Privacy Policy

preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").

The terms used are not gender-specific.

As of October 15, 2023

Table of Contents

• preamble
• Responsible
• Overview of processing activities
• Relevant legal bases
• Security measures
• Transfer of personal data
• International data transfers
• Rights of data subjects
• Use of cookies
• Business services
• Provision of the online service and web hosting
• Contact and inquiry management
• Presences in social networks (social media)

Responsible

Gerd Balter
Village Street 9
54619 Üttfeld

E-mail address:

balter@hocheifel-alpakas.de

Overview of processing activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

• Bestatus data.
• Payment details.
• Contact details.
• Content data.
• Contract details.
• Usage data.
• Metadata, communication data and process data.

Categories of affected persons

• Customers.
• Interested parties.
• Communication partner.
• Users.
• Business and contractual partners.

Purposes of processing

• Provision of contractual services and fulfillment of contractual obligations.
• Contact requests and communication.
• Security measures.
• Office and organizational procedures.
• Managing and responding to inquiries.
• Feedback.
• Marketing.
• Provision of our online services and user-friendliness.
• Information technology infrastructure.

Relevant legal bases

Relevant legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Furthermore, should more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
• Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - The processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the GDPR data protection regulations, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and data transfers, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may also apply.

Notice regarding the applicability of the GDPR and Swiss Federal Data Protection Act (FADP): This privacy notice serves to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). Therefore, please note that, due to its broader geographical scope and clarity, the terms used here are those of the GDPR. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "special categories of personal data" used in the FADP, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are employed. However, the legal meaning of these terms will continue to be determined according to the FADP when it applies.

Security measures

In accordance with legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the threat to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, transfer of, and ensuring the availability and separation of the data. Furthermore, we have established procedures that allow for the exercise of data subject rights, the deletion of data, and We ensure appropriate responses to data breaches. Furthermore, we consider the protection of personal data during the development and selection of hardware, software, and processes, in accordance with the principles of data protection by design and by default.

Transfer of personal data

As part of our processing of personal data, it may be necessary to transfer or disclose data to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.

International data transfers

Data processing in third countries: If we process data in a third country (i.e., outside the European Union (EU) and the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies, or companies, this is done only in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the level of data protection is ensured by other means, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of a contractual or legally required transfer (Art. 49 para. 1 GDPR). We will inform you of the legal basis for third-country transfers with the individual providers. from third countries, with adequacy decisions taking precedence. Information on third-country transfers and existing adequacy decisions can be found on the European Commission's information website: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de.

EU-US Trans-Atlantic Data Privacy Framework: Under the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain US companies as adequate in its adequacy decision of 015120105171. The list of certified companies and further information on the DPF can be found on the US Department of Commerce website at [website address missing]. https://www.dataprivacyframework.gov/ (in English). We inform you in our privacy policy which of our service providers are certified under the Data Privacy Framework.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right of withdrawal for consents: You have the right to withdraw any consent you have given at any time.
• Right to information: You have the right to request confirmation as to whether data concerning you is being processed, and to access this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: In accordance with legal requirements, you have the right to request the completion of your personal data or the correction of inaccurate personal data concerning you.
• Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased without undue delay, or alternatively, in accordance with legal requirements, to request a restriction of the processing of the data.
• Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with the legal requirements.
• Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
• 
  

Use of cookies

Cookies are small text files or other storage markers that store information on and read information from end devices. For example, they can be used to save login status in a user account, shopping cart contents in an online store, accessed content, or used functions of an online service. Cookies can also be used for various other purposes, such as improving the functionality, security, and user-friendliness of online services, as well as analyzing visitor traffic.

Information on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless legally required. In particular, consent is not necessary if the storage and reading of information, including cookies, is strictly necessary to provide users with a telemedia service (i.e., our online service) they have expressly requested. Strictly necessary cookies generally include those with functions that serve the display and operation of the online service, load balancing, security, the storage of user preferences and choices, or similar purposes related to providing the main and secondary functions of the online service requested by the user. The revocable consent is clearly communicated to users and includes information on the respective cookie usage.

Information on the legal basis for data protection: The legal basis for processing users' personal data using cookies depends on whether we request user consent. If users consent, the legal basis for processing their data is their explicit consent. Otherwise, data processed using cookies is processed based on our legitimate interests (e.g., in the efficient operation of our online services and improving their usability) or, if this is necessary for fulfilling our contractual obligations, if the use of cookies is required to meet these obligations. We explain the purposes for which we process cookies in this privacy policy or within the framework of our consent and processing procedures.

Storage duration: The following types of cookies are distinguished with regard to storage duration:

• Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g., browser or mobile application).
• Persistent cookies: Persistent cookies remain stored even after the user closes their device. This allows, for example, login status to be saved or preferred content to be displayed directly when the user revisits a website. Similarly, user data collected using cookies can be used for audience measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are persistent and can be stored for up to two years.

General information on revocation and objection (so-called "opt-out"): Users can revoke their consent at any time and object to processing in accordance with legal requirements. To do this, users can, among other things, restrict the use of cookies in their browser settings (although this may also limit functionality). (Our online services may be limited). You can also object to the use of cookies for online marketing purposes via the websites. https://optout.aboutads.info and https://www.youronlinechoices.com/ will be explained.

• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing procedures, methods and services:

• Processing of cookie data based on consent: We use a cookie consent management process to obtain, manage, and revoke user consent for the use of cookies and the processing activities and providers mentioned within the cookie consent management process. The consent declaration is stored to avoid having to request it again and to be able to demonstrate consent in accordance with legal requirements. Storage can be server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to assign consent to a user or their device. Subject to individual information regarding the providers of cookie management services, the following applies: The storage period for consent can be up to two years. A pseudonymous user identifier is created and stored along with the time of consent, information on the scope of consent (e.g., which categories of cookies and/or service providers), and the browser, operating system, and device used. Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).


Business services

We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as "contractual partners"), within the framework of contractual and similar legal relationships as well as related measures and in the context of communication with the contractual partners (or pre-contractually), e.g. to answer inquiries.

We process this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations, and remedying warranty claims and other service disruptions. Furthermore, we process the data to protect our rights and for the purposes of the administrative tasks associated with these obligations, as well as for company organization. We also process the data based on our legitimate interests in proper and efficient business management and security measures to protect our contractual partners and our business operations from misuse, compromise of their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other support services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the framework of applicable law, we only disclose contractual partner data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.

We will inform our contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special markings (e.g. colors) or symbols (e.g. stars or similar), or personally.

We delete data after the expiry of statutory warranty periods and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, for example, as long as it must be retained for legal archiving purposes. The statutory retention period is ten years for tax-relevant documents, as well as for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions necessary for understanding these documents, and other organizational documents and accounting records. For received commercial and business correspondence and copies of sent commercial and business correspondence, the retention period is six years. This period begins at the end of the calendar year in which the last entry was made in the book, the inventory, opening balance sheet, annual financial statement, or management report was prepared, the commercial or business correspondence was received or sent, the accounting record was created, the record was made, or the other documents were created.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms apply to the relationship between users and the providers.

• Types of data processed: Inventory data (e.g., names, addresses); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., email addresses, telephone numbers); Contract data (e.g., subject matter of the contract, term, customer category); Usage data (e.g., websites visited, interest in content, access times); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Customers; prospective customers; business and contractual partners.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; handling contact requests and communication; office and organizational procedures. Administration and response to inquiries.
• Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

• Shop and e-commerce: We process our customers' data to enable them to select, purchase, or order the chosen products, goods, and related services, as well as to facilitate payment and delivery or fulfillment. If necessary for order fulfillment, we use service providers, in particular postal, freight forwarding, and shipping companies, to carry out delivery or fulfillment for our customers. We utilize the services of banks and payment service providers for processing payments. The required information is marked as such during the ordering or similar purchase process and includes the information needed for delivery, provision, and invoicing, as well as contact information to allow for any necessary follow-up. Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).


Provision of the online service and web hosting

We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

• Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures. Provision of contractual services and fulfillment of contractual obligations.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

• Collection of Access Data and Log Files: Access to our online services is logged in the form of so-called "server log files." Server log files may include the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes, e.g., to prevent server overload (especially in the case of malicious attacks, so-called DDoS attacks), and to ensure server capacity and stability. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
• 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ionos.dePrivacy Policy: https://www.ionos.de/terms-gtc/terms-privacy. Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.


Contact and inquiry management

When you contact us (e.g. by mail, contact form, email, telephone or via social media) and within the framework of existing user and business relationships, the information provided by the requesting persons is processed to the extent necessary to answer the contact requests and any requested measures.

• Types of data processed: Contact data (e.g., email addresses, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Communication partners.
• Purposes of processing: Contact requests and communication; managing and responding to inquiries; feedback (e.g., collecting feedback via online form). Provision of our online services and user-friendliness.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).


Presences in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about ourselves.

Please note that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce their rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on usage patterns and the resulting user interests. These user profiles can then be used to display advertisements, both within and outside the networks, that are likely to correspond to the users' interests. For these purposes, cookies are typically stored on users' computers, recording their usage patterns and interests. Additionally, user profiles can also store data independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).

For a detailed description of the respective processing methods and the options for objecting (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

Regarding requests for information and the assertion of data subject rights, we would like to point out that these can be most effectively addressed directly with the service providers. Only the providers have access to user data and can take appropriate action and provide information directly. However, should you require assistance, you can contact us.

• Types of data processed: Contact data (e.g., email addresses, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., websites visited, interest in content, access times); Meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Users (e.g., website visitors, users of online services).
• Purposes of processing: Contact requests and communication; feedback (e.g., collecting feedback via online form). Marketing.
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing procedures, methods and services:

• Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.comPrivacy Policy: https://instagram.com/about/legal/privacy.
• Facebook Pages: Profiles within the Facebook social network - We, together with Meta Platforms Ireland Limited, are responsible for collecting (but not further processing) data from visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take (see "Things you and others do and provide" in the Facebook Data Policy). https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/policyAs explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Page Insights," to page administrators so they can gain insights into how people interact with their pages and the content associated with them. We have a specific agreement with Facebook ("Information about Page Insights"). https://www.facebook.com/legal/terms/page_controller_addendum), which specifically regulates which security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, submit requests for information or deletion directly to Facebook). The rights of users (in particular, the rights to information, deletion, objection, and lodging a complaint with the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information on Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.comPrivacy Policy: https://www.facebook.com/about/privacy; Basis for third-country transfers: EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendumFurther information: Joint responsibility agreement: https://www.facebook.com/legal/terms/information_about_page_insights_dataJoint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which includes, in particular, the transfer of data to its parent company, Meta Platforms.ms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
  
  

Created with the free privacy policy generator Datenschutz-Generator.de by Dr. Thomas Schwenke