Privacy Policy

The following Privacy Policy is intended to inform you about the types of personal data (hereinafter also referred to as "data") we process, the purposes for which we do so, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences such as our social media profiles (hereinafter collectively referred to as the "online offering").

The terms used herein are not gender-specific.

Last updated: 9 May 2026

Marian D.
Germany

Authorised representative: Marian D.

E-mail address: support@itsmarian.dev

Legal notice: https://itsmarian.dev/imprint

The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects concerned.

National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act - BDSG). The BDSG contains, in particular, specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated individual decision-making including profiling. The data protection laws of the individual German federal states may also apply.

Note on the applicability of the GDPR and the Swiss FADP: These data protection notices serve both to provide information pursuant to the Swiss Federal Act on Data Protection (FADP) and pursuant to the General Data Protection Regulation (GDPR). For this reason, please note that the terminology of the GDPR is used due to its broader geographical scope and comprehensibility. In particular, instead of the terms used in the Swiss FADP - "processing" of "personal data", "overriding interest" and "particularly sensitive personal data" - the GDPR terms "processing" of "personal data", "legitimate interest" and "special categories of data" are used. The legal meaning of the terms, however, continues to be determined in accordance with the Swiss FADP where that Act applies.

Applicability of data protection requirements in the country of domicile: In the country in which the controller is domiciled, national data protection provisions apply in addition to the General Data Protection Regulation (GDPR).

We implement appropriate technical and organisational measures in accordance with the applicable legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, assurance of availability of, and segregation of such data. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the erasure of data, and responses to data security threats. We also take the protection of personal data into account during the development and selection of hardware, software and processes, in accordance with the principle of data protection by design and by default.

Securing online connections via TLS/SSL encryption technology (HTTPS): In order to protect the data of users transmitted via our online services from unauthorised access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorised access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, serving as an indicator to users that their data is being transmitted securely and in encrypted form.

Data processing in third countries: Where we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where such transfer occurs in the context of using third-party services or disclosing or transferring data to other persons, entities or companies, this is done exclusively in accordance with the applicable legal requirements.

For data transfers to the United States, we rely primarily on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers in accordance with the requirements of the European Commission, which establish contractual obligations for the protection of your data.

This dual safeguard ensures comprehensive protection of your data: the DPF constitutes the primary level of protection, while the Standard Contractual Clauses serve as an additional safeguard. Should changes arise within the DPF framework, the Standard Contractual Clauses will operate as a reliable fallback mechanism, ensuring that your data remains adequately protected at all times, even in the event of political or legal developments.

For individual service providers, we will inform you as to whether they are certified under the DPF and whether Standard Contractual Clauses have been concluded. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, corresponding safeguards apply, in particular Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be obtained from the European Commission's information portal: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

We erase personal data that we process in accordance with the applicable statutory provisions as soon as the underlying consents are revoked or no further legal grounds for the processing exist. This applies to cases in which the original purpose of the processing ceases to apply or the data is no longer required. Exceptions to this rule exist where statutory obligations or special interests require a longer period of retention or archiving.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the purposes of legal prosecution or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our data protection notices contain additional information on the retention and erasure of data that apply specifically to certain processing activities.

Where multiple retention periods or erasure deadlines are specified for a given item of data, the longest period shall always prevail. Data that is no longer retained for the purpose for which it was originally collected but is retained solely due to statutory requirements or other reasons shall be processed exclusively for the reasons justifying its retention.

Commencement of retention periods at the end of the calendar year: Where a retention period does not expressly commence on a specific date and amounts to at least one year, it shall automatically begin at the end of the calendar year in which the event triggering the retention period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the triggering event shall be the effective date of termination or other conclusion of the legal relationship.

Rights of data subjects under the GDPR: As a data subject, you are entitled to various rights under the GDPR, arising in particular from Articles 15 to 21 GDPR:

We process user data in order to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the contents and functions of our online services to the user's browser or end device.

The term "cookies" refers to functions that store and retrieve information on users' end devices. Cookies may be used for various purposes, including ensuring the functionality, security and convenience of online offerings, as well as the analysis of visitor traffic. We use cookies in accordance with the applicable legal provisions. Where required, we obtain prior consent from users. Where consent is not necessary, we rely on our legitimate interests. This applies where the storage and retrieval of information is essential in order to provide content and functions that have been expressly requested - including the storage of settings and the assurance of the functionality and security of our online offering. Consent may be withdrawn at any time. We clearly inform users of the scope of cookie use and which cookies are employed.

Notes on legal bases: Whether we process personal data using cookies depends on whether consent has been obtained. Where consent has been given, it serves as the legal basis for processing. Without consent, we rely on our legitimate interests, which are described above in this section and in the context of the relevant services and procedures.

Retention periods: With regard to retention periods, the following types of cookies are distinguished:

General notes on withdrawal and objection (opt-out): Users may withdraw any consent they have given at any time and may also object to processing in accordance with the applicable legal provisions, including via the privacy settings of their browser.

Users may create a user account. During the registration process, users are informed of the mandatory data required and such data is processed for the purpose of providing the user account on the basis of the fulfilment of contractual obligations. The data processed includes, in particular, login information (username, password and an e-mail address).

In the context of the use of our registration and login functions and of the user account, we store the IP address and the time of each user action. Storage is carried out on the basis of our legitimate interests and those of users in protection against misuse and other unauthorised use. As a general rule, this data is not disclosed to third parties unless such disclosure is necessary to pursue our claims or there is a statutory obligation to do so.

Users may be informed by e-mail of events relevant to their user account, such as technical changes.

When you contact us (e.g. by post, contact form, e-mail, telephone or via social media) and in the context of existing user and business relationships, the information provided by the enquiring parties is processed to the extent necessary to respond to the contact enquiries and any requested measures.

Web analytics (also referred to as "reach measurement") is used to evaluate the flow of visitors to our online offering and may encompass behaviour, interests or demographic information relating to visitors, such as age or gender, in pseudonymous form. Using reach analysis, we can, for example, identify at what time our online offering or its functions or content are most frequently used, or which areas require optimisation.

In addition to web analytics, we may also use testing procedures in order to test and optimise different versions of our online offering or its components.

Unless otherwise indicated below, profiles (i.e. data aggregated in relation to a usage process) may be created for these purposes, and information may be stored in and retrieved from a browser or end device. The data collected includes, in particular, websites visited and elements used thereon, as well as technical information such as the browser used, the computer system and details of usage times. Where users have consented to the collection of their location data, such data may also be processed.

In addition, IP addresses of users are stored. However, we employ an IP masking procedure (i.e. pseudonymisation by truncating the IP address) to protect users. In general, within the context of web analytics, A/B testing and optimisation, no clear-text data of users (such as e-mail addresses or names) is stored; instead, pseudonyms are used. This means that neither we nor the providers of the software used are aware of the actual identity of users, but only of the information stored in their profiles for the purposes of the respective procedures.

Notes on legal bases: Where we request users' consent to the use of third-party providers, the legal basis for data processing is the consent given. Otherwise, user data is processed on the basis of our legitimate interests (i.e. our interest in efficient, cost-effective and recipient-friendly services). In this context, we also draw your attention to the information on the use of cookies in this Privacy Policy.

This section provides information on how we handle data relating to persons who submit reports (whistleblowers), as well as data relating to affected and involved parties in the context of our whistleblower procedure. Our aim is to provide an uncomplicated and secure reporting channel.

Legal bases (Germany): Where we process data to fulfil our statutory obligations pursuant to the Whistleblower Protection Act (HinSchG), the legal basis for processing is Art. 6(1)(c) GDPR and, in the case of special categories of personal data, Art. 9(2)(g) GDPR, § 22 BDSG, each in conjunction with § 10 HinSchG. This relates to the obligation to establish and operate an internal whistleblower reporting office, the fulfilment of its statutory tasks, and, where data collected in the reporting procedure is used, the implementation of further measures.

Types of data processed: In the context of receiving and processing reports and in the subsequent whistleblower procedure, we may collect various categories of data. These include, in particular, data provided by a whistleblower, such as: name, contact details and location of the person submitting the report; names and data relating to potential witnesses or persons affected by the report; names and data relating to the persons against whom the report is directed; data concerning the alleged misconduct; and further relevant details, where provided.

Special categories of personal data: It may be necessary for us to collect special categories of personal data in the course of our activities, in particular where such data is disclosed by a whistleblower. These include health-related data and data concerning racial or ethnic origin.

Use of our online forms: Please note that it is possible to submit reports anonymously. In order to ensure the security of your data when using our online forms, we recommend accessing them in the "incognito mode" of your browser. You may open an incognito window as follows:

Provision of name: You have the option of submitting reports anonymously. Unless prohibited by national legislation, however, we recommend that you provide your name and contact details. This enables us to follow up the report more effectively and, where necessary, to contact you directly. If you provide your name and contact details, your identity will be treated in strict confidence.

Disclosure of data to third parties: Data relating to submitted reports will only be disclosed to third parties under certain circumstances, namely: (a) where you have given us your express consent to do so, or (b) where there is a statutory obligation to disclose the data. Potential third parties include public authorities, governmental, regulatory or tax authorities where disclosure is necessary to comply with a statutory or regulatory obligation. Furthermore, in accordance with the applicable legal provisions, we may engage lawyers and other professional advisers who are authorised to investigate alleged misconduct and to take the necessary steps following an investigation, such as initiating disciplinary or legal proceedings. In addition, carefully selected and supervised service providers (e.g. operators of web-based reporting systems) may receive data for these purposes. However, such service providers are contractually obliged to comply with the applicable data protection provisions within the framework of a data processing agreement.

Data retention and erasure: Personal data is processed only for as long as is necessary to fulfil the processing purposes described above. Where such data is no longer required for the stated purposes, it will be erased. In certain situations, longer retention periods may apply by virtue of statutory obligations.

Technical and organisational measures: We have implemented the necessary contractual, technical and organisational measures to ensure the security of all data processed by us. Such data is processed exclusively for the defined purposes. Incoming reports are processed exclusively by authorised personnel.

We request that you familiarise yourself regularly with the content of our Privacy Policy. We revise the Privacy Policy as soon as changes to the data processing activities carried out by us make this necessary. We will notify you as soon as changes require an action on your part (e.g. consent) or any other form of individual notification.

Where addresses and contact details of companies and organisations are provided in this Privacy Policy, please note that such details may change over time and we recommend that you verify the information before making contact.

This section provides an overview of the terms used in this Privacy Policy. Where terms are defined by law, the statutory definitions apply. The following explanations are intended primarily to aid understanding.