Privacy Policy
Controller
Stefan Steinemann
Großbeerenstr. 6
86167 Augsburg, Germany
Email address: info@stefan-steinemann.de
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects.
Types of Data Processed
- Inventory data
- Location data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
- Log data
Categories of Data Subjects
- Communication partners
- Users
Purposes of Processing
- Communication
- Security measures
- Reach measurement
- Tracking
- Audience segmentation
- Organizational and administrative procedures
- Feedback
- Marketing
- Provision of our online offering and user-friendliness
- Information technology infrastructure
- Public relations
Relevant Legal Bases
Legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection laws in your or our country of residence may also apply. If more specific legal bases are applicable in individual cases, we will inform you of them in this privacy notice.
- Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.
National Data Protection Laws in Germany
In addition to the GDPR, national data protection regulations apply in Germany, especially the Federal Data Protection Act (BDSG), which includes specific provisions on access rights, deletion rights, objection rights, processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making, including profiling. Data protection laws of individual German states may also apply.
Note on Applicability of the GDPR and the Swiss DPA
This privacy policy serves to comply with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). Therefore, GDPR terminology is used throughout for broader application and better comprehensibility. Specifically, instead of the Swiss terms "processing" of "personal data", "overriding interest", and "sensitive personal data", the GDPR terms "processing", "legitimate interest", and "special categories of data" are used. However, under the scope of the Swiss FADP, the legal meaning of terms remains defined by the FADP.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.
These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access, access rights, input, transfer, availability security, and separation of data. We also maintain procedures to ensure data subject rights, data deletion, and responses to data threats. Furthermore, we incorporate data protection principles into the development or selection of hardware, software, and processes through privacy-by-design and privacy-by-default approaches.
Disclosure of Personal Data
In the course of processing personal data, it may be disclosed to or transferred to other entities, companies, legally independent organizational units, or individuals. These may include IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and enter into appropriate contracts or agreements to protect your data.
International Data Transfers
Processing in Third Countries: If we transfer data to a third country (i.e., outside the EU or EEA) or this occurs in the context of using third-party services or disclosures, it is always done in compliance with legal requirements.
For transfers to the USA, we primarily rely on the EU-U.S. Data Privacy Framework (DPF), recognized by the EU Commission’s adequacy decision on July 10, 2023. Additionally, we use standard contractual clauses approved by the EU Commission to ensure protection.
This two-layered approach provides robust data protection: the DPF serves as the primary safeguard, while the standard contractual clauses provide additional security. If the DPF framework changes, the clauses remain a fallback.
We inform you about DPF certification and standard clauses for each provider. More info and a list of certified companies can be found at: https://www.dataprivacyframework.gov/
For other third countries, we apply appropriate safeguards such as standard clauses, explicit consent, or legal obligations. See the EU Commission’s guidance here: EU Commission Data Transfers
General Information on Data Retention and Deletion
We delete personal data in accordance with legal requirements when consent is withdrawn or when no other legal basis for processing remains—e.g., when the original purpose no longer applies or the data is no longer needed.
Exceptions include legal retention requirements or special interests justifying longer storage or archiving.
For instance, data required for commercial or tax reasons or for legal claims or to protect third-party rights must be archived accordingly.
Our privacy policy includes additional details on retention specific to certain processing procedures.
If multiple retention or deletion periods apply, the longest period takes precedence.
If a period is not explicitly tied to a specific date and is at least one year long, it begins at the end of the calendar year in which the triggering event occurred. In ongoing contracts, the trigger is the effective date of termination or other ending of the legal relationship.
Data retained not for the original purpose but due to legal or other reasons will only be processed for those purposes justifying its retention.
Further Information on Processing, Procedures, and Services:
Retention and Deletion of Data – General Periods under German Law:
- 10 years – Books and records, annual financial statements, inventories, management reports, opening balance sheets, and related documentation (§ 147(1) No. 1, (3) AO; § 14b(1) UStG; § 257(1) No. 1, (4) HGB)
- 8 years – Accounting records such as invoices and cost receipts (§ 147(1) No. 4, 4a, (3) AO; § 257(1) No. 4, (4) HGB)
- 6 years – Other business documents: received and sent commercial letters, documents relevant for tax purposes such as timesheets, cost sheets, and payroll records not already covered under accounting (§ 147(1) No. 2, 3, 5, (3) AO; § 257(1) No. 2, 3, (4) HGB)
- 3 years – Data relevant for potential warranty or compensation claims or similar contractual rights and related inquiries, based on typical statutes of limitation (§§ 195, 199 BGB)
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, in particular Articles 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data which is carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
- Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed, and, if so, to access this data along with further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request the completion of your data or the correction of inaccurate data concerning you.
- Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request the immediate deletion of data concerning you or, alternatively, to request a restriction of the processing of the data.
- Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, or to request the transmission of this data to another controller, in accordance with legal requirements.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you believe that the processing of your personal data violates the provisions of the GDPR.
Provision of Online Services and Web Hosting
We process users’ data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functionalities of our online services to the user's browser or device.
- Types of data processed: Usage data (e.g. page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, parties involved); log data (e.g. log files related to logins or data access or access times).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); security measures.
- Storage and deletion: Deletion in accordance with the information in the section "General Information on Data Retention and Deletion".
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing operations, procedures and services:
- Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files.” These may include the address and name of the accessed web pages and files, date and time of access, data volumes transferred, success messages, browser type and version, user operating system, referrer URL (previously visited page), IP addresses, and the requesting provider. Server log files are used for security purposes (e.g. to prevent server overload, especially in cases of abuse such as DDoS attacks) and to ensure server stability under load.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Data deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is excluded from deletion until the respective incident is fully clarified.
Use of Cookies
The term “cookies” refers to technologies that store and access information on users’ devices. Cookies may serve various purposes, such as ensuring the functionality, security, and convenience of online services or enabling visitor traffic analysis. We use cookies in accordance with legal requirements and obtain user consent where required. Where consent is not necessary, processing is based on our legitimate interests, particularly when the storage and access of information is essential to deliver specifically requested content and features. This includes storing settings and ensuring functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about the scope of cookie use and which cookies are used.
Legal basis for processing: Whether we process personal data using cookies depends on the user’s consent. Where consent has been granted, it is the legal basis for processing. Without consent, processing is based on our legitimate interests as explained in this section and in the context of specific services and procedures.
Storage duration:
The following types of cookies are distinguished in terms of their duration:
- Temporary cookies (also: session cookies): These are deleted at the latest once the user leaves the online offering and closes their device (e.g. browser or mobile application).
- Permanent cookies: These remain stored even after the device is closed. For example, the login status can be stored and preferred content displayed automatically upon revisiting a site. Data collected through cookies may also be used for reach measurement. Unless otherwise specified (e.g. when obtaining consent), users should assume that cookies are permanent and may be stored for up to two years.
General information on revocation and objection (opt-out):
Users may revoke previously given consent at any time and object to data processing, in accordance with legal requirements, for example via their browser privacy settings.
- Types of data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, parties involved).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Further information on processing operations, procedures and services:
- Processing of cookie data based on consent: We use a consent management solution to obtain user consent for the use of cookies or for the procedures and providers listed in the consent management solution. This process serves to obtain, record, manage, and revoke consent, particularly regarding the use of cookies and similar technologies for storing, reading, and processing information on users' devices. Within this process, users' consents are collected for the use of cookies and related data processing, including those specified within the consent management procedure. Users can manage and withdraw their consents. Consent declarations are stored to avoid repeated requests and to provide legal proof of consent. Storage may occur on the server side and/or in a cookie (so-called opt-in cookie) or using similar technologies, to assign the consent to a specific user or their device. Unless specific information is provided regarding consent management providers, the following applies: Consent is stored for up to two years. A pseudonymous user identifier is created and stored along with the time of consent, information about the scope of consent (e.g. relevant cookie categories and/or service providers), as well as browser, system, and device information.
- Legal basis: Consent (Art. 6(1)(a) GDPR).
Contact and Inquiry Management
When contacting us (e.g. by mail, contact form, email, telephone or via social media), as well as within the context of existing user and business relationships, the data provided by the inquiring persons will be processed to the extent necessary to respond to the contact requests and any requested actions.
Types of data processed: Inventory data (e.g. full name, home address, contact information, customer number, etc.); contact data (e.g. postal and email addresses, telephone numbers); content data (e.g. text or image-based messages and posts, and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
Data subjects: Communication partners.
Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collection of feedback via online form); provision of our online offering and user-friendliness.
Storage and deletion: Deletion in accordance with the information provided in the section “General Information on Data Retention and Deletion.”
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further notes on processing operations, procedures and services:
Contact form: When contacting us via our contact form, email or other communication channels, we process the personal data provided to us in order to respond to and handle the respective concern. This typically includes information such as name, contact details and possibly other information communicated to us that is necessary for appropriate handling. We use this data solely for the stated purpose of contact and communication.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Presence on Social Media
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.
Please note that user data may be processed outside the territory of the European Union. This may result in risks for users, for example, making it more difficult to enforce users’ rights.
Furthermore, user data is generally processed within social networks for market research and advertising purposes. For example, usage profiles can be created based on user behavior and resulting interests. These profiles may in turn be used to display advertisements inside and outside the networks that presumably match users’ interests. As a result, cookies are typically stored on users’ devices in which usage behavior and interests are saved. Additionally, usage profiles may also store data independent of the devices used by the users (especially if they are members of the respective platforms and are logged in).
For a detailed presentation of the respective processing forms and opt-out options, please refer to the privacy policies and information provided by the respective network providers.
Also, in the case of information requests and the assertion of data subject rights, we point out that these are most effectively exercised with the respective providers. Only the providers have access to the users’ data and can directly take appropriate measures and provide information. Should you still require assistance, you may contact us.
Types of data processed: Contact data (e.g. postal and email addresses or phone numbers); content data (e.g. text or image-based messages and contributions, including related metadata such as authorship or time of creation); usage data (e.g. page views, dwell time, click paths, usage frequency and intensity, device types, operating systems, interactions with content and features).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Communication; feedback (e.g. collecting feedback via online forms); public relations.
Storage and deletion: Deletion in accordance with the information provided in the section “General Information on Data Retention and Deletion.”
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
Instagram: Social network allowing photo and video sharing, commenting, favoriting posts, messaging, subscribing to profiles and pages.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://www.instagram.com;
Privacy Policy: https://privacycenter.instagram.com/policy/.
Third country transfer basis: Data Privacy Framework (DPF).
Facebook Pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook Page (“Fan Page”). This includes information about the types of content users view or interact with, or the actions they take (see “Things you and others do and provide” in Facebook’s Data Policy: https://www.facebook.com/privacy/policy/), as well as device information (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy). As described under “How do we use this information?” in Facebook’s Data Policy, Facebook also collects and uses information to provide analytics services called “Page Insights” to page operators to help them understand how people interact with their pages and the content associated with them.
We have entered into a specific agreement with Facebook ("Page Insights Controller Addendum", https://www.facebook.com/legal/terms/page_controller_addendum) that sets out, in particular, the security measures Facebook must observe and in which Facebook agrees to fulfill data subject rights (i.e. users can, for example, address requests for information or deletion directly to Facebook). The rights of users (especially to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about Page Insights Data” (https://www.facebook.com/legal/terms/information_about_page_insights_data).
Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, an EU-based company. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, particularly with regard to any transfer of data to the parent company Meta Platforms, Inc. in the USA.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://www.facebook.com;
Privacy Policy: https://www.facebook.com/privacy/policy/;
Third country transfer basis: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
Plugins and Embedded Features and Content
We incorporate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may include, for example, graphics, videos or city maps (hereinafter uniformly referred to as “content”).
Such integration always requires that the third-party providers of this content process the IP address of the users, as they would not be able to send the content to their browser without the IP address. The IP address is thus required for the presentation of this content or functionality. We endeavor to use only content whose providers use the IP address solely for delivering the content.
Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymized information may also be stored in cookies on the user's device and may contain, among other things, technical details about the browser and operating system, referring websites, time of visit and other details regarding the use of our online offering. This data may also be combined with similar information from other sources.
Legal basis notes: If we ask users for their consent to use third-party providers, the legal basis for the processing of data is that consent. Otherwise, user data is processed based on our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). We also refer to the cookie usage information in this privacy policy.
Types of data processed:
Usage data (e.g. page views, dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); location data (information on the geographic position of a device or person).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online offering and user-friendliness; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behavior-based profiling, use of cookies); audience building; marketing.
Storage and deletion: Deletion in accordance with the information provided in the section “General Information on Data Retention and Deletion.” Cookies may be stored for up to 2 years on users’ devices (unless stated otherwise).
Legal bases: Consent (Art. 6(1)(a) GDPR); legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures and services:
Google Maps: We integrate maps from the "Google Maps" service provided by Google. The data processed may include IP addresses and location data of users.
Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland;
Legal basis: Consent (Art. 6(1)(a) GDPR);
Website: https://mapsplatform.google.com/;
Privacy Policy: https://policies.google.com/privacy;
Third country transfer basis: Data Privacy Framework (DPF).
YouTube Videos: Video content;
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland;
Legal basis: Consent (Art. 6(1)(a) GDPR);
Website: https://www.youtube.com;
Privacy Policy: https://policies.google.com/privacy;
Third country transfer basis: Data Privacy Framework (DPF);
Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en;
Ad settings: https://myadcenter.google.com/personalizationoff.