This privacy policy informs you about the type, scope, and purpose of processing personal data (hereinafter “data”) within the provision of our services and within our online offering and the related websites, features, and content, as well as external online presences (e.g., our social media profiles) (collectively referred to as the “Online Offering”). For the terms used (e.g., “processing” or “controller”), please refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Data processing within the scope of our online offering is carried out by the website operator:
Aham GmbH, represented by the Managing Director Raphael Nguyen
Address: Am Kohlfeld 17, 93468 Miltach, Germany
Email: kontakt@entspannungs-kongress.de

• Inventory data (e.g., master data, names, addresses)

• Contact data (e.g., email, telephone numbers)

• Content data (e.g., text entries, photographs, videos)

• Usage data (e.g., pages visited, interest in content, access times)

• Meta/communication data (e.g., device information, IP addresses)

Visitors and users of the Online Offering (hereinafter collectively referred to as “users”).

• Provision of the Online Offering, its functions and content

• Responding to contact requests and communication with users

• Security measures

• Reach measurement/marketing

“Personal data” means any information relating to an identified or identifiable natural person (the “data subject”). A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and subject to technical and organisational measures.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

In accordance with Article 13 GDPR, we inform you of the legal bases of our data processing. For users from the EU/EEA, unless a specific legal basis is stated in this privacy policy, the following applies:

• Consent: Art. 6(1)(a) and Art. 7 GDPR

• Performance of a contract and pre-contractual measures: Art. 6(1)(b) GDPR

• Compliance with a legal obligation: Art. 6(1)(c) GDPR

• Protection of vital interests: Art. 6(1)(d) GDPR

• Performance of a task carried out in the public interest or in the exercise of official authority: Art. 6(1)(e) GDPR

• Legitimate interests: Art. 6(1)(f) GDPR

• Processing for purposes other than those for which the data were collected: Art. 6(4) GDPR

• Processing of special categories of data: Art. 9(2) GDPR

We take appropriate technical and organisational measures in accordance with the law, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as varying likelihood and severity of risks to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

Measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data as well as the related access, input, transfer, availability, and separation of data. We have established procedures to ensure the exercise of data subjects’ rights, deletion of data, and response to data incidents. We also consider the protection of personal data by means of privacy by design and by default.

If, in the course of processing, we disclose data to other persons and companies (processors, joint controllers, or third parties), transmit data to them, or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g., if transmission to third parties, such as payment service providers, is required to fulfil a contract), on the basis of user consent, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using commissioned service providers, web hosts, etc.).

If we disclose or transmit data to other companies within our group or grant them access, this is done for administrative purposes and on the basis of a legitimate interest and, moreover, on a legal basis.

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or if this occurs in the context of using third-party services or disclosure/transfer of data to other persons or companies, this will only occur if necessary for the performance of our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or allow data to be processed in a third country only where the legal requirements are met, e.g., on the basis of special safeguards such as an officially recognised adequacy decision or standard contractual clauses.

You have the right to obtain confirmation as to whether data concerning you are being processed, access to the data, and further information and a copy of the data in accordance with legal requirements.

You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you.

In accordance with legal requirements, you have the right to request that data concerning you be erased without delay or, alternatively, to request restriction of processing.

You have the right to receive the data concerning you that you have provided to us in accordance with legal requirements and to request their transmission to other controllers.

You also have the right to lodge a complaint with the competent supervisory authority in accordance with legal requirements.

You have the right to withdraw consent at any time with effect for the future.

You may object to the future processing of data concerning you at any time in accordance with legal requirements. In particular, you may object to processing for direct marketing purposes.

“Cookies” are small files stored on users’ devices. Various information can be stored within cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit within an online offering. “Session cookies” are cookies that are deleted after a user leaves an online offering and closes their browser. “Permanent” or “persistent” cookies remain stored even after the browser is closed. “Third-party cookies” are cookies offered by providers other than the controller operating the online offering (otherwise, if only the controller’s cookies are used, they are called “first-party cookies”).

We may use both temporary and permanent cookies and will inform you accordingly in this privacy policy.

If users do not wish cookies to be stored on their device, they can disable the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s settings. The exclusion of cookies may lead to functional limitations of this Online Offering.

A general objection to the use of cookies for online marketing purposes can be declared for many services, especially tracking, via the U.S. site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. You can also prevent cookies from being stored by disabling them in your browser settings. Please note that not all functions of this Online Offering may then be available.

Data processed by us will be deleted or restricted in processing in accordance with legal requirements. Unless expressly stated in this privacy policy, data stored by us will be deleted as soon as it is no longer required for its intended purpose and there are no legal retention obligations.

If data are not deleted because they are required for other and legally permissible purposes, processing will be restricted. In this case, the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.

Please review the content of our privacy policy regularly. We will adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you if your cooperation (e.g., consent) or other individual notification is required.

Additionally, we process:

• Contract data (e.g., subject matter of the contract, term, customer category)

• Payment data (e.g., bank details, payment history)
  of our customers, prospects, and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.

We process our customers’ data as part of order processes in our online shop to enable them to select and order the chosen products and services, as well as payment and delivery or execution.

Processed data include inventory data, communication data, contract data, and payment data. Data subjects include our customers, prospects, and other business partners. Processing is carried out for the purpose of providing contractual services within the operation of an online shop, billing, delivery, and customer service. We use session cookies to store the shopping cart content and permanent cookies to store the login status.

Processing is carried out for the performance of our services and the fulfilment of contractual measures (e.g., processing orders) and to the extent legally required (e.g., legally required archiving for commercial and tax purposes). Required information is necessary to establish and fulfil the contract. We disclose data to third parties only within the scope of delivery, payment, or on the basis of legal permissions and obligations, or where based on our legitimate interests (e.g., to legal and tax advisors, financial institutions, carriers, and authorities).

Users may optionally create a user account, in which they can, in particular, view their orders. Required mandatory information is communicated during registration. User accounts are not public and are not indexed by search engines. If users have terminated their user account, the data relating to the user account will be deleted, subject to retention necessary for commercial or tax reasons. Information in the customer account remains until its deletion with subsequent archiving where legally required or where our legitimate interests apply (e.g., in case of legal disputes). It is the users’ responsibility to secure their data prior to the end of the contract.

In the context of registration and subsequent logins and use of our online services, we store the IP address and the time of the respective user action based on our legitimate interests and those of users in protection against misuse and other unauthorised use. This data is not transferred to third parties unless required to pursue our claims as a legitimate interest or there is a legal obligation.

Deletion occurs after the expiry of statutory warranty and other contractual rights or obligations (e.g., payment claims or performance obligations), whereby the necessity of retention is reviewed every three years; in the case of retention due to statutory archiving obligations, deletion occurs after their expiry.

We process our clients’ data within the scope of our contractual services which include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting, and training services.

We process inventory data (e.g., client master data such as names and addresses), contact data (e.g., email, phone numbers), content data (e.g., text entries, photos, videos), contract data (e.g., subject matter, term), payment data (e.g., bank details, payment history), usage and meta data (e.g., as part of evaluation and success measurement of marketing measures). We generally do not process special categories of personal data unless they are part of a commissioned processing. Data subjects include our clients, prospects, and their customers, users, website visitors, employees, and third parties. The purpose is to provide contractual services, billing, and customer service. Legal bases: Art. 6(1)(b) GDPR (contractual services), Art. 6(1)(f) GDPR (analysis, statistics, optimisation, security measures). We process data necessary for establishing and fulfilling contracts and point out the necessity of their provision where not evident. Disclosure to external parties occurs only if required under a contract. When processing data provided to us within a contract, we act in accordance with the client’s instructions and the legal requirements of Art. 28 GDPR.

We delete data after statutory warranty and comparable obligations expire. The necessity of retention is reviewed every three years; legal archiving periods apply (6 years under § 257(1) HGB; 10 years under § 147(1) AO). For data disclosed to us by clients within a contract, we delete the data in accordance with the contract, generally after the contract ends.

We process data of our clients and prospects and other customers or contracting parties (“clients”) pursuant to Art. 6(1)(b) GDPR to provide contractual or pre-contractual services. The nature, scope, and purpose of processing and its necessity are determined by the underlying contractual relationship. We process basic and master data (e.g., name, address), contact data (e.g., email, telephone), contract data (e.g., services used, fees, contact persons), and payment data (e.g., bank details, payment history).

We may also process special categories of data under Art. 9(1) GDPR (e.g., health data) where required. Where necessary, we obtain explicit consent under Art. 6(1)(a), Art. 7, and Art. 9(2)(a) GDPR, and otherwise process such data for healthcare purposes under Art. 9(2)(h) GDPR, § 22(1) no. 1(b) BDSG.

Where necessary for contract performance or by law, we disclose or transmit clients’ data in the context of communication with other professionals and third parties typically involved in fulfilment (e.g., billing services), where required by Art. 6(1)(b) GDPR, by law under Art. 6(1)(c) GDPR, by our or clients’ legitimate interests in efficient, cost-effective healthcare under Art. 6(1)(f) GDPR, to protect vital interests under Art. 6(1)(d) GDPR, or on the basis of consent under Art. 6(1)(a), Art. 7 GDPR.

Deletion occurs when data are no longer necessary for contractual or legal care obligations and handling of warranty and similar obligations; necessity is reviewed every three years; statutory retention obligations apply.

We process data of our contracting parties and prospects as well as other customers or partners (“contracting partners”) under Art. 6(1)(b) GDPR to provide contractual or pre-contractual services. Processed data include master data (e.g., names, addresses), contact data (e.g., emails, phone numbers), contract data (e.g., services used, content, communication, contact persons), and payment data (e.g., bank details, payment history).

We generally do not process special categories of personal data unless part of a commissioned or contractual processing.

We process data necessary to establish and fulfil contracts and indicate the necessity of their provision where not evident. Disclosure to external parties occurs only if required under a contract. When processing data provided to us within a contract, we act according to instructions and legal requirements.

In using our online services, we may store the IP address and the time of a user action based on our and users’ legitimate interests in protection against misuse. This data is not disclosed to third parties unless required to pursue claims (Art. 6(1)(f) GDPR) or by legal obligation (Art. 6(1)(c) GDPR).

Deletion occurs when data are no longer required for contractual or legal obligations and handling of warranty/claims; necessity is reviewed every three years; statutory retention obligations apply.

We use external payment service providers through whose platforms users and we can execute payment transactions (privacy policies linked):
PayPal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full),
Klarna (https://www.klarna.com/de/datenschutz/),
Skrill (https://www.skrill.com/de/fusszeile/datenschutzrichtlinie/),
Giropay (https://www.giropay.de/rechtliches/datenschutz-agb/),
Visa (https://www.visa.de/datenschutz),
Mastercard (https://www.mastercard.de/de-de/datenschutz.html),
American Express (https://www.americanexpress.com/de/content/privacy-policy-statement.html).

For contract fulfilment we use payment service providers under Art. 6(1)(b) GDPR; otherwise based on our legitimate interests under Art. 6(1)(f) GDPR to offer effective and secure payment options.

Data processed by payment providers include inventory data (name, address), bank data (account or card numbers), passwords, TANs, checksums, and contract-, amount- and recipient-related information. The information is required to carry out transactions. The data entered are processed and stored solely by the payment providers. We do not receive account or card details, only confirmations or negative notices. Data may be transmitted by payment providers to credit agencies for identity and credit checks. Please refer to the providers’ terms and privacy notices.

For payment transactions, the terms and privacy policies of the respective providers apply, accessible on their websites or transaction applications.

We process data in the context of administrative tasks, organisation of operations, financial accounting, and compliance with legal obligations (e.g., archiving). The same data are processed as for providing contractual services. Legal bases: Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR. Data subjects are customers, prospects, business partners, and website visitors. The purpose and our interest lie in administration, accounting, office organisation, and data archiving. Deletion of data regarding contractual services and communication follows the details stated above.

We may disclose or transmit data to tax authorities, advisors (e.g., tax consultants, auditors), and other fee bodies and payment service providers.

We also store information on suppliers, organisers, and other business partners for contact purposes based on our business interests. This data—mostly company-related—is generally stored permanently.

To operate our business economically, recognise market trends, and understand partners’ and users’ wishes, we analyse the data available to us regarding business transactions, contracts, enquiries, etc. We process inventory, communication, contract, payment, usage, and meta data under Art. 6(1)(f) GDPR. Data subjects include contracting partners, prospects, customers, visitors, and users.

Analyses serve business evaluations, marketing, and market research. We may consider profiles of registered users with information on services used. Analyses help improve usability, optimise our offering, and ensure economic efficiency. Analyses are for our internal use only and are not disclosed externally unless in anonymised, aggregated form.

If analyses or profiles are personal, they are deleted or anonymised upon termination by users, otherwise after two years from contract conclusion. In general, business analyses and trend assessments are created anonymously where possible.

Within our Online Offering, we use industry-standard tracking measures based on our legitimate interests (Art. 6(1)(f) GDPR) where necessary for the operation of affiliate systems. Services offered by our partners may be advertised and linked on other websites (affiliate links or after-buy systems). Operators of such websites receive a commission if users follow affiliate links and then use the offers.

It is necessary for our Online Offering to track whether users who are interested in affiliate links or offers subsequently use them. For this purpose, affiliate links and offers are supplemented with certain values, which may be part of the link or set elsewhere (e.g., in a cookie). Values include the originating website (referrer), time, online identifier of the website operator, online identifier of the offer, online identifier of the user, and tracking-specific values (ad ID, partner ID, categories).

The online identifiers we use are pseudonymous; they do not contain personal data such as names or email addresses. They only help determine whether the same user has taken up an offer. However, the identifier is personal insofar as the partner company and we have the identifier along with other user data.

We participate in the Amazon EU Partner Programme based on our legitimate interests (Art. 6(1)(f) GDPR). This programme enables the placement of advertisements and links to Amazon.de to earn advertising fees. As an Amazon partner, we earn from qualifying purchases.

Amazon uses cookies to trace the origin of orders. Among other things, Amazon can recognise that you clicked a partner link on this website and subsequently purchased a product.

For further information on Amazon’s data use and opt-out options, see Amazon’s privacy notice: https://www.amazon.de/gp/help/customer/display.html?nodeId=201909010.
Note: Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

We participate in the partner programme of Digistore24 GmbH, St.-Godehard-Straße 32, 31139 Hildesheim, Germany, based on our legitimate interests (Art. 6(1)(f) GDPR). Digistore24 uses cookies to trace the origin of contract conclusions. Among other things, Digistore24 can recognise that you clicked the partner link on this website and subsequently concluded a contract with or via Digistore24.

For more information on data use by Digistore24 and opt-out options, see: https://www.digistore24.com/page/privacyl.

We process applicant data only for the purpose and within the scope of the application procedure in accordance with legal requirements. Processing is carried out to fulfil our (pre-)contractual obligations under Art. 6(1)(b) GDPR and, where necessary, Art. 6(1)(f) GDPR (e.g., in legal proceedings). In Germany, § 26 BDSG additionally applies.

Applicants must provide us with the applicant data. Required data are marked where we provide an online form or otherwise derive from the job descriptions; they generally include personal details, postal and contact addresses, and supporting documents (cover letter, CV, certificates). Applicants may also voluntarily provide additional information.

By submitting the application, applicants consent to processing their data for the purposes of the application procedure as set out in this privacy policy.

Where special categories of personal data under Art. 9(1) GDPR are voluntarily provided, processing is additionally based on Art. 9(2)(b) GDPR (e.g., health data). Where such data are requested, processing is based on Art. 9(2)(a) GDPR.

If available, applicants may submit applications via an online form; transmission is encrypted according to the state of the art. Applicants may also submit by email (note: email is generally not encrypted; applicants should ensure encryption or use postal mail).

If an application is successful, the data may be further processed for employment purposes. Otherwise, applicant data are deleted. Applicants’ data are also deleted if an application is withdrawn, which is possible at any time.

Deletion generally occurs six months after conclusion of the application process, to answer any follow-up questions and fulfil our obligations under equal treatment laws. Invoices for any travel expense reimbursements are archived in accordance with tax regulations.

Users may create a user account. During registration, required mandatory information is indicated and processed under Art. 6(1)(b) GDPR for the purpose of providing the user account. Processed data include login information (name, password, email address). The data entered are used for the purposes of using and maintaining the account.

Users may receive email notifications about information relevant to their account (e.g., technical changes). If users cancel their account, the data related to the account are deleted, subject to statutory retention obligations. Users are responsible for backing up their data before the end of the contract. We are entitled to irreversibly delete all data stored during the contract term.

In connection with the use of our registration and login functions and the account, we store the IP address and time of the user action based on our and users’ legitimate interests in protection against misuse. This data is not shared with third parties unless required to pursue claims or by legal obligation. IP addresses are anonymised or deleted no later than 7 days.

When contacting us (e.g., via contact form, email, telephone, or social media), user information is processed to handle and respond to the contact request under Art. 6(1)(b) GDPR (contractual/pre-contractual) and Art. 6(1)(f) GDPR (other enquiries). User information may be stored in a CRM system or similar.

Requests are deleted when no longer necessary; necessity is reviewed every two years. Statutory archiving obligations apply.

To subscribe to our newsletter, we require your email address. We also ask for your name to personalise the newsletter. We use a double opt-in procedure (you receive a confirmation email with a link; only after clicking it are you added to the list).

Data you provide for the newsletter are used exclusively to send the newsletter and are not passed on to third parties (except our technical newsletter service provider; see below).

Processing is based solely on your consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time by unsubscribing via the link at the end of each newsletter. The lawfulness of processing prior to withdrawal remains unaffected.

Data provided for the newsletter are stored until you unsubscribe and are then deleted. Data stored for other purposes remain unaffected.

We use ActiveCampaign (USA) as a technical service provider for storage, use, and processing of newsletter data. The EU Commission recognises an “adequate level of protection” for Privacy Shield-certified companies. ActiveCampaign, LLC was certified under Privacy Shield. (Note: Please verify current transfer mechanism/DPAs due to Schrems II.)

Statistical Collection and Analyses
ActiveCampaign collects information on browser and OS, IP address, time of access, open times, and click behaviour. This can be assigned to individual subscribers, but neither ActiveCampaign nor we intend to monitor individuals. Analyses serve to understand general reading behaviour and optimise content.

For information on how ActiveCampaign handles data, see: https://www.activecampaign.com/tos/

Separation of newsletter and analytics is not possible. If you do not agree, please unsubscribe.

Processing is based on your consent (Art. 6(1)(a) GDPR). You can revoke your consent at any time by unsubscribing.

Data Processing Agreement
We have concluded a data processing agreement with ActiveCampaign to ensure protection of our customers’ data and prevent unauthorised disclosure.

On the basis of our legitimate interests (Art. 6(1)(f) GDPR — analysis, optimisation, and economic operation of our Online Offering), we use Google Analytics, a web analytics service of Google LLC (“Google”). Google uses cookies. The information generated by the cookie about users’ use of the Online Offering is usually transmitted to a Google server in the USA and stored there.

Google is certified under the Privacy Shield framework and thus offers a guarantee of compliance with European data protection law. (Note: Please verify current transfer mechanism/DPAs due to Schrems II.)

Google processes this information on our behalf to evaluate use of the Online Offering, to compile reports on activities, and to provide us with other services related to internet use. Pseudonymous usage profiles of users may be created from the processed data.

We use Google Analytics only with IP anonymisation enabled. This means that users’ IP addresses are shortened by Google within EU/EEA member states. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; they can also prevent Google’s collection and processing of data generated by the cookie by downloading and installing the browser plugin available at: http://tools.google.com/dlpage/gaoptout?hl=de.

Further information on data use by Google, settings, and opt-out options can be found in Google’s Privacy Policy (https://policies.google.com/privacy) and in Google’s Ads settings (https://adssettings.google.com/authenticated).

Personal data are deleted or anonymised after 14 months.

On the basis of our legitimate interests (Art. 6(1)(f) GDPR), we use Google AdSense (Google LLC, USA).

Google is certified under the Privacy Shield framework (note: verify current mechanism). We use AdSense to display ads on our website and receive compensation for their display or other use. For these purposes, usage data (e.g., clicks on ads) and IP addresses are processed (shortened by the last two digits), i.e., pseudonymised processing.

We use AdSense with personalised ads. Google draws conclusions about users’ interests based on visited websites/apps and user profiles. Advertisers use this information to tailor campaigns. Personalised ads may be based on previous searches, activity, website visits, app use, demographics, and location. This includes demographic targeting, interest categories, remarketing, and customer match audiences.

Further information: https://policies.google.com/technologies/ads and https://adssettings.google.com/authenticated.

Within our Online Offering, based on our legitimate interests (analysis, optimisation, economic operation), we use the Facebook Pixel of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or, if you are in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland.

Facebook is certified under Privacy Shield (note: verify current mechanism). The Facebook Pixel enables Facebook to determine visitors of our Online Offering as a target group for ads (“Facebook Ads”). We use the Pixel to display Facebook Ads only to users who have shown interest in our Online Offering or have certain characteristics (e.g., interests in specific topics) that we transmit to Facebook (“Custom Audiences”). The Pixel also helps measure the effectiveness of Facebook Ads for statistical and market research purposes by tracking whether users were redirected to our website after clicking a Facebook ad (“Conversion”).

Facebook’s data policy: https://www.facebook.com/policy
Information on the Facebook Pixel: https://www.facebook.com/business/help/651294705016616

You can object to collection via the Facebook Pixel and use of your data for Facebook Ads. To set which types of ads you see, visit: https://www.facebook.com/settings?tab=ads (applies across devices).

You can also oppose cookies used for reach measurement and advertising via the Network Advertising Initiative: http://optout.networkadvertising.org/, and additionally via http://www.aboutads.info/choices or http://www.youronlinechoices.com/uk/your-ad-choices/.

Generated using the privacy policy generator by RA Dr. Thomas Schwenke (German original referenced).