FACTS & STORIES

Privacy Policy

INTRODUCTION AND DEFINITIONS

1. Introduction
By operating our website www.factsandstories.de / www.factsandstories.com (hereinafter referred to as “website”), we process personal data. This data is treated confidentially and processed in accordance with applicable laws — in particular the General Data Protection Regulation (DSGVO) and the Federal Data Protection Act (BDSG). Our privacy policy is intended to inform you about what personal data we collect, for what purposes and on what legal basis we use it, and to whom we may disclose it. We will also explain what rights you have to protect and enforce your data privacy.

2. Definitions
Our privacy policy contains technical terms used in the DSGVO and BDSG. For your better understanding, we would like to explain these terms in plain language beforehand:

2.1 Personal Data
“Personal data” refers to any information relating to an identified or identifiable natural person (Art. 4 No. 1 DSGVO). Information about an identified person may include, for example, their name or email address. Data is also considered personal if the identity is not immediately apparent but can be determined by combining one’s own or third-party information to find out who the person is. A person can be identified, for example, through their address or bank details, date of birth, username, IP addresses, and/or location data. All information that can in any way be traced back to a person is relevant here.

2.2 Processing
“Processing” under Art. 4 No. 2 DSGVO refers to any operation carried out in connection with personal data. This includes in particular the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

CONTROLLER
The controller responsible for data processing is:

Company: Facts and Stories GmbH (“we”)
Legal representative: Karin Kiesl (Managing Director)
Address: Henriettenweg 13, 20259 Hamburg
Phone: +49 40 607 893 65
Email: info@factsandstories.de

PROCESSING ACTIVITIES

3. Processing Framework: Website
Within the website at www.factsandstories.de, we process the personal data listed in detail under sections 4–12 below. We only process data that you actively provide on our website (e.g. by filling in forms) or that you automatically make available when using our services.

Your data is processed exclusively by us and is generally not sold, lent, or shared with third parties. If we use external service providers to help process your personal data, this is done within the framework of so-called data processing agreements, in which we as the client have the right to issue instructions to our processors. For the operation of our website, we use external service providers for hosting (all-inkl.com) as well as for maintenance, upkeep, and further development. If additional external service providers are used for any of the processing activities listed in sections 4–12, they will be named there.

Data transfers to third countries do not generally take place and are not planned. Exceptions to this principle will be noted in the relevant processing activities described below.

INDIVIDUAL PROCESSING ACTIVITIES

4. Provision of the Website and Server Log Files

4.1 Description of Processing
Each time the website is accessed, we automatically collect information that your browser transmits to our server. This is also stored in the so-called log files of our system. The data collected includes:

Your IP address
The browser software you are using, including its version and language
The operating system you are using
The website from which you accessed our website (so-called referrer)
The subpages of our website that you visited
The date and time of your visit to our website
Your internet service provider
Volume of data transmitted
Country and location from which you visited our website
Time spent on our website
Your IP address is stored in the log files with the last three digits removed.

4.2 Purpose
The processing is carried out to enable access to the website and to ensure its stability and security. It also serves the statistical analysis and improvement of our online offering.

4.3 Legal Basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) DSGVO). Our legitimate interest lies in the purpose stated in section 4.2.

4.4 Retention Period
Data is deleted as soon as it is no longer needed for the purpose for which it was collected. In the case of data collected for the provision of the website, this occurs when the respective session ends. Log files are deleted after 30 days.

5. Contact via Email

5.1 Description of Processing
You can contact us via the email addresses provided on the website. In this case, the personal data transmitted with the email will be processed by us.

5.2 Purpose
The data transmitted with and in your email will be used exclusively for the purpose of processing and responding to your enquiry.

5.3 Legal Basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) DSGVO). Our legitimate interest lies in the purpose stated in section 5.2. If the email contact is aimed at concluding or fulfilling a contract, the data processing is carried out for the performance of that contract (Art. 6(1)(b) DSGVO).

5.4 Retention Period
We delete data as soon as it is no longer needed for the purpose for which it was collected. This is generally the case when the respective communication with you has ended — i.e., when it can be inferred from the circumstances that your enquiry has been conclusively resolved. If statutory retention periods prevent deletion, the data will be deleted immediately after the statutory retention period expires.

6. Cookies

6.1 Description of Processing
Our website uses cookies. Cookies are small text files that are stored on a user’s device when visiting a website. They contain information that enables a device to be recognised and, if applicable, certain functions of a website to be used. In most cases, we only use so-called “session cookies”, which are automatically deleted when you end your internet session and close the browser. Other cookies remain stored on your device for a longer period. Our website uses the following cookies:

Cookie name: _ga | Purpose/Function: Google Analytics – distinguishing visitors | Retention: This cookie expires 2 years after it is set.
Cookie name: _gat | Purpose/Function: Google Analytics – throttling request rates | Retention: This cookie expires 1 minute after it is set.
Cookie name: _gid | Purpose/Function: Google Analytics – distinguishing users | Retention: This cookie expires 24 hours after it is set.
Cookie name: wordpress_test_cookie | Purpose/Function: Distinguishing users | Retention: This cookie expires 24 hours after it is set.
Cookie name: tk_ai | Purpose/Function: Jetpack – distinguishing users | Retention: This cookie expires at the end of the session.

6.2 Purpose
We use cookies to make our website more user-friendly and to provide the functions described in section 6.1.

6.3 Legal Basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) DSGVO). Our legitimate interest lies in the purpose stated in section 6.2.

6.4 Retention Period

Cookies are automatically deleted at the end of a session or upon expiry of the stated retention period. Since cookies are stored on your device, you as the user also have full control over the use of cookies. You can disable or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been stored can be deleted at any time, including automatically. If cookies are disabled for our website, some functions of our website may not be available or may be limited.

7. Social Networks
Our website does not use so-called social media plugins. The logos of the social networks Facebook, Twitter, Xing, and LinkedIn displayed on our website are linked only to the respective profiles of our company. If you click on one of the logos, you will be redirected to the external website of the respective social network.

8. Google Webfonts

8.1 Description of Processing
Our website uses “Google Web Fonts”, a font replacement service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Google Web Fonts replaces the standard fonts on your device with fonts from Google’s catalogue when displaying our website. If your browser blocks the integration of Google Web Fonts, the text of our website will be displayed in the standard fonts of your device. The Google Fonts are loaded directly from a Google server. To enable this, your browser sends a request to a Google server, which may also transmit your IP address in connection with the address of our website to Google. However, Google Web Fonts does not store any cookies on your device. According to Google, data processed in the context of the Google Web Fonts service is transmitted on resource-specific domains such as fonts.googleapis.com or fonts.gstatic.com. This data is not associated with data that may be processed in connection with the use of other Google services such as the search engine or Gmail. Further information on data protection with Google Web Fonts is available at https://developers.google.com/fonts/faq. General information on data protection at Google can be found at http://www.google.com/intl/en/policies/privacy/.

8.2 Purpose
The processing is carried out to display the text of our website in a more readable and aesthetically pleasing manner.

8.3 Legal Basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) DSGVO). Our legitimate interest lies in the purpose stated in section 8.2.

8.4 Recipients and Transfer to Third Countries
Through the use of Google Web Fonts, personal data may be transferred to Google. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield is available at https://www.privacyshield.gov/EU-US-Framework.

9. OpenStreetMap

9.1 Description of Processing
Our website uses OpenStreetMap, a map display service provided by FOSSGIS e.V., Römerweg 5, D-79199 Kirchzarten.

We use OpenStreetMap by embedding a map with our business address on our website. The map is loaded directly from an OpenStreetMap server. To enable this, your browser sends a request to an OpenStreetMap server, which may also transmit your IP address in connection with the address of our website to OpenStreetMap.

9.2 Purpose
The processing is carried out to display an interactive map on our website.

9.3 Legal Basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) DSGVO). Our legitimate interest lies in the purpose stated in section 9.2.

9.4 Recipients and Transfer to Third Countries
OpenStreetMap does not process your personal data. Further information is available at https://www.openstreetmap.de/faq.html.

10. Google Analytics

10.1 Description of Processing
Our website uses “Google Analytics”, a web analytics service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). Google Analytics uses cookies (see section 6) that enable analysis of your use of our website. The information generated by the cookie is generally transferred to and stored on a Google server in the USA. However, we use Google Analytics exclusively with IP anonymisation. This means that your IP address is truncated by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. The IP address transmitted by your browser in the context of Google Analytics will not be merged with other Google data. The statistics created by Google Analytics capture in particular how many users visit our website, from which country or location access is made, which subpages are visited, and via which links or search terms visitors reach our website. The terms of use for Google Analytics can be found at http://www.google.com/analytics/terms/en.html. An overview of data protection with Google Analytics is available at http://www.google.com/intl/en/analytics/learn/privacy.html. Google’s privacy policy can be found at http://www.google.com/intl/en/policies/privacy.

10.2 Purpose
The processing is carried out to enable analysis of the use of our website. The information obtained is used to improve and tailor our online presence to user needs.

10.3 Legal Basis
The processing is necessary to protect the overriding legitimate interests of the controller (Art. 6(1)(f) DSGVO). Our legitimate interest lies in the purpose stated in section 10.2.

10.4 Retention Period and Right to Object
The retention period and your options for controlling and managing cookies are explained in section 6. You can object to data processing by Google Analytics at any time by downloading and installing the browser add-on provided by Google at https://tools.google.com/dlpage/gaoptout. Alternatively, you can click the following link to set an opt-out cookie on your device that prevents the collection of your data during future visits to this website. Analytics data processed and stored by Google Analytics is automatically deleted by us after 14 months.

10.5 Recipients and Transfer to Third Countries
Google Analytics acts as a data processor for us. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield. Further information on the EU-US Privacy Shield is available at https://www.privacyshield.gov/EU-US-Framework.

11. Google Tag Manager
Our website uses the “Google Tag Manager”, a service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter “Google”). The Google Tag Manager does not collect any personal data and does not set any cookies. This service simply enables us to integrate and manage tags on our website. Tags are small code elements on our website that are useful for measuring traffic and visitor behaviour with other tools, capturing the impact of online advertising and social channels, using remarketing and audience targeting, and testing and optimising the website. Further information on the Google Tag Manager can be found at: https://www.google.com/intl/en/tagmanager/use-policy.html.

12. Gravatar

12.1 Description of Processing
We use the Gravatar service by Automattic, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA, within our online offering and in particular in the blog.

Gravatar is a service where users can register and store profile pictures and their email addresses. When users leave posts or comments on other online presences (especially blogs) using the respective email address, their profile pictures can be displayed next to the posts or comments. For this purpose, the email address provided by users is transmitted to Gravatar in encrypted form to check whether a profile is stored for it. This is the sole purpose of transmitting the email address; it is not used for any other purposes and is deleted afterwards.

12.2 Purpose
Gravatar is used on the basis of our legitimate interests pursuant to Art. 6(1)(f) DSGVO, as we use Gravatar to give post and comment authors the option to personalise their contributions with a profile picture.

12.3 Legal Basis
The use of Gravatar is based on our legitimate interests pursuant to Art. 6(1)(f) GDPR. Our legitimate interest lies in the purpose stated in section 12.2.

12.4 Retention Period and Right to Object
If users do not want a profile picture linked to their email address on Gravatar to appear in the comments, they should use an email address that is not registered with Gravatar when commenting. We also point out that it is possible to use an anonymous email address or no email address at all, if users do not wish their email address to be sent to Gravatar. Users can prevent the transfer of data entirely by not using our comment system.

12.5 Recipients and Transfer to Third Countries
By displaying images, Gravatar obtains the IP address of users, as this is necessary for communication between a browser and an online service. Further information on the collection and use of data by Gravatar can be found in Automattic’s privacy policy: https://automattic.com/privacy/. Automattic is certified under the Privacy Shield agreement and thereby offers a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000CbqcAAC&status=Active).

12.6 Appointment Booking Function
Appointment booking via Outlook / Office 365
In order to provide you with the appointment booking function on our website, it is necessary for you to enter certain personal data. This generally includes the following information:

Name
Email address
Phone number (optional)
Address (optional)

This data is used by us exclusively for the purpose of booking and managing appointments. We do not use your data for advertising purposes and do not pass it on to third parties unless this is necessary for the execution of the appointment booking.

Use of Outlook Office 365

Our appointment booking function is based on the integration of Outlook Office 365. When using this function, the data you enter is transferred to and processed on the Outlook Office 365 servers. Microsoft’s privacy policy (owner of Outlook Office 365) applies with regard to the processing of your data by Outlook Office 365.

12.7 YouTube

Our website contains embedded videos from YouTube, a service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you visit one of our pages on which a YouTube video is embedded, a connection is established to YouTube’s servers. YouTube is thereby informed which of our pages you have visited. If you are logged into your YouTube account, you allow YouTube to associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account. Further information on how user data is handled can be found in YouTube’s privacy policy at: https://www.google.com/intl/en/policies/privacy/.

12.8 Spotify

Our website contains embedded music tracks and playlists from Spotify, a service of Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden. When you visit one of our pages on which a Spotify track or playlist is embedded, a connection is established to Spotify’s servers. Spotify is thereby informed which of our pages you have visited. If you are logged into your Spotify account, you allow Spotify to associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your Spotify account. Further information on how user data is handled can be found in Spotify’s privacy policy at: https://www.spotify.com/legal/privacy-policy/.

SECURITY MEASURES

13. Security Measures
To protect your personal data from unauthorised access, we have secured our website with an SSL/TLS certificate. SSL stands for “Secure Sockets Layer” and TLS for “Transport Layer Security”; both encrypt the communication of data between a website and the user’s device. You can recognise active SSL/TLS encryption by the small padlock icon displayed on the far left of the browser’s address bar.

YOUR RIGHTS

14. Data Subject Rights
With regard to the data processing described above by our company, you have the following rights:

14.1 Right of Access (Art. 15 DSGVO)
You have the right to request confirmation from us as to whether we are processing personal data relating to you. If this is the case, you have the right, under the conditions set out in Art. 15 DSGVO, to access this personal data and to receive the additional information listed in Art. 15 DSGVO.

14.2 Right to Rectification (Art. 16 DSGVO)
You have the right to request that we immediately correct any inaccurate personal data relating to you and, where applicable, complete any incomplete personal data.

14.3 Right to Erasure (Art. 17 DSGVO)
You have the right to request that personal data relating to you be deleted without delay, provided one of the reasons listed in detail in Art. 17 DSGVO applies — for example, if your data is no longer needed for the purposes we are pursuing.

14.4 Right to Restriction of Processing (Art. 18 DSGVO)
You have the right to request that we restrict processing if one of the conditions set out in Art. 18 DSGVO is met — for example, if you dispute the accuracy of your personal data, processing will be restricted for the period that enables us to verify the accuracy of your data.

14.5 Right to Data Portability (Art. 20 DSGVO)
You have the right, under the conditions set out in Art. 20 DSGVO, to request the release of data relating to you in a structured, commonly used, and machine-readable format.

14.6 Right to Withdraw Consent (Art. 7(3) DSGVO)
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal takes effect from the point it is exercised. In other words, it applies prospectively. Withdrawal of consent does not therefore render prior processing retrospectively unlawful.

14.7 Right to Lodge a Complaint (Art. 77 DSGVO)
If you believe that the processing of your personal data violates the DSGVO, you have the right to lodge a complaint with a supervisory authority. You may exercise this right with a supervisory authority in the EU member state of your habitual residence, place of work, or the location of the alleged infringement.

14.8 Prohibition of Automated Decision-Making / Profiling (Art. 22 GDPR)
Decisions that have legal consequences for you or that significantly affect you must not be based solely on automated processing of personal data — including profiling. We hereby inform you that we do not use automated decision-making, including profiling, with regard to your personal data.

14.9 Right to Object (Art. 21 DSGVO)
Where we process your personal data on the basis of Art. 6 (1) (f) DSGVO (to protect overriding legitimate interests), you have the right to object under the conditions set out in Art. 21 DSGVO. This applies, however, only where there are reasons arising from your particular situation. Following an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms. We are also not required to cease processing if it serves the establishment, exercise, or defence of legal claims. In any case — and independently of any particular situation — you have the right to object at any time to the processing of your personal data for direct marketing purposes.