Privacy Policy

Date: November 12, 2024

Table of Contents

  • Controller

  • Overview of Data Processing

  • Relevant Legal Grounds

  • Security Measures

  • Transfer of Personal Data

  • International Data Transfers

  • General Information on Data Storage and Deletion

  • Rights of the Data Subject

  • Business Services

  • Provision of the Online Offer and Web Hosting

  • Use of Cookies

  • Contact and Inquiry Management

  • Web Analysis, Monitoring, and Optimization

  • Customer Reviews and Rating Procedures

  • Plug-ins and Embedded Features and Content

Controller

Tactical Sandbox
Daniel Vagner
Aegidienwall 7
33378 Rheda-Wiedenbrück
Email address: info@tacticalsandbox.com

Overview of Data Processing

The following overview summarizes the types of data processed and the purposes for their processing, and it refers to the affected individuals.

Types of Processed Data

  • Master Data

  • Payment Data

  • Location Data

  • Contact Data

  • Content Data

  • Contract Data

  • Usage Data

  • Meta, Communication, and Procedural Data

  • Log Data

Categories of Affected Individuals

  • Service recipients and clients

  • Prospects

  • Communication partners

  • Users

  • Business and contractual partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations

  • Communication

  • Security measures

  • Reach measurement

  • Office and organizational processes

  • Organizational and administrative procedures

  • Feedback

  • Marketing

  • Profiles with user-related information

  • Provision of our online offer and user-friendliness

  • IT infrastructure

  • Business processes and commercial procedures

Relevant Legal Grounds

The relevant legal grounds under the GDPR are summarized below. Please note that, in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence may apply. If, in individual cases, specific legal grounds apply, we will inform you in the privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of personal data for one or more specific purposes.

  • Contract fulfillment and pre-contractual requests (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for pre-contractual measures taken at the data subject's request.

  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.

  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the legitimate interests of the controller or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not override those interests.

National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations in Germany apply. This includes the Federal Data Protection Act (BDSG), which contains special provisions regarding the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and data transfers, including automated decision-making and profiling.

Note on the Applicability of the GDPR and Swiss Data Protection Act (DSG): These privacy notices are intended to inform in accordance with both the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). Therefore, terms used in the GDPR are applied, and we ask that you take note of their broader applicability.

Security Measures

We take appropriate technical and organizational measures, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the varying probabilities and extent of the risks to the rights and freedoms of natural persons. These measures ensure an adequate level of protection for the data.

The measures include ensuring the confidentiality, integrity, and availability of data by controlling both physical and electronic access, as well as access, input, transfer, storage, availability, and separation of data. We also have procedures in place to ensure the exercise of data subject rights, data deletion, and responses to data breaches. Furthermore, we consider data protection already during the development or selection of hardware, software, and procedures, in accordance with the principle of privacy by design and privacy-friendly default settings.

Transfer of Personal Data

As part of our processing of personal data, there are instances where such data may be transferred or disclosed to other parties, companies, legally independent entities, or individuals. Recipients of this data may include service providers assigned to IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and enter into appropriate contracts or agreements with the data recipients to protect your data.

International Data Transfers

Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if the processing involves using services from third parties or disclosing/transferring data to other individuals, entities, or companies, this will only occur in accordance with legal requirements. If the level of data protection in the third country has been recognized through an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only occur if the level of data protection is otherwise ensured, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or if required by contract or law (Art. 49(1) GDPR). We will provide the basis for third-country transfers with individual third-party providers when applicable, prioritizing adequacy decisions. Information regarding third-country transfers and adequacy decisions can be found on the European Commission’s website: EU Commission - International Data Protection. As part of the "Data Privacy Framework" (DPF), the European Commission recognized the data protection level as safe for certain U.S. companies under the adequacy decision of July 10, 2023. You can find the list of certified companies and more information on the U.S. Department of Commerce's website: Data Privacy Framework. We inform you in our privacy policy which service providers we use that are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements once the underlying consents are revoked or when no further legal grounds for processing exist. This applies to cases where the original purpose of processing no longer applies, or the data is no longer required. Exceptions exist if legal obligations or special interests require longer storage or archiving of data.

In particular, data that must be retained for commercial or tax reasons or that is necessary for legal proceedings or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy policy contains additional information about the retention and deletion of data that applies to specific processing operations.

If multiple retention periods or deletion deadlines are provided for a specific piece of data, the longest period applies.

If a retention period does not explicitly start on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the effective date of the termination or other cessation of the legal relationship.

Data that is no longer processed for the originally intended purpose but is retained due to legal requirements or other reasons will only be processed for the purposes justifying its retention.

Further Notes on Processing, Procedures, and Services:

Retention and Deletion of Data: The following general periods apply to retention and archiving under German law:

  • 10 years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the necessary accompanying documents (e.g., work instructions and organizational documents, booking vouchers, and invoices) under tax law (§ 147 Abs. 3 i.V.m. Abs. 1 Nr. 1, 4, 4a AO, § 14b Abs. 1 UStG, § 257 Abs. 1 Nr. 1 u. 4, Abs. 4 HGB).

  • 6 years: Other business documents (received business letters, copies of sent business letters, other documents relevant for taxation, e.g., wage slips, accounting sheets, price labels, and payroll documents not considered booking vouchers) (§ 147 Abs. 3 i.V.m. Abs. 1 Nr. 2, 3, 5 AO, § 257 Abs. 1 Nr. 2 u. 3, Abs. 4 HGB).

  • 3 years: Data required to address potential warranty claims, damages, and similar contractual claims or rights, based on previous business experience and industry practices, retained for the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of the Data Subject

As a data subject, you have various rights under the GDPR, particularly as outlined in Articles 15 to 21 of the GDPR:

  1. Right to Object: You have the right to object at any time to the processing of your personal data based on Art. 6 (1) lit. e or f GDPR, on grounds relating to your particular situation. This includes profiling based on these provisions. If your personal data is being processed for direct marketing purposes, you also have the right to object at any time to the processing of your data for such advertising purposes, including profiling related to direct marketing.

  2. Right to Withdraw Consent: You have the right to withdraw any consents you have previously given at any time.

  3. Right to Access: You have the right to request confirmation as to whether your personal data is being processed, and to request access to this data, along with further information and a copy of the data, in accordance with the legal provisions.

  4. Right to Rectification: You have the right to request the completion of your personal data or the correction of inaccurate data, in accordance with the legal provisions.

  5. Right to Deletion and Restriction of Processing: You have the right to request the immediate deletion of your personal data or, alternatively, to request the restriction of the processing of your data, in accordance with the legal provisions.

  6. Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller, in accordance with the legal provisions.

  7. Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, especially in the member state of your habitual residence, place of work, or the place of the alleged infringement if you believe that the processing of your personal data violates the GDPR.

Business Services

We process data of our contract and business partners, such as customers and prospects (collectively referred to as "contract partners"), within the framework of contractual and similar legal relationships, as well as related actions and communication with contract partners (or pre-contractual), e.g., to respond to inquiries.

We use this data to fulfill our contractual obligations. This includes the duties to provide agreed-upon services, update duties, and remedy warranty or other performance issues. Additionally, we use the data to safeguard our rights and for administrative tasks related to these duties and business organization. We also process the data based on our legitimate interests in proper and efficient business management, as well as security measures to protect our contract partners and our business operations from abuse, endangerment of their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other service providers, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In compliance with applicable law, we only share contract partners' data with third parties to the extent necessary for these purposes or to fulfill legal obligations. We inform contract partners about any additional processing for marketing purposes within this privacy notice.

We inform contract partners about the necessary data for the aforementioned purposes before or during data collection, for example, in online forms, through specific labeling (e.g., colors) or symbols (e.g., asterisks), or personally.

We delete data after the expiration of legal warranty and similar obligations, i.e., generally after four years unless the data is stored in a customer account, for example, as long as it must be archived for legal reasons (e.g., for tax purposes, usually ten years). Data disclosed to us by the contract partner in the context of an order is deleted according to the regulations and generally after the completion of the order.

Types of Data Processed:

  • Personal Data: e.g., full name, address, contact information, customer number.

  • Payment Data: e.g., bank account information, invoices, payment history.

  • Contact Data: e.g., postal and email addresses, phone numbers.

  • Contract Data: e.g., contract subject, duration, customer category.

  • Usage Data: e.g., page views, dwell time, click paths, usage intensity and frequency, device types, operating systems, interactions with content and features.

  • Meta, Communication, and Process Data: e.g., IP addresses, timestamps, identification numbers, involved persons.

Affected Persons:

  • Service recipients and clients, prospects.

  • Business and contract partners.

Purposes of Processing:

  • Providing contractual services and fulfilling contractual obligations.

  • Security measures.

  • Communication.

  • Office and organizational procedures.

  • Organizational and administrative processes.

  • Business processes and business operations.

Storage and Deletion:

  • Deletion is carried out in accordance with the guidelines under "General Information on Data Storage and Deletion."

Legal Basis:

  • Fulfillment of contracts and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR).

  • Legal obligation (Art. 6 (1) sentence 1 lit. c GDPR).

  • Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Online Shop, Order Forms, E-Commerce, and Delivery

We process the data of our customers to enable them to select, purchase, or order products, goods, and related services, as well as to process payment and delivery. If necessary for order fulfillment, we use service providers, especially postal, shipping, and logistics companies, to carry out the delivery. For payment processing, we use the services of banks and payment service providers. The necessary information is marked accordingly during the ordering or similar acquisition process, including delivery and billing information, as well as contact details for any follow-up.

Legal Basis:

  • Fulfillment of contracts and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b GDPR).

Provision of Online Services and Web Hosting

We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit content and functionalities of our online services to the user's browser or device.

Types of Data Processed:

  • Usage Data: e.g., page views, dwell time, click paths, usage intensity, and frequency, device types, operating systems, interactions with content and functions.

  • Meta, Communication, and Process Data: e.g., IP addresses, timestamps, identification numbers, involved persons.

  • Log Data: e.g., logfiles related to logins or data retrieval and access times.

Affected Persons:

  • Users (e.g., website visitors, online service users).

Purposes of Processing:

  • Providing our online services and user-friendliness.

  • Information technology infrastructure (operation and provision of information systems and technical devices such as computers and servers).

  • Security measures.

Storage and Deletion:

  • Deletion in accordance with the guidelines under "General Information on Data Storage and Deletion."

Legal Basis:

  • Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Collection of Access Data and Logfiles

Access to our online services is logged in "server logfiles." These can include details such as the address and name of the pages accessed, date and time of access, transmitted data volume, successful access notifications, browser type and version, operating system, referrer URL (previously visited page), and generally IP addresses and requesting provider. Server logfiles are used for security purposes, such as preventing server overload (especially in the case of malicious attacks like DDoS attacks), and to ensure server load and stability.

Legal Basis:

  • Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Data Deletion:

  • Logfile information is stored for up to 30 days and is then deleted or anonymized. Data that needs to be retained for legal evidence purposes is exempt from deletion until the issue is fully resolved.

Use of Cookies

The term "cookies" refers to functions that store and read information on users' devices. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal requirements. If necessary, we obtain prior consent from users. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and features, such as saving settings or ensuring the functionality and security of our online service. Consent can be withdrawn at any time. We clearly inform users about the extent of cookies used.

Notes on Data Protection Legal Bases: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, which are explained above in this section and in the context of the respective services and processes.

Storage Duration: Regarding storage duration, the following types of cookies are distinguished:

  • Temporary Cookies (also: Session Cookies): Temporary cookies are deleted as soon as a user leaves an online service and closes their device (e.g., browser or mobile application).

  • Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, login status can be saved, and preferred content displayed when the user revisits a website. Data collected via cookies may also be used for reach measurement. If we do not provide explicit details about the type and duration of cookies (e.g., when obtaining consent), users should assume that they are permanent and the storage duration can be up to two years.

General Notes on Withdrawal and Objection (Opt-out): Users can withdraw their consent at any time and also object to processing in accordance with legal provisions, including through their browser privacy settings.

Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons: Users (e.g., website visitors, online service users).

Legal Bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f GDPR). Consent (Art. 6(1) Sentence 1 lit. a GDPR).

Further Notes on Processing Processes, Procedures, and Services:

Processing of Cookie Data Based on Consent: We use a consent management solution to obtain users' consent for the use of cookies or the procedures and providers mentioned in the consent management solution. This procedure is used to collect, log, manage, and withdraw consent, especially for the use of cookies and similar technologies that store, read, and process information on users' devices. Consent is obtained for the use of cookies and the related processing of information, including specific processes and providers mentioned in the consent management procedure. Users also have the option to manage and withdraw their consent. Consent declarations are stored to avoid re-querying and to provide proof of consent in accordance with legal requirements. The data is stored server-side and/or in a cookie (so-called opt-in cookie) or by using similar technologies to assign consent to a specific user or their device. Unless specific details about the providers of consent management services are provided, the following general information applies: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored along with the time of consent, the scope of consent (e.g., related categories of cookies and/or service providers), and technical details about the browser, system, and device used.

Contact and Request Management:

When contacting us (e.g., via post, contact form, email, phone, or social media) or in the context of existing user and business relationships, the details of the requesting individuals are processed as necessary to respond to contact requests and any requested actions.

Processed Data Types: Basic data (e.g., full name, address, contact information, customer number, etc.); contact details (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, as well as related information like author details or creation time); usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Affected Persons: Communication partners.

Purposes of Processing: Communication; organizational and administrative procedures; feedback (e.g., collecting feedback via online form); providing our online offer and user-friendliness.

Retention and Deletion: Deletion in accordance with the details in the "General Information on Data Storage and Deletion" section.

Legal Bases: Legitimate interests (Art. 6(1) Sentence 1 lit. f GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6(1) Sentence 1 lit. b GDPR).
