Privacy policy

This privacy policy tells you how, to what extent, and for what purpose we process personal data (in the following referred to as “data”) on our online services, comprising our websites, their functions, and content, and on other external online services, e.g. our social media profiles (in the following jointly referred to as “online services”). For a definition of the terms used, e.g. “processing” and “controller”, please see Article 4 of the General Data Protection Regulation (GDPR).

Controller
X-Act Agentur für Kommunikation GmbH
Alt-Moabit 60
10555 Berlin
Germany

Email: post@xactwerbung.de
Managing directors: André Rossi, Stefan Wilke
Link to legal notice: www.xactwerbung.de/impressum

Types of processed data
- Basic data (e.g. names, addresses)
- Contact data (e.g. email, telephone numbers)
- Content data (e.g. text input, photos, videos)
- Usage data (e.g. visited websites, content interests, access times)
- Meta/communication data (e.g. device information, IP addresses)

Categories of data subjects
Visitors to, and users of our online services (in the following, we generally also refer to data subjects as “users”).

Purpose of processing
- Provide the online services, functions, and content
- Reply to contact queries and other communication with users
- Security measures
- Reach measurement/marketing

Terms
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means. The term is wide-ranging and covers practically all usage of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Applicable legal bases
Under the terms of Article 13 of the GDPR, we are obliged to inform you of the legal bases of our data processing. The following applies should the legal basis not be explicitly stated in the privacy policy: the legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR; the legal basis for the performance of services and contracts, and for responding to requests, is Article 6(1)(b) of the GDPR; the legal basis for processing in compliance with our legal obligations is Article 6(1)(c) of the GDPR; the legal basis for processing for the purpose of protecting our legitimate interests is Article 6(1)(f) of the GDPR. If the vital interests of the data subject or of another natural person make the processing of personal data necessary, the legal basis is Article 6(1)(d) of the GDPR.

Security measures
Under the terms of Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In particular, these measures include protecting the confidentiality, integrity, and availability of data by controlling physical access to the data and their entry, disclosure, protection of availability, and separation. We have also put in place processes to allow data subjects to exercise their rights, erase data, and respond to potential data breaches. Beyond this, we take the protection of personal data into account when developing and selecting hardware, software, and processes in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).

Cooperation with processors and third parties
If, during processing, we disclose, transmit, or otherwise provide data to other persons and companies (processors or third parties), this is done only if permitted by law (e.g. if transmission of data to third parties such as payment providers is required for performance of contract as set out in Article 6(1)(b) of the GDPR), if you have provided your consent, if we have a legal obligation to do so, or if we have a legitimate interest in doing so (e.g. when employing contractors, web hosting services, etc.). If we contract third parties to process data on the basis of a “processing contract”, this is done on the basis of Article 28 of the GDPR.

Data transfer to third countries
If we process data in a third country (e.g. outside the European Union (EU) or the European Economic Area (EEA)) or have data processed in a third country under our right to engage another processor or disclose/transmit data to another processor, this is only done if necessary to perform a contract or take steps prior to entering into a contract, on the basis of your consent, where we have a legal obligation to do so, or where we have a legitimate interest in doing so. Subject to statutory or contractual permissions, we process or have data processed in a third country only if the specific conditions set out in Article 44ff. of the GDPR apply. In other words, processing here may be on the basis of specific safeguards such as the official recognition of a level of data protection that meets EU standards (e.g. the “Privacy Shield” for the USA) or the official recognition of specific contractual obligations (“standard contractual clauses”).

Rights of data subjects
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and to obtain access to these data, a copy of the data, and further information as set out in Article 15 of the GDPR. Under Article 16 of the GDPR, you have the right to obtain the rectification of inaccurate personal data concerning you or to have incomplete data completed. Article 17 of the GDPR gives you the right to obtain the erasure of personal data concerning you without undue delay, while Article 18 of the GDPR gives the right to obtain restriction of processing of your personal data. You have the right to receive the personal data concerning you which you have provided to us and the right to have your personal data transmitted to other controllers under Article 20 of the GDPR. You further have the right, set out in Article 77 of the GDPR, to lodge a complaint with a competent supervisory authority.

Right to withdraw consent
Under Article 7(3) of the GDPR, you have the right to withdraw any consent you have given with effect for the future.

Right to object to processing
Under the terms of Article 21 of the GDPR, you have the right to object to processing of personal data concerning you at any time. In particular, you may object to processing for direct marketing purposes.

Direct marketing: cookies and right to object
Cookies are small files that are saved on users’ computers. They may save a range of different information. Cookies are primarily used to save information on a user (or the device on which the cookie is saved) during or after a visit to an online service. Temporary cookies, also known as session or transient cookies, are cookies that are deleted when a user leaves an online service and closes their browser. This kind of cookie may, for example, save the contents of a shopping cart in an online shop or a login status. Permanent or persistent cookies are cookies that remain on a user’s computer after they close their browser. They can, for example, save a user’s login status for the next time the website is visited. This kind of cookie may also save a user’s interests, which are used for reach measurements or marketing purposes. Third-party cookies are cookies that are set by providers other than the controller of the online service (cookies set by the controller are termed first-party cookies). We may use both session and persistent cookies, and we explain our use of them in our privacy policy. If users do not wish cookies to be saved on their computers, they are asked to disable the relevant options in their browser’s system settings. Cookies that have been saved can be deleted in the browser’s system settings. Disabling cookies may limit the functionality of this website. You may generally object to the use of cookies for purposes of online marketing by using one of a range of services, especially with regard to tracking, on the American website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. You can also prevent cookies from being saved by adjusting your browser settings. Please note, however, that if you do so, you may not be able to use the full functionality of this website.

Data erasure
Under the terms of Article 17 and Article 18 of the GDPR, you have the right to obtain the erasure or restriction of processing of your personal data. Unless otherwise stated in this privacy policy, your personal data stored by us are erased as soon as they are no longer required for the purpose for which they are obtained and on the condition that we are not required by law to retain them. If your data are not erased because they are required for other, legally permissible purposes, they will be subject to a restriction of processing, i.e. the data are made unavailable and not used for any other purposes. This, for example, applies to data that must be retained for commercial or tax purposes. Under statutory regulations in Germany, key periods of retention are 10 years in accordance with Section 147(1) of the Fiscal Code (AO) and Sections 1(1) and 4(4) of the Commercial Code (HGB) (books, records, financial reports, accounting records, trading books, documents relevant to taxation, etc.) and 6 years in accordance with Section 257(1), (2), and (3) of the Commercial Code (commercial letters). Under statutory regulations in Austria, key periods of retention are 7 years in accordance with Section 132(1) of the Federal Fiscal Code (BAO) (accounting documents, receipts/invoices, accounts, documents, business papers, statements of revenue and expenditure), 22 years in connection with real estate, and 10 years for documents relating to services provided electronically and telecommunication, radio, and television services that are provided to non-entrepreneurs in EU Member States using the mini one-stop-shop scheme (MOSS).

Agency services
We process our clients’ data as part of our contractual services, including concept development and strategic consulting, campaign planning, software and design development/consulting or support, implementation of campaigns and processes/handling, server administration, data analysis/consulting services, and training services. When we do this, we process basic data (e.g. client master data such as names and addresses), contact data (e.g. email, telephone numbers), content data (e.g. text input, photos, videos), contract data (e.g. subject of contract, term), payment data (e.g. bank details, payment history), and usage data and metadata (e.g. when evaluating and gauging the success of marketing activities). We generally do not process special categories of personal data unless they form part of a contracted processing activity. Data subjects include our customers, potential customers, and their own customers, users, website visitors, employees, and third parties. The purpose of processing is to provide contractual services, billing services, and our own customer service. The legal bases of processing are Article 6(1)(b) of the GDPR (performance of contract) and Article 6(1)(f) of the GDPR (analysis, statistics, optimisation, security measures). We process data that are required to initiate and perform contractual services and inform users of the necessity to provide us with these data. Data are only disclosed to third parties if this is required as part of an order. When processing data provided to us as part of an order, we act in accordance with the client’s instructions and the statutory regulations regarding processing as set out in Article 28 of the GDPR, and do not process the data for any purpose other than that required for the order. We erase the data on the expiry of statutory warranty and related obligations. 
We review the need to retain data every three years; in the event of statutory archiving obligations, the data are erased on their expiry (6 years in accordance with Section 257(1) of the Commercial Code, 10 years in accordance with Section 147(1) of the Fiscal Code). We erase data that has been disclosed to us by a client as part of an order in accordance with the requirements of the order, and generally on completion of the order.

Administration, financial accounting, office organisation, contact management
We process data as part of administrative tasks and the organisation of our company, in financial accounting, and in compliance with statutory obligations, e.g. archiving. When we do so, we process the same data that we process when performing our contractual services. The legal bases of processing are Article 6(1)(c) of the GDPR and Article 6(1)(f) of the GDPR. Processing applies to customers, potential customers, business partners, and website visitors. The purpose of and our interest in processing is administration, financial accounting, office organisation, and data archiving, i.e. tasks we perform to maintain our business activities, fulfil our duties, and provide our services. Data regarding contractual services and contractual communications are erased in compliance with the information provided relating to these processing activities. In this context, we disclose or transfer data to the fiscal authorities, advisers (e.g. accountants or auditors), and other billing centres and payment providers. On the basis of our business interests, we also save information on suppliers, event organisers, and other business partners, e.g. for the purpose of maintaining contact with them in the future. We generally save this largely business-related information permanently.

Business analyses and market research
We analyse the data we hold on business processes, contracts, enquiries, etc. in order to run our business effectively and identify market trends and the requirements of our contract partners and users. When we do so, we process basic data, communication data, contract data, payment data, usage data, and metadata on the basis of Article 6(1)(f) of the GDPR, and data subjects may be contract partners, potential customers, customers, visitors, and users of our online service. We carry out these analyses for the purpose of evaluating our business, marketing, and market research. Here, we may use the profiles of registered users and the information they contain, e.g. on services they have used. We use the analyses to boost user-friendliness and optimise both our website and our business. The analyses are used by us alone and are not disclosed to any third parties, provided the analyses are not anonymous and do not make use of merged data. If these analyses or profiles are related to specific persons, they will be erased or anonymised when the user gives notice of termination, or otherwise two years following conclusion of contract. Overall business analyses and general trend analyses are created anonymously wherever possible.

Privacy policy for the job application process
We process applicant data purely for the purpose of and as part of the application process in accordance with statutory regulations. Applicant data are processed as necessary to perform our contractual obligations or take steps prior to entering into contractual obligations during the application process in accordance with Article 6(1)(b) of the GDPR and Article 6(1)(f) of the GDPR, provided that the data processing is necessary, e.g. as part of legal procedures (Section 26 of the Federal Data Protection Act (BDSG) also applies in Germany). The application process presupposes that applicants provide us with their applicant data. The required applicant data are clearly indicated where we offer an online form and can otherwise be ascertained from the relevant job description; these data generally include personal details, postal and contact addresses, and documents required for an application, such as a covering letter, CV, and references. Applicants may also provide us with additional data on a voluntary basis. On transmitting their applications to us, applicants declare their consent to the processing of their data for the purpose of the application process in the manner and scope as set out in this privacy policy. If, as part of the application process, special categories of personal data are provided as set out in Article 9(1) of the GDPR, their processing shall also be in accordance with Article 9(2)(b) of the GDPR (e.g. health data such as serious disability or ethnic origin). If, as part of the application process, special categories of personal data are requested as set out in Article 9(1) of the GDPR, their processing shall also be in accordance with Article 9(2)(a) of the GDPR (e.g. health data, if this is required for professional practice). If an online form is provided on our website, applicants may use it to send their applications to us. The data are encrypted before transmission using state-of-the-art technology. 
Applicants may also send us their applications by email. In this case, however, it is important to remember that emails are generally not sent in encrypted form; applicants must encrypt their emails themselves. We therefore cannot accept any responsibility for the electronic transmission between the sender and the point of receipt on our server, and therefore recommend the use of an online form or regular postal services; instead of applying on the online form or by email, applicants are still free to send us their applications by post. In the event of a successful application, the data provided by applicants may be processed further by us for the purpose of the employment relationship. The data belonging to unsuccessful applicants are erased. Applicant data are also erased if an applicant withdraws their application, which they may do at any time. Unless applicants justifiably withdraw their consent to processing, the data are erased following a period of six months, giving us time to reply to any application follow-up questions and allowing us to satisfy our obligation to prove compliance with the Equal Opportunities Act. Invoices for any travel expenses to be reimbursed are archived in accordance with tax law requirements.

Contact
When making contact with us (e.g. on the contact form, by email, telephone, or on social media), users’ information is processed for the purpose of addressing and handling their request in accordance with Article 6(1)(b) of the GDPR. Information provided by users may be saved in a customer relationship management (CRM) system or similar system. We erase requests when they are no longer required. We review the necessity to retain them every two years; statutory archiving obligations also apply.

Hosting
The hosting services we use are employed to ensure the availability of the following services: infrastructure and platform services, computing capacity, memory and database services, security services, and technical maintenance services that we use for the purpose of operating this online service. In this context, we, or our hosting provider, process the basic data, contact data, content data, contract data, usage data, metadata, and communication data of customers, potential customers, and visitors of this online service on the basis of our legitimate interest in ensuring the efficient and secure availability of this website in accordance with Article 6(1)(f) of the GDPR in conjunction with Article 28 of the GDPR (contracts for processing).

Collection of access data and log files
We, or our hosting provider, collect data on all access to the server on which this service is located (log files) on the basis of our legitimate interest in accordance with Article 6(1)(f) of the GDPR. These access data include the name of the requested website, confirmation of successful request, browser type and version, the user’s operating system, the referral URL (the website last visited), the IP address, and the requesting provider. For security reasons (e.g. to investigate misuse or fraudulent actions), log file information is saved for a maximum of 7 days and then erased. Data that must continue to be retained as evidence are exempted from erasure until the incident in question has been fully resolved.

Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC (“Google”), on the basis of our legitimate interests (i.e. interest in analysis, optimisation, and effective operation of our website under the terms of Article 6(1)(f) of the GDPR). Google uses cookies. The information generated by the cookie about use of the website will generally be transmitted to and stored by Google on servers in the USA. Google is certified under the Privacy Shield framework and thus provides a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). Google will use this information on our behalf to evaluate use of our website, to compile reports on website activity, and to provide us with other services relating to use of this website and the internet. In this context, pseudonymised usage profiles may be created from the processed data. We use Google Analytics only with activated IP anonymisation. This means that Google will truncate users’ IP addresses for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to and truncated by Google servers in the USA. Google will not merge users’ truncated IP addresses transmitted by their browsers with any other data held by Google. Users can prevent cookies from being saved by adjusting their browser settings; users may also prevent the collection of data generated by the cookie and relating to their website use by Google and the processing of these data by Google by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de. 
More information on how Google uses data and on how you can change your settings and object to the processing of data can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the ad settings provided by Google (https://adssettings.google.com/authenticated). Personal user data are erased or anonymised after a period of 14 months. As an alternative to the browser plugin, in particular for browsers on mobile devices, you can prevent Google Analytics from collecting data by clicking on this link. This places an opt-out cookie on your computer that prevents data from being collected in the future when visiting this website. The opt-out cookie is valid only in this browser and only on our website, and is stored on your device. If you delete your cookies in this browser, you will need to set the opt-out cookie again.

Google AdWords and conversion measurement
We use the services provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”), on the basis of our legitimate interests (i.e. interest in analysis, optimisation, and effective operation of our website under the terms of Article 6(1)(f) of the GDPR). Google is certified under the Privacy Shield framework and thus provides a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). We use Google AdWords, an online marketing service, to deliver ads in the Google Display Network (e.g. in search results, in videos, on websites, etc.) such that they are shown to users who are likely to have an interest in them. This allows us to deliver ads for and on our website that best suit our users and their interests. When a user, for example, is shown ads for products that they have viewed on other websites, this process is termed “remarketing”. For this purpose, when a user visits our and other websites on which the Google Display Network is active, Google directly executes a code and (re)marketing tags (invisible graphics or code, also known as web beacons) are embedded in the website. With their help, an individual cookie, i.e. a small file, is saved on the user’s device (related technologies may be used instead of cookies). This file records the websites visited by the user, the content they are interested in, and the items they have clicked on, as well as technical information on the browser and operating system, referrer websites, length of visit, and other website usage data. We also receive an individual conversion cookie. The information obtained with the help of the cookie is used by Google to create conversion statistics on our behalf. We, however, receive only the anonymous overall number of users who have clicked on our ad and were redirected to a website containing a conversion tracking tag. 
We do not receive any information that can be used to identify users personally. User data are processed in pseudonymised form within the Google Display Network. In other words, Google does not save or process the names or email addresses of users but rather processes the relevant data from the cookie within pseudonymised user profiles. From Google’s perspective, the ads are not managed and displayed for identifiable persons but for cookie owners, irrespective of who they may be. This does not apply if a user has expressly consented to Google’s processing of the data without the use of pseudonymisation. The information gathered on users is transmitted to Google and saved on Google servers in the USA. More information on how Google uses data and on how you can change your settings and object to the processing of data can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the ad settings provided by Google (https://adssettings.google.com/authenticated).

Visual Website Optimizer
We use the Visual Website Optimizer service (provided by Wingify Software Private Limited, 404, Gopal Heights, Netaji Subhash Place, Pitam Pura, Delhi 110034, India) on our website on the basis of our legitimate interests (i.e. interest in analysis, optimisation, and effective operation of our website under the terms of Article 6(1)(f) of the GDPR). Using “A/B testing”, “click tracking”, and “heatmaps”, Visual Website Optimizer makes it possible to see how changes impact on a website (e.g. changes to input fields, to the design, etc.). A/B tests are used to improve the user-friendliness and performance of websites. Users, for example, are shown different versions of a website or elements of a website, e.g. input forms, on which the placement of content or labelling of navigation elements may differ. Based on user behaviour, e.g. lengthier website visit or more frequent interaction with website elements, it is possible to ascertain which of the websites or elements is better suited to user needs. “Click tracking” makes it possible to follow a user’s navigation through an overall online service. As the results of this test are more precise if user interaction can be followed over a longer period of time (e.g. to see if a user returns frequently), cookies are usually saved on the user’s computer for this test purpose. “Heatmaps” are users’ mouse movements that can be compiled and used, for example, to identify which elements of a website are preferentially visited and which website elements are less popular among users. Cookies are only saved on users’ devices for this purpose. The user data that are processed are pseudonymised. For more information, please read the Visual Website Optimizer privacy policy: https://vwo.com/privacy-policy/. If you do not want Visual Website Optimizer to record your user behaviour, you may object to data collection by clicking on this link: https://www.xactwerbung.de/?vwo_opt_out=1.

Social media profiles
We maintain social media profiles to communicate with customers, potential customers, and users who are active on social media and to tell them about our services. When visiting the social networks and platforms, visitors are subject to their terms and conditions of business and data processing procedures. Unless otherwise stated in this privacy policy, we process the data of users if they communicate with us on social networks and platforms, e.g. if they post in our profiles or send us messages.

Integration of third-party services and content
We use third-party content and services on our online services on the basis of our legitimate interests (i.e. interest in analysis, optimisation, and effective operation of our website under the terms of Article 6(1)(f) of the GDPR) to integrate their content and services, e.g. videos or fonts (in the following referred to as “content”). This always presupposes that the third-party provider of this content knows the user’s IP address, as the content cannot be sent to their browser without an IP address. The IP address is thus required to display this content. We endeavour to use only content supplied by providers who use IP addresses only to deliver content. Third-party providers may also use pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. Pixel tags make it possible to evaluate information such as visitor numbers on the various pages of this website. The pseudonymised information may also be saved in cookies on a user’s device and contain technical information on the browser and operating system, referrer websites, time of visit, and other information on the use of our online services, as well as be associated with information from other sources.

YouTube
We embed videos from the “YouTube” platform, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Fonts
We embed fonts (“Google Fonts”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Maps
We embed maps from “Google Maps”, a service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Processed data may include, in particular, users’ IP addresses and location data, which, however, are not collected without their consent (usually provided in the settings on your mobile device). The data may be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Created using Datenschutz-Generator.de provided by Dr. Thomas Schwenke