservation.
21. Integration of Third-Party Services and Content
We may integrate third-party services and content in order to provide functions, display content, or optimize our offering. In this context, personal data (in particular IP address, usage data, technical data) may be transmitted to third parties or third parties may gain access to information stored on your device.
Where such integrations are not strictly necessary, they are generally carried out only after your consent (Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG). Technically necessary integrations may be based on Art. 6(1)(f) GDPR in conjunction with Section 25(2) TDDDG.
21.1 Google Services (Site Kit, Analytics, Search Console, YouTube)
We may use Google Site Kit as a WordPress plugin to integrate Google services such as Google Analytics, Google Search Console, or PageSpeed Insights in the backend and to obtain evaluations. For website visitors, analysis and tracking functions (e.g., Google Analytics) as well as embedded content (e.g., YouTube) are particularly relevant.
If Google Analytics is used, Google may process usage data, cookie IDs, device/browser information, and IP addresses. Google may transfer data to the United States. The legal basis is generally your consent pursuant to Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.
Google Search Console primarily serves technical/SEO analysis from the perspective of the website operator. As a rule, no additional cookies are set for website visitors; however, technical connections to Google cannot be completely excluded.
When embedding YouTube videos, YouTube/Google may set cookies, collect device and usage data, and possibly create user profiles, especially if you are logged into your Google account.
Further information can be found in Google’s privacy policy at https://policies.google.com/privacy?hl=en.
21.2 Cookie Consent Tool
We use a consent management tool (see Section 5.4) to obtain, document, and manage consents in a legally compliant manner.
Further information can be found at CCM19: https://www.ccm19.de/datenschutzerklaerung.html.
21.3 Own Plugin (Local, No Data Transmission)
If we use or provide our own WordPress plugin that processes data exclusively locally on the server and does not transmit data to external servers, processing takes place within our technical infrastructure or within the infrastructure of the respective customer.
On our website, this particularly concerns the processing of prospective customer/customer data in connection with orders, support, and communication. Working time data of our customers’ employees is not transmitted to us (see Section 16.1).
21.4 Security Plugins / Firewall
We use security solutions (e.g., WAF, brute-force protection, IP blocking, logging) to protect our website. In this context, IP addresses, timestamps, requested URLs, device/browser information, and possibly indications of suspicious patterns are processed.
The legal basis is Art. 6(1)(f) GDPR (IT security; cf. Recital 49 GDPR).
21.5 WooCommerce
We may use WooCommerce as a shop system within WordPress. WooCommerce processes the data necessary for order processing within our website/server environment (e.g., shopping cart, checkout, customer account).
Depending on configuration and extensions used, WooCommerce or Automattic (e.g., for certain services such as Shipping & Tax, Jetpack features, payment or tax services) may process additional data. As a conservative assumption, we point out that when using such additional services, data may be transmitted to Automattic or affiliated companies.
Further information can be found in Automattic’s privacy policy at https://automattic.com/privacy/ and in the WooCommerce privacy documentation at https://woocommerce.com/documentation/woocommerce/get-help/privacy/.
21.6 BeyondSEO (rankingCoach)
We may use BeyondSEO as an SEO/marketing service. Based on common market integration, BeyondSEO is often a solution provided by rankingCoach. Depending on usage, website and company data, contact data, and technical data may be processed and transmitted to rankingCoach in order to provide SEO analyses, recommendations, or campaign functions.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in optimizing our online offering) or – where consent is required – Art. 6(1)(a) GDPR.
Further information can be found in rankingCoach’s privacy policy at https://www.rankingcoach.com/en/privacy.
21.7 Extendify
We may use services/plugins from Extendify that enhance WordPress functionality (e.g., design libraries, assistance features, AI-supported or guided content creation, onboarding and optimization functions). In this context, technical data (e.g., IP address, device/browser data), usage data (interactions), content data (e.g., drafts/page content), and account data may be processed and transmitted to Extendify.
The legal basis is – depending on the function – Art. 6(1)(f) GDPR (legitimate interest in efficient provision/optimization) and, for consent-based cookies/tracking, Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG.
Further information can be found in Extendify’s privacy policy at https://extendify.com/privacy-policy/.
22. Data Protection Provisions on the Use of Facebook, Instagram, YouTube, TikTok, XING, and LinkedIn
We maintain online presences on social media platforms and may link to these profiles from our website. Depending on the design of the website, content from these platforms may also be embedded (e.g., YouTube videos).
When you visit our social media profiles or use embedded content, platform providers generally process personal data as independent controllers. This may include profiling, reach measurement, personalized advertising, and tracking across different websites/apps.
22.1 Facebook (Meta)
When visiting our Facebook page, Meta Platforms Ireland Limited processes personal data. For certain functions (in particular “Page Insights”), joint controllership pursuant to Art. 26 GDPR may exist.
Further information can be found in Meta/Facebook’s privacy policy at https://www.facebook.com/privacy/policy/. Information on the Page Controller Addendum is available at https://www.facebook.com/legal/terms/page_controller_addendum.
22.2 Instagram
Similar information applies to Instagram, as Instagram is also operated by Meta.
Further information can be found in Instagram’s privacy policy at https://www.instagram.com/legal/privacy/.
22.3 YouTube
YouTube is a Google service. When embedding or using YouTube, Google may process personal data, set cookies, and create usage profiles.
Further information can be found in Google’s privacy policy at https://policies.google.com/privacy?hl=en.
22.4 TikTok
In Europe, TikTok is provided, among others, by TikTok Technology Limited and TikTok Information Technologies UK Limited. When used, extensive usage, device, and interaction data may be processed.
Further information can be found in TikTok’s EEA privacy policy at https://www.tiktok.com/legal/page/eea/privacy-policy/en.
22.5 XING
XING is operated by New Work SE. When used, usage and interaction data may be processed.
Further information can be found in XING’s privacy policy at https://privacy.xing.com/en/privacy-policy.
22.6 LinkedIn
In Europe, LinkedIn is operated by LinkedIn Ireland Unlimited Company. When used, usage, device, and interaction data may be processed, in particular for advertising and analytics purposes.
Further information can be found in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.
22.7 Linking vs. Embedding
If we merely provide links, no data is generally transmitted to social media providers when our website is loaded, provided that no resources from these providers are loaded automatically. In the case of embedded content (e.g., YouTube iframes), data transmission may occur as soon as the page is accessed or, at the latest, when the content is played.
We recommend reviewing and, if necessary, adjusting your privacy settings in your browser and within the respective platform accounts.
23. Legitimate Interests Pursued by the Controller or a Third Party
Where we process personal data on the basis of Art. 6(1)(f) GDPR, we pursue in particular the following legitimate interests:
Secure and stable operation of the website, protection against misuse, fraud, and attacks (e.g., WAF, log files, rate limiting).
Improvement and optimization of our services, error analysis, performance and reach measurement (where not subject to consent or after consent).
Enforcement of our own claims and defense against unjustified claims.
Efficient communication and handling of inquiries.
In all cases, we conduct a balancing test to determine whether your interests or fundamental rights and freedoms override our legitimate interests.
24. Period for Which Personal Data Is Stored
The storage period depends on the purpose of processing, statutory retention obligations, and our legitimate interests.
Server log files are generally stored only for a short period, and longer only where necessary (e.g., for attack analysis).
Communication data (inquiries, support) is stored as long as processing is necessary and, if applicable, beyond that for evidentiary purposes or legal defense.
Order and invoice data are stored in accordance with statutory retention periods.
Account and profile data are generally stored until the account is deleted; thereafter, we delete or anonymize the data unless there are grounds for longer storage.
Consent logs are generally stored for a period aligned with statutory limitation periods and documentation obligations.
25. Legal or Contractual Requirements to Provide Personal Data; Necessity for Contract Conclusion; Obligation of the Data Subject to Provide Personal Data; Possible Consequences of Failure to Provide
The provision of personal data may be legally or contractually required.
For orders and contractual services, you must provide the data necessary to perform the contract (e.g., contact and payment data). Without this data, the contract cannot be concluded or the service provided.
When creating a customer account, certain information is required (e.g., email address, login credentials). Without this data, the customer account cannot be provided.
For contact inquiries, you must provide the data necessary to process your request. Without this data, processing may be limited or not possible.
The provision of data for non-essential cookies/tracking is voluntary. If not provided, certain convenience or analytics functions may not be available, but the website remains generally usable.
26. Existence of Automated Decision-Making
As a rule, no exclusively automated decision-making within the meaning of Art. 22 GDPR takes place.
If, in individual cases, automated procedures are used (e.g., automated fraud prevention in the payment process by third-party providers), this takes place within the framework of the respective services and in compliance with legal requirements. Please refer to the respective providers’ privacy policies (e.g., PayPal) for details.
27. Note on the EU AI Act (Regulation (EU) 2024/1689)
Regulation (EU) 2024/1689 (“AI Act”) establishes requirements for the development, provision, and use of artificial intelligence systems within the EU.
Where we use AI-supported functions in our services or in tools employed (e.g., for website/content creation or assistance functions provided by third parties), we ensure privacy-friendly settings, purpose limitation, and transparency. We do not use such functions to make decisions with legal or similarly significant effects for website visitors based solely on automated processing.
If third-party providers use AI systems (e.g., Extendify), their privacy policies and terms of use also apply. Further information can be found at https://extendify.com/privacy-policy/.
28. Notice on the EU Data Act (Regulation (EU) 2023/2854)
Regulation (EU) 2023/2854 (“Data Act”) contains provisions on the fair use of and access to data, in particular in the context of connected products and related services.
Where our services may involve data arising from the use of digital products or services (e.g., usage data from tools, digital content, or plugins), data protection requirements (GDPR, TDDDG) remain unaffected. We observe the principle that personal data may only be processed on a valid legal basis and that the rights of data subjects must be safeguarded.
If, in individual cases, claims to data access or data portability exist, we will review and implement such claims in accordance with the applicable legal requirements.
29. Right to Lodge a Complaint and Supervisory Authority
Pursuant to Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR. This right exists without prejudice to any other administrative or judicial remedy.
You may lodge a complaint with any data protection supervisory authority within the EU, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
The competent supervisory authority for the controller’s registered office in the Free State of Saxony is:
Saxon Data Protection and Transparency Commissioner
P.O. Box 11 01 32
01330 Dresden
Germany
Website: https://www.datenschutz.sachsen.de/
In addition, you may also contact us directly in order to clarify your concerns.