PRIVACY POLICY

At DEFACTO, the protection of personal data and sensitive information is of the utmost importance. Merely complying with legal requirements is not sufficient for DEFACTO. Particularly high security can only be achieved through regular expert consultation and critical controls. For this reason, DEFACTO relies on an external certified data protection officer. This officer neutrally and without internal bias verifies compliance with data protection guidelines. Beyond legal requirements, an information security management system has been established, which considers all aspects of handling information and documents the technical and organizational measures taken.

To ensure that all employees live by the data protection guidelines on a daily basis, regular training sessions as well as workshops on specialized topics – such as the secure use of mobile devices – are conducted. A continuous revision of all critical processes leads to a consistently high level of information security, which in turn forms the basis for technical data protection in all deployed systems. This high quality is confirmed by regular audits carried out by external bodies on behalf of our partners and clients, contributing to continuous improvement. At this point, we would like to inform you about which data we collect, for what purpose we do so, and how you can exercise control over your data at any time.

1. Controller The controller within the meaning of the law for the processing of the data is: DEFACTO GmbH Am Pestalozziring 2 91058 Erlangen T: +49 9131 9712 0 E: kontakt@defacto.de

2. Categories of Data, Purpose, and Legal Basis of Processing You can of course visit our website without providing any personal information. The privacy policy can be accessed via the link at the bottom of every page. We use your personal data during your visit to our website solely for the operation and optimization of our website. For this purpose, the IP address, various technical data of the end device (e.g., operating system, browser used, etc.), and data about the usage of our website are collected. We do not store this data beyond the legal retention periods or fulfillment of purpose. Processing this data is necessary to ensure the operation of the website. If you do not agree with this processing, we cannot provide you with our online services. This information is analyzed statistically to make the use of our website even more enjoyable for all visitors. There is no linking with any personal data already stored with us. Data collected during the use of the website is deleted after a maximum of 14 months. Storage of data may be extended in individual cases to enforce legal claims, defend against potential legal claims, or due to legal obligations. The processing of personal data for the operation of the website and network and information security is based on Article 6(1)(f) GDPR. The operation of the website and the associated external presentation of the company is in our legitimate interest. There is no legal or contractual obligation for you to provide data when using our website. However, the operation of the website is not possible without processing your data.

3. Recipients of Data Disclosure of your data to third parties does not occur unless there is a legal obligation to transfer the data. This processing is based on Article 6(1)(c) GDPR in conjunction with the relevant order or legal obligation to which we are subject in each case. Categories of data recipients include public authorities in the event of a legal obligation and processors who process the online data collected on our behalf. Involved processors include web hosts, website operators, and designers.

4. Contact Form By filling out the contact form, you provide us with personal data. We may collect the following types of data: name and salutation, email address, telephone number, company. We use this data only to respond to your specific inquiry or request and to provide information. To protect your data, we use a recognized encryption method during transmission. We will retain your personal data for the period necessary to fulfill the purposes described in this notice. Statutory retention periods remain unaffected. The legal basis for processing general inquiries is your consent under Article 6(1)(a) GDPR. For inquiries related to contracts or in the context of contract initiation, the legal basis is Article 6(1)(b) GDPR. The legal basis for inquiries regarding data protection is Article 6(1)(c) GDPR. Submitting the form constitutes your consent to the processing of the data.

5. Newsletter If you would like to receive the newsletter offered on the website, we require your email address, name, and salutation, as well as other information that allows us to verify that you are the owner of the provided email address and agree to receive the newsletter. No further data is collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties. The processing of the data entered into the newsletter subscription form is based solely on your consent (Article 6(1)(a) GDPR). You can revoke your consent to the storage of the data, the email address, and its use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter. The legality of the data processing already carried out remains unaffected by the revocation. The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and deleted after unsubscribing from the newsletter. After the statutory retention period of three years (regular limitation), this data is deleted. Data stored for other purposes with us remains unaffected. The newsletter is sent by CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede. CleverReach is a service for organizing and analyzing newsletter distribution. The data you enter for newsletter subscription (e.g., email address) is stored on CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach allow us to analyze the behavior of newsletter recipients. Among other things, it can be analyzed how many recipients opened the newsletter message and how often which link in the newsletter was clicked. Conversion tracking can also analyze whether a predefined action (e.g., purchase of a product on our website) took place after clicking the link in the newsletter. For more information on data analysis by CleverReach newsletters, see: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/ Data processing is based on your consent under Article 6(1)(a) GDPR. You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing already carried out remains unaffected by the revocation. If you do not want analysis by CleverReach, you must unsubscribe from the newsletter. We provide an appropriate link in every newsletter message. The data you provide for the purpose of newsletter subscription will be stored by us until you unsubscribe and deleted from our servers as well as the servers of CleverReach after cancellation. Data stored for other purposes remains unaffected. Further details can be found in CleverReach’s privacy policy at: https://www.cleverreach.com/de/datenschutz/

6. Cookies We use two types of cookies on our website: session cookies and permanent cookies. Cookies are short text snippets we store on your computer. Cookies do not execute commands on your computer and therefore pose no security risk. Session cookies store certain information while you browse our website and are technically necessary for specific functions. These cookies are deleted when you leave our website. The use of these strictly necessary cookies does not require consent under § 25(2) No. 2 TTDSG. Permanent cookies, on the other hand, remain stored on your device after your visit and help us make our online offering more user-friendly – for example, by remembering that you have already visited our website. We only use these cookies with your consent. Our website uses Cookiebot from Usercentrics A/S to manage consents. Cookiebot helps us collect and document cookie consents in compliance with the GDPR. The legal basis is Article 6(1)(c) GDPR in conjunction with § 25(2) No. 2 TTDSG.

7. Use of Google Analytics This website uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses so-called "cookies", text files stored on your computer, which enable an analysis of your use of the website. Among other things, the following data is collected from you: IP address, time spent on the website, language, location, and the browser you use. The analysis is carried out using an algorithm (machine learning), which measures and analyzes your usage behavior and can recognize you across devices. Your IP address is anonymized by default before being transmitted to Google. We have also disabled the collection of exact location, position, and device data. Due to the activation of IP anonymization on these websites, your IP address is shortened by Google within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission. More about how Google uses this data can be found here: https://policies.google.com/privacy/partners?hl=de Data transfers to the USA are based on the Data Privacy Framework. Google Analytics is only used if you agree to the use of cookies. The legal basis is Article 6(1)(a) GDPR. You can revoke this consent at any time by clicking the "Cookie Settings" button under the "Cookies" section and saving a new selection. The data collected with Google Analytics is internally passed on to our marketing department and processed there. Via Google Tag Manager, we integrate various tracking tags, including those from Google Analytics 4 (GA4). The following information is collected:

This data helps us better understand how our website is used, optimize content, and improve user-friendliness. Processing is based on your consent pursuant to Article 6(1)(a) GDPR in conjunction with § 25 TTDSG. The collected data is anonymized by Google within the EU and may be transferred to the USA. Google is certified under the Data Privacy Framework. Further information on data processing can be found at: https://policies.google.com/privacy

To protect our web forms from misuse and to prevent automated access (e.g., by bots), we use the Google reCAPTCHA service. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Various data (e.g., IP address, mouse movements, duration of visit, screen resolution, browser and system settings) are transmitted to Google.

The legal basis for the use is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR to ensure the security of our website and to protect it from abusive, automated surveillance and SPAM.

Data processing may also take place on servers in the USA. Google is certified under the EU-U.S. Data Privacy Framework. Further information can be found in Google’s privacy policy: https://policies.google.com/privacy and at https://www.google.com/recaptcha/about/

You have the right to object to this processing if your particular situation gives rise to reasons that outweigh our legitimate interests (Art. 21 GDPR).

9. Use of Google Remarketing This website uses the remarketing feature of Google Inc. This function serves to present interest-based advertisements to visitors of the website within the Google advertising network. A so-called “cookie” is stored in the browser of the website visitor, which enables the visitor to be recognized when they access websites that belong to Google’s advertising network. On these websites, the visitor may be shown advertisements related to content that the visitor previously viewed on websites that use Google’s remarketing feature. According to Google, no personal data is collected in this process. Should you nevertheless not wish to use Google’s remarketing function, you can generally deactivate it by making the corresponding settings at http://www.google.com/settings/ads. Alternatively, you can disable the use of cookies for interest-based advertising through the Network Advertising Initiative by following the instructions at http://www.networkadvertising.org/managing/opt_out.asp. The Google Remarketing cookie is only set on our website if you consent to the use of cookies via the cookie bar. The legal basis is Art. 6(1)(a) GDPR.

10. Events We also process personal data in the context of customer events. Processing for the purpose of organizing the event is based on Art. 6(1)(b) GDPR. Your registration for the event establishes a contractual relationship. The processing of data for the purpose of inviting you to our events is in our legitimate interest. Invitations are sent to customers by email who have given us their consent for this purpose or by post to customers who have not consented to email marketing. After an event, we ask participants about their experiences, wishes, and suggestions related to the event. For this purpose, we send participants an email with a link to the survey. The legal basis for the aforementioned processing is Art. 6(1)(f) GDPR. In this context, we would like to draw your attention to your right of objection.

11. Our Social Media Presences We use the so-called Meta Pixel (formerly Facebook Pixel) on our website. This service is operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland ("Meta"). When you access a page of our website that includes the Meta Pixel, your browser establishes a direct connection with the Meta servers. Meta thereby receives the information that you have accessed the corresponding page of our website. If you are logged into Meta, your visit can be linked to your user account. Actions on our website (e.g., purchases made) can also be tracked. We use the Meta Pixel to analyze the effectiveness of our advertising (“conversion tracking”) and to display interest-based advertising (“retargeting”) on Meta services such as Facebook or Instagram. More on data processing by Meta is available at: https://www.facebook.com/policy.php The data transfer to Meta is based on the EU Commission’s standard contractual clauses (Art. 46 GDPR). The processing is carried out only with your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG. You can revoke this consent at any time. We also use the LinkedIn Insight Tag, an analytics tool provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Dublin 2, Ireland. It enables the tracking of page visits and conversions as well as retargeting measures. Collected data includes, among others, IP address (shortened or hashed), referrer URL, device and browser characteristics, and timestamp. The data is processed pseudonymously and collected only with your consent. The legal basis is Art. 6(1)(a) GDPR in conjunction with § 25(1) TTDSG. More information can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy

A cookie is a small text file that is stored on your device when you visit a website. This file contains information that allows a user to be recognized or provides certain functions of a website. Cookies are used, among other things, to make websites more user-friendly and to analyze usage data. On our website, we use both so-called "first-party cookies" – i.e., cookies set directly by us – and "third-party cookies," which originate from external service providers. Their use complies with the General Data Protection Regulation (GDPR), particularly Art. 6(1)(a) (consent) and (f) (legitimate interest), unless explicit consent is required.

Please note that the cookie list may change due to technical adjustments. The current version is reviewed and updated regularly.

12. Your Rights Regarding the Processing of Your Personal Data You have various rights concerning the processing of personal data, which we would like to inform you about below. Details of your rights can also be found in Articles 15 to 21 GDPR and §§ 32 to 37 of the Federal Data Protection Act (“BDSG”).You have the right to obtain information about your personal data. You may also request the correction of incorrect data.

Furthermore, you have the right – under certain conditions – to request the deletion of data, the restriction of data processing, and the right to data portability. You can object to processing based on Art. 6(1)(f) GDPR as well as to potential profiling according to Art. 21 GDPR. Any consent you have given in connection with the use of the website can be withdrawn at any time without giving reasons and with effect for the future.All aforementioned rights under Articles 15 to 21 GDPR can be asserted informally by email or post to the controller.You also have the right to lodge a complaint with the relevant supervisory authority if you believe that your data is being processed unlawfully. A list of data protection officers and their contact information can be found at:https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.htmlIf you have any questions, you are welcome to contact our external data protection officer:David Gabel – Email: david.gabel@your-insider.comGeneral information on data protection and the processing of personal data in data protection processes can be found at https://www.dsgvo-support.de