Privacy policy

1. Introduction and contact details of the person responsible

1.1 We are pleased that you are visiting our website and thank you for your interest. In the following, we will inform you about how we handle your personal data when you use our website. Personal data is all data with which you can be personally identified.

1.2 The controller in charge of data processing on this website, within the meaning of the General Data Protection Regulation (GDPR), is nunc. GmbH, Oberlohnstr. 3, 78467 Constance, Germany, Tel.: +49 7531 5848177, E-Mail: information@nunc.coffee. The controller in charge of the processing of personal data is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.

2. Data collection when visiting our website

2.1 When you use our website for information purposes only, i.e. if you do not register or otherwise provide us with information, we only collect the data that your browser transmits to the site server (so-called "server log files"). When you visit our website, we collect the following data, which is technically necessary for us to display the website to you:

  • The page of our website that you visited
  • Date and time of access
  • Amount of data sent in bytes
  • Source/reference from which you reached the page
  • Browser used
  • Operating system used
  • IP address used (if applicable: in anonymised form)

When you access our website, corresponding information may be stored in your end device and/or corresponding information that is already stored on your end device may be accessed. The storage or access takes place on the basis of Section 25 (2) No. 2 of the Telecommunications Digital Services Data Protection Act (hereinafter "TDDDG"), as this information is absolutely necessary to ensure the operation of our website and IT security and to be able to provide you with our website as requested.

Your data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to subsequently check the server log files if there are concrete indications of unlawful use.

We cannot object to the collection and storage of your server log data, as this data is essential for the smooth operation of the website.

2.2 This website uses SSL or TLS encryption for security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to the controller). You can recognise an encrypted connection by the character string "https://" and the lock symbol in your browser line.

3. Hosting & content delivery network

Shopify

3.1 We use the system of the following provider to host our website and display the page content: Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify"). Data is also transferred to: Shopify Inc, 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc, Shopify Payments (USA) Inc or Shopify (USA) Inc.

All data collected on our website is processed on the provider's servers. We have concluded an order processing contract with the provider, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties. In the case of data transfer to Canada, an appropriate level of data protection is guaranteed by an adequacy decision of the European Commission. For the transfer of data to the USA, the provider relies on standard contractual clauses of the European Commission, which are intended to ensure compliance with the European level of data protection. Further information on the processing of your data in third countries can be found in section 14.

Cloudflare

3.2 Another provider for the above-mentioned purposes is Cloudflare, Inc, 101 Townsend St. San Francisco, CA 94107, USA ("Cloudflare"). We have concluded an order processing contract with Cloudflare, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties.

For data transfers to the USA, Cloudflare has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14. Data processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in a smooth presentation of our website. We cannot object to data processing, as this is absolutely necessary for the smooth operation of the website.

Vimeo

3.3 We use the following provider to display and play videos: Vimeo, LLC, 555 West 18th Street, New York, New York 10011, USA ("Vimeo"). If you have consented to this, your browser will establish a direct connection to the Vimeo servers when you access a page on our website in order to load the Vimeo plugin. Certain information, including your IP address, is transmitted to Vimeo. The integration of Vimeo takes place with a so-called "do-not-track" function, which means that Vimeo cannot track any session data, including all cookies and analytics. Data processing and any storage and/or reading of information on/from your end device is based on your consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR. For the transfer of data to the USA, the provider relies on standard contractual clauses of the European Commission, which are intended to ensure compliance with the European level of data protection. Further information on the processing of your data in third countries can be found in section 14. You can revoke your consent to the storage and use of cookies in connection with the integrated videos in the cookie settings of our website (see section 4 below). You can also technically prevent the storage and use of cookies at any time by making the appropriate browser settings (see section 4 below).

Integration of Spotify content

3.4 On our website, we integrate content from the music streaming service of Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden (hereinafter "Spotify") to enable you to play audio files (e.g. playlists) directly on our website. The integration takes place via a so-called "iframe", via which the content is loaded directly from Spotify. If you use this function, a connection to Spotify's servers is established, whereby your IP address, the type of browser used, device information and possibly other technical data are transmitted to Spotify and processed by Spotify. Spotify may also set cookies and store corresponding information on your end device and/or access corresponding information that is already stored on your end device.

Spotify is independently responsible for this under data protection law. We have no influence on the data processing by Spotify and expressly distance ourselves from all content of all linked third-party offers. We cannot rule out the possibility that your data may be transmitted to Spotify servers outside the European Union (EU) or the European Economic Area (EEA). According to Spotify, in such situations Spotify ensures that the special requirements of Art. 44 et seq. GDPR are complied with. According to Spotify, any data transfer to Spotify servers outside the EU or the EEA is based on an existing adequacy decision pursuant to Art. 45 para. 1 GDPR or on the basis of EU standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR. Further information on the processing of your data by Spotify can be found in Spotify's privacy policy available at

https://www.spotify.com/de/legal/privacy-policy/.

The transmission of your data to Spotify is based on our legitimate interests in providing the functionalities you have requested on the basis of Art. 6 para. 1 lit. f GDPR.

Insofar as your data is processed on the basis of our legitimate interests, you can object to the transfer of data to Spotify at any time with effect for the future via the footer of our website under "Object to data transfer to Spotify". You can also technically prevent the transfer of data to Spotify at any time by selecting "Do not accept cookies" in your browser settings. The procedures for the technical management and deletion of cookies in the settings of your browser can be found in the help function of your browser. Please note that Spotify content cannot be displayed and used in this case.

4. Cookies

In order to make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e. small text files that are stored on your end device or comparable technologies. Some of these cookies are automatically deleted after you close your browser (so-called "session cookies"), while others remain on your device for longer and allow you to save page settings (so-called "persistent cookies"). In the latter case, you can find the storage period in the cookie settings overview of your web browser. Cookies can be used to determine whether your end device has already communicated with us. In this way, they serve the purpose of making the use of our website more convenient for you and optimising our offer by evaluating the use of our website. Cookies can be set by us or by third-party providers, such as our partners, for analyses, marketing and social media.

If the use of cookies is absolutely necessary, cookies are stored and used on the basis of Section 25 (2) No. 2 TDDDG in conjunction with Art. 6 (1) lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the page visit. If you have expressly consented to the storage and use of cookies, cookies are stored and used on the basis of Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR. Personal data may be stored in cookies if this is technically necessary or if you have given your consent. We expressly reserve the right to use other legal bases. If you give us your consent to the use and storage of cookies that are not absolutely necessary, you can revoke this consent at any time with effect for the future in the cookie settings of this website. You can also technically prevent the storage of strictly necessary cookies at any time by setting your browser so that you are informed about the setting of cookies and can decide individually whether to accept them or to exclude the acceptance of cookies for certain cases or in general. The procedures for the technical management and deletion of cookies in the settings of your browser can be found in the help function of your browser.

Please note that if you do not accept cookies, the functionality of our website may be restricted. The following categories of cookies are used:

Strictly necessary cookies

These cookies are necessary for the functionality of our website. We have a legitimate interest in the use and storage of these cookies, as otherwise we would not be able to offer our website with certain basic functionalities (e.g. you would otherwise have to make new website settings every time you change pages). Please refer to the overview in the cookie settings for the cookies that are absolutely necessary on our website. For detailed settings, please use the drop-down function of the individual cookie categories.

Strictly necessary cookies can only be deactivated technically via your browser settings or browser add-ons. This can lead to functional restrictions on the website.

Analytics and statistics

These cookies help us to better understand how visitors interact with our website and our content by analysing usage information. We also use cookies from third-party providers, which may enable them to obtain information about your usage behaviour and use it for their own purposes (see the following sections of this privacy policy). Please also visit the websites of the third-party providers to obtain further information on their use of cookies. The analytics and statistics cookies used on our website can be found in the overview in the cookie settings. For detailed settings, please use the drop-down function for the individual cookie categories. The storage and use of analytics and statistics cookies is based on your consent, provided you have given it to us. For further details, please refer to the above passages of this section 4. You can revoke this consent at any time with effect for the future in the cookie settings of this website.

Marketing and Retargeting

For the use of marketing services (see in particular section 10) and, in particular, for linking with social media offers, we also use cookies from third-party providers, which enable them, for example, to obtain information about your usage behaviour and use it for their own purposes. Please also visit the websites of the third-party providers to obtain further information on their use of cookies. The marketing and retargeting cookies used on our website can be found in the overview in the cookie settings. For detailed settings, please use the drop-down function for the individual cookie categories. The storage and use of marketing and retargeting cookies is based on your consent, provided you have given it to us. For further details, please refer to the above passages of this section 4 and the following descriptions of the individual services and functions that are based on the use of such cookies. You can revoke your consent at any time with effect for the future in the cookie settings of this website.

Functional cookies

Additional cookies that are not absolutely necessary in order to use the website nevertheless fulfil important tasks. They enable comfortable surfing on our website. Functional cookies enable a website to remember information that affects the way a website behaves or looks, such as pre-filled forms or the region you are in. The functional cookies used on our website can be found in the overview in the cookie settings. For detailed settings, please use the drop-down function for the individual cookie categories. The storage and use of functional cookies is based on your consent, provided you have given it to us. For further details, please refer to the above passages of this section 4. You can revoke this consent at any time with effect for the future in the cookie settings of this website. You can revoke your consent at any time with effect for the future by deactivating this service in the "cookie consent tool" provided on the website. You can view or change your settings at any time via the footer of our homepage - keyword "Cookie settings". For detailed settings, please use the drop-down function of the individual cookie categories.

5. Contacting Us

Microsoft Outlook

5.1 We use the email ticketing system of the following provider to process customer enquiries: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. If you submit contact requests by email via our website, these are stored and organised in the ticket system to enable chronological processing and improve the service experience. You can always view the current status of the processing of your enquiry via the individually assigned ticket number. For the organisation and processing of enquiries, personal data is collected, transmitted to the provider, stored there and read out according to the scope of its provision, but in any case surname, first name and e-mail address. When you contact us (e.g. via contact form or email), personal data is processed exclusively for the purpose of processing and responding to your enquiry and only to the extent necessary for this purpose.

The legal basis for the processing of this data is our legitimate interest in the efficient design of our customer service, the fastest possible response to your request and the optimisation of our service offer in accordance with Art. 6 para. 1 lit. f GDPR. If your contact is aimed at a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted if it can be inferred from the circumstances that the matter in question has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.

We have concluded an order processing agreement with the provider that ensures the protection of our website visitors' data and prohibits unauthorised disclosure to third parties. For the transfer of data to the USA, the provider relies on standard contractual clauses of the European Commission, which are intended to ensure compliance with the European level of data protection. In addition, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

You can object to the processing to protect our legitimate interests at any time with effect for the future. In this case, we will no longer process your data unless we can prove that we have a legitimate interest in doing so or are otherwise legally obliged to store it. To exercise your right of cancellation regarding storage, please contact us in writing or by email.

WhatsApp communication via "charles"

5.2 For communication with our customers and interested parties via the WhatsApp messaging service, we use the software solution provided by charles (Charles GmbH, Gartenstr. 86–87, 10115 Berlin, Germany). For this purpose, the official WhatsApp Business API is used.

Nature and scope of data processing: When you contact us via WhatsApp, we collect and store your mobile phone number, your name as stored in WhatsApp, and the content of the conversation (including any transmitted files such as photos, voice messages, or locations). Depending on the context of the inquiry, further data (e.g., order number, e-mail address, or customer number) may be processed in order to assign your inquiry to a specific transaction.

Purposes and Legal Basis:

  • Contractual inquiries: If the contact is made in the context of an order or for the initiation of a contract, the legal basis is Art. 6 (1) (b) GDPR.

  • General inquiries: For general service inquiries, processing is based on our legitimate interest in efficient and timely customer communication in accordance with Art. 6 (1) (f) GDPR.

  • Marketing (WhatsApp Newsletter): If you have expressly subscribed to receive newsletters or promotional messages via WhatsApp, processing is based on your consent in accordance with Art. 6 (1) (a) GDPR. This consent can be revoked at any time with effect for the future (e.g., by sending the message "Stop" in the chat or by clicking a corresponding unsubscribe button).

Data Processing and Data Security: We have concluded a data processing agreement with Charles GmbH in accordance with Art. 28 GDPR. Charles GmbH processes the data strictly according to our instructions. The use of the API interface ensures that there is no automatic access to private address book contacts on our end devices. Communication via the API is transport-encrypted.

Third-country transfer: Within the framework of providing the service, data is passed on to WhatsApp Ireland Limited. This may involve a transfer to servers of Meta Platforms Inc. in the USA. Charles also uses sub-processors (such as Google Cloud or Cloudflare), the current list of which can be found in the provider's documentation. For data transfers to the USA, the providers involved rely on the EU-US Data Privacy Framework, which ensures an adequate level of data protection. In addition, EU Commission Standard Contractual Clauses have been concluded. Further information can be found under Section 14.

Possibility of Objection and Deletion: You can object to processing based on our legitimate interests at any time with effect for the future. In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for processing or are otherwise legally obliged to store it. To exercise your right of objection, please contact us in writing or by e-mail. Your data will be deleted as soon as it is no longer required for the purpose for which it was collected (e.g., after final processing of your inquiry) and no legal retention periods apply.

Tidio

5.3 Tidio offers a communication platform that enables companies to communicate with their customers. The platform includes features such as live chat, bots, integration with Messenger and email.

During the interaction, we may collect and process your personal data. We process any personal data that you provide on the website or that we collect about you when you use our services as a data controller in accordance with the GDPR. Personal data includes any information by which we can identify you as a specific person, such as your name, surname, email address or billing information, but also any other information relating to you.

You can object to the processing for the protection of our legitimate interests at any time with effect for the future. In this case, we will no longer process your data unless we can prove that we have a legitimate interest in doing so or are otherwise legally obliged to store it. To exercise your right of cancellation regarding storage, please contact us in writing or by e-mail.

Zendesk

5.4 Zendesk offers a communication platform that enables companies to communicate with their customers. The platform includes features such as live chat, bots, integration with Messenger and email.

During the interaction, we may collect and process your personal data. We process any personal data that you provide on the website or that we collect about you when you use our services as a data controller in accordance with the GDPR. Personal data includes any information by which we can identify you as a specific person, such as your name, surname, email address or billing information, but also any other information relating to you. You can object to the processing for the protection of our legitimate interests at any time with effect for the future. In this case, we will no longer process your data unless we can prove that we have a legitimate interest in doing so or are otherwise legally obliged to store it. To exercise your right of cancellation regarding storage, please contact us in writing or by e-mail.

6. Data processing when opening a customer account

In accordance with Art. 6 para. 1 lit. b GDPR, personal data will continue to be collected and processed to the extent necessary if you provide it to us when opening a customer account. The data required to open an account can be found in the input mask of the corresponding form on our website. Your customer account can be cancelled at any time by sending a message to the above address of the controller. After deletion of your customer account, your data will be deleted, provided that all contracts concluded through it have been fully processed, there are no legal retention periods to the contrary and we have no legitimate interest in further storage.

7. Use of customer data for direct advertising

Registration for our e-mail newsletter

7.1 If you subscribe to our e-mail newsletter or to a live product presentation ("live demo"), we will send you regular information about our offers. To do this, we need your first and last name and your e-mail address. We use the so-called double opt-in procedure for sending newsletters, which ensures that you only receive newsletters if you have expressly confirmed your consent to receive the newsletter by clicking on a verification link sent to the email address provided.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6 para. 1 lit. a GDPR. We store your IP address entered by the Internet service provider (ISP) as well as the date and time of registration in order to be able to prove the registration process and the consent given in accordance with the legal requirements. The logging of the registration and the necessary processing of the data entered by you during registration is carried out accordingly on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

The data collected by us when you register for the newsletter is used strictly for the intended purpose. You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending us a corresponding message (in writing or by e-mail). Once you have cancelled your subscription, your e-mail address will be deleted from our newsletter mailing list immediately, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

Klaviyo

7.2 Our e-mail newsletters are sent via this provider: Klaviyo, 225 Franklin St, Boston, MA 02110, USA ("Klaviyo"). Based on our legitimate interest in effective and user-friendly newsletter marketing, we pass on the data you provide when registering for the newsletter to Klaviyo in accordance with Art. 6 para. 1 lit. f GDPR so that Klaviyo can send the newsletter on our behalf.

Subject to your express consent pursuant to § 25 para. 1 TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR, the provider also carries out a statistical evaluation of the success of newsletter campaigns using web beacons or tracking pixels in the emails sent, which can measure opening rates and specific interactions with the content of the newsletter. End device information (e.g. time of access, IP address, browser type and operating system) is also collected and analysed, but not merged with other data sets. With the revocation of consent to receive the newsletter, consent to tracking is also revoked. Newsletter tracking using web beacons is not possible if you have deactivated the display of images in your email programme by default.

In this case, however, our promotional emails will not be displayed in full and you may not be able to use all the functions. If you display the images manually, the above-mentioned tracking will take place. You can only prevent click tracking by not clicking on links in the respective email. We have concluded an order processing contract with the provider that protects the data of our website visitors and prohibits it from being passed on to third parties.

For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

Shopping basket reminders by e-mail

7.3 If you cancel your purchase with us before completing the order, you have the option of receiving a one-off reminder of the contents of your virtual shopping basket by e-mail. The only mandatory information for sending this reminder is your e-mail address. The provision of further data is voluntary and may be used to address you personally. We use the so-called double opt-in procedure for sending emails, which ensures that you only receive a notification if you have expressly confirmed your consent to this by activating a verification link sent to the email address provided.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6 para. 1 lit. a GDPR for sending a shopping basket reminder. We store your IP address entered by the Internet service provider (ISP) as well as the date and time of registration in order to be able to prove the registration process and the consent given in accordance with the legal requirements. The logging of the registration and the necessary processing of the data entered by you during registration is carried out accordingly on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR.

The data we collect when you register for our email notification service is used strictly for the intended purpose. You can unsubscribe from the shopping basket reminders at any time by sending us a corresponding message (in writing or by email). After cancellation, your e-mail address will be deleted immediately from our mailing list set up for this purpose, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

Advertising by letter post

7.4 On the basis of our legitimate interest in personalised direct advertising, we reserve the right to store your first and last name, your postal address and - if we have received this additional information from you as part of the contractual relationship - your title, academic degree, year of birth and your professional, industry or business name in accordance with Art. 6 para. 1 lit. f GDPR and to use them to send you interesting offers and information about our products by post.

You can object to the storage and use of your data for this purpose at any time.

Advertising via WhatsApp Messenger

7.5 Insofar as you have given us your express consent, we use your mobile phone number for advertising purposes via the WhatsApp messaging service. This is handled via the service provider "charles". Details on this data processing, the legal bases, and your options for revocation can be found in the specific explanations under Section 5.2 of this privacy policy.

Data processing in the context of live demos

7.6 If you would like to take part in a live demo, we will process your e-mail address and your name for the purpose of the product demonstration. For this purpose, we use the service providers Typeform (see section 11.2) to collect your personal data, Calendly (Calendly LLC, 115 E Main St., Ste A1B Buford, GA 30518, USA) to arrange an appointment for the live demo and Zoom (Zoom Video Communications, Inc., Almaden Blvd 55, 95113 San Jose, USA) to conduct the live demo via video conference.

We have concluded a data processing agreement with Calendly and Zoom, which ensures the protection of our website visitors' data and prohibits unauthorised disclosure to third parties. For data transfers to the USA, Calendly and Zoom have joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

8. Data processing for order processing

Order processing

8.1 We process the personal data provided by you during the ordering process for the purpose of contract processing as well as for delivery and shipping purposes on the basis of Art. 6 para. 1 lit. b GDPR. If necessary for contract processing for delivery and payment purposes, this data will be passed on to the shipping service provider commissioned by us and the payment service provider commissioned by us on the basis of Art. 6 para. 1 lit. b GDPR (see the following passages).

If we owe you updates for goods with digital elements or for digital products on the basis of a corresponding contract, we process the contact data (name, address, email address) provided by you when ordering in order to inform you personally by suitable means of communication (e.g. by post or email) about upcoming updates within the legally prescribed period as part of our statutory information obligations pursuant to Art. 6 para. 1 lit. c GDPR. Your contact details will be used strictly for the purpose of notifying you of updates owed by us and will only be processed by us for this purpose to the extent necessary for the respective information.

Dispatch service provider

8.2 For the purpose of delivery on the basis of Art. 6 para. 1 lit. b GDPR, we pass on the name of the recipient, the delivery address, e-mail address and telephone number to the shipping service provider. The information is only passed on if this is necessary for the delivery of goods.

Merchandise management system

8.3 We use a merchandise management system to automate our business processes. The data you provide during the ordering process is transferred to our merchandise management system for optimisation purposes. Your data will be passed on to the provider of the merchandise management system. The legal basis is our legitimate interest in optimising our business processes in accordance with Art. 6 para. 1 lit. f GDPR.

Use of payment service providers (payment services)

8.4 We use various payment services.

Apple Pay

If you opt for the "Apple Pay" payment method from Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, payment is processed via the "Apple Pay" function of your device operated with iOS, watchOS or macOS by debiting a payment card stored with "Apple Pay". Apple Pay uses security functions that are integrated into the hardware and software of your device to protect your transactions. To authorise a payment, you therefore need to enter a code that you have previously defined and verify it using the Face ID or Touch ID function on your device.

For the purpose of payment processing, the information you provide during the order process, together with information about your order, will be forwarded to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is transmitted to the payment service provider of the payment card stored in Apple Pay to process the payment. The encryption ensures that only the website via which the purchase was made can access the payment data. After the payment has been made, Apple sends your device account number and a transaction-specific, dynamic security code to the source website to confirm the success of the payment.

If personal data is processed during the described transmissions, the processing is carried out exclusively for the purpose of payment processing in accordance with Art. 6 para. 1 lit. b GDPR.

Apple stores anonymised transaction data, including the approximate purchase amount, the approximate date and time and whether the transaction was successfully completed. This anonymisation completely excludes any personal reference. Apple uses the anonymised data to improve Apple Pay and other Apple products and services.

If you use Apple Pay on your iPhone or Apple Watch to complete a purchase that you have made via Safari on your Mac, the Mac and the authorisation device communicate via an encrypted channel on the Apple servers. Apple does not process or store any of this information in a format that can be used to identify you personally. You can disable the ability to use Apple Pay on your Mac in your iPhone settings. Go to "Wallet & Apple Pay" and deactivate "Allow payments on Mac".

You can find further information on data protection with Apple Pay at the following Internet address: https://support.apple.com/de-de/HT203027

Mollie

We also use the payment service "Mollie" from Mollie B.V., Keizersgracht 126, 1015CW Amsterdam, Netherlands (hereinafter "Mollie") to process payments in our online shop.

If you decide to process the payment via Mollie, we will pass on the data you provide during the ordering process and which is necessary for processing the payment transaction to the provider Mollie, which acts on our behalf as part of order processing, insofar as this is necessary for processing the payment. This serves the fulfilment of the contract in accordance with Art. 6 para. 1 lit. b GDPR.

If necessary, Mollie collects the data required to process the payment itself, e.g. via the Mollie website or via a technical integration in the ordering process. In this case, please refer to the information on the processing of your personal data by Mollie, which can be found in Mollie's privacy policy.

Further information on data protection at Mollie can be found at the following Internet address: https://www.mollie.com/de/privacy

Electronic cancellation option for continuing obligations with consumers

8.5 Consumers who have entered into contracts for continuing obligations subject to payment (such as subscription contracts) on this website have the option of cancelling these via an electronic button in accordance with the applicable notice periods.

Clicking on the button leads to a confirmation page on which the consumer can provide more detailed information about the cancellation, clearly identify themselves and then declare their cancellation electronically. The collection of personal data and its transmission to us is carried out in accordance with Art. 6 para. 1 lit. b GDPR and only to the extent that it is necessary for the proper processing of the cancellation. The personal data provided will also be used on the basis of Art. 6 para. 1 lit. b GDPR to confirm receipt of the cancellation notice and the time of cancellation electronically in text form. Another legal basis for the processing is Art. 6 para. 1 lit. c GDPR. We are legally obliged to provide an electronic cancellation option for consumer contracts concluded by means of electronic business transactions for continuing obligations for which a fee is payable.

Sufio

8.6 We use the cloud-based software of the provider Sufio s.r.o., Bottova 1, 811 09 Bratislava, Slovakia (hereinafter "Sufio") for invoice management. We use Sufio for the automated creation of our outgoing invoices and the allocation of outgoing invoices to the respective customers as well as to optimise our fulfilment process in a partially automated manner. In doing so, we process the personal data provided by you during the ordering process, in particular your contact and payment data, and transmit this to Sufio to fulfil the above-mentioned purposes. The processing and transmission of your data is based on our legitimate interest in the efficient organisation and documentation of our business processes in accordance with Art. 6 para. 1 lit. f GDPR.

We have concluded an order processing contract with Sufio, which ensures the protection of your data and prohibits unauthorised disclosure to third parties. You can object to the processing to protect our legitimate interests at any time with effect for the future. In this case, we will no longer process your data unless we can prove that we have a legitimate interest in doing so or are otherwise legally obliged to store it. To exercise your right of cancellation regarding storage, please contact us in writing or by e-mail.

9. Web analysis services

Google Analytics 4

9.1 This website uses Google Analytics 4, a web analysis service of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"), which enables your use of our website to be analysed. By default, Google Analytics sets 4 cookies when you visit the website, which are stored as small text modules on your end device and collect certain information. The scope of this information also includes your IP address, which, however, is shortened by Google by the last digits in order to exclude a direct personal reference.

The information is transferred to Google servers and processed there. Transmission to Google LLC, based in the USA, is also possible.

Google uses the information collected on our behalf to analyse your use of the website, to compile reports on website activity for us and to provide other services relating to website activity and internet usage. The abbreviated IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. The data collected as part of the use of Google Analytics 4 is stored for a period of two months and then deleted.

All the processing described above, in particular the setting of cookies on the end device used, will only take place if you have given us your express consent to do so in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR.

Without your consent, Google Analytics 4 will not be used during your visit to our website. You can revoke your consent at any time with effect for the future. To exercise your right of cancellation, please deactivate this service using the "cookie consent tool" provided on the website. To do this, use the footer of our homepage - keyword "Cookie settings". For detailed settings, please use the drop-down function for the individual cookie categories.

We have concluded an order processing contract with Google, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties. Further legal information on Google Analytics 4 can be found at https://policies.google.com/privacy?hl=de&gl=en and at https://policies.google.com/technologies/partner-sites

Demographic characteristics

Google Analytics 4 uses the special function "demographic characteristics" and can use it to create statistics that make statements about the age, gender and interests of site visitors. This is done by analysing advertising and information from third-party providers. This allows target groups to be identified for marketing activities. However, the data collected cannot be assigned to a specific person and is deleted after being stored for a period of two months.

Google Signals

As an extension to Google Analytics 4, Google Signals can be used on this website to generate cross-device reports. If you have activated personalised ads and have linked your devices to your Google account, Google may, subject to your consent to the use of Google Analytics in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR, analyse your usage behaviour across devices and create database models, including for cross-device conversions. We do not receive any personal data from Google, only statistics.

If you wish to stop the cross-device analysis, you can deactivate the "Personalised advertising" function in the settings of your Google account. To do this, follow the instructions on this page: https://support.google.com/ads/answer/2662922?hl=de. You can find more information about Google Signals at the following link: https://support.google.com/analytics/answer/7532985?hl=de

UserIDs

As an extension to Google Analytics 4, the "UserIDs" function can be used on this website. If you consent to the use of Google Analytics 4 pursuant to Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR, have set up an account on this website and log in with this account on different devices, your activities, including conversions, can be analysed across devices.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

Cloudflare Web Analytics

9.2 This website uses the web analytics service of the following provider: Cloudflare, Inc, 101 Townsend St. San Francisco, CA 94107, USA. With the help of cookies and/or comparable technologies (tracking pixels, web beacons, algorithms for reading end device and browser information), the service collects and stores pseudonymised visitor data, including information about the end device used, such as the IP address and browser information, in order to evaluate it for statistical analyses of usage behaviour on our website and to create pseudonymised usage profiles. Among other things, this makes it possible to analyse movement patterns (so-called heat maps), which show the duration of page visits and interactions with page content (e.g. text input, scrolling, clicks and mouse-overs).

Pseudonymisation rules out the possibility of direct personal identification. Your personal data is not merged with clear data collected in any other way. All of the processing described above, in particular the reading or saving of information on the end device used, is only carried out if you have given us your express consent to do so in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time with effect for the future by deactivating this service in the "Cookie Consent Tool" provided on the website. To do this, use the footer of our homepage - keyword "Cookie settings". For detailed settings, please use the drop-down function for the individual cookie categories.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties. For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

Google Tag Manager

9.3 This website uses the "Google Tag Manager", a service of the following provider:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: "Google").

Google Tag Manager provides a technical basis for bundling various web applications, including tracking and analysis services, and for calibrating, controlling and linking them to conditions via a standardised user interface. Google Tag Manager itself does not store or read any information on user devices. The service also does not carry out any independent data analyses. However, Google Tag Manager transmits your IP address to Google when you access a page and may store it there. Transmission to servers of Google LLC in the USA is also possible.

This processing is only carried out if you have given us your express consent in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR. Without this consent, Google Tag Manager will not be used during your visit to our website.

You can revoke your consent at any time with effect for the future. To exercise your revocation, please deactivate this service in the "cookie consent tool" provided on the website. To do this, use the footer of our homepage - keyword "Cookie settings". For detailed settings, please use the drop-down function for the individual cookie categories.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties.

For data transfers to the USA, the provider has signed up to the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

VWO (Visual Website Optimiser)

9.4 This website uses the software solution VWO (Visual Website Optimizer) of the provider Wingify Software Pvt. Ltd. operating as VWO, Hamburg Office, Heidenkampsweg 58, Hamburg, 20097, Germany (hereinafter "Wingify") to optimise its online presence, with which the use of the website is evaluated by measuring anonymised data. On the basis of the information thus obtained about the needs of website users, the user-friendliness of the online presence is subsequently permanently increased. The software uses cookies for this purpose. You can refuse the use of cookies at any time by selecting the appropriate settings on your browser.

Further information on this can be found in VWO's privacy policy. If you do not wish VWO to collect data, you can object to this here.

Use of Polar Analytics for Data Analysis and Reporting

9.5 We use the Polar Analytics analysis platform to analyze data about the use of our services. The goal is to create aggregated, internal business reports to improve our services, marketing measures, and to better understand customer behavior. This processing serves exclusively to improve our offerings and increase efficiency. No automated individual decision-making, including profiling, as defined in Art. 22 GDPR, which would have a legal effect on you, takes place. 

The processing is based on our legitimate interest in efficient and data-driven business management pursuant to Art. 6(1)(f) GDPR. After careful consideration, our interest in the analysis prevails, as we apply protective measures such as the extensive pseudonymization of data, limit the processing to internal purposes, and fully respect your rights, especially the right to object.

Our website visitors and customers are affected by this processing. Pseudonymization is carried out in such a way that an association with your person is not possible without the use of additional information. The following categories of data may be processed: 

  • Usage Data (e.g., websites visited, click behavior, duration of visit) 
  • Transaction Data (e.g., order value, products purchased, time of order) 
  • Technical Data (e.g., browser type used, device category, pseudonymized IP address) 

We have concluded a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR with the provider of Polar Analytics, THE GROWTH TEAM, 15 Rue Raynouard, 75016 Paris, France. This agreement ensures that the service provider processes your data only on our instruction and implements appropriate technical and organizational security measures pursuant to Art. 32 GDPR. 

For the creation of specific analyses, we use the technology of the AI provider Anthropic, PBC, 500 Howard Street, San Francisco, CA 94105, USA. For this purpose, selected, pseudonymized data is transmitted to the "Claude" AI model. As this involves a data transfer to the USA, we have secured this transfer by concluding EU Standard Contractual Clauses (SCCs) pursuant to Art. 46 GDPR. As additional protective measures, it is contractually ensured that Anthropic does not use the transmitted data for training its AI models and deletes it after 30 days. We point out that despite these measures, a residual risk of possible access by US authorities cannot be completely excluded in the case of a data transfer to the USA. 

The data transmitted to Anthropic for analysis is deleted there after 30 days. The storage duration of the data at Polar Analytics is governed by our contract and is limited to the extent necessary for the purpose of the analysis. 

Leadfeeder (Dealfront) 

9.6 This website uses the Leadfeeder service for B2B lead generation and analysis. The provider is Liidio Oy / Dealfront Group, Mikonkatu 17 C, 00100 Helsinki, Finland (hereinafter: "Leadfeeder"). By means of cookies and/or comparable technologies, the service collects and stores data about your visit, including your IP address, subpages visited, duration of visit, and the referrer URL. The IP address is matched against a global database to determine company names and corporate information. The goal is to identify company visits to our website; direct identification of natural persons is not intended. All processing described above, in particular the setting of cookies or the reading of information on the end device used, will only be carried out if you have given us your express consent to do so pursuant to § 25 (1) TDDDG in conjunction with Art. 6(1)(a) GDPR. Without your consent, Leadfeeder will not be used during your visit to the site. You can revoke your consent at any time with effect for the future. To exercise your right of revocation, please deactivate this service via the "Cookie Consent Tool" provided on the website. Use the footer of our homepage – keyword "Cookie Settings". For detailed settings, please use the drop-down function of the individual cookie categories. We have concluded a Data Processing Agreement with the provider, which ensures the protection of our site visitors' data and prohibits unauthorized disclosure to third parties. Data processing takes place on servers within the European Union / EEA. Further legal information on Leadfeeder can be found at https://www.dealfront.com/privacy-notice/

 

Your Rights as a Data Subject

Regarding your data, you have the right to access (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), data portability (Art. 20 GDPR), and the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

In particular, you have the right to object at any time, on grounds relating to your particular situation, to the processing based on Art. 6(1)(f) GDPR. You can submit your objection informally, for example, by email to information@nunc.coffee.

10. Retargeting/Remarketing and conversion tracking

Facebook pixel for the creation of custom audiences with extended data synchronisation (with cookie consent tool)

10.1 Within our online offering, we use the "Facebook Pixel" service of the following provider in extended data synchronisation mode: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Facebook"). If a user clicks on an advert placed by us on the Facebook platform, "Facebook Pixel" is used to add a parameter to the URL of our linked page. This URL parameter is then entered into the user's browser after redirection by a cookie that our linked page sets itself. In addition, this cookie collects specific customer data such as the email address that we collect on our website linked to the Facebook advert during processes such as purchase transactions, account logins or registrations (extended data synchronisation).

The cookie is then read and enables the data, including specific customer data, to be transmitted to Facebook.

We use "Facebook Pixel" with extended data matching to make our Facebook adverts (so-called "Facebook Ads") more effective and to ensure that they correspond to the interests of users or have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Facebook (so-called "Custom Audiences").

In addition, we analyse the effectiveness of our advertisements by tracking whether users were redirected to our website after clicking on an advertisement (conversion).

Compared to the standard version of "Facebook Pixel", the extended data synchronisation function helps us to better measure the effectiveness of our advertising campaigns by recording more associated conversions. All transmitted data is stored and processed by Facebook so that an assignment to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with Facebook's data usage guidelines https://www.facebook.com/about/privacy/. The data may enable Facebook and its partners to place adverts on and off Facebook.

All processing described above, in particular the setting of cookies for reading information on the end device used, will only be carried out if you have given us your express consent to do so in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time with effect for the future by deactivating this service in the "cookie consent tool" provided on the website. To do this, use the footer of our homepage - keyword "Cookie settings". For detailed settings, please use the drop-down function for the individual cookie categories.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our site visitors and prohibits unauthorised disclosure to third parties. The information generated by Facebook is usually transferred to a Facebook server and stored there; in this context, it may also be transferred to servers of Meta Platforms Inc. in the USA.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

Google Ads conversion tracking

10.2 This website uses the online advertising programme "Google Ads" and, as part of Google Ads, the conversion tracking of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). We use Google Ads to draw attention to our attractive offers with the help of advertising material (so-called Google Adwords) on external websites. We can determine how successful the individual advertising measures are in relation to the advertising campaign data. Our aim is to show you adverts that are of interest to you, to make our website more interesting for you and to achieve a fair calculation of the advertising costs incurred.

The conversion tracking cookie is set when a user clicks on an Ads advert placed by Google. Cookies are small text files that are stored on your end device. These cookies generally lose their validity after 30 days and are not used for personal identification. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognise that the user has clicked on the ad and has been redirected to this page. Each Google Ads customer receives a different cookie. Cookies can therefore not be tracked via the websites of Google Ads customers. The information collected using the conversion cookie is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. Customers are told the total number of users who clicked on their advert and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. As part of the use of Google Ads, personal data may also be transmitted to the servers of Google LLC in the USA.

Details on the processing triggered by Google Ads Conversion Tracking and how Google handles data from websites can be found here:

https://policies.google.com/technologies/partner-sites

All of the processing described above, in particular the setting of cookies for reading information on the end device used, will only be carried out if you have given us your express consent to do so in accordance with Section 25 (1) TDDDG in conjunction with Art. 6 para. 1 lit. a GDPR.

You can revoke your consent at any time with effect for the future by deactivating this service in the "Cookie Consent Tool" provided on the website. To do this, use the footer of our homepage - keyword "Cookie settings". For detailed settings, please use the drop-down function for the individual cookie categories.

You can also permanently object to the setting of cookies by Google Ads Conversion Tracking by downloading and installing the Google browser plug-in available at the following link: https://www.google.com/settings/ads/plugin?hl=de

In order to target users whose data we have received in the context of business or business-like relationships with advertising that is even more relevant to their interests, we use a customer matching function as part of Google Ads. For this purpose, we transmit one or more files with aggregated customer data (primarily e-mail addresses and telephone numbers) to Google electronically. Google does not have access to clear data, but automatically encrypts the information in the customer files during the transmission process using a special algorithm. The encrypted information can then only be used by Google to assign it to existing Google accounts that the data subjects have set up. This enables the display of personalised advertising across all Google services linked to the respective Google account.

Further information on Google's data protection measures in relation to the customer matching function can be found here: https://support.google.com/google-ads/answer/6334160?hl=de&ref_topic=10550182

Google's privacy policy can be viewed here: https://www.google.de/policies/privacy/

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

11. Page Functionalities

Cloudflare Turnstile

11.1 On this website, we use the CAPTCHA service of the following provider: Cloudflare, Inc, 101 Townsend St. San Francisco, CA 94107, USA.

The service checks whether an entry is made by a natural person or abusively by machine and automated processing, and blocks spam, DDoS attacks and similar automated malicious access. To ensure that an action is carried out by a human and not by an automated bot, Cloudflare Turnstile collects the IP address of the end device used, identification data of the browser and operating system type used as well as the date and duration of the visit and transmits these to the provider's servers for evaluation.

The legal basis is our legitimate interest in determining individual responsibility on the Internet and the prevention of abuse and spam in accordance with Art. 6 para. 1 lit. f GDPR.

We have concluded an order processing contract with the provider, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission. Further information on the processing of your data in third countries can be found in section 14.

Typeform

11.2 We use the services of the following provider to conduct surveys or online forms: TYPEFORM SL Carrer Bac de Roda, 163, local, 08018 Barcelona, Spain. The provider enables us to design and analyse surveys and online forms. In addition to the respective personal data that you enter in the forms, information about your operating system, browser, date and time of your visit, referrer URL and your IP address is also collected, transmitted to the provider and stored on the provider's servers. The information you enter in the forms is stored under password protection to ensure that third parties cannot access it and that only we can analyse the data for the purpose stated in the form. When processing personal data that is necessary for the fulfilment of a contract with you (this also applies to processing operations that are necessary for the implementation of pre-contractual measures), Art. 6 para. 1 lit. b GDPR serves as the legal basis. If you have given us your consent to process your data, the processing is carried out on the basis of Art. 6 para. 1 lit. a GDPR.

Any consent given can be revoked at any time with effect for the future. We have concluded an order processing contract with the provider, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties.

12. Tools and other

DATEV

12.1 We use the cloud-based accounting software service of the following provider to handle our accounting: DATEV eG, Paumgartnerstr. 6-14, 90429 Nuremberg, Germany.

The provider processes incoming and outgoing invoices and, where applicable, our company's bank transactions in order to automatically record invoices, match them to the transactions and create the financial accounts from this in a semi-automated process. If personal data is also processed in this process, the processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in the efficient organisation and documentation of our business transactions.

Cookie consent tool (Consentmo)

12.2 This website uses the cookie consent tool "Consentmo" of the provider iSense LLC, Professor Georgi Bradistilov 3, 1756 Studentski Kompleks, Sofia, Bulgaria (hereinafter "iSense") to obtain effective user consent for cookies and cookie-based applications requiring consent. The "Cookie Consent Tool" is displayed to users when they access the website in the form of an interactive user interface on which consent for certain cookies and/or cookie-based applications can be given by ticking a box. By using the tool, all cookies/services requiring consent are only loaded if the respective user gives their consent by ticking the appropriate box. This ensures that such cookies are only set on the user's end device if consent has been granted.

The tool sets technically necessary cookies to save your cookie preferences. Personal data (such as the IP address) may be processed for the purpose of storing, assigning or logging cookie settings. This is done in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in legally compliant, user-specific and user-friendly consent management for cookies and thus in a legally compliant design of our website.

Another legal basis for the processing is Art. 6 para. 1 lit. c GDPR. As the controller, we are subject to the legal obligation to make the use of technically unnecessary cookies dependent on the respective user consent.

We have concluded an order processing contract with the provider iSense, which ensures the protection of the data of our website visitors and prohibits unauthorised disclosure to third parties. Further information on the setting options of the cookie consent tool can be found directly in the corresponding user interface on our website and in section 4 of this privacy policy.

Zapier

12.3 For easier processing between systems, we use the automation software of the following provider for our processes: Zapier Inc, 548 Market Street 6241, San Francisco, CA 94104, USA.

The data processing conditions (Data Process Agreements) of Zapier, which correspond to the standard contractual clauses, can be found here:

https://zapier.com/legal/standard-contractual-clauses

Further data protection information on Zapier can be found here:

https://zapier.com/privacy

Consent can be revoked at any time with effect for the future by sending a message to us or to the provider.

13. Recipients of personal data

We will only pass on your personal data to external recipients if this is necessary for the processing or handling of your request, if we have your consent to do so or if another legal authorisation exists.

External recipients may in particular be affiliated companies or external service providers that we use as our processors for the provision of services, for example in the areas of technical infrastructure and maintenance of our website. These processors are carefully selected and regularly reviewed by us. They may only use the data for the purposes specified by us and in accordance with our instructions.

Data is passed on within our group of companies for sales and marketing purposes on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f GDPR or, if you have given us your consent, on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. It is also possible that we may have to transfer personal data to authorities and state institutions, such as public prosecutors, courts or tax authorities, for compelling legal reasons. In this respect, the transfer takes place on the basis of Art. 6 para. 1 lit. c GDPR.

Furthermore, we may transfer your personal data to service providers and auxiliary persons on the basis of a legal obligation or to safeguard legitimate interests, for example tax consultants or auditors. The transfer then takes place on the basis of your consent (Art. 6 para. 1 lit. a GDPR), the necessity to fulfil a contractual (Art. 6 para. 1 lit. b GDPR) or legal obligation (Art. 6 para. 1 lit. c GDPR) or our legitimate interests (Art. 6 para. 1 lit. f GDPR).

14 Data processing in third countries

If we transfer your data to third countries outside the EU or the EEA as described above, we ensure that, apart from legally permitted exceptions, the recipient either has an adequate level of data protection or you consent to the data transfer. An adequate level of data protection is guaranteed, for example, by certification of the recipient under the EU-U.S. Data Privacy Framework, the conclusion of EU standard contractual clauses or the existence of so-called Binding Corporate Rules (BCR). Please contact us using the communication channels mentioned in section 1.2 to obtain a copy of the specific guarantees for the transfer of your data to third countries.

15 Rights of the data subject

15.1 The applicable data protection law grants you the following data subject rights (information and intervention rights) vis-à-vis the controller with regard to the processing of your personal data, whereby reference is made to the stated legal basis for the respective exercise requirements:

Right of access pursuant to Art. 15 GDPR;

Right to rectification pursuant to Art. 16 GDPR;

Right to erasure pursuant to Art. 17 GDPR;

Right to restriction of processing pursuant to Art. 18 GDPR;

Right to information pursuant to Art. 19 GDPR;

Right to data portability pursuant to Art. 20 GDPR;

Right to withdraw consent granted pursuant to Art. 7 para. 3 GDPR;

Right to object to data processing based on legitimate interests pursuant to Art. 21 GDPR;

Right to lodge a complaint pursuant to Art. 77 GDPR.

15.2 RIGHT OF CANCELLATION

IF YOU HAVE GIVEN US YOUR CONSENT TO THE PROCESSING OF YOUR DATA, YOU MAY WITHDRAW THIS CONSENT AT ANY TIME WITH EFFECT FOR THE FUTURE. THIS DOES NOT AFFECT THE LAWFULNESS OF THE PROCESSING OF YOUR DATA UP TO THE POINT OF REVOCATION. IF YOU WISH TO WITHDRAW YOUR CONSENT TO THE USE OF CERTAIN COOKIES, PLEASE REFER TO OUR EXPLANATIONS UNDER NO. 4.

15.3 RIGHT TO OBJECT

IF WE PROCESS YOUR PERSONAL DATA AS PART OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION. IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING. YOU CAN EXERCISE YOUR RIGHT TO OBJECT BY SENDING A CORRESPONDING MESSAGE TO THE COMMUNICATION CHANNELS LISTED UNDER POINT 1.2 ABOVE. IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA CONCERNED FOR DIRECT MARKETING PURPOSES.

Right to lodge a complaint with the supervisory authority

You can lodge a complaint with the competent supervisory authority if you believe that the processing of your data violates applicable law. To do so, you can either contact the data protection authority responsible for your place of residence, your workplace or the location of the suspected infringement, or the data protection authority responsible for us. The data protection supervisory authority responsible for us is the Baden-Württemberg State Commissioner for Data Protection (www.baden-wuerttemberg.datenschutz.de).

16. Duration of the storage of personal data

The duration of the storage of personal data is determined by the respective legal basis, the purpose of processing and - if relevant - additionally by the respective statutory retention period (e.g. retention periods under commercial and tax law). When processing personal data on the basis of express consent in accordance with Art. 6 para. 1 lit. a GDPR, the data concerned will be stored until you withdraw your consent. If there are statutory retention periods for data that is processed within the scope of legal or similar obligations on the basis of Art. 6 para. 1 lit. b GDPR, this data will be routinely deleted after the retention periods have expired, provided that it is no longer required for contract fulfilment or contract initiation and/or we no longer have a legitimate interest in further storage. When processing personal data on the basis of Art. 6 para. 1 lit. f GDPR, this data is stored until you exercise your right to object in accordance with Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims. When processing personal data for the purpose of direct marketing on the basis of Art. 6 para. 1 lit. f GDPR, this data will be stored until you exercise your right to object in accordance with Art. 21 para. 2 GDPR.

Unless otherwise stated in the other information in this statement on specific processing situations, stored personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.