Privacy Policy

Privacy policy

In this privacy policy, we inform you about the processing of personal data when using our website or platform. 

Personal data is information that relates to an identified or identifiable person. This primarily includes information that allows conclusions to be drawn about your identity, such as your name, telephone number, address or email address. However, personal data also includes certain identifiers such as your IP address or the device ID of the device you are using.

1. Responsible Person and Contact Person

The contact person and so-called data controller for the processing of your personal data within the meaning of the United Kingdom General Data Protection Regulation (UK GDPR) when you visit this website is

Fotografen Online Service GmbH
Hausvogteiplatz 12
10117 Berlin
Phone: +49 (0) 30 364 288 950
E-mail: privacy@gotphoto.com 

If you have any questions about data protection in connection with our services or the use of our website, you can contact our data protection officer at any time. He can be contacted at the above postal address and at the email address provided (please indicate “c/o data protection officer” in the subject line). We would like to point out that any messages sent and content shared, when using this email address, are not exclusively viewed by our data protection officer. If you wish to exchange confidential information, we would ask you to contact us directly via this email address as a first step before sharing any further information.

2. Data Storage and Integration

2.1 AWS Aurora and AWS DynamoDB

We use AWS Aurora and AWS DynamoDB from Amazon Web Services EMEA Sarl, 38 John F. Kennedy, L-1855, Luxemburg (“AWS”) to store your data. These databases may store the following information:

Data processing by AWS is necessary to provide you with the secure storage of your data. The legal basis for the use of AWS is Art. 6 para. 1 sentence 1 lit. b UK GDPR, performance of our contract with you, or Art. 6 para. 1 lit. f UK GDPR, justified by our interest in fulfilling the legal requirements for secure storage of personal data. 

The AWS Data Processing Addendum (https://d1.awsstatic.com/legal/aws-dpa/aws-dpa.pdf) is incorporated into the AWS service terms. Amazon Web Services, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information can be found in AWS’ privacy policy at https://aws.amazon.com/privacy/.

2.2 Snowflake

We use Snowflake provided by Snowflake Computing Netherlands B.V., FOZ Building, Gustav Mahlerlaan 300-314,  1082 ME Amsterdam, Netherlands (“Snowflake”) as a data warehouse. Snowflake enables us to securely store and analyse all data.

All data in Snowflake is anonymized and encrypted.

Further information can be found at https://www.snowflake.com/privacy-policy/.

2.3 Airbyte

Airbyte provided by Airbyte, Inc., 2261 Market Street, Suite 4381, San Francisco, CA 94114, United States (“Airbyte”) is a powerful data integration engine that enables us to consolidate all of the data processed and stored in the databases and data warehouse listed above.

For our core data we have deployed the self-managed version of Airbyte in our own infrastructure. The data does not leave our servers and Airbyte has no access to any of the data processed.

The legal basis for the use of Airbyte is Art. 6 para. 1 lit. f UK GDPR, justified by our interest in identifying changes in the source file and replicating them in the target system, thus properly synchronizing the data across all systems we use.

2.4 Metabase

Metabase provided by Metabase, Inc., 9740 Campo Rd. Suite 1029, Spring Valley, CA 91977 (“Metabase”) is a data intelligence tool that we use to visualize data, gain insights from such data and share the corresponding reports with our team for collaborative data analysis.

The legal basis for the use of Airbyte is Art. 6 para. 1 lit. f UK GDPR, justified by our interest in analyzing data and drawing conclusions regarding our business needs.

We self-host Metabase on our servers and Metabase has no access to any of the data processed.

Further information on data processing by Metabase can be found at https://www.metabase.com/privacy-policies

3. Data Processing on our Website

3.1 Accessing our Website / Technical Information

Each time you use our website, we collect technical information that your browser automatically transmits to enable you to visit the website. This technical information consists of the so-called HTTP header information, including the user agent, and includes in particular

The processing of this technical information is absolutely necessary to enable your visit of the website, to ensure the permanent functionality and security of our systems and to maintain our website. The technical information is temporarily stored in internal log files for the purposes described above, limited in content to what is absolutely necessary, in order to find the cause and take action in the event of repeated or criminal access that jeopardises the stability and security of our website. For these storage purposes your IP address will be anonymised immediately.

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f UK GDPR reflecting our legitimate interest in enabling website access and the permanent functionality and security of our systems. The automatic transmission of the technical information and the log files developed from it does not constitute access to the information in the end device within the meaning of regulation 6 PECR. Otherwise, such access to information in the end device would be strictly necessary.

3.2 Contact

You have several options to contact us. These include email, telephone, our contact form and our live chat. In this context, we process data exclusively for the purpose of communicating with you.

The legal basis is Art. 6 para. 1 sentence 1 lit. b UK GDPR, insofar as your information is required to initiate or execute a contract with you, and otherwise Art. 6 para. 1 sentence 1 lit. f UK GDPR reflecting our legitimate interest to communicate with you based on your enquiry. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of regulation 6 para. 4 lit. b PECR.

We only make promotional telephone calls if you have given your consent. If you are not an existing customer, we will only send you promotional emails on the basis of your consent. The legal basis in these cases is Art. 6 para. 1 sentence 1 lit. a UK GDPR.

The data collected by us when you contact us will be automatically deleted after your enquiry has been fully processed, unless we still need this data to fulfil contractual or legal obligations (see section 7 “Storage period”). 

3.2.1 Contact Form

The contact form, which can be accessed via our Help Centre (https://help.gotphoto.com/hc/de), is provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States, who process your data on our behalf. We have a data processing agreement in place with Freshworks Inc. In the event that personal data is transferred to the US or other third countries, we have implemented standard contractual clauses with Freshworks Inc. in accordance with Art. 46 para. 2 lit. c UK GDPR. Freshworks, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information on data protection can be found here: https://www.freshworks.com/legal/.

3.2.2 Live Chat (HubSpot)

Our live chat, which is used to improve communication with website visitors, is provided by HubSpot Ireland Limited, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland (“HubSpot”).

In order to answer live enquiries, the chat content you provide is collected and stored for the duration of the chat. We only collect your email address and telephone number, if you voluntarily provide them to us and give us permission to contact you subsequently. The chat will be deleted immediately as soon as the chat conversation has ended.

We have concluded a data processing agreement with HubSpot. The data collected in this context may be transferred by HubSpot to HubSpot, Inc. in the US. HubSpot, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information can be found in HubSpot’s privacy policy.

3.3 Registration for Photographers and User Authentication

We manage registration, user logins, access permissions and security protocols with cidaas, an authentication tool provided by Widas ID GmbH, Maybachstrasse 2, 71299 Wimsheim, Germany (“cidaas”). 

You have the option to register for a user account in order to use the full range of functionalities of our software and to operate a photography online shop via our platform. 

The data fields first and last name, the selection criteria (professional or amateur photographer or photo order), email address, telephone number (optional), desired domain or shop name must be provided by you. Registration is not possible without the provision of this data.

Moreover, cidaas processes the following information for authentication and security purposes:

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. b UK GDPR, the fulfillment of a contract.

We have concluded a data processing agreement with Widas ID GmbH. Further information on data processing by cidaas can be found here: https://www.cidaas.com/privacy-policy/.

3.4 Orders 

Photographers have the option to order software licences or physical products in our online shop. During the ordering process we collect the mandatory information required to fulfil the contract:

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. b UK GDPR.

3.5 Newsletter

You have the option to subscribe to our newsletter, in which we regularly inform you about webinars, new guides, innovations to our products and promotions. 

We use the so-called double opt-in procedure for the subscription to our newsletter, i.e. we will only send you newsletters by email, if you click on a link in our notification email, thereby confirming that you are the owner of the email address provided. If you confirm your email address, we will store your email address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. The sole purpose of this storage is to send you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in every newsletter. A message to the contact details given above or in the newsletter (e.g. by email or letter) is also sufficient for this purpose. The legal basis for processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR.

3.6 Advertising to Existing Customers by Email

If you register for a user account or make a purchase from us, we will also use your contact details to send you further information about our products and services by email (“existing customer advertising”). This may include news, promotions and offers as well as feedback and other surveys. 

The legal basis for this data processing is Art. 6 para. 1 lit. f UK GDPR, according to which data processing is permitted to safeguard legitimate interests.

You can object to the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the contact details given above (e.g. by email or letter) without incurring any costs other than the transmission costs according to the basic rates.

3.7 Surveys

You have the opportunity to take part in one of our surveys. We use the results of these surveys to improve our service.

The legal basis for data processing as part of the survey is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. We base the sending of the surveys on Art. 6 para. 1 lit. f UK GDPR, reflecting our legitimate interest in customising and continuously improving our services. 

You can object to receiving a satisfaction survey and the use of your data for advertising purposes at any time by clicking on the corresponding link in the emails or by sending a message to the above-mentioned contact details (e.g. by e-mail or letter) without incurring any costs other than the transmission costs according to the basic rates.

3.8 Contests

In the context of contests, we use your data for the purpose of organising the contest and notifying the winners. Detailed information can be found in the terms and conditions for the respective contest. The legal basis for processing is the contest contract in accordance with Art. 6 para. 1 sentence 1 lit. b UK GDPR.

3.9 Job Applications

You can apply for open job positions by email or via our career portal. The purpose of data collection is the selection of applicants for the possible establishment of an employment relationship. In order to process your application, we collect the data you provide (usually: first and last name; email address; application documents such as references and CV; earliest possible starting date for the job; channel through which you became aware of the job advertisement; telephone number; salary expectations). We would like to point out that confidentiality cannot be guaranteed if application documents are sent by email without encryption.

Ashby, Inc, 49 Geary Street, Suite 411, San Francisco, CA, 94108, United States, is providing our career portal and managing applications. We have concluded a data processing contract with the provider. The transfer of data to the US takes place on the basis of standard data protection clauses. The provider’s privacy policy can be accessed here: https://www.ashbyhq.com/resources/privacy.

The legal basis for the processing of your application documents is Art. 6 para. 1 lit. b UK GDPR.

We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data for as long as it is required for the employment relationship and to comply with statutory regulations.

If we reject your application, we will store your application data for a maximum of three months following the rejection, unless you give us your consent to store it for longer. If you have given us explicit consent, we will store your data in our pool of applicants for a further twelve months after the end of the application process in order to identify any other interesting positions for you and to contact you again if necessary. After this period, the data will be deleted. You can revoke this consent at any time for the future by sending us an email to jobs@fotograf.de.

4. Use of Tools on the Website

This website uses various services and applications (collectively “tools”) that are provided either by us or by third parties. 

The tools we use are listed below organised by category. We inform you about the providers of the tools, the collection of data and the transfer of data to third parties. We also explain to you in which cases we must obtain your voluntary consent to use the tools and how you can revoke this consent once given.

In the event that the information in the consent banner contradicts the information in this privacy policy, the information in this privacy policy shall take precedence.

4.1 Technologies Used

Some of the tools used on this website use technologies to store or access information on your device:

Information about the cookies we use can be found in our cookie declaration at https://app.gotphoto.co.uk/cookie_declaration. This cookie declaration is automatically generated by Usercentrics.

4.2 Legal Basis and Revocation

4.2.1 Legal Basis

We use tools strictly necessary for the operation of our website on the basis of our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f UK GDPR to customise the use of our website and to make it more convenient and as time-saving as possible. In certain cases, these tools may also be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures, in which case the processing is carried out in accordance with Art. 6 para. 1 sentence 1 lit. b UK GDPR. Access to and storage of information on your device is absolutely necessary in these cases and is carried out based on Regulation 6 para. 4 lit. b Privacy and Electronic Communications Regulations (PECR).

We use all other tools, in particular those for marketing purposes, on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR. In these cases, access to and storage of information on your device is subject to consent and takes place based on Regulation 6 par. 2 PECR. These tools will only process your data, if we have received your consent in advance.

Any transfer of personal data to third countries is associated with certain risks. Please read Section 7 (“Data transfer to third countries”). For each provider in question, we will inform you whether a) an adequacy decision exists for the third country, b) standard contractual clauses or c) other guarantees have been put in place. If you have given your consent for the use of certain tools, we will (also) use this consent to transfer the data processed by the tools to third countries.

4.2.2 Obtaining Your Consent

We use the Cookiebot tool from Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark (“Usercentrics”) to obtain and manage your consent. The tool generates a consent banner that informs you about the data processing on our website and gives you the opportunity to consent to all, individually elected or no data processing when using optional tools. This banner appears the first time you visit our website and when you call up the selection of your settings again in order to change them or revoke your consent. The banner will also appear on subsequent visits to our website if you have deactivated the storage of cookies or if the cookies or information in Usercentrics’ local storage have been deleted or have expired.

When you visit our website, your consent or revocation, your IP address, information about your browser, your device and the time of your visit are transmitted to Usercentrics. Usercentrics also stores the necessary information on your device in order to retain the consents and revocations you have given. If you delete your cookies or information in local storage, we will ask you for your consent again when you visit the site at a later date.

Data processing by Usercentrics is necessary to provide you with the legally required consent management and to fulfil our documentation obligations. The legal basis for the use of Usercentrics is Art. 6 para. 1 sentence 1 lit. f UK GDPR, justified by our interest in fulfilling the legal requirements for consent management. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out based on Regulation 6 para. 4 lit. b PECR.

4.2.3 Revoking Your Consent or Changing Your Selection

You can revoke your consent given for certain tools at any time. To do so, click on the following button:

Change cookie settings

By clicking the button you can also change the selection of tools you wish to consent to and obtain additional information on the tools used. Alternatively, you can revoke your consent for the use of certain tools directly with the provider.

4.3 Essential Tools

We use certain tools to enable the basic functions of our website (“essential tools”). Without these tools, we would not be able to provide our service. Therefore, essential tools are used without consent. The legal basis for the implementation of essential tools is our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f UK GDPR or the fulfilment of a contract or the implementation of pre-contractual measures pursuant to Art. 6 para. 1 sentence 1 lit. b UK GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is based on Regulation 6 para. 4 lit. b PECR.

4.3.1 Google Tag Manager

Our website uses Google Tag Manager, a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by Google Tag Manager with your consent.

The legal basis is Art. 6 para. 1 sentence 1 lit. f UK GDPR, based on our legitimate interest to easily integrate and manage several tags on our website.

Google collects information about the tags integrated through our website for the purpose of ensuring stability and functionality for the use of Google Tag Manager, but generally no personal data is collected, in particular no data about user behaviour, the IP address or the pages visited.

We have concluded a data processing agreement with Google Ireland Limited. The data collected in this context may be transmitted by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

Further information can be found in Google’s privacy policy.

4.3.2 Freshdesk (HelpCentre)

We use Freshdesk provided by Freshworks Inc, 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, United States (“Freshworks”) for our HelpCentre.

In our HelpCentre you can, for example, ask questions about our services, the website or our company and leave us a comment.

When using Freshdesk, the IP address of the device and the address of the subpage from which you access Freshdesk are recorded. Moreover, Freshdesk processes all data, messages and other material provided by you through the HelpCentre. This may include your first name, last name, business name, telephone number and email address.

The legal basis is Art. 6 para. 1 sentence 1 lit. b UK GDPR, insofar as the data is required to answer your enquiry in the context of the initiation or execution of a contract, and otherwise Art. 6 para. 1 sentence 1 lit. f UK GDPR, covering our legitimate interest in communicating with (potential) customers and providing rapid access to our employees.

We have a data processing agreement in place with Freshworks Inc. In the event that personal data is transferred to the US or other third countries, we have implemented standard contractual clauses with Freshworks Inc. in accordance with Art. 46 para. 2 lit. c UK GDPR. Freshworks, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information on data protection can be found here: https://www.freshworks.com/legal/.

4.3.3 jam.dev

We use jam.dev by Jam, Inc., 4806 Ribbecke Ave, Unit B, Austin, TX 78721, United States (“jam.dev”) for incident reporting.

The tool enables us to capture bugs reported by you, diagnose them and resolve technical issues brought to our attention. The bug reports provided by you may include screen recordings displaying personal data. Personal data that may appear on screen recordings, includes names, images, or other identifying information. Recordings are automatically deleted after a specified retention period.

The legal basis for processing personal data in jam.dev is Art. 6 para. 1 sentence 1 lit. b UK GDPR in order to provide you with state of the art and error-free services.

4.4 Functional Tools

We also use optional tools to improve the user experience on our website and to offer you more functions (“functional tools”). Although these are not absolutely essential for the basic functionality of the website, they can bring significant benefits to visitors, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels.

The legal basis for the functional tools is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR. To revoke your consent, see 4.2.3: “Revoking your consent or changing your selection”. In these cases, access to and storage of information in your device is subject to consent and takes place based on Regulation 6 par. 2 PECR.

In the event that personal data is transferred to the US or other third countries, your consent also expressly extends to the transfer of data (Art. 49 para. 1 sentence 1 lit. a UK GDPR). Please refer to section 7 (“Data transfer to third countries”) for the associated risks.

4.4.1 FIN AI Chatbot

Our website uses FIN, a service provided in the United States by Intercom, Inc., 55 2nd Street, 4th Floor, San Francisco, CA 94105, United States and for all other geographical areas by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2, Ireland (together „Intercom“).

FIN is an AI chatbot that uses sophisticated AI language models to automatically solve customer service issues. The AI chatbot understands complex queries, asks clarifying questions and fully converses with the user.

The following information is processed: any personal data contained in questions, data, content or information submitted by you during each conversation with FIN.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR. 

The data collected in this context may be processed by Intercom in the US. Intercom, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

FIN uses OpenAI as a sub-processor of any personal data submitted to FIN. Any processing of personal data by OpenAI is governed by a data processing agreement in place between Intercom and OpenAI. OpenAI is based in the US and any international transfer of personal data from Intercom to OpenAI is covered by the relevant and up-to-date Standard Contractual Clauses for international transfers under UK GDPR.

OpenAI has activated zero retention for all customer inputs and outputs. As a result, the inputs and outputs will not be stored by OpenAI. OpenAI is contractually prohibited from using customer data to improve or train its AI model.

4.4.2 tl;dv

We use the meeting assistant tl;dv provided by tldx Solutions GmbH, Kaiser-Friedrich-Allee 51, 52074 Aachen, Germany (“tl;dv”). 

tl;dv records, transcribes and summarizes meetings. It provides valuable insights from the meetings. tl;dv processes the following data:

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR. 

More information on data processing by tl;dv can be found here: https://tldv.io/privacy/.

4.4.3 Gong

Gong is a revenue intelligence platform provided by Gong.io, Inc., 201 Spear Street, 13th Floor, San Francisco, CA 94105, United States (“Gong”).

We use Gong to record, transcribe and analyze sales calls. The call recordings are also used for internal training purposes to improve the communication with our (potential) customers.


“Gong bot” joins each scheduled sales call to record the session (both audio and video are recorded). Each call is transcribed from speech to text and analyzed by conversation analytics technology.

Gong processes the following data:

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR. 

We have concluded a data processing agreement with Gong.io, Inc. The data collected in this context may be transferred by Gong.io, Inc. to the US. Any international transfer of personal data from Europe to the United States is covered by the relevant and up-to-date Standard Contractual Clauses for international transfers under UK GDPR.

4.5 Analysis Tools

In order to improve our website, we use optional tools for statistical recording and analysis of general user behaviour based on access data (“analysis tools”). We also use analysis services to analyse the use of our various marketing channels.

The legal basis for the analysis tools is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR. However, consent is not required, if an analysis tool only processes anonymized personal data. To revoke your consent, see 4.2.3: “Revoking your consent or changing your selection”. In these cases, access to and storage of information in your device is subject to consent and takes place based on Regulation 6 par. 2 PECR.

4.5.1 Google Universal (Google Analytics)

Our website uses Google Analytics, a service provided in Europe, the Middle East and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other geographical areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (together “Google”).

Google Analytics uses JavaScript and pixels to read information on your device, as well as cookies to store information on your device. Google Analytics serves to evaluate your usage behaviour and improve our website. We will process the information obtained to analyse your use of the website and to compile reports on website activity for the website operator. The data collected in this context may be transmitted by Google to a server in the US and stored there.

We have chosen the following data protection settings for Google Analytics:

The following data is processed by Google Analytics:

We have concluded a data processing agreement with Google Ireland Limited. The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information can be found in Google’s privacy policy.

4.5.2 Hotjar

Our website uses Hotjar, a web analysis service provided by Hotjar Ltd, Elia Zammit Street 3, St Julians STJ 1000, Malta (“Hotjar”).

Hotjar is used to create so-called heat maps. Heat maps graphically display statistics about mouse movements and clicks on our site in order to analyse our website with regard to user behaviour. This enables us to recognise frequently used functions of our website and to further improve the site. However, your IP address is truncated before the usage statistics are analysed so that no conclusions can be drawn about your identity. In addition to mouse movements and clicks, information about the operating system, browser, incoming and outgoing links, geographical origin, resolution and type of device are analysed for statistical purposes. This information is pseudonymous and is not passed on to third parties by us or Hotjar. Data entered by you in form fields on our website is hidden and not recorded by Hotjar.

The following information is set and read by Hotjar in the local storage:

Further information can be found in Hotjar’s privacy policy.

Hotjar also offers the option of objecting to data processing by Hotjar cookies in general for the future using the “Do Not Track” function of browsers. You can find out how to activate this function at: https://www.hotjar.com/policies/do-not-track/.

NOTE: If you accept Hotjar cookies and subsequently wish to remove those cookies, you must do so manually from your own browser. A change of the cookie settings will not remove a cookie previously set.

4.5.3 PostHog

Our website uses PostHog, an analysis tool provided by PostHog, Inc., 2261 Market Street #4008, San Francisco, CA 94114, United States (“PostHog”). 

PostHog tracks user behaviour on and interaction with our website. We use this information to improve product performance, troubleshoot issues and optimize the overall user experience.

PostHog processes anonymized behavioral data such as clicks, page views, session duration, and interaction events. 


Further information on data processing by PostHog can be found in https://posthog.com/privacy.

4.5.4 HubSpot

Our website uses an analysis and tracking tool from Hubspot. This tool can be used to monitor and analyse visitors’ interactions with our website. This helps us to attribute your visits to specific campaigns we have created and generally analyze the sources for our website traffic. The tool can recognize and differentiate between new and returning visitors.

The following data is processed by HubSpot:

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR.

We have concluded a data processing agreement with HubSpot. The data collected in this context may be transferred by HubSpot to HubSpot, Inc. in the US. HubSpot, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

Further information can be found in HubSpot’s privacy policy.

4.5.5 Microsoft Clarity 

Our website uses Clarity, a service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States (“Microsoft”).

Clarity is a behavioral analysis tool that captures how you use and interact with our website through metrics, heatmaps, and session replay. In order to do so, the following information is processed: IP address, location, browser information, visited website and subpages, date and time of access to the website, clicks, scrolls and mouse movements. Clarity assigns each user a unique user ID and uses tracking technologies to determine online activity. We use this information for site optimization and advertising.  

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR. 

The data collected in this context will be processed by Microsoft in the US. Microsoft Corporation has undergone the certification procedure according to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-gb/privacystatement.

4.5.6 Google Meet

Google Meet is a service provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

We use Google Meet to conduct and record interviews with our (prospective) customers in order to get feedback on our products and services. Google processes the customer’s name and email to set up the interview as well as audio and video recording of the customer during the interview.


The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR. 

The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information can be found in Google’s privacy policy: https://policies.google.com/privacy.

4.6 Marketing Tools

We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when you use our website is used for interest-based advertising. By analysing and evaluating this access data, we are able to show you personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers.

In the following section, we would like to explain these technologies and the providers used for this in more detail. The data collected may include in particular

However, the data collected is only stored under a pseudonym, so that no direct conclusions can be drawn about individuals.

4.6.1 Hubspot

We use Hubspot for tracking and remarketing purposes. Hubspot processes your pseudonymized email address and shares it with Meta Platforms and Google Ads. 

This allows us to achieve conversion tracking and optimize our marketing campaigns. By sharing the data with the platforms we are able to retarget a specific audience.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a UK GDPR. Access to and storage of information in your device takes place based on Regulation 6 par. 2 PECR.

We have concluded a data processing agreement with HubSpot. The data collected in this context may be transferred by HubSpot to HubSpot, Inc. in the US. HubSpot, Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

Further information can be found in HubSpot’s privacy policy.

4.6.2 Meta- Pixel (formerly Facebook- Pixel)

Our website uses the Meta-Pixel service for marketing purposes, which is offered outside the US and Canada by Meta Platforms Ireland Ltd, Serpentine Avenue, Block J, Dublin 4, Ireland and in the US and Canada by Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, United States (together “Meta Platforms”).

We use Meta-Pixel to analyse the general use of our website and to track the effectiveness of Facebook advertising (“conversion tracking”). We also use Meta-Pixel to display personalised advertising messages based on your interest in our products (“retargeting”). This also involves target group remarketing through custom audiences.

Meta Platforms processes data that the service collects via JavaScript, cookies and other technologies on our website. This includes in particular

Meta Platforms acts as our processor for matching, measurement and analysis services, in particular for analysing the use of our website, matching user IDs and creating reports on our advertising campaigns. We have concluded a data processing agreement with Meta Platforms.

The data collected in this context may be transferred by Meta Platforms Ireland Limited to Meta Platforms Inc. in the US. Meta Platforms Inc. has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

In addition, we and Meta Platforms are jointly responsible for the processing of event data for the targeting of advertisements (through the creation and selection of target groups), the delivery of commercial and transactional messages, the improvement of ad delivery and the personalisation of functions and content when using Meta-Pixel. The mutual obligations were set out in a joint contract, which can be accessed at the following address: https://www.facebook.com/legal/controller_addendum.

Meta Platforms also processes the event data for the protection and security of Meta Platforms’ products, for research and development purposes and to maintain the integrity of the products and improve them.

If you are a member of Facebook or Instagram and have allowed Meta Platforms to do so via the privacy settings of your account, Facebook or Instagram may also link the information collected about your visit to our website to your member account and use it for targeted advertising. You can view and change the privacy settings of your Facebook profile at any time: https://www.facebook.com/settings/?tab=ads. You can prevent the linking of data collected outside Instagram for the display of personalised advertising in Instagram as described here: https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE.

If you have not consented to the use of Meta-Pixel, Meta Platforms will only display generic adverts that are not selected based on the information collected about you on this website.

Further information, e.g. regarding joint responsibility and contact details, can be found in Meta Platforms’ privacy policy, in particular for the social networks Facebook and Instagram: https://www.facebook.com/about/privacy/.

4.6.3 Google Ads

Our website uses the Google Ads service, which is offered in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, United States (together “Google”).

Applying Google Ads Conversion Tracking we define customer actions (such as clicking on an ad, page views, downloads) that are recorded and analysed. We use Google Ads Remarketing to show you individualised advertising messages for our products on Google partner websites. Both services use cookies, JavaScript, pixels and other technologies for this purpose.

The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings stored in your Google account. If you do not desire a link to your Google account, you must log out of Google before visiting our website.

If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to revoking your consent (see 4.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:

4.6.4 Google AdSense

Our website uses the service Google AdSense, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland in Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (“Google”) in all other geographic areas.

Google AdSense enables the placement of adverts on third-party sites and is based on an algorithm that selects the adverts displayed on third-party sites to match the content of the respective third-party site. This allows an interest-based approach to visitors (“targeting”), which is implemented by generating individual user profiles. When you visit our website, your use is analysed and evaluated for this purpose. Each time a subpage is accessed, data is automatically transmitted to Google for the purposes of online advertising, generating advertising revenue and billing commissions. In the process, Google obtains knowledge of personal data, such as your IP address, which Google uses, among other things, to trace the origin of visitors and clicks on adverts. For this purpose, Google AdSense uses cookies, which are stored on your device, and pixels, which establish a connection to the Google server.

The data collected in this context may be transferred by Google Ireland Limited to Google LLC in the US. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalise ads, depending on the settings stored in your Google account. If you do not desire a link to your Google account, you must log out of Google before visiting our website.

If you have not consented to the use of Google AdSense, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to revoking your consent (see 4.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:

4.6.5 Google Marketing Platform and Ad Manager (formerly DoubleClick)

Our website uses Google Marketing Platform and Google Ad Manager, services provided in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and in all other geographic areas by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, US (together “Google”).

These services use cookies and other technologies to show you adverts that are relevant to you. The use of the services enables Google and its partner websites to display adverts based on previous visits to our or other websites on the Internet. 

Google may transfer the data collected in this context for analysis to a server in the US and store the data there. Google LLC has undergone the certification process in accordance with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

If you have not consented to the use of Google Marketing Platform and Ad Manager, Google will only display generic advertising that has not been selected based on the information collected about you on this website. In addition to revoking your consent (see 4.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate personalised advertising in Google’s advertising settings: https://adssettings.google.com/anonymous?hl=de.

Further information can be found here:

4.6.6 Microsoft Advertising (formerly Bing Ads)

Our website uses Microsoft Advertising, a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (“Microsoft”). Microsoft uses JavaScript, cookies and local storage to present you with adverts that are relevant to you. The use of these technologies enables Microsoft and its partner websites to display adverts based on previous visits to our or other websites on the Internet. Microsoft  may transfer the data collected in this context for analysis to a server in the US and store the data there.

The following information in the Local Storage is stored and read by Microsoft Advertising: 

The data collected in this context may be transferred by Microsoft Ireland Operations Limited to Microsoft Corporation in the US. Microsoft Corporation has undergone the certification procedure according to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

In addition to revoking your consent (see 4.2.3: “Revoking Your Consent or Changing Your Selection”), you may deactivate the personalised ads in Microsoft Advertising or in the settings for ads in your Microsoft account:

Further information can be found in Microsoft’s privacy policy: https://privacy.microsoft.com/en-gb/privacystatement. 

4.7 External Media

We also use external media in the form of embedded videos. 

Unless otherwise stated, the legal basis for this is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a UK GDPR, which you give via the consent banner or via a banner (“overlay”) placed over the respective tool itself.

In these cases, access to and storage of information in the device is subject to consent and takes place based on Regulation 6 par. 2 PECR.

4.7.1 Wistia

We use the service for hosting and embedding videos from Wistia, Inc., 120 Brookline Street, Cambridge, Massachusetts 02139, US on our website. 

Wistia collects data about video usage by the visitor, e.g. how much of the video was viewed, at what point the video was paused or whether it was continued at another point, how many videos were viewed and how often they were viewed. The IP address, device class (desktop, mobile), operating system, browser, embedded URL (page on which the video is played), internet provider, location, region and country, session start time (date and time of the first video view per video) are processed. 

The following information is stored in the Local Storage:

The data collected in this context may be transferred to Wistia, Inc. in the US. Wistia, Inc. has undergone the certification procedure according to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework and can therefore rely on the adequacy decision of the EU Commission and the UK-US Data Bridge (Art. 45 UK GDPR) for the US. 

Further information can be found in Wistia’s privacy policy.

5. Online Presences in Social Networks

We maintain an online presence on social networks in order to communicate with customers and interested parties and to provide information about our services. User data is generally processed by the relevant social networks for market research and advertising purposes. This allows the creation of user profiles based on the interests of users. Cookies and other identifiers are stored on the devices of the data subjects for this purpose. Based on these user profiles, adverts are placed, for example within the social networks as well as on third-party websites.

For our online presences we may have access to information such as statistics on the use of such online presences provided by the social networks. These statistics are aggregated and may contain demographic information (e.g. age, gender, region), data on the interaction with our online presence (e.g. likes) and the posts and content distributed. Statistics may also provide information about the interests of users and which content and topics are particularly relevant to them. This information can be used to adapt the design, and optimise our activities and content for our audience. Please refer to the list below for details and links to the social network data that we can access as the operator of the online presence. The collection and use of these statistics are generally subject to joint responsibility.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f UK GDPR, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 sentence 1 lit. b UK GDPR, in order to stay in contact with and inform our customers, and to take pre-contractual steps with interested parties. 

If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This can be done via direct messages or posted contributions. Communication via the social network is subject to the responsibility of the social network as a messenger and platform service. Content-related communication via the social network and the processing of content data is the responsibility of the social network as a messenger and platform service. As soon as we transfer personal data from you to our own systems or process it further, we are independently responsible for the data processing and this is done to perform pre-contractual activities or to fulfil a contract in accordance with Art. 6 Para. 1 lit. b UK GDPR.

The legal basis for the data processing carried out by the social networks can be found in the data protection information of the respective social network. The links below will also provide you with further information on the respective data processing and the options to object. 

We would like to point out that data protection requests can be made most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. If you contact us with your request, we will forward your enquiry to the provider of the social network.

Below is a list with information on the social networks where we have an online presence:

6. Disclosure of Data

The data collected by us will only be passed on if:

Data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include, in particular, photo labs, data centres that host our website and store our databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may only use the data to fulfil their specific tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.

In addition, data may be passed on in connection with official enquiries, court orders and legal proceedings, if necessary.

7. Data Transfer to Third Countries

As previously disclosed in this privacy policy, we use services whose providers may be located or process personal data in so-called third countries (outside the European Union, the European Economic Area and the UK), i.e. countries whose level of data protection does not correspond to that of the European Union, the European Economic Area and the UK. If this is the case and the European Commission and the UK Government have not issued an adequacy decision for these countries (Art. 45 UK GDPR), we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include the standard contractual clauses of the European Union and the International Data Transfer Addendum (to the European Commission’s Standard Contractual Clauses for International Data Transfers) or binding internal data protection regulations.

Where this is not possible, we base the transfer of data on exceptions under Art. 49 UK GDPR, in particular your express consent or the necessity of the transfer for the fulfilment of a contract or for the implementation of pre-contractual measures.

If a transfer to a third country is planned and no adequacy decision or suitable guarantees exist, there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. We will provide you with specific information, when requesting your consent via the consent banner.

8. Storage Period

In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we still need to retain the data as evidence for civil law claims (until the statutory limitation period expires) or due to statutory retention obligations.

In accordance with the statutory limitation period, claims expire at the earliest three years from the end of the year in which the business relationship with you ends. For evidence purposes, we must retain contract data for that long. 

Thereafter, we still have to store some of your personal data for accounting reasons. We are obliged to comply with statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods specified for the retention of documents are between two to ten years.

9. Your Data Subject Rights

You have the following data subject rights: 

To assert your rights described here, you can contact us at any time using the contact details above. This also applies if you wish to receive copies of guarantees to demonstrate an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.

Your requests for the assertion of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, beyond this period if there is a reason to assert, exercise or defend legal claims. The legal basis is Art. 6 para. 1 sentence 1 lit. f UK GDPR, based on our interest to defend ourselves against any civil law claims pursuant to Art. 82 UK GDPR, the avoidance of fines pursuant to Art. 83 UK GDPR and the fulfilment of our accountability obligation pursuant to Art. 5 para. 2 UK GDPR.

You have the right to revoke your consent at any time. As a result, we will no longer process your data based on this consent. The revocation of consent does not affect the lawfulness of processing your data before the revocation of your consent.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it concerns an objection to data processing for direct marketing purposes, you have a general right to object and we will comply with your wishes. You do not need to give any reasons.

If you would like to exercise your right of cancellation or objection, simply send an informal message to the contact details above.

Finally, you have the right to lodge a complaint with a data protection supervisory authority. You can assert this right, for example, with a supervisory authority in the state of your place of residence, your place of work or the place of the alleged infringement. The competent supervisory authority in the UK is: 

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.

10. Changes to the Privacy Policy

We occasionally update this privacy policy, for example when we customise our website or when legal or regulatory requirements change.

Updated: November 2024