Privacy Policy
1. Privacy at a Glance
1.1 General Information
The following information provides a simple overview of what happens to your personal data when you visit our website. Personal data is any data that can be used to personally identify you.
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. We maintain up-to-date technical measures to ensure data security, in particular to protect your personal data against risks during data transmission and against access by third parties. These measures are adapted to the current state of the art.
When you use this website, various personal data is collected. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done. We point out that data transmission over the Internet (e.g. when communicating by email) may have security gaps. Complete protection of data against access by third parties is not possible.
Without personal data, we are unable to fulfil your wishes, maintain you as a contractual partner, or provide you with information about our travel offers. Naturally, we will only collect the data necessary for this purpose. We do not conduct automated decision-making procedures.
1.2 Responsible Entity
Data processing on this website is carried out by:
Natucate GmbH
Jakobstr. 181-183
52064 Aachen, Germany
Phone: +49 241 - 91 99 43 57
Email: info@natucate.com
The responsible entity is the natural or legal person who alone or jointly with others decides on the purposes and means of processing personal data (e.g. names, email addresses, etc.).
1.3 Data Protection Officer
Natucate GmbH
Data Protection Officer
Jakobstr. 181-183
52064 Aachen, Germany
Email: datenschutz@natucate.de
1.4 How Do We Collect Your Data?
Your data is collected in part by you providing it to us. This may be data that you enter in a contact form, for example. We process the personal data you provide in accordance with the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) for the fulfilment of the travel contract or for the implementation of pre-contractual measures at your request. In accordance with legal regulations and the principle of data minimisation, only such data is generally collected that is required to provide the specific service.
Other data is collected automatically by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page access). This data is collected automatically as soon as you enter our website.
1.5 What Do We Use Your Data For?
Part of the data is collected to ensure error-free provision of the website. Other data may be used to analyse your user behaviour. We also process your personal data for the fulfilment of travel contracts or for creating offers.
For the fulfilment of a travel contract, we process the following data: name, address/other contact data (telephone number, email address), date of birth, gender, and depending on the travel destination, nationality and passport data.
In essence, we process personal data for the following purposes:
• Customer and supplier management
• Applicant management
• Travel mediation and organisation
• Booking management and processing
• Operation of our website and apps
• Communication (analogue and digital)
• Sending company information (only with your consent)
• Newsletter distribution (only with your consent)
• Fulfilment of legal requirements (tax laws, etc.)
• Archiving data for backup and fulfilment of documentation obligations
• Disclosure in the context of official/judicial measures
2. Your Rights
2.1 Information, Rectification, Erasure and Restriction
Within the framework of applicable legal provisions, you have the right at any time to obtain information free of charge about your stored personal data, its origin and recipients and the purpose of data processing and, if applicable, a right to rectification, blocking or erasure of this data. For this purpose and for further questions on the subject of personal data, you can contact us at any time at the address given in the legal notice.
2.2 Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
2.3 Withdrawal of Your Consent
Many data processing operations are only possible with your express consent. You can withdraw consent already given at any time. An informal notification by email to us (datenschutz@natucate.de) is sufficient. The legality of the data processing carried out until the withdrawal remains unaffected by the withdrawal.
2.4 Right to Lodge a Complaint with the Supervisory Authority
In the event of data protection violations, you have the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority for data protection matters is the state data protection officer of the federal state in which our company is based.
List of data protection officers: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
2.5 Objection to Promotional Emails
The use of contact data published as part of the legal notice obligation for sending unsolicited advertising and information materials is hereby objected to. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited sending of advertising information, such as spam emails.
3. Data Collection on Our Website
3.1 Cookies and Consent Management
Our website uses so-called cookies. Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our offering more user-friendly, effective and secure. Cookies are small text files that are stored on your computer and saved by your browser.
We use a cookie consent tool (CookieConsent v3) with Google Consent Mode V2. On your first visit to our website, you will be informed about the use of cookies and can give or refuse your consent. You can adjust your cookie settings at any time via the cookie link in the website footer.
Technically necessary cookies are stored on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in storing cookies for the technically error-free and optimised provision of its services. All other cookies (e.g. analytics or marketing cookies) are only set with your express consent pursuant to Art. 6(1)(a) GDPR.
3.2 Server Log Files
The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are:
• Browser type and browser version
• Operating system used
• Referrer URL
• Hostname of the accessing computer
• Time of the server request
• IP address
This data is not merged with other data sources. The basis for data processing is Art. 6(1)(f) GDPR.
3.3 SSL/TLS Encryption
This site uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.
3.4 Contact and Booking Forms
If you send us enquiries or bookings via the contact form, your details from the enquiry form, including the contact data you provide there, will be stored by us for the purpose of processing the enquiry and in case of follow-up questions. We will not pass on this data without your consent.
The processing of data entered in the contact and/or booking form is based on Art. 6(1)(b) GDPR (contract initiation and fulfilment) and Art. 6(1)(f) GDPR (legitimate interest in processing enquiries).
For the personalised answering of messages and questions, we require, among other things: first and last name, email address, telephone number, street and house number, postcode/city and country.
For the fulfilment of a travel contract, we also process: date of birth, gender, and depending on the travel destination, nationality and passport data. In addition, emergency contact data and project-specific details may be collected. The data of travel participants collected in connection with the trip is used exclusively for carrying out the stay abroad, all contractually owed services and for customer support.
4. Disclosure of Personal Data
4.1 Disclosure to Third Parties
If we transfer personal data to a processor, you have the right to be informed about the appropriate safeguards in connection with the transfer.
Your personal data will only be disclosed within the scope of the relevant provisions, in particular those of competition and data protection law. Insofar as this is necessary for the provision of the contractual services owed by us (accommodation, meals, leisure activities/excursions, supervision, orientation days on site if applicable) or to meet legal obligations, your data will also be passed on to subcontractors or service providers that provide the service on our behalf.
Data processing agreements pursuant to Art. 28 GDPR are in place with all processors, containing EU Standard Contractual Clauses.
4.2 Transfer Abroad
We must transmit data to the above-mentioned partners in order to organise all contractual services owed by us in connection with the stay abroad. For the same purpose, our partners may also have to forward the data independently. Our partners work independently and do not belong to Natucate GmbH. For this reason, we have no influence on the data processing of third parties.
A third country is a country in which the GDPR is not directly applicable law. This generally includes all countries outside the EU or the European Economic Area. For transfers to the USA, we rely, where the respective provider is certified, on the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023). In addition or alternatively, EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply.
4.3 Storage of Your Data
As a general rule, we only store personal data for as long as is necessary to fulfil contractual or legal obligations for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidentiary purposes for civil law claims or due to statutory retention obligations.
We are obliged to do so on the basis of statutory documentation obligations that may arise from the German Commercial Code, the Fiscal Code, the Banking Act, the Money Laundering Act and the Securities Trading Act. The retention periods specified there for documents are two to ten years.
5. Form Services
Jotform
Provider: Jotform Inc., 111 Pine Street, Suite 1815, San Francisco, CA 94111, USA
Purpose: Online form tool for collecting enquiries, bookings and surveys
Legal basis: Art. 6(1)(b) GDPR (contract initiation) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: Until deletion of form data or according to retention periods
Third country transfer: USA (EU-U.S. Data Privacy Framework, EU Standard Contractual Clauses)
Privacy policy: https://www.jotform.com/privacy/
Typeform
Provider: TYPEFORM S.L., Bac de Roda 163, 08018 Barcelona, Spain
Purpose: Collection and transmission of form data (e.g. newsletter registration, surveys)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in appealing presentation)
Storage duration: According to retention periods
Third country transfer: EU (Spain) – Data processing agreement in place
Privacy policy: https://www.typeform.com/help/a/what-happens-to-my-data-360029581691/
6. Functional Services
WhatsApp Business
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Purpose: Direct customer communication via WhatsApp
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: 1 year
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.whatsapp.com/legal/privacy-policy
Zendesk
Provider: Zendesk, Inc., 989 Market Street, San Francisco, CA 94103, USA
Purpose: Live chat support and ticket system for processing and managing enquiries
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: Session to 2 years
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.zendesk.com/company/privacy-and-data-protection/
Zoom
Provider: Zoom Video Communications, Inc., 55 Almaden Blvd, 6th Floor, San Jose, CA 95113, USA
Purpose: Video consultation and online meetings
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: Session
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://explore.zoom.us/en/privacy/
7. Analytics Services
Google Analytics 4
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Web analysis, user behaviour, website performance
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: 2 months (automatic deletion activated)
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://policies.google.com/privacy
Note: IP anonymisation active
Opt-out: https://tools.google.com/dlpage/gaoptout
Microsoft Clarity
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Purpose: Session recording, heatmaps, user behaviour analysis
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: 1 year
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://privacy.microsoft.com/en-us/privacystatement
Matomo (Jetpack Stats)
Provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA
Purpose: Web analysis with enhanced privacy options
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: 13 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://automattic.com/privacy/
Note: IP anonymisation active
SEMrush
Provider: Semrush Inc., 800 Boylston Street, Suite 2475, Boston, MA 02199, USA
Purpose: SEO analysis, website optimisation
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: Aggregated data
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.semrush.com/company/legal/privacy-policy/
8. Marketing & Advertising
Google Ads (AdWords) & Conversion Tracking
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Online advertising programme with conversion tracking to measure advertising effectiveness
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: 3 months (conversion cookies)
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://policies.google.com/privacy
Google Tag Manager
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Tag management system for managing website tags and marketing services
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: No data storage of its own
Privacy policy: https://www.google.com/intl/en/tagmanager/use-policy.html
Note: The Tag Manager itself does not process any personal data of users.
Microsoft Bing Ads
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Purpose: Conversion and tracking tool to measure advertising effectiveness
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: Session
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.microsoft.com/en-us/privacy/privacystatement
Opt-out: https://account.microsoft.com/privacy/ad-settings/signedout
Meta Pixel (Facebook & Instagram)
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Purpose: Conversion tracking, remarketing, custom audiences
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: 3 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.facebook.com/policy
Ad settings: https://www.facebook.com/settings?tab=ads
LinkedIn Marketing Services & Insight Tag
Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Purpose: B2B marketing, remarketing, conversion measurement, insight tags
Legal basis: Art. 6(1)(a) GDPR (consent) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: 3 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Note: User data is processed pseudonymously. LinkedIn does not store or process the name or email address of users, but processes the relevant data on a cookie-related basis within pseudonymous user profiles.
TikTok Pixel
Provider: TikTok Technology Limited, 10 Earlsfort Terrace, Dublin 2, Ireland
Purpose: Retargeting, conversion tracking
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: 13 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.tiktok.com/legal/privacy-policy
9. External Media & Content
YouTube
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Embedding of videos
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: Session to 6 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://policies.google.com/privacy
Vimeo
Provider: Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA
Purpose: Embedding of videos. When you visit one of our pages equipped with a Vimeo plugin, a connection to the Vimeo servers is established. The Vimeo server is informed which of our pages you have visited. Vimeo also obtains your IP address.
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: Session to 12 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://vimeo.com/privacy
Note: If you are logged into your Vimeo account, you enable Vimeo to assign your browsing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account.
Mapbox
Provider: Mapbox Inc., 740 15th Street NW, 5th Floor, Washington, DC 20005, USA
Purpose: Interactive maps and map visualisation. When you access a page that contains Mapbox maps, your browser establishes a direct connection to Mapbox servers. The map content is transmitted directly from Mapbox to your browser.
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: Session to 12 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.mapbox.com/legal/privacy
Note: If you do not want Mapbox to collect, process or use data about you via our website, you can deactivate JavaScript in your browser settings. In this case, however, you will not be able to use the map display.
Instagram Embeds
Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
Purpose: Embedding of social media content
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: Session to 1 year
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://instagram.com/about/legal/privacy/
Google Maps
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Interactive maps, location display
Legal basis: Art. 6(1)(a) GDPR (consent)
Storage duration: Session to 6 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://policies.google.com/privacy
10. CRM & Backend Services
Pipedrive
Provider: Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia
Purpose: CRM system, customer relationship management, sales administration
Legal basis: Art. 6(1)(b) GDPR (contract initiation/fulfilment) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: As long as commercially required, then according to retention periods
Third country transfer: EU provider (Estonia), servers in EU selectable
Privacy policy: https://www.pipedrive.com/en/privacy
Note: Pipedrive is a backend CRM system without frontend cookies. No cookies are set on the website.
Google reCAPTCHA
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Bot protection for forms
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in website security)
Storage duration: Session to 6 months
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://policies.google.com/privacy
Zapier
Provider: Zapier Inc., 548 Market St #62411, San Francisco, California 94104, USA
Purpose: Integration and automation of various tools
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in efficient structuring)
Storage duration: According to retention periods
Third country transfer: USA (EU-U.S. Data Privacy Framework, data processing agreement in place)
Privacy policy: https://www.zapier.com/privacy
Make (formerly Integromat)
Provider: Celonis SE (Make), Theresienstraße 6, 80333 Munich, Germany
Purpose: Workflow automation and tool integration
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: According to retention periods
Third country transfer: EU (Germany)
Privacy policy: https://www.make.com/en/privacy-notice
Notion
Provider: Notion Labs Inc., 2300 Harrison Street, San Francisco, CA 94110, USA
Purpose: Collaboration and project management tool for internal team organisation
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: As long as commercially required
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://www.notion.so/privacy
11. Payment & Accounting Services
PayPal
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg
Purpose: Online payment processing
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment)
Storage duration: According to statutory retention periods (up to 10 years)
Third country transfer: EU (Luxembourg), possible data transfer to the USA
Privacy policy: https://www.paypal.com/webapps/mpp/ua/privacy-full
Revolut
Provider: Revolut Ltd, 7 Westferry Circus, E14 4HD London, United Kingdom
Purpose: Payment processing, business account
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment)
Storage duration: According to statutory retention periods
Third country transfer: UK (EU Commission adequacy decision)
Privacy policy: https://www.revolut.com/legal/privacy/
DATEV
Provider: DATEV eG, Paumgartnerstraße 6-14, 90429 Nuremberg, Germany
Purpose: Accounting, tax consulting, payroll
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment) and Art. 6(1)(c) GDPR (legal obligation)
Storage duration: According to statutory retention periods (up to 10 years)
Third country transfer: EU (Germany)
Privacy policy: https://www.datev.de/web/de/datev/datenschutz/
SevDesk
Provider: sevDesk GmbH, Hauptstraße 115, 77652 Offenburg, Germany
Purpose: Cloud-based accounting software
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment) and Art. 6(1)(c) GDPR (legal obligation)
Storage duration: According to statutory retention periods (up to 10 years)
Third country transfer: EU (Germany)
Privacy policy: https://sevdesk.de/datenschutz/
12. Cloud Services & Communication
pCloud
Provider: pCloud AG, Place de la Gare 6, 1003 Lausanne, Switzerland
Purpose: Cloud storage for documents, files and backups
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment) and Art. 6(1)(f) GDPR (legitimate interest in secure data storage)
Storage duration: As long as commercially required
Third country transfer: Switzerland (EU Commission adequacy decision) – Data can be stored exclusively in EU data centres on request
Privacy policy: https://www.pcloud.com/privacy_policy.html
Note: pCloud offers the option of explicitly choosing the EU as the storage location and using client-side encryption (pCloud Crypto).
Google Workspace
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Purpose: Email, cloud storage, document editing
Legal basis: Art. 6(1)(b) GDPR (contract fulfilment) and Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: As long as commercially required
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://policies.google.com/privacy
Microsoft 365 (Teams, OneDrive, SharePoint)
Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Purpose: Email, cloud storage, document editing, video conferencing
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: As long as commercially required
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://privacy.microsoft.com/en-us/privacystatement
Slack
Provider: Slack Technologies Limited, One Park Place, Hatch Street Upper, Dublin 2, Ireland
Purpose: Internal communication, team coordination
Legal basis: Art. 6(1)(f) GDPR (legitimate interest)
Storage duration: As long as commercially required
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://slack.com/trust/privacy/privacy-policy
13. Newsletter & Email Marketing
MailChimp
Provider: Intuit Inc. (Mailchimp), 2700 Coast Ave., Mountain View, CA 94043, USA
Purpose: Newsletter distribution, email marketing
Legal basis: Art. 6(1)(a) GDPR (consent) or Section 7(3) UWG (existing customers)
Storage duration: Until unsubscription
Third country transfer: USA (EU-U.S. Data Privacy Framework)
Privacy policy: https://mailchimp.com/legal/privacy/
Unsubscribe: Link in every newsletter or by email to datenschutz@natucate.de
If you wish to receive a newsletter offered by us, we require a valid email address from you. To address you personally, we also ask you to provide your salutation and your name. We use this data exclusively for sending our newsletter. When registering for our newsletter, data is collected that enables us to make the registration process verifiable.
14. Social Networks and Media
Natucate GmbH operates online presences within social networks and platforms in order to communicate with customers and users active there and to inform them about our services.
We point out that user data may be processed outside the European Union. This may result in risks for users, as the enforcement of user rights could be made more difficult, for example.
The processing of personal data of users is based on our legitimate interests in effective user information and communication with users pursuant to Art. 6(1)(f) GDPR. If users are asked by the respective providers of the platforms for consent to the data processing described above, the legal basis is Art. 6(1)(a), Art. 7 GDPR.
We refer to the privacy policies of the respective providers:
• Facebook/Meta: https://www.facebook.com/about/privacy/
• Instagram: https://instagram.com/about/legal/privacy/
• YouTube/Google: https://policies.google.com/privacy
• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• TikTok: https://www.tiktok.com/legal/privacy-policy
• Xing: https://privacy.xing.com/de/datenschutzerklaerung
15. Job Applications
We process applicant data solely for the purpose and within the scope of the application process in accordance with legal requirements. The processing of applicant data is carried out to fulfil our (pre-)contractual obligations within the scope of the application process within the meaning of Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR, insofar as data processing becomes necessary for us in the context of legal proceedings (Section 26 BDSG additionally applies in Germany).
The application process requires that applicants provide us with application data. The necessary application data is marked as such if we offer an online form; otherwise it follows from the job descriptions. Generally, this includes personal details, postal and contact addresses and documents belonging to the application such as cover letter, CV and certificates.
The data provided by applicants may be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is unsuccessful, the data of applicants will be treated in accordance with statutory retention and deletion periods.
16. General Information
16.1 EU-U.S. Data Privacy Framework
All US services mentioned in this privacy policy are, where indicated, certified under the EU-U.S. Data Privacy Framework (adequacy decision of the EU Commission of 10 July 2023). The list of participants can be viewed at https://www.dataprivacyframework.gov/list
16.2 Data Processing Agreements
Data processing agreements pursuant to Art. 28 GDPR are in place with all processors, containing EU Standard Contractual Clauses.
16.3 Changes to This Privacy Policy
We reserve the right to amend this privacy policy in order to adapt it to changed legal situations or to changes in services or data processing. The current version can always be found on this page.
16.4 Manage Cookie Settings
You can adjust your cookie settings at any time via our cookie banner or contact us at: datenschutz@natucate.de