Privacy Policy
Preamble
With the following Privacy Policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent in connection with the provision of our application.
The terms used are not gender-specific.
Controller
ER‑TEC GmbH
Grüner Talstraße 69
58644 Iserlohn
Germany
Email: hello@er-tec.net
Phone: +49 2371 3913 822
Legal Notice: https://er-tec.net/impressum/
Overview of Processing Activities
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects concerned.
Types of Data Processed
- Inventory data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
Categories of Data Subjects
- Communication partners
- Users
Purposes of Processing
- Contact requests and communication
- Security measures
- Direct marketing
- Management and responding to inquiries
- Feedback
- Provision of our online offering and user experience
- IT infrastructure
Applicable Legal Bases
Legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Where more specific legal bases apply in individual cases, we will inform you of these in the Privacy Policy.
- Consent (Art. 6(1)(a) GDPR) — The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) — Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6(1)(f) GDPR) — Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the GDPR, national data protection laws apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transmission, and automated individual decision-making including profiling. State-level data protection laws of the individual German federal states may also apply.
Note on the applicability of the GDPR and the Swiss FADP: These privacy notices serve to fulfill information obligations under both the Swiss Federal Act on Data Protection (Swiss FADP) and the General Data Protection Regulation (GDPR). For this reason, please note that the terminology of the GDPR is used for broader geographical applicability and clarity. In particular, instead of the terms used in the Swiss FADP — "processing" of "personal data," "overriding interest," and "particularly sensitive personal data" — the GDPR terms "processing" of "personal data," "legitimate interest," and "special categories of data" are used. However, the legal meaning of these terms continues to be determined by the Swiss FADP where it applies.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, ensuring availability of, and separation of the data. We have also established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data security threats. Furthermore, we take data protection into account at the earliest stage of hardware, software, and process development, in accordance with the principle of privacy by design and privacy by default.
IP address truncation: Where IP addresses are processed by us or by the service providers and technologies we use, and where processing a complete IP address is not necessary, the IP address is truncated (also referred to as "IP masking"). In this process, the last two digits, or the last segment of the IP address after a period, are removed or replaced with placeholders. The purpose of truncating the IP address is to prevent or significantly hinder the identification of a person based on their IP address.
TLS/SSL encryption (HTTPS): To protect the data of users transmitted via our online services, we use TLS/SSL encryption. Secure Sockets Layer (SSL) is the standard technology for securing internet connections by encrypting data transmitted between a website or app and a browser (or between two servers). Transport Layer Security (TLS) is an updated, more secure version of SSL. HTTPS is displayed in the URL when a website is secured by an SSL/TLS certificate.
Transmission of Personal Data
In the course of processing personal data, it may occur that data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. Recipients of such data may include, for example, service providers entrusted with IT tasks or providers of services and content embedded in a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Intra-organizational data transfers: We may transfer personal data to other entities within our organization or grant them access to such data. Where such transfers are made for administrative purposes, they are based on our legitimate business and operational interests, or are made as required for the fulfillment of our contractual obligations, or where consent from the data subjects or a legal authorization exists.
International Data Transfers
Processing data in third countries: Where we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or where processing occurs in the context of using third-party services or disclosing or transferring data to other persons, entities, or companies, this is done only in accordance with legal requirements. Where the level of data protection in a third country has been recognized by way of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers are only carried out where the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractually or legally required transfers (Art. 49(1) GDPR). We will additionally inform you of the basis for third-country transfers for individual providers from third countries, with adequacy decisions taking precedence as the basis where applicable. Information on third-country transfers and existing adequacy decisions can be found in the EU Commission's information portal at: commission.europa.eu.
EU-US Trans-Atlantic Data Privacy Framework: Under the so-called "Data Privacy Framework" (DPF), the EU Commission has also recognized the level of data protection for certain companies in the USA as adequate under its adequacy decision of July 10, 2023. The list of certified companies and further information about the DPF can be found on the website of the U.S. Department of Commerce at dataprivacyframework.gov (in English). We will inform you in these privacy notices which service providers we use that are certified under the Data Privacy Framework.
Deletion of Data
The data we process will be deleted in accordance with legal requirements once the consents permitting their processing are revoked or other permissions cease to apply (e.g., when the purpose for which the data was processed no longer exists or it is no longer necessary for that purpose). Where data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons, or whose storage is necessary for the assertion, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person. Our privacy notices may also contain further information on the retention and deletion of data that takes precedence for the respective processing activities.
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:
- Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
- Right of access: You have the right to request confirmation as to whether data concerning you is being processed, and to obtain information about such data as well as further details and a copy of the data, in accordance with legal requirements.
- Right to rectification: You have the right, in accordance with legal requirements, to request the completion or correction of inaccurate data concerning you.
- Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request the immediate deletion of data concerning you, or alternatively to request restriction of the processing of such data.
- Right to data portability: You have the right to receive data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format, or to request its transmission to another controller, in accordance with legal requirements.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the provisions of the GDPR.
Use of Cookies
Cookies are small text files or other storage mechanisms that store and retrieve information on end devices — for example, to save login status in a user account, shopping cart contents in an online store, the content accessed, or functions used within an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings, and for creating visitor flow analyses.
Notes on consent: We use cookies in accordance with legal requirements. We therefore obtain prior consent from users, unless such consent is not required by law. Consent is not required in particular where the storage and retrieval of information — including cookies — is strictly necessary to provide a telemedia service (i.e., our online offering) that users have explicitly requested. Strictly necessary cookies generally include those serving functions related to the display and operability of the online offering, load balancing, security, storing user preferences and choices, or similar purposes related to providing the main and ancillary functions of the online offering requested by users. The revocable consent is clearly communicated to users and includes information about the specific cookie use.
Notes on legal bases for data protection: The legal basis on which we process users' personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, data processed using cookies is processed on the basis of our legitimate interests (e.g., in the economically efficient operation of our online offering and improving its usability) or where the use of cookies is necessary to fulfill our contractual obligations. We will inform users of the purposes for which cookies are processed throughout this Privacy Policy and within our consent and processing procedures.
Storage duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest once a user has left an online offering and closed their end device (e.g., browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, login status can be saved or preferred content displayed directly when a user revisits a website. Data collected via cookies can also be used for reach measurement. Unless we provide users with explicit information about the type and duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and that the storage period may be up to two years.
General notes on revocation and objection ("opt-out"): Users may revoke their consent at any time and object to processing in accordance with legal requirements. Users may, among other things, restrict the use of cookies in their browser settings (which may also limit the functionality of our online offering). An objection to the use of cookies for online marketing purposes can also be declared via the websites optout.aboutads.info and youronlinechoices.com.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Further notes on processing activities, procedures, and services
Processing of cookie data based on consent: We use a cookie consent management procedure through which users' consents to the use of cookies — or to the processing activities and providers referred to in the cookie consent management procedure — are obtained and can be managed and revoked by users. The consent declaration is stored to avoid the need to request it again and to be able to demonstrate consent in accordance with legal obligations. Storage may occur server-side and/or in a cookie (a so-called opt-in cookie or using comparable technologies) in order to associate the consent with a user or their device. Subject to individual information provided by cookie management service providers, the following general notes apply: The duration of consent storage may be up to two years. A pseudonymous user identifier is created and stored along with the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), and the browser, system, and end device used. Legal bases: Consent (Art. 6(1)(a) GDPR).
Provision of the Online Offering and Web Hosting
We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or end device.
- Types of data processed: Usage data (e.g., pages visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user experience; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing activities, procedures, and services
Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files." Server log files may include the address and name of the pages and files accessed, the date and time of access, the volume of data transferred, notification of successful retrieval, the browser type and version, the user's operating system, the referrer URL (the previously visited page), and typically IP addresses and the requesting provider. Server log files may be used for security purposes (e.g., to prevent server overload, particularly in the case of abusive attacks such as DDoS attacks) and to ensure the servers' utilization and stability. Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is exempt from deletion until the final resolution of the respective incident.
Contact and Inquiry Management
When you contact us (e.g., by post, contact form, email, telephone, or via social media) or in the context of existing user and business relationships, we process the information provided by the inquiring persons to the extent necessary to respond to the contact inquiries and any requested measures.
- Types of data processed: Contact data (e.g., email, phone numbers); content data (e.g., input in online forms); usage data (e.g., pages visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data subjects: Communication partners.
- Purposes of processing: Contact requests and communication; management and responding to inquiries; feedback (e.g., collecting feedback via online form); provision of our online offering and user experience.
- Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further notes on processing activities, procedures, and services
Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided in that context in order to handle the matter communicated. Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Promotional Communication via Email, Post, Fax, or Telephone
We process personal data for the purposes of promotional communication, which may take place via various channels such as email, telephone, post, or fax, in accordance with legal requirements.
Recipients have the right to withdraw any consent given at any time, or to object to promotional communication at any time.
Following a withdrawal or objection, we store the data required to demonstrate prior authorization for contact or sending for up to three years after the end of the year of the withdrawal or objection, on the basis of our legitimate interests. The processing of this data is limited to the purpose of potentially defending against claims. On the basis of our legitimate interest in permanently honoring users' withdrawals and objections, we also store the data required to avoid renewed contact (e.g., depending on the communication channel: email address, phone number, name).
- Types of data processed: Inventory data (e.g., names, addresses); contact data (e.g., email, phone numbers).
- Data subjects: Communication partners.
- Purposes of processing: Direct marketing (e.g., by email or post).
- Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).
Changes and Updates to the Privacy Policy
We ask you to regularly review the content of our Privacy Policy. We update the Privacy Policy as soon as changes to the data processing activities we carry out make this necessary. We will notify you as soon as a change requires an action on your part (e.g., consent) or another individual notification.
Where we provide addresses and contact details of companies and organizations in this Privacy Policy, please note that these may change over time and we ask you to verify the details before making contact.
Definitions
This section provides an overview of the terms used in this Privacy Policy. Where terms are defined by law, their legal definitions apply. The following explanations are intended primarily to aid understanding.
- Personal data: Any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: Any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, including collection, evaluation, storage, transmission, or deletion.