
Privacy Policy
This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as „data“) within our online offering and the associated websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as „online offering“). Regarding the terminology used, such as „processing“ or „controller,“ we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Further information on the German GDPR can be found on Wikipedia.
https://de.wikipedia.org/wiki/Datenschutz-Grundverordnung
Full text on eur-lex.europa.eu:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (selected in German)
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Controller
Sissi Stabernack
Neubrunner Dorfstraße 33
D-96166 Kirchlauter
email: sissi@sissijasmin
Types of data processed
– Inventory data (e.g., names, addresses) > not collected.
– Contact data (e.g., email, phone numbers) > not collected.
– Content data (e.g., text inputs, photographs, videos) > not collected.
– Usage data (e.g., visited websites, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of the online offering (hereinafter, we collectively refer to the data subjects as „users“).
Purpose of processing
– Provision of the online offering, its functions, and content.
– Responding to contact inquiries and communicating with users.
– Security measures.
– Reach measurement/marketing.
Terminology Used
„Personal data“ refers to any information relating to an identified or identifiable natural person (hereinafter „data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
No „personal data“ is collected that would allow the identification of a person as defined by the GDPR.
„Processing“ means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.
„Pseudonymization“ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
„Profiling“ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
„Controller“ refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
„Processor“ means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Relevant Legal Bases
In accordance with Article 13 of the GDPR, we inform you of the legal bases for our data processing. Unless the legal basis is specified in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR; the legal basis for processing to fulfill our services and carry out contractual measures as well as to respond to inquiries is Article 6(1)(b) GDPR; the legal basis for processing to comply with our legal obligations is Article 6(1)(c) GDPR; and the legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) GDPR. In cases where the vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.
Security Measures
In accordance with Article 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, disclosure, and ensuring availability and separation of data. Furthermore, we have established procedures to ensure the exercise of data subjects‘ rights, the deletion of data, and responses to data threats. Additionally, we consider the protection of personal data during the development or selection of hardware, software, and processes, in line with the principle of data protection by design and by default (Article 25 GDPR).
Collaboration with Processors and Third Parties
If, in the course of our processing, we disclose data to other persons or companies (processors or third parties), transfer it to them, or otherwise grant them access to the data, this is done only on the basis of legal permission (e.g., if the transfer of data to third parties, such as payment service providers, is necessary for contract fulfillment pursuant to Article 6(1)(b) GDPR), your consent, a legal obligation, or our legitimate interests (e.g., when using agents, web hosts, etc.).
If we engage third parties to process data on the basis of a so-called „data processing agreement,“ this is done in accordance with Article 28 GDPR.
Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this is done only to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have data processed in a third country only if the special requirements of Articles 44 et seq. GDPR are met. This means, for example, that processing is carried out on the basis of special guarantees, such as an officially recognized determination of a data protection level equivalent to that of the EU (e.g., for the USA through the „Privacy Shield“) or compliance with officially recognized special contractual obligations (so-called „standard contractual clauses“).
Rights of Data Subjects
You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about this data, as well as further information and a copy of the data in accordance with Article 15 GDPR.
Pursuant to Article 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
In accordance with Article 17 GDPR, you have the right to request that data concerning you be deleted without delay or, alternatively, to request a restriction of the processing of the data in accordance with Article 18 GDPR.
You have the right to receive the data concerning you that you have provided to us, in accordance with Article 20 GDPR, and to request its transfer to other controllers.
Furthermore, pursuant to Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of Revocation
You have the right to revoke consents given pursuant to Article 7(3) GDPR with effect for the future.
Right to Object
You may object to the future processing of data concerning you at any time in accordance with Article 21 GDPR. The objection may, in particular, be made against processing for the purposes of direct marketing.
Cookies and Right to Object to Direct Marketing
„Cookies“ are small files stored on users‘ devices. Various types of information can be stored within cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, also known as „session cookies“ or „transient cookies,“ are cookies that are deleted after a user leaves an online offering and closes their browser. Such cookies may, for example, store the contents of a shopping cart in an online store or a login status. Cookies referred to as „permanent“ or „persistent“ remain stored even after the browser is closed. For instance, a login status can be saved if users revisit the site after several days. Such cookies may also store users‘ interests for purposes of reach measurement or marketing. „Third-party cookies“ are cookies offered by providers other than the controller operating the online offering (otherwise, if they are only the controller’s cookies, they are referred to as „first-party cookies“).
We may use temporary and permanent cookies and provide information about this in our privacy policy.
If users do not want cookies to be stored on their device, they are requested to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Disabling cookies may lead to functional limitations of this online offering.
A general objection to the use of cookies for online marketing purposes can be declared for many services, particularly in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please note that this may result in not all functions of this online offering being fully usable.
Deletion of Data
The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In accordance with legal requirements in Germany, data retention is carried out in particular for 10 years pursuant to Sections 147(1) AO, 257(1) Nos. 1 and 4, and (4) HGB (books, records, management reports, accounting documents, commercial books, documents relevant for taxation, etc.) and for 6 years pursuant to Section 257(1) Nos. 2 and 3, and (4) HGB (commercial letters).
In accordance with legal requirements in Austria, data retention is carried out in particular for 7 years pursuant to Section 132(1) BAO (accounting records, receipts/invoices, accounts, documents, business papers, statements of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years for documents related to electronically provided services, telecommunications, radio, and television services provided to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
Contact
When contacting us (e.g., via contact form, email, telephone, or social media), the user’s information is processed for the purpose of handling the contact request and its processing in accordance with Article 6(1)(b) GDPR. User information may be stored in a Customer Relationship Management system („CRM system“) or similar inquiry organization system.
We delete the inquiries if they are no longer necessary. We review the necessity every two years; statutory archiving obligations also apply.
Hosting
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space, and database services, security services, and technical maintenance services, which we use for the operation of this online offering.
In this context, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, and meta- and communication data of customers, interested parties, and visitors to this online offering based on our legitimate interests in efficiently and securely providing this online offering in accordance with Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).
Collection of Access Data and Log Files
We, or our hosting provider, collect data on every access to the server on which this service is hosted (so-called server log files) based on our legitimate interests as per Article 6(1)(f) GDPR. Access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g., to investigate misuse or fraudulent activities) for a maximum period of 7 days and then deleted. Data that must be retained further for evidentiary purposes is exempt from deletion until the respective incident is fully resolved.
Google Analytics
Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering as per Article 6(1)(f) GDPR), we use Google Analytics, a web analytics service provided by Google LLC („Google“). Google uses cookies. The information generated by the cookie about the use of the online offering by users is generally transmitted to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Agreement, thereby guaranteeing compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with further services related to the use of this online offering and internet usage. Pseudonymous user profiles may be created from the processed data.
We use Google Analytics only with activated IP anonymization. This means that the IP address of users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by adjusting their browser software settings accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offering to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
Further information on data usage by Google, as well as settings and opt-out options, can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
Users‘ personal data is deleted or anonymized after 14 months.
Google Universal Analytics
We use Google Analytics in the form of „Universal Analytics.“ „Universal Analytics“ refers to a Google Analytics process in which user analysis is based on a pseudonymous user ID, creating a pseudonymous user profile with information from the use of various devices (so-called „cross-device tracking“).
Online Presence in Social Media
We maintain online presences within social networks and platforms to communicate with customers, interested parties, and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators apply.
Unless otherwise stated in our privacy policy, we process users‘ data if they communicate with us within social networks and platforms, e.g., by posting on our online presences or sending us messages.
Integration of Third-Party Services and Content
Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering as per Article 6(1)(f) GDPR), we integrate content or service offerings from third-party providers to incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as „content“).
This always requires that the third-party providers of this content perceive the users‘ IP address, as they could not send the content to their browser without the IP address. The IP address is therefore necessary for the display of this content. We strive to use only content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as „web beacons“) for statistical or marketing purposes. These „pixel tags“ can evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, visit time, and other details about the use of our online offering, and may also be linked to such information from other sources.
YouTube
We embed videos from the „YouTube“ platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Google Maps
We embed maps from the „Google Maps“ service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, users‘ IP addresses and location data, which are not collected without their consent (usually provided through the settings of their mobile devices). The data may be processed in the USA. Privacy Policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.
Use of Facebook Social Plugins
Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering as per Article 6(1)(f) GDPR), we use social plugins („plugins“) from the social network facebook.com, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland („Facebook“). The plugins may display interaction elements or content (e.g., videos, graphics, or text posts) and are recognizable by one of the Facebook logos (white „f“ on a blue tile, the terms „Like,“ „I like,“ or a „thumbs up“ icon) or are marked with the addition „Facebook Social Plugin.“ The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield Agreement, thereby guaranteeing compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a user accesses a function of this online offering that contains such a plugin, their device establishes a direct connection with Facebook’s servers. The content of the plugin is transmitted directly from Facebook to the user’s device and integrated into the online offering. Usage profiles of users may be created from the processed data. We therefore have no influence on the scope of data that Facebook collects with the help of this plugin and inform users according to our knowledge.
By integrating the plugins, Facebook receives information that a user has accessed the corresponding page of the online offering. If the user is logged into Facebook, Facebook can associate the visit with their Facebook account. When users interact with the plugins, for example, by clicking the Like button or posting a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. Even if a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and settings options to protect users‘ privacy, can be found in Facebook’s privacy policy: https://www.facebook.com/about/privacy/.
If a user is a Facebook member and does not want Facebook to collect data about them through this online offering and link it with their membership data stored on Facebook, they must log out of Facebook and delete their cookies before using our online offering. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. The settings are platform-independent, i.e., they are applied to all devices, such as desktop computers or mobile devices.
Twitter
Functions and content from the Twitter service, offered by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, may be integrated into our online offering. This may include, for example, content such as images, videos, or texts and buttons with which users can express their liking of the content or subscribe to the content creators or our posts. If users are members of the Twitter platform, Twitter can associate the access to the aforementioned content and functions with the users‘ profiles there. Twitter is certified under the Privacy Shield Agreement, thereby guaranteeing compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy Policy: https://twitter.com/en/privacy, Opt-Out: https://twitter.com/personalization.
Partially created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke (modified)
Modifications are underlined