Data Privacy Statement.

Last update: October 2022

1. Introduction

With the following data protection declaration, we would like to inform you of the types of your personal data we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our service and on our websites, in mobile applications and within external online presences, such as our social media profile. The provisions of our data protection declaration listed here apply without restriction to all CI-HUB GmbH internet offers referenced here by word and internet link.

2. Our full contact details in accordance with the European GDPR can be found at the end of this Privacy Statement.

3. Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed according to consent and purpose of use

- Inventory data (e.g., names, addresses)
- Content data (e.g., text input, photographs, videos)
- Contact data (e.g., e-mail, telephone numbers)
- Meta/communication data (e.g., device information, IP addresses)
- Usage data (e.g., websites visited, interest in content, access times)
- Contract data (e.g., subject matter of contract, term, customer category)
- Payment data (e.g., bank details, invoices, payment history)


Categories of data subjects

- Employees (e.g., employees, applicants, former employees)
- Business and contractual partners
- Interested parties
- Communication partners
- Customers
- Users (website visitors, users of our services)


Purposes of processing

- Evaluation of visits, events
- Office and organizational procedures
- Direct marketing
- Interest-based and behavioral marketing
- Contact requests and communication
- Profiling (creation of user profiles)
- Reach measurement (access statistics, recognition of returning visitors)
- Security measures
- Tracking (interest/behavior-based profiling, use of cookies you allow)
- Contractual services, billing and services
- Administration and response to inquiries


Applicable legal basis

In the following, we share the legal bases of the General Data Protection Regulation (GDPR) based on which we process personal data. In addition to the regulations of the GDPR, the national data protection regulations in your or our country of residence and domicile apply. In the Federal Republic of Germany, this is the Federal Data Protection Act (BDSG). If, in addition, more specific legal bases are relevant in individual cases, we will inform you of these in the data protection declaration.

- Consent (Art. 6 para. 1 p. 1 lit. a GDPR) - The data subject has given his/her consent to the processing of personal data relating to him/her for a specific purpose or purposes.
- Performance of a contract and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. GDPR) - Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures carried out at the data subject's request.
- Legal obligation (Art. 6 (1) p. 1 lit. c. GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR) - Processing is necessary to protect the legitimate interests of the controller or a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

4. Data security

We secure our service in accordance with legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, by means of appropriate technical and organizational measures that ensure a level of protection for personal data appropriate to the risk. During your visit to the website, we use the widespread SSL (Secure Socket Layer) procedure in conjunction with the highest encryption level supported by your browser. As a rule, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the lower status bar of your browser.

We also use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.


5. Transfer and disclosure of personal data

During our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, payment institutions in the context of payment transactions, service providers commissioned with IT tasks or providers of additional services and content that are integrated into our service. In this case, we observe the legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Data transfer within the organization

Furthermore, we may transfer personal data to other companies within our organization or grant them access to this data. If this transfer is for administrative purposes, the transfer of the data is based on our legitimate business and operational interests or is done if it is necessary to fulfill our contract-related obligations or if there is a consent of the data subjects or a legal permission.

6. Data processing in third countries

We try to avoid it, but insofar as we need to process data in a third country (outside the European Union, the European Economic Area) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies, or companies, this is only done in accordance with the legal requirements.

7. Cookie statement

Cookies are files that contain data from visited websites or domains and are stored by a browser on the user's computer. A cookie is primarily used to store information about a user during or after his visit within an online offer. Stored information may include, for example, language settings on a website, login status, a shopping cart, or where a video was watched. We further include in the term cookies other technologies that perform the same functions as cookies, such as user IDs.

The following cookie types and functions are distinguished:


- Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his browser.
- Permanent cookies: Permanent cookies remain stored even after the browser is closed. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, the interests of users used for reach measurement or marketing purposes can be stored in such a cookie.
- First-party cookies: First-party cookies are set by us.
- Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
- Necessary (also: essential or absolutely necessary) cookies: Cookies may be absolutely necessary for the operation of a website (e.g., to store logins or other user input or for security reasons).
- Statistical, marketing and personalization cookies: Furthermore, cookies are generally also used in the context of reach measurement and when a user's interests or behavior (e.g., viewing certain content, using functions, etc.) on individual websites are stored in a user profile. Such profiles are used, for example, to show users content that matches their potential interests. This process is also referred to as "tracking," i.e., tracing the potential interests of users. To the extent that we use cookies or "tracking" technologies, we will inform you separately in our privacy policy or in the context of obtaining consent.


The legal basis on which we process your personal data using cookies depends on whether we ask you for consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is your declared consent (Art. 6 (1) p. 1 lit. a GDPR). Otherwise, the data processed with the help of cookies is processed based on our legitimate interests (Art. 6 para. 1 p. 1 lit. f GDPR) or if the use of cookies is necessary to fulfill our contractual obligations (Art. 6 para. 1 p. 1 lit. b GDPR).

Unless we provide you with explicit information about the storage period of permanent cookies, please assume that the storage period can be up to two years.

Depending on whether the processing is based on consent or legal permission, you have the option at any time to revoke any consent given or to object to the processing of your data by cookie technologies. You can initially declare your objection by means of your browser settings by deactivating the use of cookies. An objection to the use of cookies for online marketing purposes can also be declared by means of a variety of services, especially in the case of tracking.

Before we process or have processed data in the context of the use of cookies, we ask users for consent that can be revoked at any time. Until consent has been given, we use at most those cookies that are necessary for the operation of our online offer. Their use is based on our interest and the interest of users in the expected functionality of our online offer.
- Types of data processed: Usage data (e.g., web pages visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
- Data subjects: Users (e.g., website visitors, users of online services).
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


8. Services

We process data of our contractual, business partners and interested parties in the context of contractual and comparable legal relationships as well as related measures and in the context of communication with contractual partners (or pre-contractually to respond to inquiries). We process this data to fulfill our contractual obligations, to secure our rights and for the purposes of the administrative tasks associated with this information as well as for business organization. Within the framework of the applicable law, we only pass on the data of the contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or for the fulfillment of legal obligations or with the consent of the contractual partners (e.g. to participating telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). You will be informed about further forms of processing below in this declaration. We inform the contractual partners in each case which data is required for the aforementioned purposes before or as part of the data collection.

We delete the data after the expiry of legal warranty and comparable obligations, i.e., generally after 4 years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archiving reasons (e.g., for tax purposes generally 10 years). We delete data disclosed to us by the contractual partner as part of an order in accordance with the specifications of the order, generally after the end of the order.

If we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms shall apply in the relationship between the users and the providers.


9. Customer account/User account

Contractual partners can create an account within our online offer upon request (e.g., customer or user account). Customer accounts are not public, are protected, and cannot be indexed by search engines. Within the scope of registration and subsequent logins and uses of the customer account, we store the IP addresses of the customers along with the access times in order to prove the registration and to prevent any misuse of the customer account. If customers have terminated their customer account, the data relating to the customer account will be deleted, subject to their retention being required for legal reasons. It is the responsibility of the customer to back up their data upon termination of the customer account.

10. Offering of software, platform, and services

We process the data of our users, registered users, and any demanders (users) to be able to provide our contractual services to them as well as on the basis of legitimate interests in order to ensure the security of our offer and to be able to develop it further.
The required information is identified as such in the context of the order, purchase order or comparable contract conclusion and includes the information necessary for the provision of services and billing as well as contact information to be able to hold any consultations.
- Types of data processed: inventory data (e.g., names, addresses, as well as via Okta Inc.), payment data (via Paddle.com), contact data (e.g., email, phone numbers), contract data (e.g., subject matter of contract, term, customer category, as well as via Okta Inc.), usage data (via Okta Inc.), meta/communication data (e.g., device information, IP addresses).
- Data Subjects: Prospective customers, business and contractual partners, customers.
- Purposes of processing: contractual performance and service, contact requests and communication, office and organizational procedures, administration and response to requests, security measures
- Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legal obligation (Art. 6 para. 1 p. 1 lit. c. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

11. Use of online platforms

We offer our services on online platforms operated by other service providers. In this context, the data protection notices of the respective platforms apply in addition to our data protection notices. This applies in particular regarding the reach measurement and interest-based marketing methods used on the platforms.
- Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
- Data subjects: Customers
- Purposes of processing: Contractual performance and service
- Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


12. Payment service providers

In the context of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers for this purpose in addition to banks and credit institutions.
The data processed by the payment service providers may include inventory data, such as the name and address, bank data, such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as the contract, total and recipient-related information. The information is required to carry out the transactions necessary for contractual fulfillment. However, the data entered is only processed by the payment service providers and stored with them. We only receive information with confirmation or negative information of the payment, i.e., no personal information. Under certain circumstances, the data is transmitted by the payment service providers to credit agencies.
This transmission is for the purpose of checking identity and creditworthiness. In this regard, we refer to the terms and conditions and data protection notices of the payment service providers.
For payment transactions, the terms and conditions and data protection notices of the respective payment service providers apply, which can be accessed within the respective websites or transaction applications. We also refer to these for the purpose of further information and assertion of revocation, information, and other data subject rights.
- Types of data processed: inventory data (names, addresses), contact data, job title, content data (text entries, photographs, videos), usage data, meta/communication data.
- Data subjects: Customers, interested parties
- Purposes of processing: Contractual performance and service
- Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

For online payment we currently offer our clients various best payment services: FastSpring, Santa Barbara, USA and Keylight GmbH, Berlin, Germany, EU.

GDPR for FastSpring: Your data is stored through FastSpring’s data storage, databases and the general FastSpring application. They store your data on a secure server behind firewalls.

If you choose a direct payment gateway to complete your purchase, then FastSpring stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS).
All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers.
For more insight, you may also want to read FastSpring’s Terms of Service here or Privacy Statement here.

GDPR for Keylight GmbH: Kantstraße 24 10623 Berlin Germany


13. Providing the service and web hosting

To provide our Service securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the Service can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed as part of the provision of the hosting service may include all information relating to the users of our service, which is generated during use and communication. This regularly includes the IP address, which is necessary to provide the content of our services, and all entries made within our services or from websites, as well as the metadata packages for the use of our services.
- Types of data processed: inventory data (names, addresses), contact data, content data (text inputs, photographs, videos), usage data, meta/communication data.
- Data subjects: Customers, employees (e.g., employees, applicants, former employees), prospective customers, communication partners.
- Purposes of processing: office and organizational procedures
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
We use the following third-party providers for this purpose:

- Microsoft Cloud Services: cloud storage services; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; website: https://microsoft.com/de-de; privacy policy: https://privacy.microsoft.com/de-de/privacystatement; security notice: https://www.microsoft.com/de-de/trustcenter; Privacy Shield (ensuring level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.

- Amazon Web Services: cloud service; service provider: Amazon Web Services Europe S.à.r.l., 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Web Services, 2021 Seventh Ave, Seattle, Washington 98121, USA, (collectively AWS), parent company: Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA; website: https://www.amazon.de; privacy policy: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice-GERMAN_2020-01-24.pdf; Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4&status=Active.



14. Collection of access data and log files

We ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, data volumes transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.

- Types of data processed: inventory data (names, addresses), contact data, content data (text input, photographs, videos), usage data, meta/communication data.
- Data subjects: Users (e.g., website visitors, users of our service).
- Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).


15. Registration, login, user, and user account

Users can create a user account. As part of the registration process, users are informed of the required mandatory information, which is processed for the purpose of providing the user account on the basis of fulfilling contractual obligations.
The processed data includes the login information (name, password as well as an e-mail address). The data entered during registration is used for the purposes of using the user account and its purpose. If users have terminated their user account, their data regarding the user account will be deleted, subject to any legal obligation to retain such data.
It is the responsibility of users to back up their data upon termination prior to the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract. Within the scope of the use of our registration and login functions as well as the use of the user account, we or the third-party provider Okta Inc. store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against misuse and other unauthorized use.
As a matter of principle, this data is not passed on to other third parties unless it is necessary for the prosecution of our claims or there is a legal obligation to do so.
- Types of data processed: inventory data (names, addresses), contact data, content data (text entries, photographs, videos), usage data, meta/communication data.
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: contractual performance and service, security measures, administration, and response to inquiries
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR). We currently use Okta Inc. 301 Brannan Street, San Francisco, CA 94107 United States for registration, login, and user account management. Privacy Notice and Terms and Conditions https://trust.okta.com/security, as well as https://www.okta.com/privacy-policy/.
GDPR for OKTA: Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom, exclusively as another payment service provider. Data protection information and general terms and conditions of Paddle Ltd. can be found at https://paddle.com/gdpr and https://paddle.com/privacy


16. Contacting us

When contacting us (via contact form, email, telephone or via social media), the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures. The response to contact inquiries in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries.
- Types of data processed: inventory data (names, addresses), contact data, content data (text input, photographs, videos), usage data, meta/communication data.
- Data subjects: Communication partners
- Purposes of processing: contact inquiries and communication, administration, and response to inquiries
- Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), Legitimate Interests (Art. 6 para. 1 p. 1 lit. f. GDPR). We currently additionally use the third-party service of HubSpot Inc, 25 First Street, Cambridge, MA 02141, USA for communication. The terms and conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.


17. Communication via Messenger

We use messengers for communication purposes and therefore ask you to observe the following information on the functionality of the messengers, on encryption, on the use of the metadata of the communication and on your objection options.
You can also contact us by alternative means, e.g. via telephone or e-mail. Please use the contact options provided to you or the contact options provided within our service.
However, we additionally point out to our communication partners that although the messenger providers cannot view the content, they can learn that and when communication partners communicate with us as well as process technical information about the device used by the communication partners and, depending on the settings of their device, also location information (metadata).
If we ask communication partners for permission before communicating with them via Messenger, the legal basis of our processing of their data is their consent. Otherwise, if we do not ask for consent and they contact us on their own initiative, for example, we use Messenger in relation to our contractual partners as well as in the context of contract initiation as a contractual measure and, in the case of other interested parties and communication partners, based on our legitimate interests in fast and efficient communication and meeting the needs of our communication partners in communicating via Messenger.
Furthermore, we would like to point out that we do not transmit the contact data provided to us to the messengers for the first time without your consent. You can revoke any consent given at any time and object to communication with us via Messenger at any time.
In the case of communication via Messenger, we delete the messages in accordance with our general deletion guidelines (i.e., e.g., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume to have answered any information provided by the communication partners, if no reference back to a previous conversation is to be expected and the deletion does not conflict with any legal retention obligations.
Finally, we would like to point out that for reasons of your security, we reserve the right not to answer inquiries via Messenger. This is the case if, for example, contractual internals require special confidentiality or an answer via Messenger does not meet the formal requirements. In such cases, we refer you to our other communication channels.
- Types of data processed: contact data (e.g., e-mail, telephone numbers), usage data (e.g., websites visited, interest in content, access times), meta/communication data, content data (e.g., text input, photographs, videos).
- Data subjects: Communication partner
- Purposes of processing: contact requests and communication, direct marketing.
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
We currently use the service of HubSpot Inc, 25 First Street, Cambridge, MA 02141, USA for communication via Messenger. The General Terms and Conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.


18. Newsletters

We send newsletters, emails and other electronic notifications only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described during a registration, they are decisive for the consent of the users. Apart from that, our newsletters contain information about our services and us. To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name, for the purpose of personal address in the newsletter, or further information, if this is necessary for the purposes of the newsletter. Double opt-in procedure: The registration for our newsletter is generally carried out in a so-called double opt-in process. In this context, you will receive an e-mail after registration in which you will be asked to confirm your registration. This confirmation is necessary so that no one can register with other e-mail addresses. The registrations for our newsletter are logged to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Likewise, the changes to your data stored with the shipping service provider are logged. Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to prove consent formerly given. The processing of this data will be limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blocking list for this purpose alone. The logging of the registration process takes place based on our legitimate interests for the purpose of proving its proper course. 
Insofar as we commission a service provider to send e-mails, this is done based on our legitimate interests in an efficient and secure dispatch system. Our newsletters are sent based on the recipients' consent or, if consent is not required, based on our legitimate interests in direct marketing, if and insofar as this is permitted by law. If we commission a service provider to send e-mails, this is done based on our legitimate interests. The registration process is recorded based on our legitimate interests to prove that it has been carried out in accordance with the law. The content of our newsletter is information about us, our services, promotions and offers. The newsletters contain a so-called "web beacon", this is a pixel-sized file that is retrieved from the server of our dispatch service provider when the newsletter is opened. During this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of the retrieval, are initially collected. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. For technical reasons, this information can indeed be assigned to individual newsletter recipients. However, it is neither our intention nor that of the dispatch service provider to observe individual users. Rather, the evaluations serve us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. 
The evaluation of the newsletter and the measurement of success are carried out, subject to the express consent of the users, based on our legitimate interests for the purpose of using a user-friendly as well as secure newsletter system, which serves both our business interests and meets the expectations of the users. Unfortunately, a separate revocation of the performance measurement is not possible; in this case, the entire newsletter subscription must be cancelled.
- Types of data processed: inventory data (e.g., names, addresses), contact data (e.g., e-mail, phone numbers), meta/communication data (e.g., device information, IP addresses), usage data (e.g., web pages visited, interest in content, access times).
- Data subjects: Communication partners.
- Purposes of processing: direct marketing (e.g., by e-mail or postal mail).
- Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a GDPR), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
- Opt-out: You can cancel the receipt of our newsletter at any time and thus revoke your consent or object to further receipt. You will find a link to cancel the newsletter at the end of each newsletter; alternatively, you can use one of the above contact options, preferably e-mail, for this purpose.
We use the newsletter service of HubSpot Inc., 25 First Street, Cambridge, MA 02141, USA for this purpose. The General Terms and Conditions and data protection information of HubSpot Inc. can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy, api.hubspot.com, track.hubspot.com and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.


19. Website analysis and optimization

Web analytics (also referred to as "reach analysis") is used to evaluate the flow of visitors to our service offering and may include behavior, interests or demographic information about visitors as pseudonymous values. With the help of reach analysis, we can, for example, identify at what time our online service or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization.
In addition to web analysis, we may also use test procedures, for example, to test and optimize different versions of our online offering or its components.
For these purposes, so-called user profiles may be created and stored in a file (so-called "cookie") or similar procedures with the same purpose may be used.
This information may include, for example, content viewed, websites visited and elements used there, and technical information such as the browser used, the computer system used, and information on usage times. If users have consented to the collection of their location data, this may also be processed, depending on the provider.
The IP addresses of users are also stored. However, we use an IP masking procedure (pseudonymization by shortening the IP address) to protect users.
Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) are stored, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
Notes on legal bases: If we ask users for their consent to use the third-party providers, the legal basis for processing data is consent. Otherwise, users' data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical and recipient-friendly services).
In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.
- Types of data processed: Usage data and usage times
- Data subjects: Users (e.g., website visitors, users of our services).
- Purposes of processing: reach measurement, tracking, visit action evaluation, profiling, interest-based and behavioral marketing.
- Security Measures: IP masking
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).
For this purpose, we use Google Analytics of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The general terms and conditions and data protection information for this service can be found at https://optimize.google.com; https://policies.google.com/privacy; https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
The opt-out plug-in can be found at https://tools.google.com/dlpage/gaoptout?hl=de and the settings for the display of advertising content at https://adssettings.google.com/authenticated.

Google DoubleClick
This website uses the online marketing tool DoubleClick from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: Google).
DoubleClick uses cookies to serve ads that are relevant to users, to improve campaign performance reports, or to prevent a user from seeing the same ads more than once. Via a cookie ID, Google records which ads are displayed in which browser and can thus prevent them from being displayed more than once. In addition, DoubleClick can use cookie IDs to record so-called conversions that are related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later calls up the advertiser's website with the same browser and buys something there. According to Google, DoubleClick cookies do not contain any personal information. Due to the marketing tools used, your browser automatically establishes a direct connection with Google's server. We have no influence on the scope and further use of the data collected by Google using this tool and therefore inform you according to our state of knowledge: Through the integration of DoubleClick, Google receives the information that you have called up the relevant part of our website or clicked on an ad from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider learns your IP address and stores it.
You can prevent participation in this tracking process in various ways:
- by setting your browser software accordingly; the suppression of third-party cookies will result in you not receiving third-party ads;
- by disabling cookies for conversion tracking by setting your browser to block cookies from the domain www.googleadservices.com (https://www.google.de/settings/ads). This setting will be deleted when you delete your cookies;
- by disabling interest-based ads from the providers that are part of the "About Ads" self-regulatory campaign (via the link http://www.aboutads.info/choices). This setting will be deleted when you delete your cookies;
- by permanently disabling them in your Firefox, Internet Explorer, or Google Chrome browsers (plug-ins available at the link http://www.google.com/settings/ads/plugin). We would like to point out that in this case you may not be able to use all functions of this offer in full.
The legal basis for the processing of your data is the consent you have given via the cookie consent tool (Art. 6 para. 1 sentence 1 lit. a GDPR). Information on the third country transfer that takes place can be found under the item "Third country transfer".
Further information on DoubleClick by Google can be found at https://www.google.de/doubleclick and http://support.google.com/adsense/answer/2839090, as well as on data protection at Google in general: https://www.google.de/intl/de/policies/privacy.
Alternatively, you can visit the website of the Network Advertising.

LinkedIn Insight Tag
Our website uses the conversion tool "LinkedIn Insight Tag" from LinkedIn Ireland Unlimited Company (hereinafter: LinkedIn). This tool creates a cookie in your web browser, which enables the collection of, among other things, the following data: IP address, device and browser properties, and page events (e.g. page views). This data is encrypted, anonymized within seven days, and the anonymized data is deleted within 90 days. LinkedIn does not share any personal data with CI HUB but offers anonymized reports on website audience and ad performance. In addition, LinkedIn offers the possibility of retargeting via the Insight Tag. CI HUB can use this data to display targeted advertising outside its website without identifying you as a website visitor. Further information on data protection at LinkedIn can be found in LinkedIn's privacy policy. LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To deactivate the Insight tag on our website ("opt-out"), click here https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Microsoft Clarity
We use Microsoft Clarity. "Microsoft Clarity" refers to a Microsoft procedure that enables user analysis based on a pseudonymous user ID and thus based on pseudonymous data, such as the evaluation of data about mouse movements or performance data about certain Internet presentations. We process usage data (e.g., Internet presentations visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses), location data (information on the geographical position of a device or a person), movement data (mouse movements, scrolling movements) in pseudonymous form. We have made the appropriate settings so that even the collection of data to and by Microsoft alone is pseudonymized, in the form of IP masking (pseudonymization of the IP address).
All users of our website who have consented to the corresponding use via our cookie consent service are affected by this data processing. The data processing is thus carried out solely based on your consent pursuant to Art. 6 (1) a) GDPR. The purpose of the processing is tracking (e.g., interest/behavior-based profiling, use of cookies), remarketing, conversion measurement (measurement of the effectiveness of marketing measures), interest-based and behavioral marketing, profiling (creation of user profiles), reach measurement (e.g., access statistics, recognition of returning users), cross-device tracking (cross-device processing of user data for marketing purposes).
You will be informed of your rights to object in accordance with this privacy policy. In addition, you can set an opt-out with the respective provider.
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://www.youradchoices.ca/choices.
c) USA: https://www.aboutads.info/choices.
d) International: https://optout.aboutads.info.

Microsoft Clarity: Online marketing and web analysis; offered by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA;
Internet presentation: https://clarity.microsoft.com 
Privacy policy: https://privacy.microsoft.com/de-de/privacystatement
Opt-out: https://choice.microsoft.com/de-DE/opt-out  
Please note that we have concluded a data processing agreement (AV contract) with Microsoft to enable this activity, including the necessary standard contractual clauses.

Cloudflare
We use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 München, Germany (Cloudflare) to increase the security and delivery speed of our website.
This corresponds to our legitimate interest (Art. 6 para. 1 lit. f GDPR). A CDN is a network of globally distributed servers that can deliver optimized content to the website user.
For this purpose, personal data may be processed in server log files by Cloudflare. Please see the explanations under "Hosting". Cloudflare is a recipient of your personal data and acts as a processor for CI HUB. This corresponds to our legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f GDPR not to operate a content delivery network ourselves. You have the right to object to the processing. Whether the objection is successful is to be determined as part of a balancing of interests. The processing of the data provided under this section is not required by law or contract. The functionality of the website is not guaranteed without the processing. Your personal data will be stored by Cloudflare for as long as necessary for the purposes described.
For more information on objection and removal options against Cloudflare, please visit: Cloudflare DPA https://www.cloudflare.com/de-de/cloudflare-customer-dpa/
Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf .

Google Tag Manager
Our website uses the Google Tag Manager. Through this service, website tags can be managed via an interface. The Google Tag Manager itself does not set cookies but only tags and does not collect any personal data. The service triggers other tags, which in turn may collect data. However, Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

HubSpot
We use the services of the software manufacturer HubSpot. HubSpot is a software company from the USA with a branch in Ireland (HubSpot European Headquarters, Ground Floor, Two Dockland Central, Guild Street, Dublin 1, Ireland).
HubSpot is a service platform. The service used is an integrated software solution that allows us to manage customer data and cover various aspects of our online marketing. This includes, among other things, the analysis of landing pages and reporting. In the process, so-called "web beacons" are used and cookies are stored on the end device used by you. In the process, the following personal data may be collected, for example: IP address, geographical location, type of browser, duration of the visit or pages visited.
The collected information as well as the content of our website is stored on servers of our software partner HubSpot Ireland. We use HubSpot to analyze the use of our website. This allows us to constantly optimize our website and make it more user-friendly. We also use information to determine which of our company's services are of interest to customers and newsletter subscribers and to contact them for advertising purposes. In addition, we use the analysis to optimize our website for you. However, we only use your IP address in a shortened version. This means that the IP address of the user is shortened by HubSpot within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a HubSpot server in the USA and shortened there.
The cookies have a usual lifetime of 12 months. In addition, we delete the personal data collected via HubSpot as soon as the purpose for which it was collected has been achieved, unless deletion conflicts with legal retention periods. The information generated by the cookie about the use of the online offer by the users may also be transmitted to a Google server in the USA and stored there. The data processing is based on your consent according to Art. 6 para. 1 lit. a GDPR, if you have given your consent via our banner. You can revoke your consent at any time.

For more information about how HubSpot works, please see the privacy policy of HubSpot Inc. https://legal.hubspot.com/de/privacy-policy 

20. Plug-Ins for Social Media

We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us.
We point out that this may involve processing user data outside the area of the European Union. Furthermore, user data within social networks is usually processed for market research and advertising purposes.
For example, usage profiles can be created based on the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and interests of the users are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users if the users are members of the respective platforms and log in to them with different devices.
For a detailed presentation of the respective forms of processing and the options to object (opt-out), please refer to the data protection statements, and information provided by the operators of the respective networks.
- Types of data processed: inventory data (e.g., names, addresses), contact data (e.g., e-mail, telephone numbers), content data (e.g., text entries, photographs, videos), usage data (e.g., websites visited, interest in content, access times), meta/communication data (e.g., device information, IP addresses).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: contact requests and communication, tracking (e.g., interest/behavioral profiling, use of cookies), remarketing, reach measurement (e.g., access statistics, recognition of returning visitors).
- Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

We use the following third-party providers for this purpose:

- Facebook:
Social network; service provider: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland;
parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA;
website: https://www.facebook.com;
privacy policy: https://www.facebook.com/about/privacy;
Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active;
opt-out: settings for advertisements: https://www.facebook.com/settings?tab=ads;
additional privacy notices: agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, privacy notices for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.

- LinkedIn:
Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
website: https://www.linkedin.com;
privacy policy: https://www.linkedin.com/legal/privacy-policy;
Privacy Shield (guaranteeing the level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active;
opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

- Xing:
Social network; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany;
Website: https://www.xing.de
Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung


21. Design, organization, implementation and auxiliary tools.

On our website we use Google Fonts of the company Google Inc. For the European area the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible.
We have embedded the Google fonts locally, i.e. on our web server, not on Google's servers. This means that there is no connection to Google servers and thus no data transfer or storage. In this way, we act in accordance with data protection laws GDPR/DSGVO and do not send any data to Google Fonts.
Based on our legitimate interests in the economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. GDPR, we use services, platforms, and software of others for purposes of organization, administration, planning as well as provision of our services. When selecting third-party providers and their services, we observe the legal requirements.
In this context, personal data may be processed and stored on the servers of the third-party providers. This may involve various data that we process in accordance with this privacy policy. This data may include master data and contact data of users, data on transactions, contracts, other processes and their contents.
If users are referred to the third-party providers or their software or platforms during communication, business or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization or marketing purposes.
We therefore explicitly ask you to observe the data protection notices of the respective third-party providers. If we ask users for their consent to use the third-party providers, the legal basis for processing data is consent.
Furthermore, their use may be a component of our (pre)contractual services if the use of the third-party providers has been agreed within this framework. Otherwise, user data is processed based on our legitimate interests.
- Types of data processed: inventory data (e.g., names, addresses), contact data, content data (text input, photographs, videos, etc.), meta/communication data.
- Data subjects: Communication partners, users (e.g., website visitors, users of our services).
- Purposes of processing: contact requests and communication
- Legal basis: consent (Art. 6 para. 1 p. 1 lit. a GDPR), contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 p. 1 lit. f. GDPR).

We use the following service providers for this purpose:

- Microsoft Cloud Services: cloud storage services; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA;
website: https://microsoft.com/de-de; c.bing.com;
privacy policy: https://privacy.microsoft.com/de-de/privacystatement;
security notice: https://www.microsoft.com/de-de/trustcenter;
Privacy Shield (ensuring level of data protection when processing data in the USA): https://www.privacyshield.gov/participant?id=a2zt0000000KzNaAAK&status=Active.

- Amazon Web Services: cloud service; service provider: Amazon Web Services Europe S.à.r.l., 38, avenue John F. Kennedy, L-1855 Luxembourg, and Amazon Web Services, 2021 Seventh Ave, Seattle, Washington 98121, USA (collectively AWS);
parent company: Amazon.com, Inc, 2021 Seventh Ave, Seattle, Washington 98121, USA;
website: https://www.amazon.de;
privacy policy: https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_NoticeGERMAN_2020-01-24.pdf.

- Okta Inc, 301 Brannan Street, San Francisco, CA 94107 United States. Privacy notice and terms and conditions available at https://www.okta.com/privacy-policy/.

- HubSpot Inc, 25 First Street, Cambridge, MA 02141, United States. HubSpot Inc. terms and conditions and privacy information can be found at https://www.hubspot.com/data-privacy/gdpr, https://legal.hubspot.com/privacy-policy and https://www.privacyshield.gov/participant?id=a2zt0000000TN8pAAG&status=Active.

- Paddle.com Market Limited, 15 Briery Close, Great Oakley, Corby, Northamptonshire, NN18 8JG, United Kingdom. Paddle Ltd. privacy notice and terms and conditions can be found at https://paddle.com/gdpr and https://paddle.com/privacy.


22. Erasure of personal data

The data processed by us will be deleted in accordance with the legal requirements as soon as the consents given for processing are revoked or other permissions cease to apply (for example, the purpose of processing this data no longer applies or the need for it no longer exists). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.

For more detailed information, please refer to the explanations in the respective sections of this privacy policy.

23. Rights of the data subject

You have the right:

  • according to Art. 7 para. 3 GDPR, to revoke your consent once given to us at any time. This has the consequence that we may no longer continue the data processing, which was based on this consent, for the future;
  • in accordance with Art. 15 GDPR, to request information about your personal data processed by us;
  • pursuant to Art. 16 GDPR, to request without undue delay the rectification of inaccurate or incomplete personal data held by us;
  • pursuant to Art. 17 GDPR, to request the erasure of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims;
  • pursuant to Art. 18 GDPR, to request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you object to its erasure and we no longer require the data, but you need it for the assertion, exercise or defense of legal claims or you have objected to the processing pursuant to Art. 21 GDPR;
  • pursuant to Art. 20 GDPR, to receive your personal data that you have provided to us in a structured, common, and machine-readable format or to request the transfer to another controller; and
  • to complain to a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our association headquarters for this purpose. The supervisory authority responsible for us is: The Brandenburg State Commissioner for Data Protection and for the Right to Inspect Files, Stahnsdorfer Damm 77, 14532 Kleinmachnow.
  • Right to object
If your personal data is processed based on legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, for example, if there are grounds for doing so that arise from your situation. If you wish to exercise your right to object, an e-mail to info@ci-hub.com will suffice. The contact details of the controller are:

Name and address of the data controller:
CI HUB GmbH
Andreas Michalski
Benkertstraße 4
14467 Potsdam
E-mail address: info@ci-hub.com
Phone: +49 172 6900970
Domain: https://ci-hub.com/de/
Webhosting Provider: IONOS by 1&1 Internet SE located in 56410 Montabaur, Germany
Contact data of the Data protection officer:
Datenschutz Beinhold
Frank Beinhold
Maximiliankorso 9
13465 Berlin
info@datenschutz-beinhold.de

24. Topicality and change of this data protection statement

Due to the further development of our website and offers on it or due to changed legal or regulatory requirements, it may become necessary to change this privacy policy. We will inform you as soon as the changes require your cooperation (e.g., consent) or other individual notification. You can access and print out the current data protection declaration on the website at any time.