Table of Contents
- Controller
- Applicable Legal Bases
- Overview of Processing Activities
- Security Measures
- Transmission of Personal Data
- International Data Transfers
- Deletion of Data
- Rights of Data Subjects
- Use of Cookies
- Business Services
- Providers and Services Used in the Course of Business Activities
- Provision of the Online Service and Web Hosting
- Blogs and Publication Media
- Contact and Inquiry Management
- Communication via Messenger
- Video Conferences, Online Meetings, Webinars and Screen Sharing
- Cloud Services
- Newsletters and Electronic Notifications
- Advertising Communication via Email, Post, Fax or Telephone
- Surveys and Questionnaires
- Web Analytics, Monitoring and Optimization
- Online Marketing
- Customer Reviews and Rating Procedures
- Presence on Social Networks (Social Media)
- Plugins and Embedded Functions and Content
- Changes and Updates to this Privacy Policy
Controller
metodic GmbH
Gießerallee 19
47877 Willich
Germany
Authorized representatives: Dirk Busse, Marcus Schmidt
Email address: datenschutz@metodic.de
Imprint: metodic.de/en/imprint
Applicable Legal Bases
The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Where more specific legal bases are applicable in individual cases, we will inform you of these in this privacy policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
National Data Protection Regulations in Germany
In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, the processing for other purposes, and the transmission as well as automated individual decision-making, including profiling. Furthermore, state data protection laws of the individual German federal states may apply.
Note on the applicability of the GDPR and the Swiss DPA
These privacy notices serve to provide information pursuant to both the Swiss Federal Act on Data Protection (Swiss DPA) and the General Data Protection Regulation (GDPR). For this reason, we use the terminology of the GDPR for broader applicability and clarity. The legal meaning of the terms under the Swiss DPA continues to be determined in accordance with that law.
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of Data Processed
- Master data (inventory data)
- Payment data
- Contact data
- Content data
- Contract data
- Usage data
- Meta, communication and process data
- Applicant data
- Event data (Facebook)
Special Categories of Data
- Health data
- Data concerning sex life or sexual orientation
- Religious or philosophical beliefs
- Data revealing racial or ethnic origin
Categories of Data Subjects
- Customers
- Employees
- Prospective customers
- Communication partners
- Users
- Applicants
- Business and contractual partners
- Pupils / Students / Participants
- Persons depicted in images or recordings
Purposes of Processing
- Provision of contractual services and customer support
- Contact requests and communication
- Security measures
- Direct marketing
- Reach measurement
- Tracking
- Office and organizational procedures
- Remarketing
- Conversion measurement
- Target group formation
- Management and response to inquiries
- Feedback
- Marketing
- Profiles with user-related information
- Provision of our online service and user experience
- Information technology infrastructure
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
Such measures include in particular securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access to, input of, and disclosure of the data, safeguarding its availability, and keeping it separated. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data threats.
Truncation of IP addresses: Where IP addresses are processed by us or by the service providers and technologies we use, and where the processing of a full IP address is not necessary, the IP address is truncated (also known as "IP masking").
TLS encryption (https): To protect the data you transmit via our online service, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in the address bar of your browser.
Transmission of Personal Data
In the course of processing personal data, data may be transmitted to or disclosed to other parties, companies, legally independent organizational units or persons. Recipients of such data may include, for example, service providers tasked with IT-related duties, or providers of services and content that are embedded in a website. In such cases, we observe the legal requirements and in particular conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.
International Data Transfers
Where we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs as part of using third-party services or disclosing or transferring data to other persons, entities, or companies, this is done only in accordance with legal requirements.
Subject to express consent or contractually or legally required transfer, we process or have data processed in third countries only where an adequate level of data protection is recognized, contractual obligations are established through so-called standard contractual clauses of the EU Commission, or where certifications or binding internal data protection rules exist (Art. 44 to 49 GDPR).
Deletion of Data
The data processed by us is deleted in accordance with legal requirements as soon as the consent granted for processing is revoked or other permissions cease to apply (e.g., when the purpose for processing such data no longer exists or the data is no longer required for that purpose). Where data is not deleted because it is required for other and legally permissible purposes, its processing is restricted to those purposes.
Rights of Data Subjects
As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR.
- Right to withdraw consent: You have the right to withdraw consent given at any time.
- Right of access: You have the right to request confirmation of whether relevant data is being processed and to obtain access to such data as well as further information and a copy of the data in accordance with legal requirements.
- Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
- Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased immediately, or alternatively to request restriction of the processing of the data.
- Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with legal requirements.
- Right to lodge a complaint with a supervisory authority: You also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the member state of your habitual residence, place of work, or place of the alleged infringement.
Competent supervisory authority: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf, Germany.
Use of Cookies
Cookies are small text files, or other storage markers, that store information on end devices and read information from those end devices. They are used, for example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used in an online service. Cookies may also be used for various purposes, such as the functionality, security, and comfort of online services, as well as the creation of analyses of visitor flows.
Storage duration: In terms of storage duration, the following types of cookies are distinguished:
- Temporary cookies (session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed their end device.
- Permanent cookies: Permanent cookies remain stored even after the end device is closed. The storage duration can be up to two years.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Users can restrict the use of cookies in their browser settings. Objection to the use of cookies for online marketing purposes can be declared at optout.aboutads.info and youronlinechoices.com.
Business Services
We process data of our contractual and business partners, e.g., customers and prospective customers (collectively referred to as "contractual partners") in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually), e.g., to respond to inquiries.
We process this data to fulfill our contractual obligations. These include in particular the obligations to provide the agreed services, any update obligations, and remedies in the case of warranty defects and other service disruptions.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after 4 years. The statutory retention period for documents relevant for tax purposes and for commercial books is ten years, and for received commercial and business letters six years.
Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Compliance with a legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Providers and Services Used in the Course of Business Activities
In the course of our business activities, we use additional services, platforms, interfaces, or plug-ins from third parties in compliance with legal requirements. Their use is based on our interests in a proper, lawful, and economically efficient management of our business operations.
DATEV: Software for accounting, communication with tax advisors and authorities, and document storage; Service provider: DATEV eG, Paumgartnerstr. 6–14, 90429 Nürnberg, Germany; Website: datev.de; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Provision of the Online Service and Web Hosting
We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
Webflow: Creation, management, and hosting of websites; Service provider: Webflow, Inc., 208 Utah, Suite 210, San Francisco, CA 94103, USA; Website: webflow.com; Privacy policy: webflow.com/legal/eu-privacy-policy; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Blogs and Publication Media
We use blogs or comparable means of online communication and publication. Readers' data is processed for the purposes of the publication medium only to the extent necessary for its presentation and for communication between authors and readers, or for security reasons.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Contact and Inquiry Management
When contacting us (e.g., by post, contact form, email, telephone, or via social media) and in the context of existing user and business relationships, the information provided by the inquiring persons is processed to the extent necessary to respond to contact inquiries and any requested measures.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Communication via Messenger
We use messaging services for communication purposes. Where a messaging service encrypts content end-to-end, the content of messages cannot be viewed, not even by the messenger service providers themselves.
Services used: Instagram (Meta Platforms Ireland Limited), Microsoft Teams (Microsoft Ireland Operations Limited), Slack (Slack Technologies, Inc.), WhatsApp (WhatsApp Ireland Limited).
Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Video Conferences, Online Meetings, Webinars and Screen Sharing
We use platforms and applications from third-party providers for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings. As part of participation in a conference, the conference platforms process personal data of participants, including first and last name, email address, IP address, and information about the end devices used.
Microsoft Teams: Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland; Privacy policy: privacy.microsoft.com.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Cloud Services
We use software services accessible over the Internet (so-called "cloud services") for the storage and management of content. In this context, personal data may be processed and stored on the providers' servers.
Microsoft Cloud Services: Service provider: Microsoft Ireland Operations Limited, Dublin, Ireland; Privacy policy: privacy.microsoft.com; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Newsletters and Electronic Notifications
We send newsletters, emails, and other electronic notifications only with the consent of the recipients or with a legal authorization. Registration for our newsletter is generally carried out using a so-called double opt-in procedure.
Brevo: Email marketing platform; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Website: brevo.com; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Advertising Communication via Email, Post, Fax or Telephone
We process personal data for the purposes of advertising communication, which may be carried out via various channels, such as email, telephone, post, or fax, in accordance with legal requirements. Recipients have the right to withdraw consent given at any time or to object to advertising communication at any time.
Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Surveys and Questionnaires
We conduct surveys and questionnaires to gather information for the respective communicated survey or questionnaire purpose. The surveys and questionnaires we conduct are evaluated anonymously.
Typeform: Creation of forms and surveys; Service provider: TYPEFORM SL, Carrer Bac de Roda 163, 08018 Barcelona, Spain; Website: typeform.com; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Web Analytics, Monitoring and Optimization
Web analytics (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online service and may include behavior, interests, or demographic information about visitors as pseudonymous values. Users' IP addresses are also stored. We use an IP masking procedure to protect users.
Services used: Google Analytics in consent mode and Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland); Privacy policy: policies.google.com/privacy.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Online Marketing
We process personal data for the purposes of online marketing, which may include in particular the marketing of advertising space or the presentation of advertising and other content (collectively referred to as "content") based on potential interests of users and the measurement of their effectiveness.
Services used: Facebook Pixel and custom audiences (Meta Platforms Ireland Limited), Google Ads and conversion measurement, Google Ads Remarketing, Instagram ads, LinkedIn Insight Tag.
Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Customer Reviews and Rating Procedures
We participate in review and rating procedures to evaluate, optimize, and promote our services. To ensure that the reviewing persons have actually used our services, we transmit, with the consent of the customers, the data required for this purpose to the respective rating platform.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Presence on Social Networks (Social Media)
We maintain online presences within social networks and process users' data in this context in order to communicate with users active there or to offer information about us.
We note that users' data may be processed outside the area of the European Union. For a detailed description of the respective processing forms and the possibilities of objection, we refer to the privacy policies of the operators of the respective networks.
Networks used: Instagram, Facebook, LinkedIn, TikTok, Twitter / X, YouTube, Xing.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Plugins and Embedded Functions and Content
We embed functional and content elements into our online service that are retrieved from the servers of their respective providers. The embedding always requires that the third-party providers of this content process the IP address of users, as without the IP address they would be unable to send content to their browser.
Google Fonts: Retrieval of fonts for the purpose of a technically secure, maintenance-free, and efficient use of fonts; Service provider: Google Ireland Limited, Dublin 4, Ireland; Privacy policy: policies.google.com/privacy; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Changes and Updates to this Privacy Policy
We ask that you regularly review the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing activities we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g., consent) or other individual notification.