Privacy policy

Outline

• Preamble
• Person in charge
• Overview of processing
• Relevant legal bases
• Safety measures
• Transfer of personal data
• International data transfers
• General information on data storage and deletion
• Rights of data subjects
• Provision of the online offer and web hosting
• Use of cookies
• Contact and request management
• Modification and updating
• Definitions

1. Preamble

With the following privacy policy, we would like to inform you about the types of your personal
data (hereinafter also referred to as "data") we process, for what purposes and to what extent.
The Privacy Policy applies to all processing of personal data carried out by us, both in the context
of the provision of our services and in particular on our websites, in mobile applications and within
external online presences, such as our social media profiles (hereinafter collectively referred to as
the "Online Offer").
The terms used are not gender-specific.

2. Controller

We have appointed a data protection officer for our company.

Herold Unternehmensberatung GmbH

Mr. Philipp Herold
Hafenstraße 1a
23568 Lübeck
E-Mail: datenschutz@hub24.de

www.hub24.de

Hosting services by a third-party provider

As part of processing on our behalf, a third-party service provider provides us with the services for
hosting and displaying the website. This serves to safeguard our legitimate interests, which
outweigh the legitimate interests in a correct presentation of our offer in the context of a
balancing of interests. All data collected in the context of the use of this website or in the forms
provided for this purpose in the online shop, as described below, are processed on its servers.
Processing on other servers only takes place within the scope explained here.

This service provider is located within a country of the European Union or the European Economic
Area.

3. Overview of processing

The following overview summarises the types of data processed and the purposes of their
processing, and refers to the data subjects.
Types of data processed

• Inventory data.
• Contact details.
• Content Data.
• Usage.
• Meta, communication and procedural data.
• Log.

Categories of data subjects

• Communication.
• User.

Purposes of processing

• Communication.
• Security Measures.
• Organisational and administrative procedures.
• Feedback.
• Provision of our online offer and user-friendliness.
• Information technology infrastructure.

4. Relevant legal bases

Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of
the GDPR on the basis of which we process personal data. Please note that in addition to the
regulations of the GDPR, national data protection regulations may apply in your or our country of
residence or domicile. Furthermore, if more specific legal bases are relevant in individual cases, we
will inform you of these in the privacy policy.

•
 • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given his or her
consent to the processing of personal data concerning him or her for a specific purpose or
purposes.
• Performance of a contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b)
GDPR) - Processing is necessary for the performance of a contract to which the data
subject is a party or to take steps at the request of the data subject prior to entering into a
contract.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - the processing is necessary for
the purposes of the legitimate interests pursued by the controller or by a third party,
provided that the interests, fundamental rights and freedoms of the data subject which
require the protection of personal data are not overridden.

National data protection regulations in Germany: In addition to the data protection regulations of
the GDPR, national regulations on data protection apply in Germany. These include, in particular,
the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection
Act – BDSG). In particular, the BDSG contains special provisions on the right to information, the
right to erasure, the right to object, the processing of special categories of personal data,
processing for other purposes and transmission as well as automated decision-making in individual
cases, including profiling. In addition, state data protection laws of the individual federal states can
be applied.

5. Security measures

In accordance with the legal requirements, we take appropriate technical and organisational
measures to ensure a level of protection appropriate to the risk, taking into account the state of
the art, the implementation costs and the type, scope, circumstances and purposes of the
processing, as well as the different probabilities of occurrence and the extent of the threat to the
rights and freedoms of natural persons.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of
data by controlling physical and electronic access to the data, as well as access, input, disclosure,
availability and separation. We have also put in place procedures to ensure that the rights of data
subjects are exercised, that data is deleted and that data is endangered. Furthermore, we take the
protection of personal data into account as early as the development or selection of hardware,
software and processes in accordance with the principle of data protection, through technical
design and through data protection-friendly default settings.

Securing online connections with TLS/SSL encryption technology (HTTPS): In order to protect
users' data transmitted via our online services from unauthorized access, we rely on TLS/SSL
encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the
cornerstones of secure data transmission on the Internet. These technologies encrypt the
information transmitted between the website or app and the user's browser (or between two
servers), which protects the data from unauthorized access. TLS, as the evolved and more secure
version of SSL, ensures that all data transfers meet the highest security standards. If a website is
secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as
an indicator for users that their data is being transmitted securely and encrypted.

6. Transfer of personal data

As part of our processing of personal data, it may be transmitted to or disclosed to other bodies,
companies, legally independent organisational units or persons. The recipients of this data may
include, for example, service providers commissioned with IT tasks or providers of services and
content that are integrated into a website. In such cases, we observe the legal requirements and,
in particular, conclude appropriate contracts or agreements with the recipients of your data that
serve to protect your data.

7. International Data Transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European
Union (EU), the European Economic Area (EEA)) or if the processing takes place in the context of
the use of third-party services or the disclosure or transfer of data to other persons, bodies or
companies, this will only take place in accordance with the legal requirements. If the level of data
protection in the third country has been recognised by means of an adequacy decision (Art. 45
GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if
the level of data protection is otherwise ensured, in particular by means of standard contractual
clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent or in the case of contractual or legally
required transfer (Art. 49 para. 1 GDPR). In addition, we will provide you with the basis of the
third-country transfer for the individual providers from the third country, with the adequacy
decisions taking precedence as the basis. Information on third-country transfers and existing
adequacy decisions can be found in the EU Commission's information
service: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-
protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called "Data Privacy Framework"
(DPF), the EU Commission has also recognized the level of data protection as secure for certain
companies from the United States as part of the adequacy decision of 10.07.2023. The list of
certified companies as well as further information about the DPF can be found on the website of
the Ministry of Commerce of the United States at https://www.dataprivacyframework.gov/. As
part of the data protection notice, we will inform you which service providers we use are certified
under the Data Privacy Framework.

8. General information on data storage and deletion

We delete personal data that we process in accordance with the law, as soon as the underlying
consents are withdrawn or there are no other legal grounds for the processing. This applies to
cases in which the original purpose of processing no longer applies or the data is no longer
needed. Exceptions to this regulation exist if legal obligations or special interests require longer
storage or archiving of the data.

In particular, data that must be retained for commercial or tax reasons, or the storage of which is
necessary for legal prosecution or to protect the rights of other natural or legal persons, must be
archived accordingly.
Our Privacy Notice contains additional information on the retention and deletion of data that
applies specifically to certain processing operations.

If there is more information about the retention period or deletion periods of a date, the longest
period is always decisive.

If a time limit does not expressly begin on a specific date and is at least one year, it shall
automatically start at the end of the calendar year in which the event triggering the time limit
occurred. In the case of ongoing contractual relationships in the context of which data is stored,
the event triggering the deadline is the time when the termination or other termination of the
legal relationship takes effect.

We process data that is no longer stored for the originally intended purpose, but due to legal
requirements or other reasons, exclusively for the reasons that justify its storage.

Further information on processing processes, procedures and services:

• Retention and deletion of data: The following general deadlines apply to retention and
archiving under German law:
o 10 years - retention period for books and records, annual financial statements,
inventories, management reports, opening balance sheet as well as the work
instructions and other organisational documents, accounting documents and
invoices required for their understanding (sec. 147 para. 3 in conjunction with para.
1 nos. 1, 4 and 4a AO, sec. 14b para. 1 UStG, sec. 257 para. 1 nos. 1 and 4, para. 4
HGB).
o 6 years - Other business documents: received commercial or business letters,
reproductions of the commercial or business letters sent, other documents insofar
as they are relevant for taxation, e.g. hourly wage slips, company accounting
sheets, calculation documents, price labelling, but also payroll documents, insofar
as they are not already accounting documents and cash strips (§ 147 para. 3 in
conjunction with para. 1 nos. 2, 3, 5 AO, § 257 para. 1 nos. 2 and 3, para. 4 HGB).
 o 3 years - Data necessary to consider potential warranty and indemnity claims or
similar contractual claims and rights, as well as to process related requests, based
on previous business experience and common industry practices, will be retained
for the duration of the regular statutory limitation period of three years (§§ 195,
199 BGB).

9. Rights of data subjects

Rights of data subjects under the GDPR: As data subjects, you have various rights under the GDPR,
which result in particular from Art. 15 to 21 GDPR:

• Right to object: You have the right to object at any time, for reasons arising from your
particular situation, to the processing of personal data concerning you that is carried out
on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies to profiling based on these
provisions. If the personal data concerning you is processed for the purpose of direct
marketing, you have the right to object at any time to the processing of the personal data
concerning you for the purpose of such marketing; this also applies to profiling, insofar as it
is related to such direct advertising.
• Right of revocation in the case of consent: You have the right to revoke any consent you
have given at any time.
• Right: You have the right to request confirmation as to whether the data in question is
being processed and to obtain information about this data, as well as further information
and a copy of the data in accordance with the legal requirements.
• Right to rectification: In accordance with the legal requirements, you have the right to
request the completion of the data concerning you or the correction of the incorrect data
concerning you.
• Right to erasure and restriction of processing: In accordance with the legal requirements,
you have the right to demand that data concerning you be deleted immediately, or
alternatively to demand a restriction of the processing of the data in accordance with the
legal requirements.
 • Right to data portability: You have the right to receive data concerning you that you have
provided to us in a structured, commonly used and machine-readable format in
accordance with the legal requirements or to request its transmission to another
controller.

• Complaint to supervisory authority: In accordance with the law, and without prejudice to
any other administrative or judicial remedy, you also have the right to lodge a complaint
with a data protection supervisory authority, in particular a supervisory authority in the
Member State in which you habitually reside, the supervisory authority of your place of
work or the place of the alleged infringement, if you believe that the processing of the data
relating to your person personal data violates the GDPR.

10. Bereitstellung des Onlineangebots und Webhosting

We process users' data in order to be able to provide them with our online services. For this
purpose, we process the user's IP address, which is necessary to transmit the content and
functions of our online services to the user's browser or device.

• Types of data processed: Usage Data (e.g., page views and dwell time, click paths, usage
intensity and frequency, types of devices and operating systems used, interactions with
content and features); Metalogical, communication and procedural data (e.g. IP addresses,
times, identification numbers, persons involved). Log data (e.g. log files regarding logins or
the retrieval of data or access times.).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness; Information
technology infrastructure (operation and provision of information systems and technical
devices (computers, servers, etc.)). Security Measures.
• Retention and deletion: Deletion as indicated in the section "General information on data
storage and deletion".
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing processes, procedures and services:

• Provision of online offer on rented storage space: For the provision of our online offer, we
use storage space, computing capacity and software that we rent or otherwise obtain from
a corresponding server provider (also called "web host"); Legal bases: Legitimate interests
(Art. 6 para. 1 sentence 1 lit. f) GDPR).
• Collection of access data and log files: Access to our online offer is logged in the form of
so-called "server log files". The server log files can include the address and name of the
websites and files accessed, date and time of access, data volumes transferred, notification
of successful access, browser type and version, the user's operating system, referrer URL
(the previously visited page) and, as a rule, IP addresses and the requesting provider. The
server log files can be used for security purposes, e.g. to avoid overloading the servers
(especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the load
on the servers and their stability; Legal bases: Legitimate interests (Art. 6 para. 1 sentence
1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum period of 30
days and then deleted or anonymized. Data whose further retention is necessary for
evidentiary purposes is exempt from deletion until the respective incident has been finally
clarified.

11. Use of cookies

Cookies are small text files or other memory notes that store information on end devices and read
them out of them. For example, to store the log-in status in a user account, the contents of a
shopping cart in an e-shop, the content accessed, or the functions used in an online offer. Cookies
can also be used for various purposes, such as the functionality, security and convenience of
online offers and the creation of analyses of visitor flows.

Notes on consent: We use cookies in accordance with the legal regulations. Therefore, we obtain
prior consent from users, unless it is not required by law. In particular, permission is not necessary
if the storage and reading of information, including cookies, is absolutely necessary in order to
provide users with a telemedia service (i.e. our online offer) that they expressly request. The
revocable consent will be clearly communicated to you and will contain the information on the
respective use of cookies.

Information on data protection legal bases: The data protection basis on which we process users'
personal data using cookies depends on whether we ask them for consent. If the users accept, the
legal basis for the use of their data is the declared consent. Otherwise, the data used with the help
of cookies will be processed on the basis of our legitimate interests (e.g. in the business operation
of our online offer and the improvement of its usability) or, if this is done in the context of the
fulfilment of our contractual obligations, if the use of cookies is necessary to fulfil our contractual
obligations. We will explain the purposes for which we use cookies in the course of this privacy
policy or as part of our consent and processing processes.

Storage period: With regard to the storage period, the following types of cookies are
distinguished:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at
the latest after a user has left an online offer and closed their device (e.g. browser or
mobile application).
• Persistent cookies: Persistent cookies remain stored even after the device is closed. For
example, the log-in status can be saved and preferred content can be displayed directly
when the user visits a website again. The user data collected with the help of cookies can
also be used to measure reach. Unless we provide users with explicit information about the
type and storage period of cookies (e.g. as part of obtaining consent), they should assume
that they are permanent and that they can be stored for up to two years.

General information on revocation and objection (opt-out): Users can revoke the consent they
have given at any time and also declare an objection to the processing in accordance with the legal
requirements, also by means of the privacy settings of their browser.

• Types of data processed: Metalogical, communication and procedural data (e.g. IP

addresses, times, identification numbers, persons involved).
 • Data subjects: Users (e.g., website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). consent (Art. 6
para. 1 sentence 1 lit. a) GDPR).

Further information on processing processes, procedures and services:

• Processing of cookie data on the basis of consent: We use a consent management

solution that obtains users' consent to the use of cookies or to the procedures and
providers specified in the consent management solution. This procedure serves to obtain,
record, manage and revoke consent, in particular with regard to the use of cookies and
similar technologies used to store, read and process information on users' end devices. As
part of this process, users' consents are obtained for the use of cookies and the related
processing of information, including the specific processing and providers mentioned in the
consent management procedure. Users also have the option of managing and withdrawing
their consents. The declarations of consent are stored in order to avoid a new query and to
be able to provide proof of consent in accordance with the legal requirements. The storage
takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of
comparable technologies in order to be able to assign the consent to a specific user or his
device. Unless specific information is available on the providers of consent management
services, the following general information applies: The duration of the storage of consent
is up to two years. This involves the creation of a pseudonymous user identifier that is
stored together with the time of consent, information on the scope of consent (e.g.
relevant categories of cookies and/or service providers), as well as information about the
browser, the system and the device used; Legal bases: consent (Art. 6 para. 1 sentence 1
lit. a) GDPR).

12. Contact and Request Management

• When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) as
well as in the context of existing user and business relationships, the information of the
enquiring persons will be processed insofar as this is necessary to answer the contact
 requests and any requested measures.

• Types of data processed: Inventory data (e.g., full name, home address, contact
information, customer number, etc.); Contact details (e.g. postal and email addresses or
telephone numbers); Content data (e.g., textual or pictorial news and posts, and
information about them, such as authorship or time of creation); Usage data (e.g., page
views and dwell time, click paths, usage intensity and frequency, device types and
operating systems used, interactions with content and features). Metalogical,
communication and procedural data (e.g. IP addresses, times, identification numbers,
persons involved).
• Data subjects: Communication.
• Purposes of processing: Communication; organisational and administrative procedures;
Feedback (e.g. collecting feedback via online form). Provision of our online offer and user-
friendliness.
• Retention and deletion: Deletion as indicated in the section "General information on data
storage and deletion".
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Performance of a
contract and pre-contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing processes, procedures and services:

• Contact: If you contact us via our contact form, by e-mail or other means of
communication, we process the personal data transmitted to us in order to answer and
process the respective request. This usually includes details such as name, contact
information and, where applicable, other information that is shared with us and is
necessary for appropriate processing. We use this data exclusively for the stated purpose
of contacting and communicating; Legal bases: Performance of a contract and pre-
contractual enquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6
para. 1 sentence 1 lit. f) GDPR).
13. Modification and updating

• We ask you to regularly inform yourself about the content of our privacy policy. We will
adapt the privacy policy as soon as the changes in the data processing we carry out make it
necessary. We will inform you as soon as the changes require you to cooperate (e.g.
consent) or other individual notification.
• If we provide addresses and contact information of companies and organizations in this
privacy policy, please note that the addresses may change over time and please check the
information before contacting us.

14. Definition of terms

• This section provides an overview of the terminology used in this Privacy Policy. Insofar as
the terms are defined by law, their legal definitions shall apply. The following explanations,
on the other hand, are primarily intended to serve understanding.

• Inventory data: Inventory data includes essential information necessary for the
identification and management of contractors, user accounts, profiles, and similar
assignments. This information may include, but is not limited to, personal and demographic
information such as names, contact information (addresses, phone numbers, email
addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis
for any formal interaction between people and services, facilities, or systems by enabling
unambiguous mapping and communication.
• Content data: Content data includes information generated in the course of creating,
editing, and publishing content of all kinds. This category of data may include text, images,
videos, audio files, and other multimedia content published on various platforms and
media. Content data is not limited to the actual content, but also includes metadata that
provides information about the content itself, such as tags, descriptions, author
information, and publication dates.
• Contact details: Contact details are essential information that enables communication with
individuals or organizations. They include, but are not limited to, telephone numbers,
postal addresses and email addresses, as well as means of communication such as social
media handles and instant messaging identifiers.
• Meta-, communication and procedural data: Meta, communication, and procedural data
are categories that contain information about the way in which data is processed,
transmitted, and managed. Metadata, also known as data about data, includes information
that describes the context, origin, and structure of other data. They can include
information about the file size, the date it was created, the author of a document, and the
change histories. Communication data captures the exchange of information between
users through various channels, such as email traffic, call logs, social media messages, and
chat histories, including the people involved, time stamps, and transmission routes.
Procedural data describes the processes and procedures within systems or organizations,
including workflow documentation, logs of transactions and activities, and audit logs used
to track and review operations.
• Usage: Usage Data refers to information that captures how users interact with digital
products, services, or platforms. This data includes a wide range of information that reveals
how users use applications, what features they prefer, how long they spend on certain
pages, and what paths they use to navigate through an application. Usage Data may also
include frequency of use, timestamps of activity, IP addresses, device information, and
location data. They are especially valuable for analyzing user behavior, optimizing user
experiences, personalizing content, and improving products or services. In addition, usage
data plays a crucial role in identifying trends, preferences and possible problem areas
within digital offerings
• Personal data: "Personal data" means any information relating to an identified or
identifiable natural person (hereinafter "data subject"); an identifiable natural person is
one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier (e.g. a cookie)
or to one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.
 • Log: Log data is information about events or activities that have been logged on a system
or network. This data typically includes information such as timestamps, IP addresses, user
actions, error messages, and other details about the use or operation of a system. Log data
is often used to analyze system issues, monitor security, or generate performance reports.
• Person in charge: "Controller" means the natural or legal person, public authority, agency
or other body which, alone or jointly with others, determines the purposes and means of
the processing of personal data.
• Processing: "Processing" means any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by automated means. The term
is far-reaching and encompasses practically any handling of data, be it collection,
evaluation, storage, transmission or deletion.

As of: 4 June 2024

Technically necessary cookies

Technically necessary cookies are all cookies that are necessary for the operation of the
website and its functions.

Name Description Validity

Of course 365 days

Saves the selection made in the privacy settings.
Fe_typo_user Session
Maintains the user's states on all page requests.