Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes and to what extent in the context of providing our application.
Last updated: January 3, 2025
Controller
TUNZE® Aquarientechnik GmbH
Seeshaupter Str. 68
D-82377 Penzberg
Authorized representatives: Dipl.Ing.(FH) Axel Tunze, Felix Tunze B.Sc
Email address: info@tunze.com
Phone: +49 (0) 8856-9017580
Imprint: /tunze/en/imprint
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed
- Inventory data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Image and/or video recordings.
- Log data.
Categories of Data Subjects
- Service recipients and clients.
- Interested parties.
- Communication partners.
- Users.
- Business and contractual partners.
- Third parties.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement.
- Office and organizational procedures.
- Organizational and administrative procedures.
- Content Delivery Network (CDN).
- Feedback.
- Marketing.
- Profiles with user-related information.
- Registration procedures.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
- Public relations.
- Business processes and economic procedures.
- Artificial Intelligence (AI).
Relevant Legal Bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Should more specific legal bases be relevant in individual cases, we will inform you of these in the privacy policy.
- Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of personal data relating to him or her for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Note on applicability of GDPR and Swiss DPA: These data protection notices serve to provide information both under the Swiss DPA and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that, due to the broader spatial application and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms "processing" of "personal data", "overriding interest" and "particularly sensitive personal data" used in the Swiss DPA, the terms "processing" of "personal data" as well as "legitimate interest" and "special categories of data" used in the GDPR are used. However, the legal meaning of the terms will continue to be determined under the Swiss DPA within the scope of its applicability.
Security Measures
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include in particular securing the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, securing the availability of and separation of data. Furthermore, we have established procedures that ensure the exercise of data subject rights, deletion of data and responses to data threats. We also take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect users' data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is signaled by the display of HTTPS in the URL. This serves as an indicator for users that their data is transmitted securely and encrypted.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal provisions as soon as the underlying consent is revoked or there are no further legal grounds for processing. This applies to cases in which the original purpose of processing ceases to apply or the data is no longer required. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or whose storage is necessary for legal prosecution or for the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy policy contains additional information on the retention and deletion of data that applies specifically to certain processing processes.
If there are multiple indications of retention periods or deletion deadlines for a data item, the longest period is always decisive.
If a period does not expressly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the period-triggering event occurred. In the case of ongoing contractual relationships within which data is stored, the period-triggering event is the time when the termination or other ending of the legal relationship becomes effective.
Data that is retained no longer for its originally intended purpose but because of legal requirements or for other reasons is processed exclusively for the reasons that justify its retention.
Further notes on processing processes, procedures and services:
- Retention and deletion of data: The following general deadlines apply for retention and archiving under German law:
- 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheet as well as the work instructions and other organizational documents required for their understanding, accounting vouchers and invoices (§ 147 para. 3 in conjunction with para. 1 nos. 1, 4 and 4a AO, § 14b para. 1 UStG, § 257 para. 1 nos. 1 and 4, para. 4 HGB).
- 6 years - Other business documents: received commercial or business letters, reproductions of sent commercial or business letters, other documents insofar as they are of importance for taxation, e.g. hourly wage slips, operating accounting sheets, calculation documents, price labels, but also payroll documents insofar as they are not already accounting vouchers and cash register receipts (§ 147 para. 3 in conjunction with para. 1 nos. 2, 3, 5 AO, § 257 para. 1 nos. 2 and 3, para. 4 HGB).
- 3 years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights as well as to process related inquiries, based on previous business experience and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As data subjects under the GDPR, you have various rights, which arise in particular from Articles 15 to 21 GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent given at any time.
- Right of access: You have the right to request confirmation as to whether data is being processed and to information about this data as well as to further information and a copy of the data in accordance with legal requirements.
- Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
- Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased immediately, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
- Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
- Complaint to supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of personal data concerning you violates the GDPR.
Business Services
We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as "contractual partners") within the framework of contractual and comparable legal relationships as well as associated measures and in relation to communication with contractual partners (or pre-contractually), e.g. to answer inquiries.
We use this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purpose of administrative tasks associated with these obligations and company organization. Furthermore, we process the data on the basis of our legitimate interests in proper and economical business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, such as for marketing purposes, within the framework of this privacy policy.
We inform contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, through special marking (e.g. colors) or symbols (e.g. asterisks or similar), or personally.
We delete the data after expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as it must be retained for legal reasons of archiving (for tax purposes generally ten years). We delete data disclosed to us by the contractual partner within the framework of an order in accordance with the requirements and generally after the end of the order.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or telephone numbers). Contract data (e.g. subject matter of contract, term, customer category).
- Data subjects: Service recipients and clients; Interested parties. Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative procedures. Business processes and economic procedures.
- Retention and deletion: Deletion in accordance with information in the section "General Information on Data Storage and Deletion".
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
- Provision of software and platform services: We process the data of our users, registered and any test users (hereinafter uniformly referred to as "users") in order to be able to provide them with our contractual services and on the basis of legitimate interests in order to ensure the security of our offering and to be able to further develop it. The required information is marked as such within the framework of the order or comparable contract conclusion and includes the information required for service provision and billing as well as contact information in order to be able to hold any consultations; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).
Payment Procedures
Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use other service providers in addition to banks and credit institutions (collectively "payment service providers").
The data processed by the payment service providers includes inventory data, such as name and address, bank data, such as account numbers or credit card numbers, passwords, TANs and checksums as well as contract, total and recipient-related information. The information is required to carry out the transactions. However, the data entered is only processed and stored by the payment service providers. That is, we do not receive any account or credit card-related information, but only information confirming or negatively confirming the payment. Under certain circumstances, the data may be transmitted by the payment service providers to credit agencies. This transmission is for the purpose of identity and credit checks. For this, we refer to the terms and conditions and data protection information of the payment service providers.
The terms and conditions and data protection information of the respective payment service providers apply to payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to these for further information and assertion of withdrawal, information and other data subject rights.
- Types of data processed: Inventory data (e.g. full name, residential address, contact information, customer number, etc.); Payment data (e.g. bank details, invoices, payment history); Contract data (e.g. subject matter of contract, term, customer category); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved). Contact data (e.g. postal and email addresses or telephone numbers).
- Data subjects: Service recipients and clients. Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Business processes and economic procedures.
- Retention and deletion: Deletion in accordance with information in the section "General Information on Data Storage and Deletion".
- Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
- Apple Pay: Payment services (technical integration of online payment methods); Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.apple.com/apple-pay/. Privacy policy: https://www.apple.com/legal/privacy/.
- Google Pay: Payment services (technical integration of online payment methods); Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://pay.google.com/about/. Privacy policy: https://policies.google.com/privacy.
Provision of Online Offering and Web Hosting
We process users' data in order to be able to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication and procedural data (e.g. IP addresses, time information, identification numbers, persons involved); Log data (e.g. log files concerning logins or the retrieval of data or access times). Content data (e.g. textual or pictorial messages and posts as well as information concerning them, such as information on authorship or time of creation).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures. Content Delivery Network (CDN).
- Retention and deletion: Deletion in accordance with information in the section "General Information on Data Storage and Deletion".
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further notes on processing processes, procedures and services:
- Provision of online offering on rented storage space: For the provision of our online offering, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called "web hoster"); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and on the other hand, to ensure the utilization of the servers and their stability; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is required for evidence purposes is excluded from deletion until the respective incident has been finally clarified.
- Content Delivery Network: We use a "Content Delivery Network" (CDN). A CDN is a service with the help of which content of an online offering, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
- Hetzner: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/legal/privacy-policy. Data processing agreement: https://docs.hetzner.com/general/general-terms-and-conditions/data-privacy-faq/.
- Cloudflare: Content Delivery Network (CDN) - service with the help of which content of an online offering, in particular large media files such as graphics or program scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.cloudflare.com; Privacy policy: https://www.cloudflare.com/privacypolicy/; Data processing agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third country transfers: Data Privacy Framework (DPF).
Use of Cookies
The term "cookies" refers to functions that store information on users' devices and read it from them. Cookies can also be used for different purposes, such as for the functionality, security and convenience of online offerings as well as for creating analyses of visitor flows. We use cookies in accordance with legal regulations. For this purpose, we obtain the consent of users in advance if necessary. If consent is not necessary, we rely on our legitimate interests. This applies if the storage and reading of information is essential to provide expressly requested content and functions. This includes, for example, the storage of settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information about their scope and about which cookies are used.
Notes on legal bases under data protection law: Whether we process personal data with the help of cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and procedures.
Storage duration: With regard to the storage duration, the following types of cookies are distinguished:
- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g. browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), they should assume that they are permanent and the storage duration can be up to two years.
General notes on withdrawal and objection (opt-out): Users can withdraw their consent at any time and also lodge an objection to processing in accordance with legal requirements, including through the privacy settings of their browser.