Privacy

Lukas Wiesehan

Designer & Developer

Introduction

This privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the "Online Offering").

The terms used are not gender-specific.

Date: February 15, 2022

Controller

LW Works GmbH
Mühlenbruchsweg 5
27432 Oerel
Germany

Overview of Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the individuals affected.

Types of Data Processed

  • Inventory data.
  • Contact data.
  • Content data.
  • Usage data.
  • Meta/communication data.

Categories of Individuals Affected

  • Customers.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.

Purposes of Processing

  • Provision of contractual services and customer service.
  • Contact inquiries and communication.
  • Direct marketing.
  • Reach measurement.
  • Office and organizational procedures.
  • Feedback.
  • Marketing.
  • Provision of our online offering and user-friendliness.

Below, you will find an overview of the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or business. If specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 Abs. 1 S. 1 lit. a. DSGVO) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6 Abs. 1 S. 1 lit. b. DSGVO) - Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the data subject's request.
  • Legal obligation (Art. 6 Abs. 1 S. 1 lit. c. DSGVO) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains special provisions regarding the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission as well as automated decision-making in individual cases, including profiling. It also regulates data processing for the purposes of employment relationships (§ 26 BDSG), especially with regard to the establishment, implementation, or termination of employment relationships and the consent of employees. In addition, state data protection laws of individual federal states may apply.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing takes place in the context of using the services of third parties or the disclosure or transfer of data to other persons, entities, or companies, this only occurs in compliance with legal requirements.

Subject to explicit consent or contractual or legal requirements, we process or have data processed in third countries only with an established level of data protection, contractual obligations through standard data protection clauses of the EU Commission, certifications, or binding corporate rules on data protection (Art. 44 to 49 GDPR, EU Commission's information page).

Deletion of Data

The data processed by us will be deleted or their processing will be restricted in accordance with legal requirements as soon as their storage is no longer necessary for the purpose, any consents granted are revoked, or other permissions cease to apply (e.g., if the purpose of processing the data has been achieved or they are no longer required for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, their processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

Within the framework of our data protection notices, we provide users with additional information regarding the deletion and retention of data, which is specific to the respective processing operations.

Use of Cookies

Cookies are small text files or other storage methods that store information on end devices and retrieve information from end devices, for example to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or used functions of an online offering. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offerings, as well as for generating visitor flow analyses.

We do not use cookies on our website.

Provision of Online Services and Web Hosting

To securely and efficiently provide our online services, we utilize the services of one or more web hosting providers, from whose servers (or servers managed by them) our online services can be accessed. For this purpose, we may use infrastructure and platform services, computing capacity, storage space, database services, security services, and technical maintenance services.

Data processed in the context of providing the hosting services may include information related to all users of our online services that arises during usage and communication. This typically includes the IP address, which is necessary to deliver online content to web browsers, and any inputs made within our online services or on web pages.

  • Processed Data Types: Content Data (e.g., entries in online forms), Usage Data (e.g., visited web pages, interest in content, access times), Meta/Communication Data (e.g., device information, IP addresses).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of our online services and user-friendliness.
  • Legal Bases: Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO).

Additional information on processing procedures, methods, and services:

Content Delivery Network

We employ a Content Delivery Network (CDN). A CDN is a service that allows content of an online service, especially large media files like graphics or program scripts, to be delivered more quickly and securely via regionally distributed servers connected through the internet.

Contact and Inquiry Management

When contacting us (e.g., via contact form, email, telephone, or social media) and in the context of existing user and business relationships, the details of the inquiring parties are processed as far as required to respond to contact inquiries and any requested measures.

The response to contact inquiries and the management of contact and inquiry data in the context of contractual or pre-contractual relationships are carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and, furthermore, on the basis of legitimate interests in responding to inquiries and maintaining user or business relationships.

  • Processed Data Types: Master Data (e.g., names, addresses), Contact Data (e.g., email, phone numbers), Content Data (e.g., entries in online forms).
  • Data Subjects: Communication Partners.
  • Purposes of Processing: Contact inquiries and communication, provision of contractual services and customer support.
  • Legal Bases: Contractual Performance and Pre-contractual Inquiries (Art. 6 Abs. 1 S. 1 lit. b. DSGVO), Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO), Legal Obligation (Art. 6 Abs. 1 S. 1 lit. c. DSGVO).

Contact Form

When users contact us via our contact form, email, or other communication methods, we process the data provided to us in this context for the purpose of handling the respective inquiry. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships, as far as this is necessary for their fulfillment, and otherwise based on our legitimate interests as well as the interests of communication partners in responding to inquiries and our legal obligation to retain records.

Video Conferences, Online Meetings, Webinars, and Screen Sharing

We use platforms and applications from other providers (hereinafter referred to as "conference platforms") to conduct video and audio conferences, webinars, and other types of video and audio meetings (collectively referred to as "conferences"). When selecting the conference platforms and their services, we comply with legal requirements.

Data Processed by Conference Platforms: During participation in a conference, conference platforms process the personal data of participants as listed below. The extent of processing depends, on one hand, on the data required for a specific conference (e.g., provision of access data or real names) and on optional information provided by participants. In addition to processing for conducting the conference, the data of participants may also be processed by conference platforms for security purposes or service optimization. The processed data includes personal information (first name, last name), contact information (email address, phone number), access data (access codes or passwords), profile pictures, information about the professional position or function, the IP address of the internet access, information about the participants' devices, their operating system, browser, and its technical and language settings, information on the content of communication processes, such as inputs in chats, as well as audio and video data, and the use of other available functions (e.g., surveys). The content of the communications is encrypted to the extent provided technically by the conference providers. If participants are registered as users with the conference platforms, additional data may be processed in accordance with the agreement with the respective conference provider.

Logging and Recordings: If text entries, participation results (e.g., from surveys), as well as video or audio recordings are logged, this is communicated transparently to participants in advance, and their consent is requested if necessary.

Participants' Data Protection Measures: Please refer to the conference platforms' data protection notices for details on how your data is processed by these platforms and select the optimal security and data protection settings within the conference platforms' settings. During video conferences, please ensure data and personal protection in the background of your recording (e.g., by informing roommates, locking doors, and using, if technically possible, the background blurring function). Links to the conference rooms and access data should not be shared with unauthorized third parties.

Legal Bases: If we process users' data in addition to the conference platforms and ask users for their consent to use the conference platforms or certain functions (e.g., consent to record conferences), the legal basis for processing is this consent. Our processing may also be necessary to fulfill our contractual obligations (e.g., in participant lists, in the case of processing conversation results, etc.). Furthermore, user data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Processed Data Types: Master Data (e.g., names, addresses), Contact Data (e.g., email, phone numbers), Content Data (e.g., entries in online forms), Usage Data (e.g., visited web pages, interest in content, access times), Meta/Communication Data (e.g., device information, IP addresses).
  • Data Subjects: Communication Partners, Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of contractual services and customer support, contact inquiries and communication, office and organizational procedures.
  • Legal Bases: Consent (Art. 6 Abs. 1 S. 1 lit. a. DSGVO), Contractual Performance and Pre-contractual Inquiries (Art. 6 Abs. 1 S. 1 lit. b. DSGVO), Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO).

Zoom

Video conferences, web conferences, and webinars; Service Provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Website; Privacy Policy; Standard Contractual Clauses (Ensuring data protection level when processing in third countries, referred to as Global DPA); Data Processing Agreement (referred to as Global DPA).

Cloud Services

We use software services accessible via the internet and executed on the servers of their providers (so-called "cloud services," also referred to as "Software as a Service") for the following purposes: document storage and management, calendar management, email delivery, spreadsheets and presentations, exchange of documents, content, and information with specific recipients, or publication of web pages, forms, or other content and information, as well as chats and participation in audio and video conferences. Within this context, personal data may be processed and stored on the providers' servers, to the extent that they are part of communication processes with us or are otherwise processed by us, as described in this data protection notice. This data may include, in particular, master data and contact data of users, data on processes, contracts, or other procedures and their contents. The providers of cloud services also process usage data and metadata for security and service optimization purposes.

If we provide forms or other documents and content for other users or publicly accessible websites through cloud services, the providers may store cookies on users' devices for the purpose of web analysis or remembering users' settings (e.g., for media control).

Legal Bases: If we request consent for the use of cloud services, the legal basis for processing is consent. In other cases, the processing of user data is based on our legitimate interests (i.e., our interest in efficient and secure administrative and collaborative processes).

  • Processed Data Types: Master Data (e.g., names, addresses), Contact Data (e.g., email, phone numbers), Content Data (e.g., entries in online forms), Usage Data (e.g., visited web pages, interest in content, access times), Meta/Communication Data (e.g., device information, IP addresses).
  • Data Subjects: Customers, Employees (e.g., employees, applicants, former employees), Interested Parties, Communication Partners.
  • Purposes of Processing: Office and organizational procedures.
  • Legal Bases: Consent (Art. 6 Abs. 1 S. 1 lit. a. DSGVO), Contractual Performance and Pre-contractual Inquiries (Art. 6 Abs. 1 S. 1 lit. b. DSGVO), Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO).

Dropbox

Cloud storage service; Service Provider: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; Website; Privacy Policy; Standard Contractual Clauses (Ensuring data protection level when processing in third countries); Data Processing Agreement.

Google Workspace

Cloud-based application software (e.g., text and spreadsheet processing, calendar and contact management), cloud storage, and cloud infrastructure services; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website; Privacy Policy, Security Notes; Standard Contractual Clauses (Ensuring data protection level when processing in third countries); Data Processing Agreement.

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") only with the consent of the recipients or legal permission. If the content of newsletters is specifically described during registration, it is authoritative for the consent of users. Otherwise, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide your name for personalization purposes in the newsletter or other details if they are required for the purposes of the newsletter.

Double Opt-In Procedure: Newsletter subscriptions generally take place using a double opt-in procedure. This means that after registration, you will receive an email in which you are asked to confirm your registration. This confirmation is necessary so that no one can register using someone else's email address. Newsletter subscriptions are logged in order to prove that the registration process has taken place in accordance with legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Changes to your data stored with the shipping service provider are also logged.

Deletion and Restriction of Processing: We can store unsubscribed email addresses for up to three years on the basis of our legitimate interests, in order to demonstrate previously given consent, before deleting them. The processing of these data is limited to the purpose of a possible defense against claims. Individual requests for deletion are possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The registration process is recorded based on our legitimate interests to prove that it was carried out in accordance with the law. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure email delivery system.

Legal Bases: The sending of newsletters is based on consent of the recipients or, if consent is not required, on our legitimate interests in direct marketing, provided and to the extent that this is permitted by law, e.g., in the case of advertising to existing customers. If we commission a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure email delivery. The registration process is recorded based on our legitimate interests to prove that it was carried out in accordance with the law.

  • Processed Data Types: Master Data (e.g., names, addresses), Contact Data (e.g., email, phone numbers), Meta/Communication Data (e.g., device information, IP addresses), Usage Data (e.g., visited web pages, interest in content, access times).
  • Data Subjects: Communication Partners, Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Direct Marketing (e.g., by email or post), Provision of contractual services and customer support.
  • Legal Bases: Consent (Art. 6 Abs. 1 S. 1 lit. a. DSGVO), Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO).
  • Option to Object (Opt-Out): You can unsubscribe from our newsletter at any time, i.e., withdraw your consent or object to further receipt. You will find a link to unsubscribe from the newsletter at the end of each newsletter, or you can use one of the contact options listed above, preferably by email.

SendGrid

Email marketing platform; Service Provider: SendGrid, Inc., 1801 California Street, Suite 500, Denver, Colorado 80202, USA; Website; Privacy Policy; Standard Contractual Clauses (Ensuring data protection level when processing in third countries).

Measurement of Open and Click Rates

The newsletters contain a so-called "web beacon," i.e., a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a mailing service provider, from their server. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for the technical improvement of our newsletter based on technical data or the target audience and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is associated with individual newsletter recipients and stored in their profiles until deleted. The evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of open rates and click rates and the storage of the measurement results in the profiles of the users and their further processing are based on the consent of the users. Unfortunately, a separate revocation of the success measurement is not possible; in this case, the entire newsletter subscription must be canceled, or it must be objected to. In this case, the stored profile information will be deleted.

Requirement for Availing Free Services

Consent to receive mailings can be made a requirement to avail of free services (e.g., access to certain content or participation in specific promotions). If users wish to avail of the free service without signing up for the newsletter, we kindly ask you to contact us.

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offering and can include the behavior, interests, or demographic information of visitors, such as age or gender, as pseudonymous values. Reach analysis helps us, for example, to recognize when our online offering or its functions or content are most frequently used or to invite reuse. We can also use test procedures to test and optimize different versions of our online offering or its components.

The IP addresses of users are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect the users. In general, in the context of web analysis, A/B testing, and optimization, no clear-text data of the users (such as email addresses or names) is stored, only pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Notes on Legal Bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Fathom

Web analytics and reach measurement (no use of cookies, measurement is limited to our online offering, use of privacy-friendly pseudonymization methods); Service Provider: Conva Ventures Inc., BOX 37058 Millstream PO, Victoria, BC, V9B 0E8, Canada; Website; Privacy Policy.

Presence on Social Media

We maintain online presences within social networks and process user data in this context to communicate with active users or to provide information about us.

Please note that user data may be processed outside the European Union. This can result in risks for users because, for example, the enforcement of users' rights may be more difficult.

Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage behavior and resulting user interests can be used to create user profiles. These user profiles can then be used for targeted advertising both within and outside the networks, which presumably corresponds to the users' interests. For these purposes, cookies are usually stored on users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data can also be stored in the user profiles regardless of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For a detailed representation of the respective processing methods and the possibilities of objection (Opt-Out), we refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of inquiries and the assertion of data subject rights, we would like to point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.

  • Processed Data Types: Contact Data (e.g., email, phone numbers); Content Data (e.g., entries in online forms); Usage Data (e.g., visited web pages, interest in content, access times); Meta/Communication Data (e.g., device information, IP addresses).
  • Data Subjects: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Contact Inquiries and Communication; Feedback (e.g., collecting feedback via online form); Marketing.
  • Legal Bases: Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f. DSGVO).

Instagram

Social network; Service Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; Website; Privacy Policy.

LinkedIn

Social network; Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website; Privacy Policy; Standard Contractual Clauses (Ensuring data protection level when processing in third countries); Opt-Out; Data Processing Agreement.

Twitter

Social network; Service Provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, Parent Company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Privacy Policy; (Privacy Settings).

Changes and Updates to the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as the changes to the data processing carried out by us make this necessary. We will inform you as soon as your cooperation (e.g., consent) or another individual notification is required as a result of the changes.

If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that the addresses may change over time, and we ask you to check the information before contacting us.

Rights of Data Subjects

You have various rights as data subjects under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR.

  • Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising, including profiling insofar as it is associated with such direct marketing.
  • Right to Withdraw Consent: You have the right to withdraw your consent at any time.
  • Right to Information: You have the right to request confirmation as to whether relevant data is being processed and information about this data and further information and a copy of the data in accordance with legal requirements.
  • Right to Rectification: You have the right, in accordance with the law, to request the completion of data concerning you or the rectification of incorrect data concerning you.
  • Right to Erasure and Restriction of Processing: You have the right, subject to the legal requirements, to demand that relevant data be deleted immediately or, alternatively, to demand a restriction of processing of the data in accordance with the legal requirements.
  • Right to Data Portability: You have the right to receive data relating to you, which you have provided to us, in a structured, commonly used, and machine-readable format in accordance with legal requirements or to request that it be transmitted to another controller.
  • Complaint to Supervisory Authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

Definitions

In this section, you will find an overview of the terminology used in this privacy policy. Many of the terms are taken from the law and are mainly defined in Article 4 of the GDPR. The legal definitions are binding. The following explanations are intended to help you understand these terms. The terms are sorted alphabetically.

  • Personal Data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Profiles with user-related information: The processing of "profiles with user-related information," or simply "profiles," includes any form of automated processing of personal data that involves the use of this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). For the purpose of profiling, cookies and web beacons are often used.
  • Reach Measurement: Reach measurement (also referred to as web analytics) serves to analyze visitor flows of an online offering and may include behavior or interests of visitors regarding specific information, such as content of web pages. With the help of reach analysis, website owners can, for example, determine when visitors visit their website and what content interests them. This allows them to better tailor the content of the website to the needs of their visitors. For the purposes of reach analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and obtain more accurate analyses of the use of an online offering.
  • Controller: The "controller" is the natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, including collection, analysis, storage, transmission, or deletion.