Data protection

Introduction and Overview
We have prepared this Privacy Policy (version 25.04.2024-322778470) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (hereinafter "data") we, as controllers – and the processors we engage (e.g., service providers) – process, will process in the future, and what legal options you have. The terms used are to be understood as gender-neutral. In short: we provide you with comprehensive information about the data we process about you.

Privacy policies usually sound very technical and use legal jargon. This privacy policy, however, aims to describe the most important points as simply and transparently as possible. Where it supports transparency, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics are used. We aim to clearly and simply inform you that, in the course of our business activities, we only process personal data if there is a corresponding legal basis. This is generally not possible if explanations are kept as short, unclear, and legally-technical as is often the standard on the internet regarding data protection. We hope you find the following explanations interesting and informative, and perhaps there is some information that you did not know before.

If you still have questions, we kindly ask you to contact the responsible entity listed below or in the imprint, follow the provided links, or view additional information on third-party sites. Of course, our contact details are also provided in the imprint.

Scope of Application
This Privacy Policy applies to all personal data processed within our company and to all personal data processed by companies we commission (processors). By personal data, we mean information in the sense of Article 4(1) GDPR, such as a person’s name, email address, and postal address. Processing personal data enables us to offer and bill our services and products, both online and offline. The scope of this Privacy Policy includes:

all online presences (websites, online shops) operated by us
social media accounts and email communications
mobile apps for smartphones and other devices

In short: this Privacy Policy applies to all areas in which personal data is structured and processed within the company via the channels mentioned above. Should we engage with you in legal relationships outside these channels, we will inform you separately if necessary.

Legal Bases
In the following Privacy Policy, we provide you with transparent information on the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, that allow us to process personal data.

Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online at EUR-Lex, the access portal to EU law, under https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R067

We process your data only if at least one of the following conditions applies:

Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be storing the information you enter in a contact form.
Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we conclude a purchase agreement with you, we need personal information beforehand.
Legal Obligation (Article 6(1)(c) GDPR): We process your data if we are subject to a legal obligation. For example, we are legally required to retain invoices for accounting purposes, which usually contain personal data.
Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not infringe on your fundamental rights, we reserve the right to process personal data. For instance, we need to process certain data to operate our website securely and efficiently. This processing thus constitutes a legitimate interest.

Other conditions, such as processing in the public interest, exercising official authority, or protecting vital interests, generally do not apply to us. Should such a legal basis be relevant, it will be explicitly indicated in the corresponding section.

In addition to the EU regulation, national laws also apply:

In Austria, this is the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act, DSG).
In Germany, the Federal Data Protection Act (BDSG) applies.

If additional regional or national laws are applicable, we will inform you in the following sections.

Contact Details of the Data Controller
If you have any questions regarding data protection or the processing of personal data, you can contact the responsible person or entity at the following address:

Hirsch & Reisacher GbR - Earebel Creative
Managing Partners: Dietmar Hirsch & Manuel Reisacher
Römerstraße 27 | 87474 Buchenberg | Germany
Tel.: +49 8378 9323960
Email: hello@earebel-creative.de
Imprint: www.earebel-creative.de/impressum/

Data Retention Period
We generally retain personal data only as long as it is strictly necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing no longer exists. In some cases, we are legally obliged to retain certain data even after the original purpose has expired, for example for accounting purposes.

If you wish to have your data deleted or revoke your consent for data processing, the data will be deleted as quickly as possible, provided there is no legal obligation to retain it.

We will provide further information below regarding the specific duration of data processing where such information is available.

Rights under the General Data Protection

According to Articles 13 and 14 GDPR, we inform you of the following rights to ensure fair and transparent processing of data:

Right of access (Article 15 GDPR): You have the right to know whether we process your data. If this is the case, you are entitled to receive a copy of the data and the following information:
- the purpose for which we process your data;
- the categories of data being processed;
- who receives this data, and if data is transferred to third countries, how security is ensured;
- how long the data will be stored;
- the existence of the right to rectification, erasure, or restriction of processing, and the right to object to processing;
- the right to lodge a complaint with a supervisory authority (links to these authorities are provided below);
- the origin of the data if we did not collect it from you;
- whether profiling is carried out, i.e., whether data is automatically analyzed to create a personal profile.
Right to rectification (Article 16 GDPR): You have the right to have your data corrected if you identify any errors.
Right to erasure (“right to be forgotten”) (Article 17 GDPR): You may request the deletion of your data.
Right to restriction of processing (Article 18 GDPR): You may request that data is only stored but no longer used.
Right to data portability (Article 20 GDPR): Upon request, we must provide your data in a commonly used format.
Right to object (Article 21 GDPR): You may object to the processing, which may result in changes to how we process your data.
- If data processing is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you may object. We will review your objection as soon as possible to determine if it can be legally accommodated.
- If your data is used for direct marketing, you may object at any time. We will then no longer use your data for direct marketing.
- If your data is used for profiling, you may object at any time. We will then no longer use your data for profiling.
Right not to be subject to automated decision-making (Article 22 GDPR): In certain cases, you have the right not to be subject to decisions based solely on automated processing, including profiling.
Right to lodge a complaint (Article 77 GDPR): You may contact a supervisory authority if you believe that the processing of personal data violates the GDPR.

In short: You have rights — do not hesitate to contact the responsible party listed above!

If you believe that the processing of your data violates data protection laws or that your privacy rights have otherwise been infringed, you can lodge a complaint with the supervisory authority.

In Austria: The Data Protection Authority, accessible at https://www.dsb.gv.at/
In Germany: Each federal state has its own data protection officer. For more information, you may contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the local data protection authority responsible is:

Bavaria Data Protection Authority
State Commissioner for Data Protection: Prof. Dr. Thomas Petri
Address: Wagmüllerstr. 18 | 80538 Munich | Germany
Tel.: +49 89 21 26 72-0
Email: poststelle@datenschutz-bayern.de
Website: https://www.datenschutz-bayern.de/

Communication

Summary of Communication Processing

Subjects: Anyone contacting us via phone, email, or online form
Processed data: e.g., phone number, name, email address, entered form data. More details depend on the communication channel used
Purpose: Handling communication with customers, business partners, etc.
Retention period: Duration of the business case and statutory requirements
Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interests)

When you contact us via phone, email, or online form, personal data may be processed.

The data is processed to handle and respond to your inquiry and any associated business transaction. Data is stored only as long as necessary or as required by law.

Data Subjects
All individuals who contact us through the communication channels we provide are affected.

Phone
If you call us, call data is pseudonymized on the device used and by the telecommunications provider. Additionally, data such as name and phone number may be sent via email and stored to respond to your inquiry. Data will be deleted once the business case is concluded and legal requirements allow.

If you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and may also be stored on the email server. The data will be deleted once the business case has been concluded and as soon as legal requirements allow.

Online Forms
If you communicate with us using an online form, data will be stored on our web server and, if applicable, forwarded to one of our email addresses. The data will be deleted once the business case has been concluded and as soon as legal requirements allow.

Legal Basis
The processing of data is based on the following legal grounds:

Art. 6(1)(a) GDPR (Consent): You give us consent to store your data and use it for purposes related to the business case;
Art. 6(1)(b) GDPR (Contract): Processing is necessary to fulfill a contract with you or a processor (e.g., the telephone provider), or we need the data for pre-contractual activities, such as preparing a quotation;
Art. 6(1)(f) GDPR (Legitimate Interests): We aim to handle customer inquiries and business communication professionally. For this, certain technical systems, such as email programs, Exchange servers, and mobile providers, are necessary to ensure efficient communication.

Application Data

Summary of Application Data Processing

Subjects: Users applying for a position with us
Purpose: Processing of an application procedure
Processed data: Name, address, contact details, email address, phone number, qualification certificates, possibly special categories of data
Retention period: If hired, until the end of employment; otherwise, data will be deleted after the application process or stored for a certain period with your consent
Legal basis: Art. 6(1)(a) GDPR (Consent), Legitimate Interest (Art. 6(1)(f) GDPR), Art. 6(1)(b) GDPR (Contract), Art. 9(2)(a) GDPR (Processing of special categories of data)

What are application data?
You can apply for a position in our company via email, online form, or a recruiting tool. All data we receive and process as part of your application is considered application data. This always includes personal data such as your name, date of birth, address, and phone number.

Why do we process application data?
We process your data to conduct a proper selection procedure for the advertised position. Additionally, with your consent, we may keep your application documents in our application archive. Often, the fit for a particular role does not work out for various reasons, but if we are impressed by your application, we may consider you for future opportunities. Archiving your documents allows us to easily contact you for future roles within our company.

We guarantee that we handle your data carefully and always process it within the legal framework. Within our company, your data is only shared with individuals directly involved in the application process. In short: your data is safe with us!

What data is processed?
If you apply via email, we will naturally receive personal data, as mentioned above. Even your email address counts as personal data. However, only the data relevant to our decision on whether to welcome you to our team is processed during the application procedure.

Which data is processed?
The exact data processed mainly depends on the job posting. Usually, this includes your name, date of birth, contact information, and qualification certificates. If you submit your application via an online form, the data is transmitted to us encrypted. If you send your application by email, this encryption does not occur. Therefore, we cannot assume responsibility for the transmission path. Once the data reaches our servers, we are responsible for the lawful handling of your data.

During the application process, in addition to the data mentioned above, information about your health or ethnic origin may be requested to ensure that both you and we can exercise rights related to labor law, social security, and social protection while fulfilling the corresponding obligations. This constitutes special categories of data.

Possible data we may receive and process includes:

Name
Contact address
Email address
Phone number
Date of birth
Information from your cover letter and CV
Qualification certificates (e.g., diplomas, references)
Special categories of data (e.g., ethnic origin, health data, religious beliefs)
Usage data (visited websites, access data, etc.)
Metadata (IP address, device information)

Data retention period

If you join our company as an employee, your data will continue to be processed for employment purposes and retained at least until the end of your employment. All application documents will then be added to your personnel file.

If we do not offer you the position, you decline our offer, or you withdraw your application, we may retain your data for up to six months after the application process based on our legitimate interest (Art. 6(1)(f) GDPR). After this period, all electronic data as well as any physical application documents will be completely deleted or destroyed. We retain data during this period to answer any follow-up questions or to provide evidence in the event of a legal dispute. If a legal dispute arises and we still need the data after six months, it will only be deleted once there is no longer a reason for retention. Legal retention obligations may require us to store certain data for longer than six months.

We may also retain your data for a longer period if you have given specific consent, for example, if we envision a future collaboration with you. In this case, your data is stored in our applicant pool. You may withdraw your consent for extended storage at any time. If no withdrawal or new consent is given, your data will be deleted no later than two years after submission.

Legal basis
The legal bases for processing your data are Art. 6(1)(a) GDPR (Consent), Art. 6(1)(b) GDPR (Contract or pre-contractual measures), Art. 6(1)(f) GDPR (Legitimate Interests), and Art. 9(2)(a) GDPR (Processing of special categories of data).

If you are added to our applicant tool, this is based on your consent (Art. 6(1)(a) GDPR). Your consent is voluntary, does not affect the application process, and may be revoked at any time. The lawfulness of processing up to the point of withdrawal remains unaffected.

For the protection of vital interests, data processing is carried out under Art. 9(2)(c) GDPR. For purposes of health care, occupational medicine, medical diagnostics, provision or treatment in the health or social sector, or the administration of health or social services and systems, data is processed under Art. 9(2)(h) GDPR. If you voluntarily provide special categories of data, processing is based on Art. 9(2)(a) GDPR.

Web Hosting Introduction

Summary of Web Hosting Data Processing

Subjects: Website visitors
Purpose: Professional website hosting and operational security
Processed data: IP address, time of website visit, browser used, and other data (more details below or from the respective web hosting provider)
Retention period: Depends on the provider, usually around 2 weeks
Legal basis: Art. 6(1)(f) GDPR (Legitimate Interests)

What is web hosting?
When you visit websites today, certain information—including personal data—is automatically generated and stored, including on this website. This data should be processed sparingly and only for valid reasons. By "website," we mean the entirety of all web pages under a domain, from the homepage to the last subpage. A domain may be, for example, beispiel.de or sampleexample.com.

To view a website on a computer, tablet, or smartphone, you use a program called a web browser. You probably know some browsers by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. We will simply refer to them as "browser."

To display the website, the browser must connect to another computer where the website code is stored: the web server. Operating a web server is complex and usually handled by professional providers offering web hosting. They ensure reliable and error-free storage of website data.

During the connection of your browser to our servers and while data is transmitted to and from the web server, personal data may be processed. Your computer stores some data, and the web server must also temporarily store data to ensure proper operation.

Why do we process personal data?
The purposes of data processing are:

Professional website hosting and operational security
Maintenance of IT and operational security
Anonymous analysis of access behavior to improve our offerings and, if necessary, for legal enforcement or claims

Which data is processed?
Even while visiting our website, the web server (the computer where this website is stored) typically automatically stores
data such as:

Full internet address (URL) of the visited page
Browser and browser version (e.g., Chrome 87)
Operating system (e.g., Windows 10)
URL of the previously visited page (Referrer URL)
Hostname and IP address of the device accessing the website (e.g., COMPUTERNAME and 194.23.43.121)
Date and time
Log files on the web server

Data retention period

Data Retention – Web Hosting
As a rule, the above-mentioned data is stored for two weeks and then automatically deleted. We do not share this data; however, we cannot rule out that authorities may access it in case of illegal activity.

In short: Your visit is logged by our provider (the company that hosts our website on dedicated servers), but we do not share your data without your consent.

Legal Basis
The legal basis for processing personal data in the context of web hosting is Art. 6(1)(f) GDPR (legitimate interests), as professional hosting by a provider is necessary to present our company securely and user-friendly on the Internet and to potentially track attacks or claims.

We usually have a contract for commissioned data processing (Art. 28 GDPR) with our hosting provider, which ensures compliance with data protection and guarantees data security.

1&1 IONOS Web Hosting Privacy Policy – Summary

Subjects: Website visitors
Purpose: Website storage and online accessibility
Processed data: IP address and technical data
Retention period: Visitor data is deleted after 8 weeks
Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

What is 1&1 IONOS Web Hosting?
To host our website, we use web hosting services from IONOS by 1&1. In Germany, IONOS SE is located at Elgendorfer Str. 57, 56410 Montabaur, and in Austria at Gumpendorfer Straße 142/PF 266, 1060 Vienna. IONOS offers services including domain registration, websites & shops, hosting & WordPress, marketing, email & office, IONOS Cloud, and servers. With over 22 million domains, nearly 9 million customer contracts, and 100,000 servers, IONOS is one of the largest hosting providers in Germany.

As mentioned, hosting also stores data from your device on IONOS servers. This includes your IP address (personal data) and technical information such as the URL visited, browser type, and operating system.

Why use IONOS?
Founded in 1988, IONOS combines experience with technological innovation, providing reliable 24/7 website operation and high security. Monthly data traffic is unlimited, and plenty of storage ensures high performance even with many visitors.

Data processed by 1&1 IONOS Web Hosting:

Previously visited website (referrer)
Requested website (our site)
Browser type and version
Operating system and device type
Time of access
Anonymized IP address

These data improve website security, detect errors, and allow anonymous statistical analysis. IONOS uses the anonymized IP only to determine the approximate location of access.

Data storage location and duration
Data is stored on IONOS servers. Visitor data is usually deleted after 8 weeks, but may be kept longer for legal reasons. Data is not shared with third parties or transferred outside the EU.

Rights regarding your data:
You may request access, correction, deletion, or restriction of your personal data. Consent for data processing can be revoked at any time. Cookie settings can also be managed in your browser.

Legal basis
Our legitimate interest is using IONOS to provide our online services securely and user-friendly. Professional hosting is required for website security and to track potential cyberattacks (Art. 6(1)(f) GDPR). More information is available at IONOS Privacy Policy. For questions, contact datenschutz@ionos.de.

Commissioned Data Processing Agreement (AVV) with IONOS

In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have concluded a Data Processing Agreement (DPA) with IONOS. You can read more about what a DPA is and what it must include in our general section “Data Processing Agreement (DPA). This agreement is legally required because IONOS processes personal data on our behalf. It ensures that IONOS may only process the data we provide according to our instructions and in compliance with the GDPR. You can find the link to the Data Processing Agreement (DPA) here: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/

Online Map Services – Introduction

Summary of Online Map Services Privacy Policy
👥 Data Subjects: Website visitors
🤝 Purpose: Improving user experience
📓 Data Processed: The data processed depends on the services used. Typically, this includes IP addresses, location data, search queries, and/or technical data. More details are available from the respective tools.
📅 Retention Period: Depends on the tools used
⚖️ Legal Basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)

What are online map services?

We use online map services on our website as an extended feature. Google Maps is likely the service you are most familiar with, but there are other providers specializing in digital maps. These services allow locations, route plans, or other geographic information to be displayed directly on our website. By embedding a map service, you don’t need to leave our website to, for example, view a route to a location.

To make the map work on our site, map sections are embedded via HTML code. The services can display street maps, the Earth's surface, or aerial/satellite images. When you use the embedded map feature, data is transmitted to the respective service and stored there. This data may include personal information.

Why do we use online map services on our website?

Our general goal is to provide you with an enjoyable experience on our website. This is only possible if you can navigate easily and find the information you need quickly. That’s why we believe an online map system can significantly improve our website service.

Without leaving our website, you can view routes, locations, or points of interest easily. It’s also very convenient to see at a glance where our company is located, helping you find us quickly and safely. As you can see, there are many advantages, and we clearly consider online map services part of our customer service.

What data is stored by online map services?

When you open a page with an embedded map, personal data may be transmitted to and stored by the service. Usually, this includes your IP address, which can approximate your location. Other data, such as search queries and latitude/longitude coordinates, may also be stored. If you enter an address for route planning, these details are saved as well. The data is stored on the servers of the embedded tools, not on our servers. Essentially, while you remain on our website, interactions with the map occur on the service’s website.

To function properly, at least one cookie is usually set in your browser. For example, Google Maps uses cookies to record user behavior, optimize its services, and provide personalized advertising. More about cookies can be found in our Cookies section.

How long and where is the data stored?

Each online map service processes user data differently. Where possible, we provide details on retention periods in the respective tool sections. Generally, personal data is only stored as long as necessary to provide the service. For instance, Google Maps stores certain data for defined periods, while some data must be deleted manually. Mapbox stores IP addresses for 30 days, after which they are deleted.

Cookies may also be used to track user behavior. For more information, see our Cookies section or the privacy policies of the respective providers.

Right to object

You always have the right to access your personal data and object to its use and processing. You may revoke any consent you have given at any time, usually via the cookie consent tool. Other opt-out tools may also be available. Cookies can be managed, deleted, or deactivated in your browser, though some service functions may then not work as intended. Instructions for managing cookies depend on your browser. Links are provided in the Cookies section.

Legal basis

If you have consented to the use of an online map service, this consent forms the legal basis for processing personal data (Art. 6(1)(a) GDPR). We also have a legitimate interest in using map services to optimize our website services (Art. 6(1)(f) GDPR). However, we only use an online map service after you have given consent.

Google Maps Privacy Policy

Summary
👥 Data Subjects: Website visitors
🤝 Purpose: Optimizing our services
📓 Data Processed: Data such as search queries, IP address, latitude/longitude coordinates
📅 Retention Period: Depends on stored data
⚖️ Legal Basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)

What is Google Maps?

We use Google Maps by Google Inc. In Europe, Google Ireland Limited is responsible. Google Maps allows us to show locations and adapt our services to your needs. Data is transmitted to Google and stored on their servers.

Google Maps lets users search for cities, attractions, accommodations, or businesses online. If a business is listed on Google My Business, additional information is displayed. Maps can be embedded via HTML code, showing street maps or aerial/satellite images. Street View and high-resolution images provide very accurate views.

Why do we use Google Maps?

Our goal is to provide a useful and meaningful experience on our website. Embedding Google Maps allows us to provide important location information. You can see our company location at a glance and access routes by car, public transport, walking, or cycling. Google Maps is part of our customer service.

What data is stored by Google Maps?

Google Maps collects and stores data to provide the service, including search queries, IP address, and latitude/longitude. Using the route planner stores the start address. This data is stored on Google servers. We have no control over this.

A Google cookie (NID) is set in your browser, storing user behavior to optimize services and provide personalized advertising:

Name: NID
Value: unique identifier
Purpose: Google uses it to personalize ads based on your search activity
Expiration: 6 months

Data storage and deletion

Google servers are worldwide, mostly in the USA. Some data is stored for set periods; others can be deleted manually. Some information is anonymized after 9–18 months. You can manage or disable cookies in your browser. Location and activity data can also be managed via your Google account.

Legal basis for Google Maps

Consent is the legal basis if you agree to Google Maps use (Art. 6(1)(a) GDPR). We also have a legitimate interest to optimize our services (Art. 6(1)(f) GDPR), but Google Maps is only used with your consent.

Google may process data in the USA under the EU-US Data Privacy Framework and Standard Contractual Clauses, ensuring GDPR-level protection.

Closing note

Congratulations! If you’ve read this far, you’ve made it through our full privacy policy. As you can see, we take the protection of your personal data seriously.

We aim to inform you in plain language about how and why we process your data. If you have questions, please contact us or the responsible party. We hope to welcome you back to our website soon.

All texts are copyrighted.

Source: Created with the Privacy Policy Generator Germany by AdSimple