Privacy Policy
1. Privacy Policy
1.1 General Information
We take the protection of your personal data very seriously and take extensive measures to protect your data from unauthorised access and misuse. We therefore treat your personal data confidentially and in accordance with the legal data protection regulations. Personal data within the meaning of Art. 4 No. 1 GDPR is any data that can be used to identify you personally. Personal data will only be processed in accordance with the relevant data protection regulations. In accordance with Art. 13 GDPR, we inform you in this data protection declaration about the purpose and the relevant legal basis of each data processing.
When you use this website or our services, various personal data is collected. In this privacy policy, we explain your rights to protect your personal data. We also explain how we collect your information and what we use it for.
Please note that data transmission over the Internet, for example when communicating by email, may be subject to potential security risks such as phishing or man-in-the-middle attacks. It is not technically possible to completely protect data from access by third parties. We therefore recommend that you take security precautions such as using encrypted email services or strong passwords.
1.2. Data Controller
The data controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses).
The data controller for the data processing on this website is:
TULA Capital GmbH
Rheinsberger Straße 42
10435 Berlin, Germany
If you have any questions about data protection and how to assert your rights, which are explained in detail in section 2 “Rights of the data subject”, please do not hesitate to contact us at any time:
Telephone: +49 30 49922481
E-mail: team@tulacap.com
1.3. Updating the privacy policy
We reserve the right to change this privacy policy at any time. Significant changes that affect your rights or the way we process your information will be communicated to you through our cookie consent tool or other appropriate means. If a change to the Privacy Policy requires your renewed consent or other cooperation, we will notify you in a timely manner, such as by posting a notice on our website or sending you an email. The current version of this Privacy Policy is always available on our website.
This policy was last updated on 19 August 2024.
1.4. Security measures
We take the necessary security measures in accordance with Art. 32 GDPR, which requires us to take technical and organisational measures to ensure an adequate level of protection for personal data.
This site uses SSL or TLS encryption for security purposes and to protect the transmission of confidential content. The data is encrypted during transmission using a complex mathematical key. The data cannot be decrypted by unauthorised parties. You can recognise an encrypted connection by the browser address bar changing from ‘http://’ to ‘https://’ and a lock icon appearing in the browser address bar. When SSL/TLS encryption is enabled, the information you send to us cannot be read by third parties. We use TLS 1.2 or higher to ensure that your information is protected during transmission. In addition to encryption during transmission, your information is also protected at rest on our servers using advanced encryption techniques such as AES-256. Access to this data is strictly controlled and only authorised persons can access it.
In addition to encryption, we use other security measures to protect your information. These include the use of firewalls, intrusion detection systems (IDS) and regular security audits of our systems.
1.5. Transfer of data to third parties
As part of the data processing, data may be transferred to third parties or third parties may otherwise be given access to such data. This is done in accordance with the legal provisions of Art. 6 (1) GDPR. The data transfer is based on Art. 6 (1) (a) (consent), (b) (performance of a contract) or (f) (legitimate interest) GDPR, depending on the specific circumstances of the data processing.
Data will only be transferred to trusted service providers who comply with strict data protection standards and who have contractually agreed to comply with these standards. Third parties to whom data may be transferred include IT service providers, payment service providers and marketing platforms. You can find more information in this privacy statement.
If third parties are commissioned to process data on the basis of a so-called data processing agreement, this is done on the basis of Art. 28 GDPR. Such a data processing contract regulates the scope, nature and purpose of access to and processing of personal data. Data processing then only takes place to the extent that it is actually necessary to fulfil the contractor’s performance obligations, and our instructions regarding this data are followed. Examples of such processors are our IT service providers who help us host our website. These contracts are regularly reviewed and updated to ensure that all data protection requirements are met.
1.6. Deletion of data
Where no retention period is specified in this Privacy Policy, your personal data will be deleted immediately when the purpose for which it was processed no longer applies.
Your data will also be deleted if you make a justified request for deletion or if you revoke your consent to data processing, unless we have another legally permissible reason for storing your personal data (e.g. tax or commercial law retention periods, which can be up to 10 years). In the latter case, the data will be deleted as soon as these reasons cease to apply. If the data cannot be deleted for legal reasons, its processing will be restricted. Restricting processing means that your data will be stored but not processed further unless you have given your consent or it is required by law.
If you believe that your data has not been properly deleted, you have the right to lodge a complaint with the competent supervisory authority.
1.7. Information about data transfer to third countries
Our website and services include tools from companies located outside the EU, in particular the USA. We will indicate the use of such services at the appropriate places in this privacy statement. Although your data is primarily hosted on European servers, it may be transferred to servers in the US through the use of tools from US providers.
Please note that the USA is not a safe third country for the purposes of EU data protection law. However, in individual cases, the US may provide a level of data protection comparable to that in the EU/EEA in accordance with the EU-US Privacy Framework. To do so, the company in question must be certified accordingly. The purpose of the EU-US Privacy Framework is to ensure an adequate level of data protection when personal data is transferred between the EU and the US. Companies certified under this framework agree to comply with EU privacy standards. Even without certification under the EU-US Privacy Framework, tools can ensure an adequate level of data protection in individual cases by taking appropriate technical and organisational measures.
Please note that personal data transferred to the US may be viewed by US authorities without you, as the data subject, being able to take legal action. It cannot be ruled out that certain US authorities (e.g. intelligence services) may process, analyse and permanently store your data on US servers for surveillance purposes. We have no control over such processing.
2. Data subject rights
2.1 Right of access, rectification and deletion
In accordance with Art. 15 GDPR, you have the right, at any time and free of charge, to obtain information about your personal data stored by us, in particular the origin, the recipients and the purposes of the data processing. If you discover that this data is incorrect, you can request a correction in accordance with Art. 16 GDPR. In addition, pursuant to Art. 17 GDPR, you have the right to request the deletion of your data if it is no longer needed or if you have withdrawn your consent.
2.2 Right to restrict processing
According to Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data. The restriction of processing may be useful, for example, if you dispute the accuracy of the data and we need to verify it.
If you have restricted the processing of your personal data, the data may only be processed – apart from its storage – with your consent or for the purpose of establishing, exercising or defending legal claims or for the purpose of protecting the rights of another natural or legal person or for reasons of an important public interest of the European Union or a Member State.
2.3 Right to data transfer
You have the right to have the data that we process automatically on the basis of your consent or in fulfilment of a contract transferred to you or to a third party in accordance with Art. 20 GDPR. If you request the data to be transferred directly to another controller, this will only be done if it is technically feasible.
2.4 Right of cancellation
Many data processing operations are only possible with your explicit consent. You may revoke your consent at any time with effect for the future pursuant to Art. 7 (3) GDPR. The lawfulness of the data processing carried out up to the time of revocation shall remain unaffected by the revocation.
2.5 Right to object
In accordance with Art. 21 GDPR, you have the right to object to the future processing of your data at any time. In particular, you may object to the processing of your data for direct marketing purposes.
2.6 Right to appeal to the competent supervisory authority
In the event of a breach of the GDPR, data subjects have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of their habitual residence, place of work or the place of the alleged breach, in accordance with Art. 77 GDPR. In Germany, for example, this is the data protection authority of your federal state.
The right of appeal is without prejudice to other administrative or judicial remedies.
3. External hosting
This website is hosted by an external service provider (host). The personal data collected on this website is stored on the host’s servers. This includes IP addresses, contact requests, meta and communication data, contract data, contact data, names, website access and other data generated via the website. This data is collected and stored to ensure the security and functionality of our website and to perform statistical analyses to help us optimise our offering.
The hosting services on which this website is based are provided by IONOS SE, Elgendorfer Straße 57, 56410 Montabaur, Germany (“IONOS”). IONOS offers Software-as-a-Service (SaaS) services in the context of cloud hosting.
As part of this, IONOS automatically collects and stores server log files containing information that your browser sends to us. This information includes:
- Operating system
- Referrer URL (previously visited site)
- Host name (IP address)
- Browser type
Our hosting provider is informed in accordance with Art. 6 (1) (f) GDPR, i.e. on the basis of our legitimate interest. With the help of IONOS, we can provide our products and services on our website securely and efficiently. IONOS uses extensive security measures such as firewalls and DDoS protection to protect your data from unauthorised access and attacks. The personal data collected does not allow any conclusions to be drawn about a specific person and is not merged with other data sources.
Server log data such as IP addresses and other connection information are deleted after a statistical analysis within 7 days at the latest, unless there is a legal obligation to retain the data or the data is required to clarify cases of misuse.
Further information can be found in the privacy policy of IONOS SE.
In addition, we have concluded a contract with IONOS SE for the processing of order data in accordance with Art. 28 GDPR. Such an agreement ensures that IONOS processes your personal data only on our behalf and in accordance with our instructions and complies with all data protection regulations.
4. Data collection on this website
Personal information is sometimes collected on this website. This is information that can be used to personally identify users. We collect different types of personal information on our website:
- Information provided directly by the user: This may include contact information that you provide to us through a form.
- Automatically collected technical information: This includes information such as your browser type, the operating system you are using and the time of your visit.
- Data from tracking and analysis tools: These are used to analyse user behaviour on our website and to improve our offering.
Tracking and analysis tools are only used with your consent, which you can withdraw at any time. You can adjust your cookie settings using our cookie consent tool. Users have the right to be informed about the data collected and how it is processed. If you have any questions, please do not hesitate to contact us.
4.1 Use of cookies
Our website uses cookies. Cookies are small text files that are stored on your computer and saved by your browser. Cookies do not allow a server to access private information from your computer or from another server. They do not damage your computer and do not contain viruses. Cookies are used to make our website more user-friendly, effective and secure. In addition to essential cookies, we also use functional cookies to support certain website functions, analytical cookies to help us better understand user behaviour, and advertising cookies to personalise content and advertising.
4.1.1. Technical cookies (“essential cookies”)
Technical cookies are necessary for us to display our website to you and to provide basic functionality. Most of the cookies we use are session cookies. These are automatically deleted after your visit. You can control the use of cookies through your browser. Please note that disabling cookies may limit the functionality of this website.
Technically necessary cookies are used on the basis of Art. 6 (1) (f) GDPR or on the basis of § 25 (2) No. 2 TDDDG. The processing takes place in order to provide our website. We therefore have a legitimate interest in storing cookies in order to provide our services in a technically faultless and optimised manner.
4.1.2 Non-essential cookies (“functional cookies”)
Non-essential cookies help us to better understand how our website is used so that we can optimise it and make it more user-friendly. This includes analysing visitor data and user experience.
Consent to the use of non-essential cookies in accordance with Art. 6 (1) (a) GDPR is given via our cookie consent tool, which is displayed to you when you first visit our website. You can change your preferences at any time using the same tool or through your browser preferences. You can withdraw your consent at any time with effect for the future.
Non-essential cookies will not be used without your consent. Please note that disabling cookies may limit the functionality of our website. Non-essential cookies will remain on your device until you delete them.
4.2. Cookie Management
4.2.1. Cookie consent tool
To enable you to control the use of cookies, a cookie consent tool (hereinafter referred to as the cookie banner) is integrated into our website. Our cookie banner helps you to control the use of cookies on our website. When you visit our website for the first time, you will see a pop-up window allowing you to manage your cookie settings.
In order to use the cookie banner, it is technically necessary to store a cookie. When you visit the site for the first time, the cookie banner will appear as a pop-up window. Here you can change any cookie settings that are not required. The cookie banner displays a list of cookies, including the purpose of the cookie function groups, the individual cookies and their storage duration.
After your first visit to the site, you can open the cookie banner by moving your cursor to the partially hidden white box at the bottom right of the screen and clicking on “Manage access”. The cookie banner will then appear.
The cookie banner stores a cookie in your browser on your device with your consent. We store your consent in accordance with legal requirements. In doing so, we collect personal information, including an anonymised IP address, a unique user ID, a timestamp of the user’s last consent decision, and the consents granted according to the selectable categories.
We do not associate a consent decision with a specific individual unless the user specifically requests that we do so. In order for us to be able to associate the consent you have given and to be able to provide you with information about the logs relating to you that have been made in accordance with the consent you have given, it is necessary for you to provide us with your User ID. This is stored locally in the browser you used to visit our website.
You can find out how to find your User ID here.
The data collected will be stored until you ask us to delete it, you delete the cookie yourself or the purpose for which the data was collected no longer applies. This does not affect any statutory retention obligations.
The cookie banner is used to obtain the legally required consent for the use of cookies. The legal basis is therefore Art. 6 (1) (c) GDPR.
4.2.2. Withdrawal options / Opt-out option
If you have consented to the use of cookies during your visit to our website, you can revoke this consent at any time.
To do this, simply click on the partially hidden box at the bottom right of the screen and select “Manage consent”, which will open the cookie banner. You can then deselect the relevant cookie category. You can also prevent cookies from being set by using browser plug-ins or, if necessary, by adjusting your browser settings. Please note that the functionality of this website may be restricted if you disable technical cookies.
4.2.3 Transfer of data to third countries
Our website sometimes uses tools that use cookies and may result in data being processed in non-EU/EEA countries, such as the USA. Please note that these third countries may not provide a level of data protection comparable to that in the EU. You can find more information about this in section 1.7. ‘Information about data transfers to third countries’. If you agree to the use of cookies, you also agree to the possible transfer and processing of data in third countries in accordance with Art. 49(1)(1)(a) GDPR.
4.3 Server Log Files
The website provider temporarily collects and stores information in so-called server log files, which your browser automatically transmits to us.
These are:
- Browser type and version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Time of the server request
- IP address
This data is not merged with other data sources.
This data is collected on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically correct presentation and optimisation of its website, for which the collection of server log files is essential.
Server log data is only stored temporarily. This means that the data is deleted as soon as the purpose for which it was collected has been fulfilled. The data is only collected for the duration of each session in order to provide the website. The data is stored in log files for a maximum of 7 days. It may be stored beyond this period. In this case, the IP addresses of the users are deleted or made anonymous so that it is no longer possible to identify the calling client.
5. Data management and storage
5.1 Airtable
We use the cloud-based database software Airtable. It is provided by Formagrid, Inc., 799 Market Street, San Francisco, California, 94103, USA.
We use Airtable to collect, store and process personal information, such as a user’s name and contact details, in order to collect and manage the customer data necessary for our brokerage services. Airtable enables us to automate and streamline many of our processes. We therefore have a legitimate interest in using Airtable in accordance with Art. 6 (1) (f) GDPR.
Airtable maintains comprehensive security measures, including strict access controls and data encryption, to protect your information. Data transmission is protected by 256-bit SSL/TLS encryption and storage at rest is protected by 256-bit AES encryption to protect your data. Airtable meets high compliance standards and holds certifications such as ISO/IEC 27001 and SOC 2 Type 2. Airtable performs regular backups of production data, which are stored in a separate, isolated location. These backups are also encrypted to ensure maximum data security.
For more information on Airtable’s security measures, please visit this link.
In addition, we have entered into an order data processing agreement with Formagrid, Inc. in accordance with Art. 28 GDPR. Data processing by Airtable will therefore only be carried out in accordance with our instructions. In addition, we have also concluded EU standard contractual clauses in accordance with Art. 46 (2) (c) GDPR to ensure an adequate level of data protection.
For more information, please see Airtable’s privacy policy.
5.2. GPT API
We use the GPT language model provided by OpenAI Inc. at 3180 18th St., San Francisco, CA 94110, USA. The GPT model allows us to streamline a variety of processes, such as automating requests, improving communication processes, and effectively processing information. This may involve the processing of personal data.
The processing is based on Art. 6 (1) (f) GDPR. By using the GPT language model, we can make our internal processes more efficient and thus provide potential investors with a sound decision-making basis. This includes, in particular, the precise generation of investor enquiries, the optimisation of internal communication and the processing and analysis of relevant information provided to us by startups. This information has been provided to us directly by the startups in advance. The data provided will not be stored or used to improve or train GPT models after processing.
OpenAI has implemented comprehensive security measures to protect personal data. These include encryption of data transmission, regular security checks and access controls. OpenAI ensures the protection of your data through a multi-layered security architecture, including regular internal audits. In addition, measures such as multi-factor authentication and access controls are in place to prevent unauthorised access. We therefore have a legitimate interest in the use of the GPT API.
To ensure that your data is processed in accordance with the requirements of the GDPR, we have entered into a data processing agreement with OpenAI. Users have the right to access, correct or request the deletion of their personal data. In addition, we have entered into the EU standard contractual clauses.
For more information, please see OpenAI’s privacy policy.
6. Communication and Marketing
6.1. Brevo
We use Brevo, a cloud-based marketing and communication platform. The provider of Brevo is Sendinblue GmbH, based at Köpenicker Strasse 126, 10179 Berlin, Germany. We use Brevo to send automated emails to our customers and to collect the information necessary to process the transaction.
In order to send you emails, we process your personal data, in particular your name and email address. Email contact is based on Art. 6 (1) (a) GDPR. You have given us your consent to do so in our form (‘Company Presentation’). You can withdraw your consent at any time.
Brevo stores this data on secure servers within the EU and the data is encrypted before being backed up. Brevo meets high security standards and is ISO 27001:2013 certified. In addition, Brevo meets the requirements of GDPR, CASL and CCPA and offers security measures such as multi-factor authentication and IP address whitelisting. Brevo protects your data through a multi-layered security architecture that includes regular internal security audits and the use of multi-factor authentication. In addition, your data is backed up on three geographically separate servers to ensure resilience.
Brevo only processes data in accordance with our instructions – we have ensured this by entering into a data processing agreement in accordance with Art. 28 GDPR. Users have the right to access, correct or request the deletion of their personal data. Brevo ensures that all requests are processed within the legal deadlines.
For more information, please refer to Brevo’s privacy policy.
6.2. MailChimp
We have integrated MailChimp into our website to manage our newsletter. The service provider is Intuit Inc., 2700 Coast Ave, Mountain View, CA 94043, USA.
We use MailChimp to manage our newsletter and to process your email address to send it to you. This is personal data.
Your personal data will be processed on the basis of Art. 6 (1) (a) GDPR. We will only send you our newsletter if you have given us your consent to do so. This is done through a two-step double opt-in process: First, you register by entering your email address. You will then receive a confirmation email which you must confirm in order to activate the newsletter. You can unsubscribe at any time by clicking on the ‘Unsubscribe’ link at the bottom of each email.
Mailchimp uses TLS encryption (1.2 or higher) to protect your data during transmission and offers additional security measures such as multi-factor authentication and regular security updates to prevent unauthorised access. For data transfers to countries outside the EU, Mailchimp offers GDPR-compliant data processing agreements and uses mechanisms such as standard contractual clauses to ensure an adequate level of data protection.
We have entered into a data processing agreement with Intuit Inc. in accordance with Art. 28 GDPR and have also agreed to the EU standard contractual clauses. In addition, we have obtained certification under the EU-US Privacy Framework, which ensures a level of data protection comparable to that in the EU.
For more information, please see MailChimp’s privacy policy.
6.3 Contacting us by email or phone
If you contact us by email or telephone, we will store and process your enquiry and any personal data arising from it in order to process your request. We will not share this information without your consent.
The processing is based on our legitimate interest in the effective processing of requests addressed to us in accordance with Art. 6 (1) (f) GDPR or on your consent in accordance with Art. 6 (1) (a) GDPR, where this has been requested. You may withdraw your consent at any time.
7. Collection of forms and documents
7.1. Jotform
We have integrated Jotform into our processes to request the necessary information. The provider is Jotform Inc. located at 4 Embarcadero Center, Suite 780, San Francisco, CA 94111, USA.
Jotform is a tool for creating and managing online forms that we may use to request the information necessary for our processes, including personal information such as name and contact details. Your information is processed on Jotform’s servers.
Jotform offers 256-bit SSL encryption for transmission and optional end-to-end encryption (E2EE) for data storage. These encrypted forms can only be decrypted by us with a unique key, ensuring a high level of security. Jotform is GDPR, HIPAA and SOC 2 compliant. The company offers special features to ensure that user data meets the highest security standards. This includes HIPAA compliant forms for the healthcare sector and GDPR compliant tools for European users. Jotform offers Data Processing Addendum (DPA) agreements to ensure that all data transfers and processing comply with applicable data protection regulations. These agreements support GDPR compliance and provide additional security guarantees.
Jotform collects and processes data on the basis of Art. 6 (1) (a) GDPR. By providing your personal data and ticking the appropriate box in the form, you consent to the processing of your data. You may withdraw your consent at any time.
Furthermore, we have entered into a contract with Jotform Inc. for order processing in accordance with Art. 28 GDPR. Data collection and processing by Jotform will only be carried out in accordance with our instructions. The transfer of data to the USA is covered by EU standard contractual clauses in accordance with Art. 46 (2) (c) GDPR.
In addition, Jotform Inc. is certified under the EU-US Privacy Framework, which ensures a level of data protection comparable to that in the EU.
For more information, please see Jotform’s privacy policy.
7.2. Plumsail
We use Plumsail to automatically generate compliant documents. The provider is Plumsail Inc. located at 2055 Limestone Rd Ste 200C, Wilmington, DE 19808, USA.
When a document is created using Plumsail, personal data may be collected, stored and processed. Data in transit is encrypted using SSL/TLS, while data at rest is secured using AES 256-bit encryption managed by Microsoft Azure Storage Service Encryption.
We use Plumsail on the basis of Art. 6 (1) (f) GDPR. The automated creation of documents, in particular our Letter of Engagement, allows us to optimise our processes and thus ensure a high level of legal certainty at all times. This is because automated creation reduces errors compared to manual creation. This means that we can always produce accurate and legally compliant documents. Plumsail maintains a high level of security through regular security audits, intrusion detection systems (IDS) and the processing of confidential data within the PCI DSS network. We therefore have a legitimate interest in using Plumsail.
We have entered into a contract with Plumsail Inc. for the processing of orders in accordance with Art. 28 GDPR. In addition, the EU standard contractual clauses have also been agreed. The Microsoft Azure data centres where Plumsail is hosted are ISO 27001, SOC I, II and III, HIPAA and FedRAMP certified.
For more information, please see the Plumsail privacy policy.
7.3. DocuSign
We have integrated DocuSign into our business processes. The provider is DocuSign Inc. located at 221 Main Street Suite 1550 in San Francisco, CA 94105, USA.
DocuSign is cloud-based software that enables the electronic signing of documents and therefore the digital completion of contracts.
The use of DocuSign is based on Art. 6 (1) (f) GDPR. DocuSign streamlines and secures the signing process by enabling the efficient and legally valid digital signing of documents. Personal data such as name, email address and signature details are processed. All data is transferred via HTTPS and documents are stored using AES 256-bit encryption to ensure the highest security standards. DocuSign complies with legal requirements for written form and ensures high standards of security. We therefore have a legitimate interest in using DocuSign.
We have entered into an order processing contract with DocuSign Inc. in accordance with Art. 28 GDPR. Data processing is carried out solely in accordance with our instructions. DocuSign uses Binding Corporate Rules (BCRs) to ensure the protection of personal data in the event of global data transfers and to meet the requirements of the GDPR. DocuSign is ISO 27001, SOC 1, SOC 2 and SOC 3 certified and conducts regular security audits and penetration tests to ensure the ongoing security of its systems.
For more information, please see DocuSign’s privacy policy.
8. Interface Connection
We use the interface software Make to connect our Airtable database to the web tools we use. The provider is Make s.r.o., located at Novakovych 1954/20a, 180 00 Prague 8, Czech Republic.
Make enables the linking and synchronisation of functions with our website. In doing so, personal data may be collected, stored and processed in order to store information in the target tools and achieve the desired results.
Make is used on the basis of Art. 6 (1) (f) GDPR. Make enables us to efficiently connect and synchronise various functions with our website, which allows us to optimise processes and process requests quickly and efficiently.
Make relies on secure data storage in AWS data centres that are SOC 2 certified and provides data encryption both in transit and at rest. In addition, Make performs regular security assessments and offers a full data confidentiality option that does not store any log or business data.
Your information is used solely for the technical processing of your request and is integrated into our IT systems without being shared with third parties. After processing, all user data is deleted. If additional tools from Make are integrated, this will only be done with your consent. We therefore have a legitimate interest in using Make.
We have a contract with Make for order processing in accordance with Art. 28 GDPR. Your data will therefore only be processed in accordance with our instructions.
For more information, please see Make’s privacy policy.
9. Analysis tools
9.1. Google Tag Manager
We use Google Tag Manager. It is provided by Google LLC. The data controller is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, Ireland (“Google”).
Google Tag Manager is a tool that we use to integrate tracking or statistical tools and other technologies into our website. The Google Tag Manager itself does not create user profiles, store cookies or perform any independent analysis. It is only used to manage and display the tools it integrates. If Google Tag Manager uses tracking or statistical tools that require opt-in consent, we will ask for your opt-in consent before activating those tools. However, the Google Tag Manager does record your IP address, which may also be transmitted to Google’s parent company in the United States.
The use of the Google Tag Manager is based on Art. 6 (1) (f) GDPR. Google Tag Manager enables the efficient management of marketing and analytics tags on websites. This is particularly important for website optimisation and user experience. Where consent tools are integrated by Google Tag Manager, they will only be used where appropriate consent has been given. We therefore have a legitimate interest in using Google Tag Manager.
We have also entered into a personal data processing agreement with Google LLC. This agreement governs the scope, nature and purpose of the access and processing of personal data by Google LLC.
9.2. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google LLC. The data controller is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, Ireland (“Google”).
Google Analytics enables the analysis of visitor behaviour. Google Analytics provides the website operator with the following information about your use of the website: pages viewed, time spent on the site, operating system used and country of origin. Google may aggregate this data to create a profile that is associated with the user or the user’s device. Google Analytics uses technologies that allow users to be recognised for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information generated by the cookie about your use of the website is transmitted to and stored by Google on servers in the United States.
Google Analytics is used on the basis of your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, which you give us by means of our cookie banner. This consent can be revoked at any time.
IP Anonymisation
We have enabled IP anonymisation on this website. This means that within the member states of the European Union or in other states that are party to the agreement on the European Economic Area (EEA) your IP address will be truncated by Google before it is transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA where it will be truncated. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google will not associate the IP address transmitted by your browser with any other data held by Google.
Browser plugin
You may opt out of the collection and processing of data by Google by downloading and installing the browser plug-in available from this link.
For more information about how Google Analytics handles user data, please see Google’s privacy policy.
Retention period
Data associated with cookies, user IDs (e.g., user ID) or advertising IDs (e.g., DoubleClick cookie, Android advertising ID) stored by Google at the user and event level is anonymised or deleted after 14 months. For more information, please visit this link.
10. E-commerce and payments
10.1. Presentation of our Online Shop
We have integrated WooCommerce into this website. WooCommerce is a plugin developed for WordPress that we use to present and offer our services in the form of an online shop.
We use the WooCommerce software to collect and process your personal information, in particular contact details (name, address, telephone number, email address), order details for the product booked and payment information (payment method, billing address, payment confirmation), so that we can process the user’s order. The cookies that are set depend on the specific action of the user.
WooCommerce sets the woocommerce_cart_hash and woocommerce_items_in_cart cookies. The former is used to recognise and record changes to the shopping cart, while the latter is used to recognise and record products that the user adds to the shopping cart. These two cookies are session cookies, which are only stored for the duration of the session or visit to the website.
In addition, the cookie wp_woocommerce_session_ is set. This contains a unique identifier for each visitor, which allows WooCommerce to find the shopping basket data in the database more quickly. Unlike the other two cookies, this one is stored for two days.
Personal data is collected and processed in accordance with Art. 6 para. 1 lit. b GDPR in order to be able to fulfil the legal service you have booked, which becomes our contractual obligation through your binding booking.
The cookies set are technically necessary cookies. They are used on the basis of Art. 6 (1) (f) GDPR or on the basis of § 25 (2) No. 2 TDDDG. They are used to provide our website and booking services. This is the only way we can provide our users with easy and simple access to our products. We therefore have a legitimate interest in integrating WooCommerce into our website.
WordPress and other plugins are installed locally. There is no connection to the WordPress servers or the provider Automattic. As WooCommerce is installed as a WordPress plugin on our website, all data is processed directly on our web space. Accordingly, no data is transferred.
10.2. Payment processing
In selecting our payment service providers, we have placed particular emphasis on the highest security standards and a wide range of payment methods.
We can therefore offer you the following payment methods:
- PayPal
- Credit Card
- Giropay
- DIRECT
- Payment by invoice
- Payment by SEPA Direct Debit
- Payment in advance
PayPal payment
If you choose to pay by PayPal during the checkout process, your payment will be processed directly through PayPal. PayPal is an online payment system provided by PayPal (Europe) S.à r.l. et Cie, S.C.A. with a registered office at 22-24 Boulevard Royal, L-2449 Luxembourg.
By choosing to pay via PayPal, you consent to the automated transfer of your personal data to PayPal, in particular your name, contact details such as your email address, home address and, where applicable, your telephone number, and payment information such as your bank details or card number.
Your data is processed and transmitted to PayPal on the basis of Art. 6 (1) (b) GDPR, as PayPal is responsible for processing and managing the payment. PayPal uses end-to-end encryption (TLS) for all transactions and stores data in accordance with the Payment Card Industry Data Security Standard (PCI-DSS). PayPal uses comprehensive security measures, including fraud detection and customer authentication, to protect users and their personal information. In addition, PayPal offers purchase protection for authorised transactions and monitors all payment transactions in real time to respond to fraudulent activity at an early stage.
For more information, please see PayPal’s privacy policy.
Stripe
If you choose to pay by credit card, Giropay or SOFORT during the checkout process, your payment will be processed by Stripe. Stripe is an online payment service provided by Stripe Payments Europe Limited based at 1 Grand Canal Street Lower, Dublin, Ireland.
By choosing to pay by credit card, Giropay or SOFORT, you consent to the automated transfer of your personal data to Stripe, in particular your name, contact details such as your email address, home address and, where applicable, your telephone number, and payment information such as your bank details or card number.
Your data is processed and transferred to Stripe on the basis of Art. 6 (1) (b) GDPR, with Stripe being responsible for payment processing and management. Stripe is certified as a PCI Service Provider Level 1, the highest level of certification in the payment industry. Stripe uses HTTPS and TLS 1.2 for all services and encrypts all card numbers at rest with AES-256. Stripe also offers tools such as multi-factor authentication and regular security checks to ensure the security of your data. In addition, Stripe protects your data with a comprehensive security programme that meets the standards of the NIST Cybersecurity Framework and includes measures such as the use of HSTS and PGP keys for secure communication.
For more information, please see Stripe’s privacy policy.