HomePrivacy Policy

Privacy Policy

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to briefly as “data”) we process for which purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, mobile, as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Status: 07.11.2020

Table of Contents

Controller

dorothee lehnen GmbH
Owner: Dorothee Lehnen-Martins

Schlager Chaussee 21a
30900 Wedemark

Managing Director/CEO: Dorothee Lehnen-Martins, Rainer Martins

Authorized Representatives: Dorothee Lehnen-Martins

Email Address:[email protected]

Phone: 0049 (0)5130 9283180

Imprint

 

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Data Processed

  • Inventory data (e.g. names, addresses).
  • Content data (e.g. entries in online forms).
  • Contact data (e.g. email, phone numbers).
  • Meta/communication data (e.g. device information, IP addresses).
  • Usage data (e.g. visited websites, interest in content, access times).
  • Location data (information about the geographical position of a device or person).
  • Contract data (e.g. contract subject, duration, customer category).
  • Payment data (e.g. bank connections, invoices, payment history).

Categories of Data Subjects

  • Business and contractual partners.
  • Prospects.
  • Communication partners.
  • Customers.
  • Users (e.g. website visitors, users of online services).

Purposes of Processing

  • Assessment of creditworthiness and solvency.
  • Provision of our online offer and user-friendliness.
  • Visit action evaluation.
  • Office and organizational procedures.
  • Cross-device tracking (cross-device processing of user data for marketing purposes).
  • Direct marketing (e.g. by email or post).
  • Interest-based and behavioral marketing.
  • Contact requests and communication.
  • Conversion measurement (measuring the effectiveness of marketing measures).
  • Profiling (creating user profiles).
  • Remarketing.
  • Reach measurement (e.g. access statistics, recognition of returning visitors).
  • Security measures.
  • Tracking (e.g. interest/behavioral profiling, use of cookies).
  • Provision of contractual services and customer service.
  • Administration and answering of inquiries.
  • Target group formation (determination of target groups relevant for marketing purposes or other output of content).

Automated Decisions in Individual Cases

  • Credit information (decision based on a credit check).

Relevant Legal Bases

In the following, we share the legal bases of the General Data Protection Regulation (GDPR) on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence and headquarters. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR) – The data subject has given consent to the processing of personal data relating to him or her for a specific purpose or several specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, securing the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transmission, securing availability and their separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, deletion of data and responses to data threats. Furthermore, we take into account the protection of personal data already during the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and through privacy-friendly default settings.

SSL encryption (https): To protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

 

Transmission and Disclosure of Personal Data

In the context of our processing of personal data, it happens that the data is transmitted to other bodies, companies, legally independent organizational units or persons or disclosed to them. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and in particular conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or disclosure or transmission of data to other persons, bodies or companies, this only takes place in accordance with legal requirements.

Subject to express consent or contractually or legally required transmission, we process or have the data processed only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de ).

Use of Cookies

Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie primarily serves to store information about a user during or after his visit within an online offer. The stored information may include, for example, language settings on a website, login status, a shopping cart or the location where a video was watched. The term cookies also includes other technologies that fulfill the same functions as cookies (e.g., when user information is stored using pseudonymous online identifiers, also referred to as “user IDs”)

The following cookie types and functions are distinguished:

  • Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes his browser.
  • Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, the interests of users that are used for reach measurement or marketing purposes can be stored in such a cookie.
  • First-party cookies: First-party cookies are set by us ourselves.
  • Third-party cookies (also: third-party cookies): Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
  • Necessary (also: essential or absolutely required) cookies: Cookies may be absolutely necessary for the operation of a website (e.g., to store logins or other user inputs or for security reasons).
  • Statistics, marketing and personalization cookies: Furthermore, cookies are also regularly used in the context of reach measurement as well as when the interests of a user or his behavior (e.g., viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles serve to show users, for example, content that corresponds to their potential interests. This process is also referred to as “tracking”, i.e., tracking the potential interests of users. . Insofar as we use cookies or “tracking” technologies, we will inform you separately in our privacy policy or in the context of obtaining consent.

Notes on legal bases: On which legal basis we process your personal data with the help of cookies depends on whether we ask for your consent. If this applies and you consent to the use of cookies, the legal basis for processing your data is the declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g., in a business operation of our online offer and its improvement) or, if the use of cookies is necessary to fulfill our contractual obligations.

Storage duration: Unless we provide you with explicit information on the storage duration of permanent cookies (e.g., in the context of a so-called cookie opt-in), please assume that the storage duration can be up to two years.

General notes on revocation and objection (opt-out): Depending on whether the processing is based on consent or legal permission, you have the possibility at any time to revoke a given consent or to object to the processing of your data by cookie technologies (collectively referred to as “opt-out”). You can initially declare your objection by means of the settings of your browser, e.g., by deactivating the use of cookies (whereby this may also limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared by means of a variety of services, especially in the case of tracking, via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/. In addition, you can receive further objection notices in the context of the information on the service providers and cookies used.

Processing of cookie data based on consent: Before we process or have data processed in the context of the use of cookies, we ask users for revocable consent. Before consent is not given, at most cookies are used that are absolutely necessary for the operation of our online offer.

Cookie settings/ objection possibility:

  • Types of data processed: Usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Commercial and Business Services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships as well as associated measures and in the context of communication with the contractual partners (or pre-contractually), e.g., to answer inquiries.

We process this data to fulfill our contractual obligations, to secure our rights and for purposes of the administrative tasks associated with this information as well as business organization. We only pass on the data of contractual partners to third parties within the framework of applicable law to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations or with the consent of the affected persons (e.g., to involved telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within the framework of this privacy policy.

We inform contractual partners which data is required for the aforementioned purposes before or in the context of data collection, e.g., in online forms, through special marking (e.g., colors) or symbols (e.g., asterisks, etc.), or personally.

We delete the data after expiry of legal warranty and comparable obligations, i.e., generally after expiry of 4 years, unless the data is stored in a customer account, e.g., as long as it must be kept for legal reasons of archiving (e.g., for tax purposes, generally 10 years). We delete data disclosed to us in the context of an order by the contractual partner according to the specifications of the order, generally after the end of the order.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and privacy notices of the respective third-party providers or platforms apply in the relationship between users and providers.

Customer account: Contractual partners can create an account within our online offer (e.g., customer or user account, briefly “customer account”). If registration of a customer account is required, contractual partners will be informed of this as well as the information required for registration. Customer accounts are not public and cannot be indexed by search engines. In the context of registration as well as subsequent logins and uses of the customer account, we store the IP addresses of customers along with the access times in order to be able to prove registration and prevent any misuse of the customer account.

When customers have canceled their customer account, the data concerning the customer account will be deleted, provided that their retention is required for legal reasons. It is the responsibility of customers to back up their data upon termination of the customer account.

Economic analyses and market research: For business reasons and in order to be able to recognize market trends, wishes of contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc., whereby the group of affected persons may include contractual partners, prospects, customers, visitors and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing and market research (e.g., to determine customer groups with different characteristics). Where available, we may consider the profiles of registered users along with their information, e.g., on services used. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarized, i.e., anonymized values. Furthermore, we respect the privacy of users and process the data for analysis purposes as pseudonymously as possible and, if feasible, anonymously (e.g., as summarized data).

Shop and e-commerce: We process the data of our customers to enable them to select, purchase, or order the selected products, goods and related services, as well as their payment and delivery, or execution. If necessary for the execution of an order, we use service providers, in particular postal, shipping and shipping companies, to carry out the delivery or execution to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is marked as such in the context of the order or comparable acquisition process and includes the information required for delivery or provision and billing as well as contact information in order to be able to hold any consultation.

  • Types of data processed: Inventory data (e.g. names, addresses), payment data (e.g. bank connections, invoices, payment history), contact data (e.g. email, phone numbers), contract data (e.g. contract subject, duration, customer category), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Prospects, business and contractual partners, customers.
  • Purposes of processing: Provision of contractual services and customer service, contact requests and communication, office and organizational procedures, administration and answering of inquiries, security measures, visit action evaluation, interest-based and behavioral marketing, profiling (creating user profiles).
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 sentence 1 lit. c. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Payment Service Providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer the affected persons efficient and secure payment options and use other payment service providers in addition to banks and credit institutions (collectively “payment service providers”).

The data processed by payment service providers includes inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, sum and recipient-related information. The information is required to carry out the transactions. However, the entered data is only processed by the payment service providers and stored with them. I.e., we do not receive any account or credit card-related information, but only information with confirmation or negative information about the payment. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies. This transmission is intended for identity and creditworthiness checks. For this we refer to the terms and conditions and privacy notices of the payment service providers.

The terms and conditions and privacy notices of the respective payment service providers apply to payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information and other rights of data subjects.

  • Types of data processed: Inventory data (e.g. names, addresses), payment data (e.g. bank connections, invoices, payment history), contract data (e.g. contract subject, duration, customer category), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Customers, prospects.
  • Purposes of processing: Provision of contractual services and customer service.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Services and service providers used:

  • PayPal: Payment services and solutions (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Website: https://www.paypal.com/de; Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
  • Novalnet AG: Payment institution (ZAG), Feringastraße 4, DE-85774 Unterföhring, Germany, Website: www.novalnet.de; Privacy policy: https://www.novalnet.de/datenschutz

Provision of Online Offer and Web Hosting

In order to provide our online offer safely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offer can be retrieved. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed in the context of providing the hosting offer may include all information relating to users of our online offer that arises in the context of use and communication. This regularly includes the IP address, which is necessary to be able to deliver the content of online offers to browsers, and all entries made within our online offer or from websites.

Email sending and hosting: The web hosting services we use also include the sending, receiving and storage of emails. For these purposes, the addresses of recipients and senders as well as other information concerning email sending (e.g., the providers involved) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of recognizing SPAM. We ask you to note that emails on the Internet are generally not sent encrypted. As a rule, emails are encrypted on the transport route, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore not take responsibility for the transmission path of emails between the sender and reception on our server.

Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, transferred data volumes, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

The server log files can be used for security purposes, e.g., to avoid server overload (especially in case of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of servers and their stability.

  • Types of data processed: Content data (e.g. entries in online forms), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Contact

When contacting us (e.g., via contact form, email, phone or via social media), the information of the inquiring persons is processed to the extent necessary to answer the contact inquiries and any requested measures.

The answering of contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre)contractual inquiries and otherwise on the basis of legitimate interests in answering the inquiries.

  • Types of data processed: Inventory data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. entries in online forms), usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Communication partners, prospects.
  • Purposes of processing: Contact requests and communication, administration and answering of inquiries.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Services and service providers used:

Web Analytics, Monitoring and Optimization

Web analytics (also referred to as “reach measurement”) serves to evaluate the visitor flows of our online offer and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, recognize at what time our online offer or its functions or content are most frequently used or invite reuse. Likewise, we can understand which areas need optimization.

In addition to web analytics, we can also use test procedures to test and optimize, for example, different versions of our online offer or its components.

For these purposes, so-called user profiles can be created and stored in a file (so-called “cookie”) or similar procedures with the same purpose can be used. This information may include, for example, viewed content, visited websites and elements used there as well as technical information such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, these may also be processed depending on the provider.

The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear data of users (such as email addresses or names) are stored in the context of web analytics, A/B testing and optimization, but pseudonyms. I.e., we as well as the providers of the software used do not know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economic and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g. visited websites, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors), tracking (e.g. interest/behavioral profiling, use of cookies), visit action evaluation, profiling (creating user profiles).
  • Security measures: IP masking (pseudonymization of IP address).
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).

Services and service providers used: