Data protection

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both within the scope of providing our services and in particular on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used are not gender-specific.

Status: September 19, 2025

Table of Contents

Controller

Marta Mielcarek / spark-coaching.ch

Authorized Representatives:

Marta Mielcarek

E-Mail-Address: hello@spark-coaching.ch

Terms: spark-coaching.ch

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of their processing, and the categories of data subjects involved.

Types of Data Processed

  • Inventory data.
  • Contact data.
  • Content data.
  • Usage data.
  • Meta, communication and procedural data.
  • Image and/or video recordings.
  • Audio recordings.
  • Log data.

Categories of Data Subjects

  • Service recipients and clients.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Depicted individuals.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Content Delivery Network (CDN).
  • Feedback.
  • Marketing.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.
  • Public relations and informational purposes.
  • Public relations.

    • Relevant Legal Bases

    Relevant legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations may apply in your or our country of residence or business location in addition to the GDPR. If more specific legal bases are applicable in individual cases, we will inform you of them in our privacy policy.

    • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
    • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

    Relevant legal bases under the Swiss Federal Act on Data Protection (FADP): If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (FADP). Unlike the GDPR, the FADP generally does not require a legal basis to be specified for the processing of personal data. Processing must be conducted in good faith, lawfully, and proportionately (Art. 6 paras. 1 and 2 FADP). Furthermore, personal data may only be collected for a specific, recognizable purpose and processed only in a manner compatible with that purpose (Art. 6 para. 3 FADP).

    Note on applicability of GDPR and Swiss FADP: These privacy notices are intended to provide information in accordance with both the Swiss FADP and the GDPR. Therefore, please note that for broader applicability and clarity, the terminology of the GDPR is used. Specifically, instead of the terms used in the Swiss FADP such as “processing” of “personal data,” “overriding interest,” and “sensitive personal data,” we use the corresponding GDPR terms: “processing” of “personal data,” “legitimate interest,” and “special categories of data.” However, the legal meaning of the terms is still determined according to the FADP where applicable.

    Security Measures

    In accordance with legal requirements and considering the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

    These measures specifically include safeguards to maintain the confidentiality, integrity, and availability of data. This is achieved through control of physical and electronic access to the data, as well as controls over access rights, data input, transmission, availability assurance, and data segregation. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and effective responses to data security threats. In line with the principles of data protection by design and by default, we also incorporate data protection considerations into the development or selection of hardware, software, and processes.

    Securing online connections via TLS/SSL encryption technology (HTTPS): To protect user data transmitted through our online services from unauthorized access, we utilize TLS/SSL encryption. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are foundational technologies for secure data transmission on the Internet. These technologies encrypt the data exchanged between the website or app and the user’s browser (or between two servers), thereby preventing unauthorized access. TLS, as the more advanced and secure successor to SSL, ensures that all data transmissions comply with the highest security standards. A website secured by an SSL/TLS certificate is indicated by the presence of HTTPS in the URL, signaling to users that their data is being transmitted securely and in encrypted form.

    Rights of Data Subjects

    Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, particularly as set out in Articles 15 to 21 of the GDPR:

    • Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing; this also applies to profiling, insofar as it is related to direct marketing.
    • Right to Withdraw Consent: You have the right to withdraw any consent given at any time.
    • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed and, if so, access to that data and further information, as well as a copy of the data in accordance with legal requirements.
    • Right to Rectification: In accordance with legal requirements, you have the right to request the completion or correction of inaccurate personal data concerning you.
    • Right to Erasure and Restriction of Processing: Subject to legal requirements, you have the right to request the immediate deletion of data concerning you, or alternatively, to request the restriction of processing in accordance with legal provisions.
    • Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller, as permitted by law.
    • Right to Lodge a Complaint with a Supervisory Authority: In accordance with legal provisions and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

    Rights of data subjects under the Swiss Federal Act on Data Protection (FADP):

    As a data subject, you are entitled to the following rights under the Swiss FADP:

    • Right of Access: You have the right to request confirmation as to whether personal data concerning you is being processed, and to receive the information necessary to assert your rights under the FADP and to ensure transparent data processing.
    • Right to Data Disclosure or Transfer: You have the right to request the disclosure of personal data that you have provided to us, in a commonly used electronic format.
    • Right to Rectification: You have the right to request the correction of inaccurate personal data concerning you.
    • Right to Object, Erasure, and Destruction: You have the right to object to the processing of your data, as well as to request that your personal data be deleted or destroyed.

      • Provision of Online Services and Web Hosting

      We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to deliver the content and functions of our online services to the user's browser or device.

      • Types of Data Processed: Usage data (e.g., page views, time spent, click paths, usage frequency and intensity, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved parties); Log data (e.g., log files regarding logins or data retrieval or access times); Content data (e.g., text or image messages and posts, including related information such as author or time of creation).
      • Data Subjects: Users (e.g., website visitors, users of online services); Business and contractual partners.
      • Purposes of Processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures; Content Delivery Network (CDN).
      • Retention and Deletion: Deletion in accordance with the section "General Information on Data Retention and Deletion".
      • Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

      Further Notes on Processing Activities, Procedures, and Services:

      • Provision of Online Services on Rented Hosting Space: To provide our online services, we use storage space, computing capacity, and software rented or otherwise obtained from a server provider (also called "web host"); Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
      • Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called "server log files." These log files may include the addresses and names of accessed web pages and files, date and time of access, data volumes transferred, messages about successful access, browser type and version, the user's operating system, referrer URL (previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes (e.g., to prevent server overload, particularly in the case of abusive attacks such as DDoS attacks) and to ensure the stability and performance of the server; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
      • Cloudflare: Content Delivery Network (CDN) service that helps deliver content, especially large media files such as graphics or scripts, faster and more securely using regionally distributed servers connected via the internet; Service Provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/; Legal Basis for Third-Country Transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (SCC), Switzerland – DPF, SCC.
      • Showit: Hosting and software service for creating, delivering, and operating websites, blogs, and other online services; Service Provider: Showit, Inc., 2490 S Gilbert Rd #200, Chandler, AZ 85286 USA; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://showit.com/; Privacy Policy: https://showit.com/privacy/.
      • Amazon Web Services (AWS): Services in the area of IT infrastructure provisioning and related services (e.g., storage and/or computing capacity); Service Provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855, Luxembourg; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://aws.amazon.com/de/; Privacy Policy: https://aws.amazon.com/de/privacy/; Data Processing Agreement: https://aws.amazon.com/de/compliance/gdpr-center/; Legal Basis for Third-Country Transfers: EU/EEA – DPF, SCC (https://aws.amazon.com/service-terms/), Switzerland – DPF, SCC.
      • METANET: Services in the area of IT infrastructure provisioning and related services (e.g., storage and/or computing capacity); Service Provider: METANET AG, Josefstrasse 218, CH-8005 Zurich, Switzerland; Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Website: https://www.metanet.ch/; Privacy Policy: https://www.metanet.ch/de/ueber-metanet/rechtliches; Data Processing Agreement: https://www.metanet.ch/about_metanet/rechtliches.
      • consentmanager: Consent management tool: a procedure for obtaining, logging, managing, and revoking consents, especially for the use of cookies and similar technologies for storing, accessing, and processing information on users' devices and for further processing; Service Provider: Jaohawi AB, Håltegelvägen 1b, 72348 Västerås, Sweden; Website: https://www.consentmanager.de/; Privacy Policy: https://www.consentmanager.net/; Data Processing Agreement: https://www.consentmanager.net/tac.php; Additional Information: The following data is stored on the service provider's servers in the EU: identification number (for the user, browser, operating system, and device used), IP address, date and time, country, language, type, scope, and purpose of consent, browser cookie settings, website on which consent was given, technical information about the browser and operating system.

      Use of Cookies

      The term "cookies" refers to functions that store information on users’ end devices and retrieve it from them. Cookies can be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as for analyzing visitor traffic. We use cookies in accordance with legal regulations. Where necessary, we obtain users' consent in advance. If consent is not required, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide explicitly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about the scope of use and which cookies are used.

      Notes on data protection legal bases: Whether we process personal data using cookies depends on the presence of consent. If consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as outlined above in this section and in the context of the respective services and processes.

      Storage duration: With regard to the storage duration, the following types of cookies are distinguished:

      • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left the online service and closed their device (e.g., browser or mobile application).
      • Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, login status can be saved and preferred content can be displayed directly when the user revisits a website. User data collected through cookies may also be used for reach measurement. If we do not explicitly inform users about the type and duration of cookies (e.g., during the consent process), they should assume these are persistent cookies with a storage duration of up to two years.

      General notes on withdrawal and objection (opt-out): Users can withdraw any consent they have given at any time and also object to the processing of data in accordance with legal requirements, including via their browser's privacy settings.

      • Types of Data Processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
      • Data Subjects: Users (e.g. website visitors, users of online services).
      • Legal Bases: Legitimate interests (Art. 6(1)(1)(f) GDPR). Consent (Art. 6(1)(1)(a) GDPR).

      Further information on processing activities, procedures, and services:

      • Processing of cookie data based on consent: We use a consent management solution through which users' consent is obtained for the use of cookies or for the procedures and providers specified within the consent management system. This process serves to obtain, log, manage, and revoke consents, especially in relation to the use of cookies and similar technologies that store, access, and process information on users’ end devices. Within this framework, users' consents are obtained for the use of cookies and associated processing of information, including specific processing operations and providers listed in the consent management procedure. Users also have the option to manage and revoke their consents. Consent declarations are stored to avoid repeated queries and to provide legal proof of consent. The storage takes place server-side and/or in a cookie (so-called opt-in cookie) or using similar technologies, in order to associate the consent with a specific user or device. If no specific providers are mentioned, the following general information applies: Consent is stored for up to two years. This creates a pseudonymous user identifier, which is stored together with the time of consent, details of the scope of consent (e.g. relevant categories of cookies and/or service providers) and information about the browser, system and terminal device used.

        Communication via Messenger

        We use messengers for communication purposes and therefore ask you to take note of the following information regarding how messengers function, encryption, the use of communication metadata, and your options to object.

        You may also contact us through alternative means, such as by phone or email. Please use the contact options provided to you or those listed within our online services.

        In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we point out that the communication content (i.e., the message text and attached images) is encrypted from end to end. This means the content of the messages cannot be viewed — not even by the messenger providers themselves. You should always use an up-to-date version of the messenger app with encryption enabled to ensure that your messages are properly encrypted.

        However, we also inform our communication partners that, although messenger providers cannot view the content, they may still learn when and with whom communication is taking place. They may also process technical information about the communication partners’ devices and, depending on the settings of their devices, location data (so-called metadata).

        Notes on Legal Bases: If we request permission from communication partners before communicating with them via messenger services, the legal basis for processing their data is their consent. Otherwise, if we do not request consent and, for example, they contact us on their own initiative, we use messenger services in relation to our contractual partners and in the context of contract initiation as a contractual measure. In the case of other interested parties and communication partners, the processing is based on our legitimate interest in fast and efficient communication and fulfilling the needs of our communication partners for messenger-based contact. Furthermore, we inform you that we will not transmit contact details to messenger services for the first time without your consent.

        Revocation, Objection, and Deletion: You may revoke any consent given at any time and object to communication with us via messenger services at any time. In case of communication via messenger, we delete the messages in accordance with our general deletion policies (e.g., as mentioned above, after the end of contractual relationships, within the context of archiving obligations, etc.), and otherwise, as soon as we can assume that the inquiry of the communication partner has been answered and no further reference to a previous conversation is expected, unless legal retention obligations prevent deletion.

        Reservation of Alternative Communication Channels: To ensure your security, please understand that we may not be able to respond to certain inquiries via messenger services. This applies to situations where contract details must be handled with particular confidentiality or where a reply via messenger does not meet formal requirements. In such cases, we recommend using more appropriate communication channels.

        • Types of Data Processed: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and related information such as authorship or time of creation); usage data (e.g., page views and time spent, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).
        • Data Subjects: Communication partners.
        • Purposes of Processing: Communication. Direct marketing (e.g., by email or postal mail).
        • Storage and Deletion: Deletion in accordance with the section "General Information on Data Retention and Deletion".
        • Legal Bases: Consent (Art. 6(1)(1)(a) GDPR); Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR); Legitimate interests (Art. 6(1)(1)(f) GDPR).

        Further Information on Processing Activities, Procedures, and Services:

        • Apple iMessage: Sending and receiving text messages, voice messages, and video calls. Conducting group conversations. Sharing files, photos, videos, and locations. Securing communication through end-to-end encryption. Synchronizing messages across multiple devices. Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.apple.com/de/. Privacy Policy: https://www.apple.com/legal/privacy/de-ww/.
        • Microsoft Teams: Used for conducting online events, conferences, and communication with internal and external participants. Functions include voice transmission, direct messaging, group communication, and collaboration. Data processed includes name, business contact details, work profile, participation, and content (audio/video, voice, chat, files, voice transcription) for purposes such as efficiency and productivity improvement, cost-efficiency, flexibility, mobility, enhanced communication, IT security, use of a central platform, and business operations of Microsoft. Audio is not stored unless recording is enabled. Meeting recordings are stored for 90 days by default unless otherwise specified. Chat and file content is stored according to administrator or user-defined policies; no automatic deletion is preset. Channels must be renewed every 180 days or their contents will be deleted. System-generated logs, diagnostic, and metadata are also processed, as well as diagnostic data for product stability, security, and improvement. Service providers: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-365; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Info: https://www.microsoft.com/de-de/trustcenter. Data Transfer Mechanisms: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (link), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (link).
        • Signal: Signal messenger with end-to-end encryption. Service provider: Privacy Signal Messenger, LLC, 650 Castro Street, Suite 120-223, Mountain View, CA 94041, USA; Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://signal.org/de/. Privacy Policy: https://signal.org/legal/.
        • WhatsApp: Text messages, voice and video calls, sending of images, videos, and documents, group chat functionality, end-to-end encryption for enhanced security. Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate interests (Art. 6(1)(1)(f) GDPR); Website: https://www.whatsapp.com/; Privacy Policy: https://www.whatsapp.com/legal. Data Transfer Mechanisms: EU/EEA – Data Privacy Framework (DPF), Switzerland – Data Privacy Framework (DPF).

        Video Conferences, Online Meetings, Webinars, and Screen Sharing

        We use platforms and applications provided by third-party providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (collectively referred to hereinafter as "conferences"). When selecting conference platforms and their services, we comply with legal requirements.

        Data Processed by Conference Platforms: In the course of participating in a conference, the conference platforms process the following personal data of participants. The scope of processing depends on the specific conference requirements (e.g., provision of login credentials or real names) and the optional information provided by participants. In addition to processing for the purpose of conducting the conference, participant data may also be processed by the conference platforms for security or service optimization purposes. Processed data may include personal information (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, job title/position, IP address of the internet connection, device details, operating system, browser and its technical and language settings, communication content (e.g., chat inputs, audio and video data), as well as use of other available functions (e.g., polls). The content of communications is encrypted to the extent technically supported by the respective conference platform. If participants are registered users with the conference platforms, additional data may be processed in accordance with their agreement with the respective provider.

        Logging and Recordings: If text inputs, participation results (e.g., from polls), or video/audio recordings are logged, this will be transparently communicated to the participants in advance, and consent will be obtained where required.

        Data Protection Measures for Participants: Please refer to the privacy policies of the respective conference platforms for details on how your data is processed and use the platform settings to select the security and privacy settings that are most appropriate for you. Additionally, during video conferences, please ensure that your personal space is protected in the background of your video stream (e.g., by informing housemates, closing doors, and using background blurring features if technically possible). Links to conference rooms and access credentials must not be shared with unauthorized third parties.

        Legal Basis Information: If, in addition to the conference platforms, we also process users’ data and request their consent to use such platforms or specific features (e.g., consent to recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary for the performance of contractual obligations (e.g., maintaining participant lists, documenting meeting outcomes, etc.). Otherwise, the data of users is processed based on our legitimate interest in efficient and secure communication with our communication partners.

        • Types of Data Processed: Master data (e.g., full name, residential address, contact details, customer number, etc.); Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., text or image-based messages and posts, including information such as authorship or time of creation); Usage data (e.g., page views and session duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); Image and/or video recordings (e.g., photographs or video recordings of individuals); Audio recordings. Log data (e.g., log files relating to logins or access to data, timestamps).
        • Data Subjects: Communication partners; Users (e.g., website visitors, users of online services); Individuals depicted in media.
        • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures.
        • Storage and Deletion: Deletion in accordance with the details provided in the section "General Information on Data Retention and Deletion".
        • Legal Bases: Legitimate Interests (Art. 6 (1) sentence 1 lit. f) GDPR).

        Further Information on Processing Operations, Procedures, and Services:

        • Microsoft Teams: Used for conducting online events, conferences, and communication with internal and external participants. Functions include voice transmission, direct messaging, group communication, and collaboration features. Data processed includes name, business contact details, work profile, participation, and content (audio/video, speech, chat, files, speech-to-text) for purposes of efficiency, productivity, cost-effectiveness, flexibility, mobility, improved communication, IT security, use of a centralized platform, and business operations. Audio signals are generally not stored unless recording is activated. Meeting and conference recordings are stored for 90 days by default, unless another duration is specified. Chat and file contents are stored according to policies defined by the administrator or user; no automatic deletion is preset. Channels must be renewed every 180 days, otherwise content is deleted. Additionally, system-generated log, diagnostic, and metadata are processed, and diagnostic data is collected for product stability, security, and improvement purposes; Service Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal Basis: Legitimate Interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement; Security Information: https://www.microsoft.com/de-de/trustcenter; Third Country Transfer Basis: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses (DPA), Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses.
        • Zoom: Video conferences, online meetings, webinars, screen sharing, optional session recording, chat functionality, integration with calendars and other apps; Service Provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal Basis: Legitimate Interests (Art. 6 (1) sentence 1 lit. f) GDPR); Website: https://zoom.us; Privacy Policy: https://explore.zoom.us/de/privacy/; Data Processing Agreement: Zoom Global DPA; Third Country Transfer Basis: EU/EEA - Data Privacy Framework (DPF), Standard Contractual Clauses, Switzerland - Data Privacy Framework (DPF), Standard Contractual Clauses.

        Digital Badges

        Digital badges, also known as Open Badges (hereinafter referred to as "badges"), are digital certificates that confirm the skills, achievements, and interests of individuals or organizations. They are issued by credible organizations. Badges are embedded with metadata and information about the acquired competencies and achievements. Typically, badges are represented by an image or digital certificate that includes information about the recipient, the issuer, metadata, and other relevant data.

        When badges are issued individually to specific persons, the metadata stored in the badges and used for attribution purposes, such as details about skills, achievements, and interests, is processed accordingly.

        If cookies and similar technologies that are not technically necessary are used in connection with badges and user consent is therefore required, we obtain the respective consent from the users and inform them accordingly.

        • Types of Data Processed: Master data (e.g., full name, residential address, contact details, customer number, etc.); Content data (e.g., textual or visual messages and posts as well as associated information such as authorship or time of creation); Usage data (e.g., page views and session duration, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, persons involved).
        • Data Subjects: Service recipients and clients; Users (e.g., website visitors, users of online services); Business and contractual partners.
        • Purposes of Processing: Marketing; Provision of our online offering and user-friendliness; Public relations and informational purposes; Provision of contractual services and fulfillment of contractual obligations.
        • Storage and Deletion: Deletion in accordance with the section "General Information on Data Retention and Deletion". Deletion after termination.
        • Legal Bases: Consent (Art. 6 (1) sentence 1 lit. a) GDPR); Legitimate Interests (Art. 6 (1) sentence 1 lit. f) GDPR).

        Further Information on Processing Operations, Procedures, and Services:

        • Embedding Digital Badges: Within our online offering, we integrate badges from third-party sources (so-called “embedding”). This means both the visual display of the badge and the associated metadata are presented within our service. The content is loaded in real time from the respective badge provider’s servers to ensure the badge is always up to date. For this purpose, a data connection is established between our platform and the badge provider’s server. The technical data transferred includes the IP address, badge metadata, information about the visited webpage, the time of access, and technical details about the browser and system as transmitted by the user’s device. This data transfer also informs the badge provider that a user has accessed our online service; Legal Basis: Legitimate Interests (Art. 6 (1) sentence 1 lit. f) GDPR).

        Presence on Social Networks (Social Media)

        We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about our organization.

        Please note that user data may be processed outside the European Union. This may pose certain risks for users, for example, because it could make it more difficult to enforce user rights.

        Furthermore, user data is typically processed within social networks for market research and advertising purposes. For example, user behavior and the resulting interests can be used to create usage profiles. These profiles may in turn be used to display advertisements within and outside of the networks that are presumably aligned with users' interests. For this purpose, cookies are generally stored on users’ devices, in which the usage behavior and interests of users are recorded. In addition, data may also be stored in user profiles regardless of the devices used by the users (especially if they are registered and logged in members of the respective platforms).

        For detailed information on the respective processing activities and options to object (opt-out), we refer to the privacy policies and statements of the operators of the respective social networks.

        In the case of requests for information or the assertion of data subject rights, please note that these are most effectively addressed directly to the respective providers. Only the providers themselves have access to user data and can take direct action and provide the requested information. However, if you need assistance, you are welcome to contact us.

        • Types of data processed: Contact data (e.g., postal and email addresses or telephone numbers); content data (e.g., text or image messages and posts, including related information such as authorship details or time of creation); usage data (e.g., page views and time spent, click paths, usage frequency and intensity, types of devices and operating systems used, interactions with content and features).
        • Data subjects: Users (e.g., website visitors, users of online services).
        • Purposes of processing: Communication; feedback (e.g., collecting feedback via online forms); public relations.
        • Storage and deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion".
        • Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR).

        Further information on processing operations, procedures and services:

        • LinkedIn: Social network – We share joint responsibility with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data from visitors used to generate “Page Insights” (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with and their actions on the platform. It also includes details about the devices used, such as IP addresses, operating systems, browser types, language settings, and cookie data, as well as profile information such as job role, country, industry, seniority level, company size, and employment status. For more information on how LinkedIn processes user data, please refer to LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
          We have entered into a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum) that outlines the security measures LinkedIn is required to implement and states that LinkedIn has agreed to fulfill data subject rights (i.e., users may direct requests for information or deletion directly to LinkedIn). These agreements do not restrict users’ rights (in particular the right of access, erasure, objection, and complaint to the supervisory authority). Joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, an entity based in the EU. Further data processing is carried out exclusively by LinkedIn Ireland Unlimited Company, including any data transfers to the parent company LinkedIn Corporation in the USA.
          Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
          Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR);
          Website: https://www.linkedin.com;
          Privacy policy: https://www.linkedin.com/legal/privacy-policy;
          Third-country transfer basis: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa), Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa).
          Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

        Plugins and Embedded Functions and Content

        We incorporate functional and content elements into our online offering that are retrieved from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter collectively referred to as "content").

        Embedding always requires that the third-party providers of this content process users' IP addresses, as they would not be able to send the content to the users' browsers without the IP address. The IP address is therefore necessary to display this content or functionality. We strive to only use content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. Pixel tags can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymized information may also be stored in cookies on the users' devices and may contain technical details about the browser and operating system, referring websites, time of visit, and other details regarding the use of our online offering. This information may also be linked with such data from other sources.

        Information on legal basis: Where we ask users for their consent to use third-party providers, the legal basis for data processing is that consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e., interest in providing efficient, cost-effective, and user-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.

        • Types of data processed: Usage data (e.g., page views and time spent, click paths, frequency and intensity of use, device types and operating systems used, interactions with content and features). Meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
        • Data subjects: Users (e.g., website visitors, users of online services).
        • Purposes of processing: Provision of our online offering and user-friendliness.
        • Storage and deletion: Deletion in accordance with the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (Unless otherwise specified, cookies and similar storage methods may be stored on users' devices for a period of up to two years).
        • Legal basis: Consent (Art. 6(1)(1)(a) GDPR). Legitimate interests (Art. 6(1)(1)(f) GDPR).

        Further information on processing operations, procedures, and services:

        • Google Fonts (hosted locally): Provision of font files for the purpose of user-friendly presentation of our online offering;
          Service provider: Google Fonts are hosted on our own server; no data is transmitted to Google;
          Legal basis: Legitimate interests (Art. 6(1)(1)(f) GDPR). <

          Changes and Updates

          We kindly ask you to regularly review the content of our privacy policy. We update the privacy policy whenever changes in the data processing activities we carry out make it necessary. We will inform you as soon as these changes require any action on your part (e.g., consent) or any other individual notification.

          Where this privacy policy provides addresses and contact information of companies and organizations, please note that these addresses may change over time, and we kindly ask you to verify the information before making contact.

          Definitions

          This section provides an overview of the terms used in this privacy policy. Where the terms are legally defined, their legal definitions apply. The following explanations primarily serve to aid understanding.

          • Master Data: Master data includes essential information necessary for the identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic information such as names, contact details (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Master data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling clear assignment and communication.
          • Content Delivery Network (CDN): A Content Delivery Network (CDN) is a service that helps deliver content from an online offering—especially large media files such as graphics or program scripts—more quickly and securely by using geographically distributed servers connected via the internet.
          • Content Data: Content data comprises information generated in the course of creating, editing, and publishing content of any kind. This category may include texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data is not limited to the actual content but also includes metadata that provides information about the content itself, such as tags, descriptions, author details, and publication dates.
          • Contact Data: Contact data are essential details that enable communication with individuals or organizations. These include phone numbers, postal addresses, email addresses, as well as communication means like social media handles and instant messaging identifiers.
          • Meta, Communication, and Procedural Data: Meta, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information describing the context, origin, and structure of other data. It may include file size, creation date, document author, and revision histories. Communication data records information exchanged between users via various channels such as email traffic, call logs, social media messages, and chat histories, including involved persons, timestamps, and transmission paths. Procedural data describes processes and workflows within systems or organizations, including workflow documentation, transaction and activity logs, as well as audit logs used for tracking and reviewing operations.
          • Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a wide range of information showing how users use applications, which features they prefer, how long they stay on certain pages, and through which paths they navigate an application. Usage data may also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experience, personalizing content, and improving products or services. Furthermore, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
          • Personal Data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
          • Log Data: Log data is information about events or activities recorded within a system or network. This data typically includes timestamps, IP addresses, user actions, error messages, and other details about system use or operation. Log data is often used for analyzing system issues, security monitoring, or generating performance reports.
          • Controller: The "controller" is the natural or legal person, authority, institution, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
          • Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.