Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") we process, for what purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Last updated: 16 April 2026

Table of Contents

• Preamble
• Controller
• Overview of Processing Activities
• Applicable Legal Bases
• Security Measures
• Transmission of Personal Data
• General Information on Data Retention and Erasure
• Rights of Data Subjects
• Business Services
• Payment Procedures
• Provision of the Online Offering and Web Hosting
• Provision of the Personal Cloud Storage
• Use of Cookies
• Web Analytics and Reach Measurement
• Registration, Log-in and User Account
• Blogs and Publication Media
• Contact and Enquiry Management
• Newsletter and Electronic Notifications
• Presence on Social Networks (Social Media)
• Changes and Updates
• Definitions

Controller

Good For Business UG (haftungsbeschränkt)
Schwanthalerstr. 123
80339 Munich, Germany

Authorised representative: Max von Tettenborn

Email address: contact@freeshard.net

Overview of Processing Activities

The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects concerned.

Types of Data Processed

• Master data.
• Payment data.
• Contact data.
• Content data.
• Contract data.
• Usage data.
• Meta, communication and procedural data.
• Log data.

Categories of Data Subjects

• Service recipients and clients.
• Prospective customers.
• Communication partners.
• Users.
• Business and contractual partners.

Purposes of Processing

• Provision of contractual services and fulfilment of contractual obligations.
• Communication.
• Security measures.
• Direct marketing.
• Office and organisational procedures.
• Organisational and administrative procedures.
• Feedback.
• Provision of our online offering and user experience.
• Reach measurement.
• Provision of the personal cloud storage.
• Information technology infrastructure.
• Public relations.
• Business processes and business management procedures.

Applicable Legal Bases

Applicable legal bases under the GDPR: The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection rules may apply in your or our country of residence or establishment. If more specific legal bases are applicable in individual cases, we will inform you of these in this privacy policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection rules in Germany: In addition to the data protection provisions of the GDPR, national data protection rules apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains in particular special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated individual decision-making including profiling. Furthermore, the data protection laws of the individual German federal states may apply.

Security Measures

We implement appropriate technical and organisational measures in accordance with the applicable legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access to, input of, disclosure of, ensuring of availability of and segregation of such data. We have also established procedures to ensure that the rights of data subjects are exercised, that data is erased and that responses are made to data threats. Furthermore, we take account of the protection of personal data already during the development or selection of hardware, software and processes in accordance with the principle of privacy by design and privacy by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): In order to protect the data of users transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorised access. TLS, as the further developed and more secure version of SSL, ensures that all data transmissions comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is signalled by the display of HTTPS in the URL, serving as an indicator to users that their data is being transmitted securely and in encrypted form.

Transmission of Personal Data

In the course of processing personal data, such data may be transmitted to or disclosed to other entities, companies, legally independent organisational units or persons. Recipients of such data may include, for example, service providers entrusted with IT tasks, or providers of services and content that are integrated into a website. In such cases, we comply with the applicable legal requirements and in particular conclude appropriate contracts or agreements serving to protect your data with the recipients of your data.

General Information on Data Retention and Erasure

We erase personal data that we process in accordance with the statutory provisions as soon as the underlying consent is revoked or no further legal basis for the processing exists. This applies to cases where the original purpose of processing no longer applies or the data is no longer required. Exceptions to this rule exist where statutory obligations or special interests require a longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose retention is necessary for the assertion or defence of legal claims or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and erasure of data that apply specifically to certain processing activities.

Where multiple retention periods or erasure deadlines are stated for a piece of data, the longest period shall always apply. Where data is retained not for its originally intended purpose but due to statutory requirements or other reasons, we process it solely for the purposes that justify its retention.

Retention and erasure of data: The following general retention and archiving periods apply under German law:

• 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, together with the working instructions and other organisational documents necessary for their understanding (§ 147(1) no. 1 in conjunction with (3) of the German Fiscal Code (AO), § 14b(1) of the German Value Added Tax Act (UStG), § 257(1) no. 1 in conjunction with (4) of the German Commercial Code (HGB)).
• 8 years – Accounting vouchers, such as invoices and expense receipts (§ 147(1) nos. 4 and 4a in conjunction with (3) sentence 1 AO and § 257(1) no. 4 in conjunction with (4) HGB).
• 6 years – Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are of relevance for taxation, e.g. hourly wage records, operating accounting sheets, calculation documents, price labels, payroll accounting documents (where not already accounting vouchers) and till rolls (§ 147(1) nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) nos. 2 and 3 in conjunction with (4) HGB).
• 3 years – Data required to take into account potential warranty and damages claims or similar contractual claims and rights, as well as to handle related enquiries, based on previous business experience and customary industry practice, are retained for the duration of the standard statutory limitation period of three years (§§ 195, 199 of the German Civil Code (BGB)).

Period commencing at end of year: Where a period does not expressly start on a specific date and is at least one year in length, it automatically commences at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships in the context of which data is stored, the triggering event is the time at which termination or other ending of the legal relationship takes effect.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject under the GDPR, you have various rights, which arise in particular from Arts. 15 to 21 GDPR:

• Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw consent granted at any time.
• Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and to obtain access to that data as well as further information and a copy of the data in accordance with the statutory provisions.
• Right to rectification: You have the right, in accordance with the statutory provisions, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
• Right to erasure and restriction of processing: You have the right, in accordance with the statutory provisions, to request that data concerning you be erased without undue delay, or alternatively, where further processing is required, to request restriction of the processing of the data.
• Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with the statutory provisions.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.

Business Services

We process personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers and other cooperation partners (collectively "contractual partners"), in connection with the initiation, performance and completion of contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken at request, as well as communication in connection with the respective contractual relationship.

The processing serves in particular to fulfil our primary and ancillary contractual obligations. This includes the provision of agreed services, any update and information obligations, the handling of warranty claims and other service disruptions, the processing of revocations, terminations of continuing obligations, unwinding of transactions, refunds, and the handling of other contract-related declarations and enquiries. This covers both one-off contracts and ongoing contractual relationships.

The data processed includes in particular master data such as name, address and, where applicable, company name, contact data such as email address and telephone number, contract and service data such as the subject matter of the contract, contract term, order or transaction number, usage and service data, payment and billing data, as well as communication content and histories. Where required, we also process data disclosed or transmitted to us in the course of carrying out an order.

In addition, we process data to safeguard our rights and to comply with statutory obligations. This includes in particular retention and documentation obligations under commercial and tax law, as well as, where applicable, obligations to provide evidence and to account for our actions. Processing also takes place on the basis of our legitimate interests in proper business management, internal administration, risk management and IT security, as well as in the protection of our business operations and contractual partners against misuse, threats to data, secrets and other legal assets. This may include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax advisers, legal advisers or other agents, insofar as this is necessary for the performance of the contract or compliance with statutory obligations.

Personal data is only disclosed to third parties to the extent necessary for the performance of the contract, to carry out pre-contractual measures, to safeguard legitimate interests or to comply with statutory obligations. Any further processing, in particular for marketing purposes, will be communicated separately in this privacy policy.

We will inform contractual partners of the specific data required in the context of data collection, e.g. in online forms by means of appropriate labelling, or in personal contact.

Data will be erased as soon as it is no longer required for the aforementioned purposes and no statutory retention obligations apply. Statutory retention periods, in particular under commercial and tax law, may require longer storage. Data transmitted in the context of a specific order will be erased after completion of the order and expiry of any applicable retention periods, provided no further statutory or contractual retention obligations exist.

The legal basis for processing is Art. 6(1)(b) GDPR for the performance of pre-contractual measures and the fulfilment of the respective contractual relationship, and Art. 6(1)(c) GDPR for compliance with legal obligations. Where processing is based on legitimate interests, it is carried out pursuant to Art. 6(1)(f) GDPR in pursuit of our legitimate interests in proper and efficient business organisation, internal administration and documentation of business transactions, the assertion and defence of legal claims, ensuring IT and data security, the prevention of misuse and fraud, and the financial management and further development of our business operations.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank account details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter of contract, term, customer category).
• Data subjects: Service recipients and clients; prospective customers; business and contractual partners.
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; organisational and administrative procedures; business processes and business management procedures.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure".
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Payment Procedures

In the context of contractual and other legal relationships, on the basis of statutory obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use, in addition to banks and credit institutions, further service providers for this purpose (collectively "payment service providers"). Payment transactions are processed exclusively via encrypted connections using the current state of the art, so that the data entered is protected from unauthorised access during transmission.

Data processed by payment service providers includes master data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract-, amount- and recipient-related information. This information is required to carry out the transactions. The data entered is, however, processed only by the payment service providers and stored by them. We therefore do not receive account or credit card information, but only information confirming or rejecting the payment. Under certain circumstances, the data may be transmitted by payment service providers to credit agencies for the purposes of identity and creditworthiness checks. We refer to the terms and conditions and the privacy notices of the payment service providers in this regard.

The terms and conditions and the privacy notices of the respective payment service providers apply to payment transactions and are available on their respective websites or transaction applications. We also refer to these for further information and for the assertion of rights of withdrawal, access and other data subject rights.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank account details, invoices, payment history); contract data (e.g. subject matter of contract, term, customer category); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Service recipients and clients; business and contractual partners; prospective customers.
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; business processes and business management procedures.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure".
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing activities, procedures and services:

• PayPal: Payment services (technical integration of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); Website: https://www.paypal.com/de. Privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full.

Provision of the Online Offering and Web Hosting

We process users' data in order to provide our online services. For this purpose we process the user's IP address, which is necessary to deliver the content and functionality of our online services to the user's browser or device.

• Types of data processed: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); log data (e.g. log files relating to logins, data retrievals or access times).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Provision of our online offering and user experience; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing activities, procedures and services:

• Hosting of the landing page via GitHub Pages: The publicly accessible landing page is provided as a static website via GitHub Pages, a service of GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, USA (privacy notice). In this context, GitHub processes technically necessary access data (in particular IP addresses). The transfer to the USA takes place on the basis of the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
• Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, the date and time of access, the volume of data transferred, notification of successful retrieval, the browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes, e.g. to prevent server overload (in particular in the event of abusive attacks, so-called DDoS attacks), and to ensure server stability and reliability; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Data erasure: Log file information is stored for a maximum of 30 days and then erased or anonymised. Data whose further retention is required for evidential purposes is exempt from erasure until the respective incident has been finally resolved.
• Content Delivery Network: We use a Content Delivery Network (CDN). A CDN is a service that enables the content of an online offering, in particular large media files such as graphics or program scripts, to be delivered faster and more securely with the aid of regionally distributed servers connected via the internet; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Provision of the Personal Cloud Storage

We process the content that users place on their Freeshard instance exclusively for the provision of the cloud functionality in accordance with contractual performance.

• Legal basis: Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR).

Further notes on processing activities, procedures and services:

• Provision of the cloud service on rented infrastructure: The Freeshard instances and the user data stored on them (shards) are operated on servers of OVH SAS (2 rue Kellermann, 59100 Roubaix, France; privacy notice) within the European Union. In addition, we use Microsoft Azure (Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; privacy notice) for supporting services, namely the storage of end-to-end encrypted backups and the operation of the Freeshard Controller (management service). Due to the end-to-end encryption, Microsoft has no access to the content of the backups stored on Azure. All processing takes place exclusively on servers within the European Union; Legal basis: Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Use of Cookies

The term "cookies" refers to functions that store and retrieve information on users' devices. Cookies may be used for various purposes, including for the functionality, security and convenience of online offerings, as well as for the analysis of visitor traffic. We use cookies in accordance with the applicable legal requirements. Where necessary, we obtain users' consent in advance. Where consent is not required, we rely on our legitimate interests. This applies where the storage and retrieval of information is essential in order to provide content and functions expressly requested. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent may be withdrawn at any time. We provide clear information about the scope of cookies used.

Notes on the legal bases under data protection law: Whether we process personal data using cookies depends on consent. Where consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests as described above in this section and in the context of the respective services and procedures.

Storage duration: The following types of cookies are distinguished with regard to storage duration:

• Temporary cookies (also: session cookies): Temporary cookies are erased at the latest once a user has left an online offering and closed their device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the log-in status can be saved and preferred content can be displayed directly when the user revisits a website. Usage data collected by means of cookies may also be used to measure reach. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), users should assume that they are permanent and that the storage duration may be up to two years.

General information on the right to withdraw consent and to object (opt-out): Users may withdraw any consent they have given at any time and may also object to processing in accordance with the statutory provisions, including by means of their browser's privacy settings.

• Types of data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Web Analytics and Reach Measurement

We use web analytics and reach measurement procedures on our landing page in order to optimise our online offering and to understand how it is used. Processing is designed to be privacy-preserving: the analytics procedure is cookieless, IP addresses are anonymised (truncated) before any storage, and no cross-site profiling or tracking of individual users takes place. We are unable to associate the measurements obtained with any identifiable person.

Objection (opt-out): Users may object to the processing at any time. The opt-out link specific to the analytics tool actually in use will be provided here as soon as a tool is deployed in production.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. anonymised IP addresses, browser information).
• Data subjects: Users (e.g. website visitors).
• Purposes of processing: Reach measurement; optimisation of our online offering.
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Registration, Log-in and User Account

Users may create a user account. In the course of registration, users are informed of the required mandatory details, which are processed for the purposes of providing the user account on the basis of contractual performance obligations. The data processed includes in particular log-in information (username, password and an email address).

In the context of our registration and log-in functions and the use of the user account, we store the IP address and the time of the respective user action. This is stored on the basis of our legitimate interests as well as those of users in protection against misuse and other unauthorised use. Such data is generally not disclosed to third parties unless it is necessary for the pursuit of our claims or there is a statutory obligation to do so.

Users may be informed by email of matters relevant to their user account, such as technical changes.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts and information relating to them, such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); log data (e.g. log files relating to logins, data retrievals or access times).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; security measures; organisational and administrative procedures; provision of our online offering and user experience.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure". Erasure upon account termination.
• Legal bases: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing activities, procedures and services:

• Registration with pseudonyms: Users may use pseudonyms as usernames instead of their real names; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• User profiles are not public: User profiles are not publicly visible or accessible.
• Two-factor authentication: Two-factor authentication provides an additional layer of security for your user account and ensures that only you can access your account, even if someone else knows your password. For this purpose, in addition to your password, you are required to carry out a second authentication step (e.g. entering a code sent to a mobile device). We will inform you of the procedure we use; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• Erasure of data upon termination: Where users have terminated their user account, their data relating to the account will be erased subject to a statutory permission, obligation or consent of the users; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).
• No obligation to retain data: It is the responsibility of users to back up their data before the contract ends following termination. We are entitled to irreversibly erase all data stored by the user during the contractual period; Legal basis: Performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter "publication medium"). Readers' data is processed for the purposes of the publication medium only to the extent necessary for its display and for communication between authors and readers, or for security reasons. In all other respects, we refer to the information on the processing of visitors to our publication medium within these privacy notices.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts and information relating to them, such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Feedback (e.g. collecting feedback via online form); provision of our online offering and user experience.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Contact and Enquiry Management

When contacting us (e.g. by post, email or via social media) and in the context of existing user and business relationships, the information provided by the enquiring persons is processed to the extent necessary to respond to contact enquiries and any requested measures.

• Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts and information relating to them, such as authorship or time of creation); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
• Data subjects: Communication partners.
• Purposes of processing and legitimate interests: Communication; organisational and administrative procedures; feedback; provision of our online offering and user experience.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure".
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); performance of a contract and pre-contractual enquiries (Art. 6(1)(b) GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or on the basis of a legal provision. Where the contents of a newsletter are specifically described when registering for it, those contents are determinative for users' consent. To register for our newsletter, providing your email address is generally sufficient. In order to offer you a personalised service, we may however ask you to provide your name for a personal salutation in the newsletter, or for further information if this is necessary for the newsletter's purpose.

Erasure and restriction of processing: We may retain unsubscribed email addresses for up to three years on the basis of our legitimate interests before erasing them, in order to be able to demonstrate that consent was previously given. The processing of this data is restricted to the purpose of potentially defending against claims. An individual erasure request is possible at any time, provided that the prior existence of consent is confirmed at the same time. Where we are under an obligation to permanently observe objections, we reserve the right to store the email address solely for this purpose on a blocklist.

The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of demonstrating that it has been conducted properly. Where we engage a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

Contents:

Information about us, our services, promotions and offers.

• Types of data processed: Master data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features).
• Data subjects: Communication partners.
• Purposes of processing and legitimate interests: Direct marketing (e.g. by email or post).
• Legal basis: Consent (Art. 6(1)(a) GDPR).
• Right to object (opt-out): You may unsubscribe from our newsletter at any time, i.e. withdraw your consent or object to further receipt. A link to unsubscribe from the newsletter is provided either at the end of each newsletter, or you may use one of the contact options given above, preferably by email.

Further notes on processing activities, procedures and services:

• Measurement of open and click rates: Our newsletters contain a so-called "tracking pixel" (also "web beacon"), a pixel-sized file that is retrieved when the newsletter is opened. In doing so, technical information such as browser type, operating system, your IP address and the time of retrieval are collected. We use this information solely for the statistical analysis of opening behaviour and for the technical improvement of our newsletters. The processing is carried out by our newsletter service provider Keila (Pentacent – Philipp Schmieder Medien). You can prevent the collection of this data by disabling the loading of images in your email client. Please note that this may affect the display of the newsletter; Legal basis: Consent (Art. 6(1)(a) GDPR).
• Double opt-in procedure: Registration for our newsletter takes place using a double opt-in procedure. This means that after registering you will receive an email asking you to confirm your registration. This confirmation is required to ensure that no one can register using someone else's email address. Newsletter registrations are logged in order to demonstrate that the registration process has been carried out in accordance with legal requirements. This includes storing the time of registration and confirmation; Legal basis: Consent (Art. 6(1)(a) GDPR).
• Keila: Email newsletter sending and management; Service provider: Pentacent – Philipp Schmieder Medien, Hauptstraße 10, 95517 Seybothenreuth, Germany; Legal basis: Consent (Art. 6(1)(a) GDPR); Website: https://www.keila.io. Privacy policy: https://www.keila.io/legal/privacy.

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data in that context in order to communicate with users active on those platforms or to offer information about us.

We point out that user data may be processed outside the European Union in this context. This may give rise to risks for users, as it could, for example, make it more difficult to enforce users' rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created on the basis of users' usage behaviour and the interests arising from it. These profiles may in turn be used to place advertisements within and outside the networks that are presumed to correspond to users' interests. For this purpose, cookies are generally stored on users' devices in which usage behaviour and interests are recorded. Furthermore, data may also be stored in the usage profiles independently of the devices used by users (in particular if users are members of the respective platforms and logged into them).

For a detailed description of the respective forms of processing and the opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

In the case of requests for access and the assertion of data subject rights, we also point out that these can most effectively be asserted with the providers themselves. Only the providers have access to user data in each case and can take appropriate measures and provide information directly. Should you nevertheless require assistance, you are welcome to contact us.

• Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. text or image-based messages and posts and information relating to them, such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and features).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing and legitimate interests: Communication; feedback; public relations.
• Retention and erasure: Erasure in accordance with the information in the section "General Information on Data Retention and Erasure".
• Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processing activities, procedures and services:

• LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors that is used to create "Page Insights" (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, and the actions they take. Details about the devices used are also captured, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority level, company size and employment status. Privacy information on the processing of user data by LinkedIn can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
  We have concluded a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which in particular sets out the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfil data subjects' rights (i.e. users can, for example, send requests for access or erasure directly to LinkedIn). Users' rights (in particular the right of access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company established in the EU. Further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, in particular as regards the transmission of data to the parent company LinkedIn Corporation in the United States; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Right to object (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Changes and Updates

We ask you to regularly review the content of our privacy policy. We update this privacy policy as soon as changes to the data processing activities we carry out make this necessary. We will inform you as soon as such changes require an action on your part (e.g. consent) or another individual notification.

Where we provide addresses and contact information of companies and organisations in this privacy policy, please note that addresses may change over time and we ask you to verify the details before making contact.

Definitions

This section provides an overview of the terms used in this privacy policy. Where terms are defined by law, the statutory definitions shall apply. The following explanations are primarily intended to aid comprehension.

• Employees: Employees are persons who are in an employment relationship, whether as workers, staff or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It includes the employer's obligation to pay the employee remuneration while the employee performs their work. An employment relationship encompasses various phases, including the establishment phase, in which the employment contract is concluded, the performance phase, in which the employee carries out their work, and the termination phase, when the employment relationship ends, whether by notice, mutual agreement or otherwise. Employee data refers to all information relating to these persons in the context of their employment. This includes aspects such as personal identification data, identification numbers, salary and bank data, working hours, holiday entitlements, health data and performance appraisals.
• Master data: Master data comprises essential information required for the identification and administration of contractual partners, user accounts, profiles and similar assignments. This data may include personal and demographic details such as names, contact information (addresses, telephone numbers, email addresses), dates of birth and specific identifiers (user IDs). Master data forms the basis for any formal interaction between persons and services, institutions or systems, by enabling unambiguous assignment and communication.
• Content data: Content data comprises information that users create, store, transmit or synchronize in connection with our services. This includes, on the one hand, user content stored on the Freeshard instance such as files, documents, images, videos and audio files, and on the other hand messages and posts (e.g. from contact forms, blog comments or social media interactions), along with associated metadata such as file name, authorship information or time of creation.
• Contact data: Contact data comprises essential information that enables communication with persons or organisations. It includes in particular telephone numbers, postal addresses and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
• Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information about how data is processed, transmitted and managed. Metadata, also known as data about data, comprises information that describes the context, origin and structure of other data. It may include details such as file size, creation date, the author of a document and revision histories. Communication data captures the exchange of information between users via various channels, such as email traffic, call logs, messages on social networks and chat histories, including the parties involved, timestamps and transmission paths. Procedural data describes the processes and workflows within systems or organisations, including workflow documentation, logs of transactions and activities, and audit logs used to track and verify processes.
• Usage data: Usage data refers to information that records how users interact with digital products, services or platforms. This data covers a broad range of information that shows how users use applications, which features they prefer, how long they stay on certain pages and the paths they take through an application. Usage data may also include the frequency of use, timestamps of activities, IP addresses, device information and location data. It is particularly valuable for analysing user behaviour, optimising user experiences, personalising content and improving products or services. In addition, usage data plays a key role in identifying trends, preferences and potential problem areas within digital offerings.
• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• Log data: Log data is information about events or activities recorded in a system or network. This data typically contains information such as timestamps, IP addresses, user actions, error messages and other details about the use or operation of a system. Log data is often used for the analysis of system problems, security monitoring or the creation of performance reports.
• Controller: The "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, whether collecting, evaluating, storing, transmitting or erasing it.
• Contract data: Contract data comprises specific information relating to the formalisation of an agreement between two or more parties. It documents the terms under which services or products are provided, exchanged or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include start and end dates of the contract, the type of services or products agreed upon, pricing arrangements, payment terms, cancellation rights, renewal options and special conditions or clauses. It serves as the legal basis for the relationship between the parties and is decisive for clarifying rights and obligations, enforcing claims and resolving disputes.
• Payment data: Payment data comprises all information required to process payment transactions between buyers and sellers. This data is of crucial importance for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank account details, payment amounts, transaction data, verification numbers and billing information. Payment data may also include information about payment status, chargebacks, authorisations and fees.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke