Privacy Policy

Preamble

This privacy policy explains what types of personal data ("data") we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in connection with our services and especially on our websites, in mobile applications, and within external online presences such as social media profiles (collectively referred to as the "online offer").

The terms used are gender-neutral.

Last updated: August 28, 2024

Table of contents

• Preamble
• Controller
• Overview of processing activities
• Applicable legal bases
• Security measures
• Transfer of personal data
• General information on storage and deletion
• Rights of data subjects
• Provision of the online offer and web hosting
• Use of cookies
• Contact and inquiry management
• Web analytics, monitoring, and optimization
• Plug-ins and embedded functions and content
• Changes and updates
• Definitions

Controller

DentaTool GmbH & Co. KG
Jülicher Straße 6
13357 Berlin
Germany

Email address: florian.goersdorf@dentatool.de

Overview of processing activities

The following overview summarizes the types of data processed and the purposes of processing and refers to the data subjects concerned.

Types of data processed

• Inventory data.
• Contact data.
• Content data.
• Usage data.
• Meta, communication, and process data.
• Log data.

Categories of data subjects

• Communication partners.
• Users.

Purposes of processing

• Communication.
• Security measures.
• Reach measurement.
• Organizational and administrative procedures.
• Feedback.
• Profiles with user-related information.
• Provision of our online offer and user-friendliness.
• Information technology infrastructure.

Applicable legal bases

Applicable legal bases under the GDPR:Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the GDPR, national data protection requirements may apply in your or our country of residence or establishment. If more specific legal bases are relevant in individual cases, we will inform you of these in this privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
• Performance of a contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data.

National data protection rules in Germany:In addition to the GDPR, national data protection rules apply in Germany. In particular, this includes the Federal Data Protection Act (BDSG). The BDSG contains specific provisions, especially on the right of access, right to deletion, right to object, processing of special categories of personal data, processing for other purposes, and transfer and automated decision-making in individual cases including profiling. Data protection laws of the German federal states may also apply.

Security measures

In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, availability, and segregation. We have also established procedures to ensure the exercise of data subject rights, deletion of data, and response to data incidents. Furthermore, we consider the protection of personal data already during the development and selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Securing online connections with TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services against unauthorized access, we use TLS/SSL encryption. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are key technologies for secure data transmission on the internet. These technologies encrypt information transmitted between a website or app and the user's browser (or between two servers), thereby protecting data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transfers meet high security standards. If a website is secured by an SSL/TLS certificate, this is indicated by HTTPS in the URL.

Transfer of personal data

As part of our processing of personal data, data may be transferred to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and in particular conclude appropriate contracts or agreements that serve to protect your data.

General information on storage and deletion

We delete personal data that we process in accordance with legal requirements as soon as underlying consents are withdrawn or no further legal basis for processing exists. This applies in cases where the original processing purpose no longer applies or the data is no longer needed. Exceptions apply where legal obligations or special interests require longer retention or archiving.

In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on retention and deletion of data specifically applicable to certain processing activities.

If multiple retention periods or deletion deadlines apply to a data item, the longest period always applies.

If a period does not explicitly start on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the triggering event occurred. In ongoing contractual relationships in which data is stored, the triggering event is the date the termination or other end of the legal relationship becomes effective.

Data that is no longer retained for the originally intended purpose but due to legal requirements or other reasons is processed exclusively for the reasons that justify its retention.

Further information on processing activities, procedures, and services:

• Retention and deletion of data:The following general periods apply for retention and archiving under German law:
  • 10 years - retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and work instructions and other organizational documents necessary for understanding them, accounting documents, and invoices (Section 147 para. 3 in conjunction with para. 1 no. 1, 4 and 4a AO, Section 14b para. 1 UStG, Section 257 para. 1 no. 1 and 4, para. 4 HGB).
  • 6 years - other business documents: received commercial or business letters, reproductions of sent commercial or business letters, and other documents relevant for taxation, e.g. hourly wage slips, operating accounting sheets, calculation documents, price labels, payroll documents if not already accounting documents, and cash register tapes (Section 147 para. 3 in conjunction with para. 1 no. 2, 3, 5 AO, Section 257 para. 1 no. 2 and 3, para. 4 HGB).
  • 3 years - data required to consider potential warranty and damages claims or similar contractual claims and rights and to process related inquiries, based on previous business experience and common industry practice, is stored for the regular statutory limitation period of three years (Sections 195, 199 BGB).

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular under Articles 15 to 21 GDPR:

• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you that is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on those provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
• Right to withdraw consent: You have the right to withdraw consent at any time.
• Right of access: You have the right to request confirmation as to whether relevant data is being processed and to obtain information about this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: You have the right, in accordance with legal requirements, to request completion of your data or correction of inaccurate data concerning you.
• Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be deleted without undue delay, or alternatively to request restriction of processing of the data.
• Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request transmission to another controller.
• Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that processing of personal data concerning you infringes the GDPR.

Provision of the online offer and web hosting

We process users' data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the users' browser or device.

• Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, parties involved); log data (e.g. log files relating to logins, data retrieval, or access times).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices such as computers and servers); security measures.
• Retention and deletion: Deletion in accordance with the information in the section "General information on storage and deletion".
• Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

• Provision of the online offer on rented storage space:For provision of our online offer, we use storage space, computing capacity, and software that we rent or otherwise obtain from a corresponding server provider (also called "web host"); Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Collection of access data and log files:Access to our online offer is logged in the form of so-called server log files. Server log files may include the address and name of retrieved web pages and files, date and time of retrieval, transmitted data volume, message on successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider. Server log files may be used for security purposes, e.g. to avoid overloading servers (especially in the event of abusive attacks, so-called DDoS attacks), and to ensure server utilization and stability; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until final clarification of the respective incident.

Use of cookies

Cookies are small text files or other storage notes that store and read information on end devices. For example, to store login status in a user account, shopping cart content in an e-shop, accessed content, or functions used in an online offer. Cookies can also be used for different purposes, such as functionality, security and convenience of online offers, and creating analyses of visitor flows.

Notes on consent:We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless this is not required by law. In particular, permission is not necessary if storing and reading information, including cookies, is strictly necessary to provide users with a telemedia service expressly requested by them (i.e. our online offer). Revocable consent is clearly communicated and includes information about the respective cookie usage.

Notes on data protection legal bases:The legal basis on which we process users' personal data with the help of cookies depends on whether we request consent. If users consent, the legal basis is the declared consent. Otherwise, data processed using cookies is processed based on our legitimate interests (e.g. in economically operating our online offer and improving usability) or, if required for contractual obligations, if the use of cookies is necessary to fulfill our contractual duties.

Storage duration:The following types of cookies are distinguished with regard to storage duration:

• Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offer and closes their device (e.g. browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, login status can be stored and preferred content displayed directly when the user revisits a website. User data collected using cookies may also be used for reach measurement. Unless we provide explicit information on type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and may be stored for up to two years.

General notes on revocation and objection (opt-out):Users can revoke consent given at any time and also object to processing in accordance with legal requirements, including via privacy settings in their browser.

• Types of data processed: Meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, parties involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Further information on processing activities, procedures, and services:

• Processing cookie data based on consent:We use a consent management solution in which users' consent to the use of cookies or to procedures and providers named in the consent management solution is obtained. This process serves to obtain, log, manage, and revoke consent, especially regarding the use of cookies and comparable technologies used to store, read, and process information on users' devices. Within this process, users' consents are obtained for use of cookies and related processing of information, including specific processing and providers named in the consent management process. Users can also manage and revoke their consents. Consent declarations are stored to avoid repeated requests and to prove consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to assign consent to a specific user or their device. If no specific information is available on providers of consent management services, the following general information applies: consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the timestamp of consent, information on scope of consent (e.g. categories of cookies and service providers), and information on browser, system, and device used; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Contact and inquiry management

When contacting us (e.g. by post, contact form, email, telephone, or social media) and within existing user and business relationships, information provided by inquiring persons is processed to the extent necessary to answer contact requests and requested measures.

• Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or phone numbers); content data (e.g. textual or visual messages and contributions and related information such as authorship or time of creation); usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, parties involved).
• Data subjects: Communication partners.
• Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form); provision of our online offer and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General information on storage and deletion".
• Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR).

Further information on processing activities, procedures, and services:

• Contact form:When contacting us via contact form, email, or other communication channels, we process the personal data transmitted to us for answering and handling the respective request. This generally includes details such as name, contact information, and, if applicable, additional information communicated to us and required for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal bases: Performance of contract and pre-contractual requests (Art. 6 para. 1 sentence 1 lit. b GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Web analytics, monitoring, and optimization

Web analytics (also called "reach measurement") is used to evaluate visitor flows of our online offer and can include behavior, interests, or demographic information of visitors, such as age or gender, as pseudonymous values. With reach analytics, we can identify at what time our online offer, its functions, or content are used most often, or invite reuse. We can also understand which areas require optimization.

In addition to web analytics, we may use test procedures to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles (i.e. data summarized for a usage process) may be created for these purposes and information may be stored in and read from a browser or device. Collected information includes, in particular, visited websites and elements used there, and technical information such as browser used, operating system, and usage times. If users have consented to collection of location data by us or by providers of services used by us, processing of location data is also possible.

In addition, users' IP addresses are stored. However, we use an IP masking procedure (pseudonymization by shortening the IP address) to protect users. In general, no clear data of users (such as email addresses or names) is stored in the context of web analytics, A/B testing, and optimization, but pseudonyms. This means that neither we nor providers of used software know the actual identity of users, only information stored in profiles for the respective procedures.

Notes on legal bases: If we ask users for consent for use of third-party providers, the legal basis is consent. Otherwise, user data is processed based on our legitimate interests (i.e. interest in efficient, economical, and recipient-friendly services). In this context, we also refer to the information on use of cookies in this privacy policy.

• Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, parties involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Reach measurement (e.g. access statistics, recognition of returning visitors). Profiles with user-related information (creation of user profiles).
• Retention and deletion: Deletion in accordance with the information in the section "General information on storage and deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Security measures: IP masking (pseudonymization of the IP address).
• Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offer that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). This may include, for example, graphics, videos, or maps (hereinafter uniformly referred to as "content").

Integration always requires that third-party providers process users' IP addresses, because without IP addresses they could not send the content to users' browsers. The IP address is therefore required for display of this content or these functions. We endeavor to use only such content whose providers use the IP address solely for delivery of content. Third-party providers may also use so-called pixel tags (invisible graphics, also called "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on pages of this website. Pseudonymous information may also be stored in cookies on users' devices and may contain technical information about browser and operating system, referring websites, visit time, and other information on use of our online offer, and may also be linked with such information from other sources.

Notes on legal bases: If we ask users for consent for use of third-party providers, the legal basis is consent. Otherwise, user data is processed based on our legitimate interests (i.e. interest in efficient, economical, and recipient-friendly services). In this context, we also refer to information on use of cookies in this privacy policy.

• Types of data processed: Usage data (e.g. page views and length of stay, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, parties involved).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online offer and user-friendliness.
• Retention and deletion: Deletion in accordance with the information in the section "General information on storage and deletion". Storage of cookies for up to 2 years (unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years).
• Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further information on processing activities, procedures, and services:

• Google Fonts (provided on own server):Provision of font files for user-friendly display of our online offer; Service provider: Google Fonts are hosted on our server, no data is transmitted to Google; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• Font Awesome (provided on own server):Display of fonts and symbols; Service provider: Font Awesome icons are hosted on our server, no data is transmitted to the Font Awesome provider; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
• YouTube videos:Video content; YouTube videos are embedded via a special domain (recognizable by "youtube-nocookie") in so-called "enhanced privacy mode", whereby no cookies on user activities are collected to personalize video playback. Nevertheless, information on users' interaction with the video (e.g. remembering last playback position) may be stored; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).

Changes and updates

Please inform yourself regularly about the content of our privacy policy. We adapt this privacy policy as soon as changes in data processing carried out by us make this necessary. We will inform you as soon as changes require an action on your part (e.g. consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time and ask you to verify the information before contacting.

Definitions

In this section, you will find an overview of terms used in this privacy policy. Where terms are legally defined, their legal definitions apply. The following explanations are primarily intended to aid understanding.

• Inventory data: Inventory data includes essential information required for identification and management of contractual partners, user accounts, profiles, and similar assignments. This data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), dates of birth, and specific identifiers (user IDs). Inventory data forms the basis for formal interaction between persons and services, facilities, or systems by enabling clear assignment and communication.
• Content data: Content data includes information generated in the course of creating, editing, and publishing content of any kind. This category may include text, images, videos, audio files, and other multimedia content published on various platforms and media. Content data is not limited to the content itself but also includes metadata that provides information about content, such as tags, descriptions, author information, and publication dates.
• Contact data: Contact data is essential information that enables communication with persons or organizations. It includes phone numbers, postal addresses, and email addresses, as well as communication channels such as social media handles and instant messaging identifiers.
• Meta, communication, and process data: Meta, communication, and process data are categories containing information about how data is processed, transmitted, and managed. Metadata (data about data) includes information describing context, origin, and structure of other data, such as file size, creation date, document author, and change history. Communication data records exchanges of information between users across channels, such as emails, call logs, social media messages, and chat histories, including involved parties, timestamps, and transmission paths. Process data describes processes and workflows within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs used for tracing and verification.
• Usage data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data includes a broad range of information showing how users use applications, which functions they prefer, how long they stay on certain pages, and which paths they take through an application. Usage data may also include usage frequency, timestamps of activities, IP addresses, device information, and location data. It is especially valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences, and potential problem areas in digital offers.
• Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles with user-related information: Processing of "profiles with user-related information", or "profiles" for short, includes any type of automated processing of personal data consisting of using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profile creation, this may include information on demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
• Log data: Log data is information about events or activities recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about use or operation of a system. Log data is often used to analyze system problems, monitor security, or generate performance reports.
• Reach measurement: Reach measurement (also called web analytics) is used to evaluate visitor flows of an online offer and may include behavior or interests of visitors in specific information, such as website content. With reach analysis, operators of online offers can identify, for example, when users visit their websites and which content interests them. This enables better adaptation of website content to visitors' needs. Pseudonymous cookies and web beacons are often used for reach analysis to recognize returning visitors and obtain more accurate analyses of usage of an online offer.
• Controller: "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
• Processing: "Processing" means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, including collection, evaluation, storage, transmission, or deletion.

Created with the free Privacy Policy Generator by Dr. Thomas Schwenke