Privacy Policy

This translation is for information purposes only and does not necessarily accurately reflect the original German meaning. In the event of discrepancies or inconsistencies between the English version of this text and translations, the German version is binding.

1 PRIVACY STATEMENT FOR LENGALIA
We treat personal data under the Germany Data Protection Act (incorporating the EU General Data Protection Regulation - GDPR) to our global operations unless the local equivalent laws are stronger. Also, we apply the personal data under the provisions of the California Consumer Privacy Act (CCPA) in our operations in California.
We operate the website www.lengalia.com along with our learning portal learning.lengalia.com and subdomains blog.lengalia.com/spanisch-lernen-online/, support.lengalia.com/hc/en-gb and collect certain data from our visitors and customers as necessary. With this privacy policy, Lengalia would like to explain how your personal data is processed and in what form some of this data may be accessible to other users.
In the following privacy policy, you will learn what we do with your personal data and why. We will also tell you how we protect your data, when the data will be deleted and what rights you have under data protection law.

2 SCOPE OF THIS PRIVACY POLICY

The German version of this privacy policy is deemed to be the basis for using the Lengalia’s online-service. Its translation into English, Spanish, French, Italian and Portuguese is provided for information purposes only. In case of contradictions, the only legally binding version of the document (which can be viewed here) is the German version.

3 DECLARATION OF CONSENT
By using the service offered on the Lengalia website you automatically agree to the following privacy policy. Your declaration of consent will be recorded by us. 
You can withdraw your declaration of consent at any time via email, however not in retrospect. Withdrawing your consent means that you may no longer use any of the services provided by Lengalia. In addition to the data processing on our website, we explain in this privacy policy the data processing in the services we offer for which our customers can register.
This privacy policy will explain:
- What data Lengalia collects and what we do with it.
- What technologies we use for provision and personalization.
- What data protection rights you have and how you can exercise them.

4 CONTACT
The trust of our users is important to us. Lengalia therefore wishes to provide its users with full information on the processing of their personal data at all times. If any queries remain unanswered by this privacy statement or if more detailed information is required on any point, please contact the following address at any time.
Author of this page:
Lengalia, José Delgado
Schmarjestr. 42 22767
Hamburg
email: mail (@) lengalia.com
You can also reach our Data Protection Supervisor and other data protection-related contacts via these contact details. In this context, we process data exclusively for the purpose of communicating with you. The legal basis for the data processing is the performance of the contract pursuant to Article 6(1)(b) GDPR.

GET IN TOUCH
We collect your personal data when you provide it to us of your own accord, e.g. when you contact us. This information is communicated on a voluntary basis and in these cases is initiated by you. Insofar as this involves information regarding communication channels (email address, telephone number), we will use these channels to contact you in accordance with your request.
Legal basis for data processing
The legal basis for processing the data that you transmit to us in the course of contacting us is Art. 6 (1) sentence 1 lit. f DSGVO.
Purpose of data processing
The purpose of processing your data is to handle and respond to your request.
Duration of storage
We will delete the data we have received in the course of contacting you as soon as it is no longer required to achieve the purpose for which it was collected, i.e. your request has been fully processed and no further communication with you is required or requested.
Possibility of objection and removal
If a user contacts us by email, they can object to the storage of their personal data at any time.

5 WHAT RIGHTS DO YOU HAVE?
- Withdrawal of consent in accordance with Article 7(3) GDPR (e.g. you can contact us to withdraw consent and stop receiving the newsletter)
- Right of Access in accordance with Article 15 GDPR (e.g. you can contact us to find out which data of yours we have saved)
- Rectification in accordance with Article 16 GDPR (e.g. you can contact us if your email address has changed and you want us to update it)
- Erasure in accordance with Article 17 GDPR (e.g. you can contact us if you want us to delete any of your data that we have saved)
- Restriction of processing in accordance with Article 18 GDPR (e.g. you can contact us if you do not want us to delete your email address but only want to receive emails that are strictly necessary)
- Data portability in accordance with Article 20 GDPR (e.g. you can contact us to obtain the data we have saved on you in a compressed format as you may want to provide the data to another website)
- Objection in accordance with Article 21 GDPR (e.g. you can contact us if you do not consent to one of the advertising or analytical procedures listed in this document)
- Right to lodge a complaint with the relevant supervisory authority in accordance with Article 77(1) GDPR (e.g. in the event of a complaint you could contact the data protection supervisory authority in your state directly)

Supervisory authority in Hamburg
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22
20459 Hamburg

Your rights concerning the processing of your personal data
To exercise your rights, you must send us a request in writing, either by post or email. If you would also like to speak to someone in person, you can contact us by telephone. You will need to provide:
. proof of identity
. proof of address
. any additional details we need to locate the information you have requested (for example, details regarding Lengalia or staff that you have had contact with and when).
We will not start looking for your information until we confirm your identity.

6 DELETION OF DATA AND STORAGE PERIOD
If not otherwise noted, we delete personal data as soon as it is no longer needed. Your data will also be locked or deleted if a storage period set out by law expires, unless the data must be kept in order to complete or fulfil a contract. Some data may have to be stored for a longer time period if the law requires it. You can, of course, request information regarding the personal data we have saved on you at any time.
Right to erasure - 'right to be forgotten'
After your access period to our Learning portal has finished, your data will be completely deleted after 90 days (both your personal data and data concerning your learning progress connected to your account). You also have the option of deleting your data yourself at any time during your period of access under ‘Profile‘. This is because the personal data are no longer necessary in relation to the purposes for which they were collected.
The legal basis is your consent in accordance with the European data protection requirements from Article 17(1) GDPR.

7 LOG FILES
If you visit our website, we do not collect any personal data, with the exception of the data that your browser transmits to enable you to visit the website. The website provider -Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen (Germany)- automatically collects and stores information that your browser automatically transmits to us in "log files". These are:
- type and version of browser used,
- operating system,
- date and time of server requests,
- number of visits,
- time spent on the website,
- website previously visited,
- IP address of users is anonymised before being stored.
As a protective measure in favour of your privacy, we delete or anonymize the IP address after specified periods. Therefore, other related data can no longer be traced back to you and may only serve anonymous, statistical purposes for the optimization of our website. The purpose of the temporary storage of the data is a technical necessity for establishing the connection, and the correct and error-free display of our website. The IP address and the technical data already mentioned are needed to display the website, to prevent display problems for visitors and to correct error messages.
The legal basis is the so-called legitimate interest which has been examined in the context of the aforementioned protective measures and in accordance with the European data protection requirements from Article 6(1)(f) GDPR.

8 CLOUDFLARE
We use Cloudflare by the company Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA) on our website to enhance its speed and security. For this, Cloudflare uses cookies and processes user data. Cloudflare, Inc. is an American company that offers a content delivery network and various security services. These services take place between the user and our hosting provider. In the following, we will try to explain in detail what all this means.
A content delivery network (CDN), as provided by Cloudflare, is nothing more than a network of servers that are connected to each other. Cloudflare has deployed servers around the world, which ensure websites can appear on your screen faster. Simply put, Cloudflare makes copies of our website and places them on its own servers. Thus, when you visit our website, a load distribution system ensures that the main part of our website is delivered by a server that can display our website to you as quickly as possible. The CDN significantly shortens the route of the transmitted data to your browser. Thus, Cloudflare does not only deliver our website’s content from our hosting server, but from servers from all over the world. Cloudflare is particularly helpful for users from abroad, since pages can be delivered from a nearby server. In addition to the fast delivery of websites, Cloudflare also offers various security services, such as DDoS protection, or the web application firewall.
Why do we use Cloudflare on our website?
Of course, we want our website to offer you the best possible service. Cloudflare helps us make our website faster and more secure. Cloudflare offers us web optimisations as well as security services such as DDoS protection and a web firewall. Moreover, this includes a Reverse-Proxy and the content distribution network (CDN). Cloudflare blocks threats and limits abusive bots as well as crawlers that waste our bandwidth and server resources. By storing our website in local data centres and blocking spam software, Cloudflare enables us to reduce our bandwidth usage by about 60%. Furthermore, the provision of content through a data centre near you and certain web optimizations carried out there, cut the average loading time of a website in about half. According to Cloudflare, the setting “I’m Under Attack Mode” can be used to mitigate further attacks by displaying a JavaScript calculation task that must be solved before a user can access a website. Overall, this makes our website significantly more powerful and less susceptible to spam or other attacks.
What data is stored by Cloudflare?
Cloudflare generally only transmits data that is controlled by website operators. Therefore, Cloudflare does not determine the content, but the website operator themselves does. Additionally, Cloudflare may collect certain information about the use of our website and may process data we send or data which Cloudflare has received certain instructions for. Mostly, Cloudflare receives data such as IP addresses, contacts and protocol information, security fingerprints and websites’ performance data. Log data for example helps Cloudflare identify new threats. That way, Cloudflare can ensure a high level of security for our website. As part of their services, Cloudflare process this data in compliance with the applicable laws. Of course, this also includes the compliance with the General Data Protection Regulation (GDPR). Furthermore, Cloudflare uses a cookie for security reasons. The cookie (__cfduid) is used to identify individual users behind a shared IP address, and to apply security settings for each individual user. The cookie is very useful, if you e.g. use our website from a restaurant where several infected computers are located. However, if your computer is trustworthy, we can recognise that with the cookie. Hence, you will be able to freely and carelessly surf our website, despite the infected PCs in your area. Another point that is important to know, is that this cookie does not store any personal data. The cookie is essential for Cloudflare’s security functions and cannot be deactivated. Cloudflare also works with third party providers. They may however only process personal data after the instruction of Cloudflare and in accordance with the data protection guidelines and other confidentiality and security measures. Without explicit consent from us, Cloudflare will not pass on any personal data.
How long and where is the data stored?
Cloudflare stores your information primarily in the United States and the European Economic Area. Cloudflare can transfer and access the information described above, from all over the world. In general, Cloudflare stores domains’ user-level data with the Free, Pro and Business versions for less than 24 hours. For enterprise domains that have activated Cloudflare Logs (previously called Enterprise LogShare or ELS), data can be stored for up to 7 days. However, if IP addresses trigger security warnings in Cloudflare, there may be exceptions to the storage period mentioned above.
How can I erase my data or prevent data retention?
Cloudflare only keeps data logs for as long as necessary and in most cases deletes the data within 24 hours. Cloudflare also does not store any personal data, such as your IP address. However, there is information that Cloudflare store indefinitely as part of their permanent logs. This is done to improve the overall performance of Cloudflare Resolver and to identify potential security risks. You can find out exactly which permanent logs are saved here. All data Cloudflare collects (temporarily or permanently) is cleared of all personal data. Cloudflare also anonymise all permanent logs. In their privacy policy, Cloudflare state that they are not responsible for the content you receive. For example, if you ask Cloudflare whether you can update or delete content, Cloudflare will always refer to us as the website operator. You can also completely prevent the collection and processing of your data by Cloudflare, when you deactivate the execution of script-code in your browser, or if you integrate a script blocker to your browser.
Legal basis
If you have consented to the use of Cloudflare, your consent is the legal basis for the corresponding data processing. According to Art. 6 paragraph 1 lit. a (Consent) your consent is the legal basis for the processing of personal data, as can occur when it is collected by Cloudflare. We also have a legitimate interest in using Cloudflare to optimise our online service and make it more secure. The corresponding legal basis for this is Art. 6 para. 1 lit.f GDPR (legitimate interests). Nevertheless, we only use Cloudflare if you have given your consent to it. Cloudflare also processes data in the USA, among other countries. We would like to note, that according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This can be associated with various risks to the legality and security of data processing. Cloudflare uses standard contractual clauses approved by the EU Commission as basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway and especially in the USA) or data transfer there (= Art. 46, paragraphs 2 and 3 of the GDPR). These clauses oblige Cloudflare to comply with the EU‘s level of data protection when processing relevant data outside the EU. These clauses are based on an implementing order by the EU Commission. You can find the order and the clauses here. You can find more information about data protection at Cloudflare.
Data Processing Agreement (DPA) Cloudflare
In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have entered into a Data Processing Agreement (DPA) with Cloudflare. What exactly a DPA is and especially what must be included in a DPA, you can read in our general section “Data Processing Agreement (DPA)”. This contract is required by law because Cloudflare processes personal data on our behalf. It clarifies that Cloudflare may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the Data Processing Agreement (DPA) here.

9 PROVISION OF THE LENGALIA LEARNING PORTAL
We process your data to the extent necessary in each case for the performance of the contract and for the purposes of providing and carrying out other services requested by you, as described in this Privacy Policy. This includes:
- The provision, personalization and needs-based design of our website
- Ensuring the general security, operability and stability of our services, including defense against attacks
- Non-promotional communication with you on technical, security and contract-related topics (e.g. fraud alerts, account blocking or contract changes)
Insofar as the purpose is the performance of a contract agreed with you or the provision of a service requested by you, the legal basis is Article 6(1)(b) GDPR. Otherwise, the legal basis is Article 6(1)(f) GDPR, whereby our legitimate interests lie in the above-mentioned purposes.

10 YOUR LENGALIA ACCOUNT
The use of our learning portal Spanish language courses, requires registration on our website. When you register with us, we collect and store the basic data you enter, such as (user) name, email address, and your password, as required fields as part of the registration process. We may receive further information from you about the learning portal, e.g. in your personal profile.
As a protective measure, the transmission of the data you enter, as happens when you visit the rest of the learning portal, takes place via an encrypted connection. After successful confirmation, your data will be stored until you decide to delete either individual data or the entire user account. The purpose of the requested data is the creation of a user account for the use of extended functions on the website. Registration is voluntary and can be revoked or the user data deleted at any time.

11 USE OF THE LENGALIA LEARNING PORTAL
a) Profile
Using the information you provide when you pay for a course, we create a personal profile for you. This profile contains the following information: title, first name and surname, street, postcode, town/city, country and email address. Furthermore, the email addresses of course participants, or those employed by companies, schools and institutions who are using the learning platform, will be taken. You will need your email address to log in. We use your email address to communicate with you within the framework of our contract. We use your first and last names in order to directly address you when using the learning platform. We need your address in order to fulfil our contractual duties for you. When we send you your access details and your bill via email, we include your address at the top of these documents.
You can delete your profile information at any time. If you delete your profile you will only be able to use the service again after paying for a new course. Your learning progress (learning statistics) and all contents of the learning tools will all be reset.


b) Learning statistics
While you practise, Lengalia automatically creates statistics which record and analyze the progress of your learning. In your statistics, we save and make use of data that is needed by other learning tools (for example, ‘Vocabulary trainer‘, Verb conjugator‘, ‘correct mistakes‘). In your statistics, these tools would not be useable if the data were not available. Therefore, we save and use the results of the progress you made whilst practising. Your learning statistics are only visible to you and to the Lengalia teacher or Lengalia team responsible for you. If you use an online course in the context of your company, a school or any other institution the teacher (supervisor) may be appointed by Lengalia or by your company, school, or institution respectively. The legal basis for the data processing is the fulfillment of the contract according to Article 28 GDPR.

12 PERSONAL VOCABULARY TRAINER
Lengalia offers a personal vocabulary trainer that allows users to transfer their own vocabulary in order to repeat and learn later. This data is not visible to other users.
The legal basis for the data processing is the fulfillment of the contract according to Article 6(1)(b) GDPR.

13 DEEPL
On our website we use the service of the company DeepL GmbH, Maarweg 165, 50825 Köln (Germany). Our legitimate interest in using this service is to translate user requests quickly. When using DeepL, the texts and/or documents you submit are not stored permanently and are only kept temporarily to the extent necessary for the creation and transmission of the translation. After the translation has been transmitted to you, both the submitted texts and/or documents and their translations will be deleted. This data cannot be viewed by other users. The use of DeepL is optional.
The legal basis for the use of this service is our legitimate interest pursuant to Article 6(1)(b) GDPR.

14 VOICE RECORDER
In order for us to check your pronunciation, we use voice recognition systems. For this purpose, we store the audio recordings you make for a short period of time and delete them immediately after evaluation. To do this, we first need authorized access to the microphone of your terminal device. Your audio recordings are then processed via an interface and subsequently evaluated. Lengalia does not store these audio recordings after evaluation with regard to the accuracy of your pronunciation.
The legal basis for the aforementioned data processing is the fulfillment of the contract pursuant to Article 6(1)(b) GDPR.

15 MATOMO
Our website uses "Matomo", a web analytics service provided by InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand. The information collected is stored only on our server and is not shared with third parties. The following data is stored:
- two bytes of the user's IP address
- the webpage that was visited
- the website from which the user accessed our website (referrer)
- the subpages
- the time spent on the website
- the frequency with which the website is accessed
Our website uses Matomo with the setting "Anonymise visitor IP addresses". This means that IP addresses are processed in abbreviated form, which makes it impossible to link them directly to individuals. It is therefore not possible to assign the shortened IP address to your computer. Further information on Matomo's terms of use and data protection regulations can be found here.
The legal basis for the use of this service is Art. 6 para. 1 p. 1 lit. f GDPR - legitimate interest. Our legitimate interest is the optimisation of our website, the improvement of our offers and online marketing.

16 ZENDESK
We also use the customer service software Zendesk. The provider of this service is the American company Zendesk, Inc., 989 Market St, San Francisco, CA 94103, USA.
Zendesk also processes data in the USA, among other countries. We would like to note, that according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This can be associated with various risks to the legality and security of data processing.
Zendesk uses standard contractual clauses approved by the EU Commission as the basis for data processing by recipients based in third countries (i. e. outside the European Union, Iceland, Liechtenstein, Norway, and thus especially in the USA) or data transfer there (= Art. 46, paragraphs 2 and 3 of the GDPR). Standard Contractual Clauses (SCC) are legal templates provided by the EU Commission. Their purpose is to ensure that your data complies with European data privacy standards, even if your data is transferred to and stored in third countries (such as the USA). With these clauses, Zendesk commits to comply with the EU‘s level of data protection when processing relevant data, even if it is stored, processed and managed in the USA. These clauses are based on an implementing order by the EU Commission. You can find the order and the standard contractual clauses here. Further information on data processing and the standard contractual clauses at Zendesk can be found here. You can find out more about the data that is processed by Zendesk in their Privacy Policy. The legal basis for the use of this service is our legitimate interest pursuant to Article 6(1)(f) GDPR. Our legitimate interest in using this service is to be able to answer user inquiries quickly and efficiently. 

17 AMAZON WEB SERVICES (AWS)
We use Amazon Web Services (AWS) for our website, which is a web hosting provider, among other things. The provider of this service is the American company Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA. Amazon Web Services (AWS) also processes data in the USA, among other countries. We would like to note, that according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This can be associated with various risks to the legality and security of data processing. Amazon Web Services (AWS) uses standard contractual clauses approved by the EU Commission as basis for data processing by recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway and especially in the USA) or data transfer there (= Art. 46, paragraphs 2 and 3 of the GDPR). These clauses oblige Amazon Web Services (AWS) to comply with the EU‘s level of data protection when processing relevant data outside the EU. These clauses are based on an implementing order by the EU Commission. You can find the order and the clauses here. You can find out more about the data that are processed through the use of Amazon Web Services (AWS) in their Privacy Policy.
Data Processing Agreement (DPA) Amazon Web Services (AWS)
In accordance with Article 28 of the General Data Protection Regulation (GDPR), we have entered into a Data Processing Agreement (DPA) with Amazon Web Services (AWS). What exactly a DPA is and especially what must be included in a DPA, you can read in our general section “Data Processing Agreement (DPA)”. This contract is required by law because Amazon Web Services (AWS) processes personal data on our behalf. It clarifies that Amazon Web Services (AWS) may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the Data Processing Agreement (DPA).

18 POSTMARK
To ensure that our emails (e.g., contact form, registration confirmations, order confirmations, invoices, etc.) are successfully sent via email, we use the product Postmark. Postmark is a service provided by the American company AC PM LLC, 1 N Dearborn Street, Suite 500, Chicago, IL 60602, USA. The data you enter (e.g., email address) is stored on Postmark's servers. Postmark retains the transmitted email orders to ensure delivery or log them in case of errors. Postmark automatically deletes your data after 45 days. Postmark also processes your data in the USA. We would like to inform you that, according to the opinion of the European Court of Justice, there is currently no adequate level of protection for data transfer to the USA. This may entail various risks for the legality and security of data processing.
As the basis for data processing for recipients based in third countries (outside the European Union, Iceland, Liechtenstein, Norway, especially in the USA) or data transfers to such countries, Postmark uses so-called Standard Contractual Clauses (= Art. 46, para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are template clauses provided by the EU Commission and are intended to ensure that your data is processed in accordance with European data protection standards even when transmitted to and stored in third countries (such as the USA). Through these clauses, Postmark commits to maintaining the European level of data protection when processing your personal data, even if the data is stored, managed, or otherwise processed in the USA. These clauses are based on an implementing decision of the EU Commission (Implementing Decision (EU) 2021/914 of June 4, 2021). You can find the decision and the corresponding Standard Contractual Clauses here.
For more information on Postmark's Standard Contractual Clauses, refer to the data processing terms here. Learn more about data processing by Postmark in the privacy policy.

19 WHAT ARE MESSENGER & COMMUNICATION FUNCTIONS?
We offer you various options on our website to communicate with us (e.g. messenger and chat functions, online or contact forms, email, telephone). With the use of these functions, your data will be processed and stored insofar as it is necessary to answer your inquiry and conduct any of our subsequent measures. In addition to classic means of communication such as email, contact forms or telephone, we also use chats or messengers. The most commonly used messenger function at the moment is WhatsApp, but of course, there are many different providers who offer messenger functions for websites. If content is end-to-end encrypted, it will be indicated in our individual privacy policies or in the privacy policy of the respective provider. End-to-end encryption means that the content of a message is not visible to the provider themselves. However, information about your device, location settings and other technical data can still be processed and stored.
Why do we use Messenger & Communication functions?
The ability to communicate with you is very important to us. After all, we want to keep the conversation with you going and answer any questions you may have about our service as best we can. Needless to say, smooth communication is an important part of our service. With our practical messenger & communication functions, you always have the option to choose the ones you prefer most. In exceptional cases, however, we may not be able to answer certain questions via chat or messenger. This may be the case for internal contractual matters, for example. For matters like these, we recommend you to use other communication options such as email or telephone. We generally assume our responsibility under data protection law, even if we use the services of any social media platform. However, the European Court of Justice has decided that in certain cases the operator of the social media platform be jointly responsible alongside us in the scope of Art. 26 GDPR. Should this be the case, we will point it out separately and work on the basis of a relevant agreement. You will find the essence of the agreement for the respective platforms below. Please note that when using our integrated elements, your data may also be processed outside the European Union, since many providers, such as Facebook Messenger or WhatsApp, are American companies. As a result, you may not be able to claim or enforce your rights in relation to your personal data as easily.
Which data is processed?
Exactly which data is retained and processed depends on the respective messenger & communication function provider. In general, it is data such as your name, address, telephone number, email address and content data such as any information you enter into a contact form. In most cases, information about your device and IP address are also stored. Moreover, data that are transmitted via a messenger & communication function are also stored on the providers’ servers. If you want to know exactly which data is stored and processed by the respective providers and how you can object to the data processing, you please carefully read the respective privacy policy of the company in question.
How long is data stored?
How long data is processed and stored depends primarily on the tools we use. Below you can find out more about the data processing of individual tools. The providers’ privacy policies usually state exactly which data is stored and processed and for how long. In general, we only process personal data for as long as necessary to provide our services. When data is stored in cookies, the storage period varies greatly. Data may e.g. be deleted immediately after leaving a website, or they may be stored for several years. Therefore, you should study each individual cookie in detail if you want to know more about data storage. In most cases, you will also find helpful information about individual cookies in the privacy policies of the individual providers.
Right to object
You also have the right and the option to revoke your consent to the use of cookies or third-party providers at any time. This can be done either via our cookie management tool or via other opt-out functions. For example, you can also prevent data collection by cookies by managing, deactivating or deleting the cookies in your browser. For more information, we recommend you to read the Consent section. Since cookies may be in use with messenger & communication functions, we recommend you to read our general privacy policy on cookies. To find out exactly which of your data is stored and processed, please read the privacy policies of the respective tools.
Legal Basis
If you have consented to the data processing and storage by integrated messenger & communication functions, this consent is the legal basis for data processing (Art. 6 Para. 1 lit. a GDPR). We process your request and manage your data within the framework of contractual or pre-contractual relationships in order to fulfill our pre-contractual and contractual obligations or to answer inquiries. The basis for this is Art. 6 Para. 1 section 1 lit. b GDPR. In general, if you have given your consent, your data will also be stored and processed on the basis of our legitimate interest (Art. 6 Para. 1 lit. f GDPR) in quick and smooth communication with you or other customers and business partners.

20 FACEBOOK PIXEL
Within our online offer we use the so-called “Facebook Pixel” of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. With the help of the Facebook pixel, a so-called JavaScript code snippet, Facebook is able to determine the visitors of our online offer as a target group for the display of ads within the social network.
We use Facebook’s Facebook pixel on our website. For that, we have implemented a code on our website. The Facebook pixel is a segment of a JavaScript code, which, in case you arrived on our website via Facebook ads, loads an array or functions that enable Facebook to track your user actions. For example, if you buy a product on our website, the Facebook pixel is triggered and then saves your actions on our website in one or more cookies. These cookies enable Facebook to match your user data (customer data such as IP address, user ID) with the data of your Facebook account. After that, Facebook deletes your data again. The collected data is anonymous as well as inaccessible and can only be used for ad placement purposes. If you are a Facebook user and you are logged in, your visit to our website is automatically assigned to your Facebook user account. We exclusively want to show our products or services to persons, who are interested in them. With the aid of the Facebook pixel, our advertising measures can get better adjusted to your wishes and interests. Therefore, Facebook users get to see suitable advertisement (if they allowed personalised advertisement). Moreover, Facebook uses the collected data for analytical purposes and for its own advertisements.
If you are registered at Facebook, you can change the settings for advertisements yourself here. If you are not a Facebook user, you can manage your user based online advertising here. You have the option to activate or deactivate any providers there. If you want to learn more about Facebook’s data protection, we recommend you the view the company’s in-house data policies.
The processing of your personal data is based on a voluntary and informed consent pursuant to Art. 6 para. 1 S 1 lit. a GDPR, which you have given by selecting within the cookie banner. You can revoke your consent at any time with effect for the future by changing your selection in the cookie settings.

21 COOKIES
Our website uses HTTP-cookies to store user-specific data. For your better understanding of the following Privacy Policy statement, we will explain to you below what cookies are and why they are in use.
What exactly are cookies?
Every time you surf the internet, you use a browser. Common browsers are for example Chrome, Safari, Firefox, Internet Explorer and Microsoft Edge. Most websites store small text-files in your browser. These files are called cookies
It is important to note that cookies are very useful little helpers. Almost every website uses cookies. More precisely, these are HTTP cookies, as there are also other cookies for other uses. HTTP cookies are small files that our website stores on your computer. These cookie files are automatically placed into the cookie-folder, which is the “brain” of your browser. A cookie consists of a name and a value. Moreover, to define a cookie, one or multiple attributes must be specified. Cookies store certain user data about you, such as language or personal page settings. When you re-open our website to visit again, your browser submits these “user-related” information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are familiar to. In some browsers, each cookie has its own file, while in others, such as Firefox, all cookies are stored in one single file.
Which types of cookies are there
What exact cookies we use, depends on the used services. We will explain this in the following sections of the Privacy Policy statement. Firstly, we will briefly focus on the different types of HTTP-cookies.There are 4 different types of cookies:
- Essential Cookies: These cookies are necessary to ensure the basic function of a website. They are needed when a user for example puts a product into their shopping cart, then continues surfing on different websites and comes back later in order to proceed to the checkout. Even when the user closed their window priorly, these cookies ensure that the shopping cart does not get deleted.
- Purposive Cookies: These cookies collect info about the user behaviour and record if the user potentially receives any error messages. Furthermore, these cookies record the website’s loading time as well as its behaviour within different browsers.
- Target-orientated Cookies: These cookies care for an improved user-friendliness. Thus, information such as previously entered locations, fonts or data in forms stay saved.
- Advertising Cookies: These cookies are also known as targeting-Cookies. They serve the purpose of delivering individually adapted advertisements to the user. This can be very practical, but also rather annoying.
Upon your first visit to a website you are usually asked which of these cookie-types you want to accept. Furthermore, this decision will of course also be saved in a cookie.
Purpose of processing via cookies
The purpose ultimately depends on the respective cookie. You can find out more details below or from the software manufacturer that sets the cookie.
Which data are processed?
Cookies are little helpers for a wide variety of tasks. Unfortunately, it is not possible to tell which data is generally stored in cookies, but in the privacy policy below we will inform you on what data is processed or stored.
Storage period of cookies
The storage period depends on the respective cookie and is further specified below. Some cookies are erased after less than an hour, while others can remain on a computer for several years.
You can also influence the storage duration yourself. You can manually erase all cookies at any time in your browser (also see “Right of objection” below). Furthermore, the latest instance cookies based on consent will be erased is after you withdraw your consent. The legality of storage will remain unaffected until then.
Right of objection – how can I erase cookies?
You can decide for yourself how and whether you want to use cookies. Regardless of which service or website the cookies originate from, you always have the option of erasing, deactivating or only partially accepting cookies. You can for example block third-party cookies but allow all other cookies.
If you want to find out which cookies have been stored in your browser, or if you want to change or erase cookie settings, you can find this option in your browser settings:
Chrome: Clear, enable and manage cookies in Chrome
Safari: Manage cookies and website data in Safari
Firefox: Clear cookies and site data in Firefox
Internet Explorer: Delete and manage cookies
Microsoft Edge: Delete cookies in Microsoft Edge
If you generally do not want to allow any cookies at all, you can set up your browser in a way, to notify you whenever a potential cookie is about to be set. This gives you the opportunity to manually decide to either permit or deny the placement of every single cookie. The settings for this differ from browser to browser. Therefore, it might be best for you to search for the instructions in Google. If you are using Chrome, you could for example put the search phrase “delete cookies Chrome” or “deactivate cookies Chrome” into Google.
Legal basis
The so-called “cookie directive” has existed since 2009. It states that the storage of cookies requires your consent (Article 6 Paragraph 1 lit. a GDPR). Within countries of the EU, however, the reactions to these guidelines still vary greatly. In Austria, however, this directive was implemented in Section 96 (3) of the Telecommunications Act (TKG). In Germany, the cookie guidelines have not been implemented as national law. Instead, this guideline was largely implemented in Section 15 (3) of the Telemedia Act (TMG).
For absolutely necessary cookies, even if no consent has been given, there are legitimate interests (Article 6 (1) (f) GDPR), which in most cases are of an economic nature. We want to offer our visitors a pleasant user experience on our website. For this, certain cookies often are absolutely necessary.
This is exclusively done with your consent, unless absolutely necessary cookies are used. The legal basis for this is Article 6 (1) (a) of the GDPR.
Cookie settings

22 TLS ENCRYPTION WITH HTTPS
We use https to transfer information on the internet in a tap-proof manner (data protection through technology design Article 25 Section 1 GDPR). With the use of TLS (Transport Layer Security), which is an encryption protocol for safe data transfer on the internet, we can ensure the protection of confidential information. You can recognise the use of this safeguarding tool by the little lock-symbol, which is situated in your browser’s top left corner, as well as by the use of the letters https (instead of http) as a part of our web address.

23 YOUTUBE
We have integrated YouTube videos to our website. Therefore, we can show you interesting videos directly on our site. YouTube is a video portal, which has been a subsidiary company of Google LLC since 2006. The video portal is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit a page on our website that contains an embedded YouTube video, your browser automatically connects to the servers of YouTube or Google. Thereby, certain data are transferred (depending on the settings). Google is responsible for YouTube’s data processing and therefore Google’s data protection applies. In the following we will explain in more detail which data is processed, why we have integrated YouTube videos and how you can manage or clear your data. On YouTube, users can watch, rate, comment or upload videos for free. Over the past few years, YouTube has become one of the most important social media channels worldwide. For us to be able to display videos on our website, YouTube provides a code snippet that we have integrated to our website.
Why do we use YouTube videos on our website?
YouTube is the video platform with the most visitors and best content. We strive to offer you the best possible user experience on our website, which of course includes interesting videos. With the help of our embedded videos, we can provide you other helpful content in addition to our texts and images. Additionally, embedded videos make it easier for our website to be found on the Google search engine. Moreover, if we place ads via Google Ads, Google only shows these ads to people who are interested in our offers, thanks to the collected data.
What data is stored by YouTube?
As soon as you visit one of our pages with an integrated YouTube, YouTube places at least one cookie that stores your IP address and our URL. If you are logged into your YouTube account, by using cookies YouTube can usually associate your interactions on our website with your profile. This includes data such as session duration, bounce rate, approximate location, technical information such as browser type, screen resolution or your Internet provider. Additional data can include contact details, potential ratings, shared content via social media or YouTube videos you added to your favourites. If you are not logged in to a Google or YouTube account, Google stores data with a unique identifier linked to your device, browser or app. Thereby, e.g. your preferred language setting is maintained. However, many interaction data cannot be saved since less cookies are set. In the following list we show you cookies that were placed in the browser during a test. On the one hand, we show cookies that were set without being logged into a YouTube account.
How long and where is the data stored?
The data YouTube receive and process on you are stored on Google’s servers. Most of these servers are in America. Hier you can see where Google’s data centres are located. Your data is distributed across the servers. Therefore, the data can be retrieved quicker and is better protected against manipulation. Google stores collected data for different periods of time. You can delete some data anytime, while other data are automatically deleted after a certain time, and still other data are stored by Google for a long time. Some data (such as elements on “My activity”, photos, documents or products) that are saved in your Google account are stored until you delete them. Moreover, you can delete some data associated with your device, browser, or app, even if you are not signed into a Google Account.
How can I erase my data or prevent data retention?
Generally, you can delete data manually in your Google account. Furthermore, in 2019 an automatic deletion of location and activity data was introduced. Depending on what you decide on, it deletes stored information either after 3 or 18 months. Regardless of whether you have a Google account or not, you can set your browser to delete or deactivate cookies placed by Google. These settings vary depending on the browser you use. If you generally do not want to allow any cookies, you can set your browser to always notify you when a cookie is about to be set. This will enable you to decide to either allow or permit each individual cookie.
Legal basis
If you have consented processing and storage of your data by integrated YouTube elements, this consent is the legal basis for data processing (Art. 6 para. 1 lit. a GDPR). Generally, your data is also stored and processed on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) to maintain fast and good communication with you or other customers and business partners. Nevertheless, we only use integrated YouTube elements if you have given your consent. YouTube also sets cookies in your browser to store data. We therefore recommend you to read our privacy policy on cookies carefully and to take a look at the privacy policy or the cookie policy of the respective service provider. YouTube also processes data in the USA, among other countries. We would like to note, that according to the European Court of Justice, there is currently no adequate level of protection for data transfers to the USA. This can be associated with various risks to the legality and security of the data processing. YouTube uses standard contractual clauses approved by the EU Commission (= Art. 46, paragraphs 2 and 3 of the GDPR) as basis for data processing by recipients based in third countries (which are outside the European Union, Iceland, Liechtenstein and Norway) or for data transfer there. These clauses oblige YouTube to comply with the EU‘s level of data protection when processing relevant data outside the EU. These clauses are based on an implementing order by the EU Commission. You can find the order and the clauses here. Since YouTube is a subsidiary company of Google, Google’s privacy statement applies to both. If you want to learn more about how your data is handled, we recommend the privacy policy.

24 GOOGLE FONTS
Google Fonts from Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, a font collection from Google, are used to visually improve the typeface. These fonts are transferred to your browser's storage folder and activated when you access this website or other websites. If this is not supported, the text on the website will only be displayed in a standard font. To enable this, a request is sent to domains such as fonts.googleapis.com or fonts.gstatic.com, which contains your IP address for technical reasons. However, your data will not be merged with other data or traced back to you personally. As a protective measure, we have ensured that the retrieval of the font collection from Google does not result in the data being merged with other Google offerings, e.g. if you have a Google user account. English information on data protection at Google Fonts confirms this. In addition, the high security standards of the Google platform and Google’s associated privacy policy apply. The purpose of the data transfer is the correct display of the fonts in the form we set. The IP address is required to establish a connection with Google's servers in order to download the font collection if it is not already stored on the end device.
The legal basis is the so-called legitimate interest, which has been examined in order to pursue the purpose and within the framework of the aforementioned protective measures, as well as in accordance with the European data protection requirements from Article 6(1)(f) GDPR.

25 GOOGLE ANALYTICS
If you have given your consent, this website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google‘).
Scope of processing
Google Analytics uses cookies that enable an analysis of your use of our website. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored. We use the function User-ID. The User ID allows us to assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and to analyze user behaviour across devices. We use Google Signals. This allows Google Analytics to collect additional information about users who have activated personalized ads (interests and demographic data). Also, ads can be delivered to these users in cross-device remarketing campaigns.
We use the function 'anonymizeIP' (so-called IP-Masking): Due to the activation of IP-anonymization on this website, your IP-address will be shortened by Google within member states of the European Union or in other signatory states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.
During your website visit the following data will be collected:
- The pages you visit, your ‘click behaviour‘
- Achievement of ‘website goals‘ (conversions, e.g. newsletter registrations, downloads, purchases)
- Your user behaviour (for example clicks, dwell time, bounce rates)
- Your approximate location (region)
- Your IP address (in abbreviated form)
- Technical information about your browser and the end devices you use (e.g. language settings, screen resolution)
- Your internet provider
- The referrer URL (via which website/advertising medium you came to this website)
Purposes of processing
On behalf of the operator of this website, Google will use this information to evaluate your (pseudonymous [not user id]) use of the website and to compile reports on website activity. The reports provided by Google Analytics serve to analyse the performance of our website and the success of our marketing campaigns.
Recipient 
The data recipient is: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, as data processor. For this purpose we have concluded a contract with Google. Google LLC, headquartered in California, USA, and, if applicable, US authorities can access the data stored at Google.
Transfer to third countries 
A transfer of data to the USA cannot be excluded. Duration of storage The data sent by us and linked to cookies is automatically deleted after 14 months. Data is automatically deleted once a month as soon as the storage period is reached.
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by:
a. not consenting to cookies or
b. downloading and installing the browser add-on to disable Google Analytics here.
By setting your browser software accordingly you can also prevent the storage of cookies. If your browser is set to refuse all cookies, the functionality of this and other websites may be limited.
Legal basis and right of withdrawal 
Your consent is the legal basis for this data processing, Article 6(1)(a) GDPR. You can revoke your consent at any time with effect for the future by changing your selection in the cookie settings. More information here about Google Analytics terms of use and Google's privacy policy.

26 GOOGLE ADS AND GOOGLE CONVERSION TRACKING
We use Google Ads as an online marketing measure, to advertise our products and services. Thus, we want to draw more people’s attention on the internet to the high quality of our offers. As part of our advertising measures with Google Ads, we use the conversion tracking of Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) on our website. With the aid of this free tracking tool we can tailor our advertising offer better to your interests and needs. In the following article we will explain, why we use conversion tracking, what data gets saved and how you can prevent this data retention.
What is Google Ads conversion tracking?
Google Ads (previously Google AdWords) is the internal online advertising sxstem of the company Google LLC. We are convinced of our offer‘s quality and would like as many people as possible to discover our website. For this, Google Ads offers the best platform within the online environment. Of course, we also want to get an overview of the cost-benefit factor of our advertising campaigns. Thence, we use Google Ads’ conversion tracking tool. But what is a conversion actually? A conversion occurs, when you turn from an interested visitor into an acting website visitor. This happens every time you click on our ad and then make another action, such as paying a visit to our website. With Google’s conversion tracking tool, we can understand what happens after a user clicks our Google ad. It shows us for instance if products get bought, services are used or whether users have subscribed to our newsletter.
Why do we use Google Ads conversion tracking on our website?
We use Google Ads to show our offer also across other websites. Our aim is for our advertising campaigns to reach only those people, who are interested in our offers. With the conversion tracking tool, we see what keywords, ads, ad groups and campaigns lead to the desired customer actions. We see how many customers interact with our ads on a device, to then convert. With this data we can calculate our cost-benefit-factor, measure the success of individual ad campaigns and therefore optimise our online marketing measures. With the help of the obtained data we can give our website a more interesting design and customise our advertising offer better to your needs.
What data is stored with Google Ads conversion tracking?
For a better analysis of certain user actions, we have integrated a conversion tracking tag, or code snippet to our website. Therefore, if you click one of our Google ads, a Google domain stores the cookie “conversion” on your computer (usually in the browser) or on your mobile device. Cookies are little text files that save information on your computer. At this point we want to reiterate, that we have no influence on how Google use the collected data. According to Google, the data are encrypted and saved on a secure server. In most cases, conversion cookies expire after 30 days, and do not transmit any personalised data. The cookies named “conversion“ and “_gac“ (which is used with Google Analytics) have an expiry date of 3 months.
How can I delete my data or prevent data retention?
You have the possibility to opt out of Google Ads’ conversion tracking. The conversion tracking can be blocked by deactivating the conversion tracking cookie via your browser. If you do this, you will not be considered for the statistic of the tracking tool. You can change the cookie settings in your browser anytime. Doing so, works a little different in every browser. If you generally do not want to allow any cookies at all, you can set up your browser to notify you whenever a potential cookie is about to be set. This lets you decide upon permitting or denying the cookie’s placement. By downloading and installing the browser plugin here you can also deactivate all “advertising cookies”. Please consider that by deactivating these cookies, you cannot prevent all advertisements, only personalised ads. Due to the certification for the American-European data protection convention “Privacy Shield”, the American corporation Google LLC must comply to the EU’s applicable data protection laws. If you want to find out more on data protection at Google, we recommend Google’s general Privacy Policy.
The storage of “Conversion” cookies and the use of this tracking tool are based on Art. 6 Sect. 1 lit. f GDPR. The website operator has a legitimate interest in the analysis of user patterns, in order to optimize the operator’s web offerings and advertising. If a corresponding agreement has been requested (e.g. an agreement to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the agreement can be revoked at any time.

27 GOOGLE TAG MANAGER
Google Tag Manager is an organising tool with which we can integrate and manage website tags centrally and via a user interface. Tags are little code sections which e.g. track your activities on our website. For this, segments of JavaScript code are integrated to our site’s source text. The tags often come from Google’s intern products, such as Google Ads or Google Analytics, but tags from other companies can also be integrated and managed via the manager. Since the tags have different tasks, they can collect browser data, feed marketing tools with data, embed buttons, set cookies and track users across several websites.
Why do we use Google Tag Manager for our website?
Everybody knows: Being organised is important! Of course, this also applies to maintenance of our website. In order to organise and design our website as well as possible for you and anyone who is interested in our products and services, we rely on various tracking tools, such as Google Analytics. The collected data shows us what interests you most, which of our services we should improve, and which other persons we should also display our services to. Furthermore, for this tracking to work, we must implement relevant JavaScript Codes to our website. While we could theoretically integrate every code section of every tracking tool separately into our source text, this would take too much time and we would lose overview. This is the reason why we use Google Tag Manager. We can easily integrate the necessary scripts and manage them from one place. Additionally, Google Tag Manager’s user interface is easy to operate, and requires no programming skills. Therefore, we can easily keep order in our jungle of tags.
What data is saved by Google Tag Manager?
Tag Manager itself is a domain that neither uses cookies nor stores data. It merely functions as an “administrator“ of implemented tags. Data is collected by the individual tags of the different web analysis tools. Therefore, in Google Tag Manager the data is sent to the individual tracking tools and does not get saved. However, with the integrated tags of different web analysis tools such as Google Analytics, this is quite different. Depending on the analysis tool used, various data on your internet behaviour is collected, stored and processed with the help of cookies. Please read our texts on data protection for more information on the articular analysis and tracking tools we use on our website. We allowed Google via the account settings for the Tag Manager to receive anonymised data from us. However, this exclusively refers to the use of our Tag Manager and not to your data, which are saved via code sections. We allow Google and others, to receive selected data in anonymous form. Therefore, we agree to the anonymised transfer of our website data. However, even after extensive research we could not find out what summarised and anonymous data it is exactly that gets transmitted. What we do know is that Google deleted any info that could identify our website. Google combines the data with hundreds of other anonymous website data and creates user trends as part of benchmarking measures. Benchmarking is a process of comparing a company’s results with the ones of competitors. As a result, processes can be optimised based on the collected information.
How long and where is the data saved?
When Google stores data, this is done on Google’s own servers. These servers are located all over the world, with most of them being in America. Here you can read in detail where Google’s servers are. In our individual data protection texts on the different tools you can find out how long the respective tracking tools save your data.
How can I delete my data or prevent data retention?
Google Tag Manager itself does not set any cookies but manages different tracking websites’ tags. In our data protection texts on the different tracking tools you can find detailed information on how you can delete or manage your data. Google actively participates in the EU-U.S. Privacy Shield Framework, which regulates safe transfer of personal data. You can find more information here. If you want to learn more about Google Tag Manager, we recommend you to read here.
The legal basis for use of this service is your consent as laid out in Article 6(1)(a) GDPR, and consent is granted via our cookie banner. Consent can be withdrawn at any time via cookie management.

28 TUTOR AI - VIRTUAL TEACHER AI - OPEN AI
As the operator of this website and user of the Open AI API service, we would like to inform you about how we process and protect your personal data. We use the services of OpenAI L.L.C. ("OpenAI"), 3180 18th Street, San Francisco, CA 94110, USA to provide Lengalia (AI-assistance) in the field of machine learning and artificial intelligence. More information can be found in the OpenAI privacy policy. Please note that the answers from our virtual tutor come directly from OpenAI and we have no influence on their accuracy. The terms of use and privacy policy of OpenAI apply.
When using the Open AI API service, personal data is processed. These are in particular:
- Usage data: In order to provide you with the service, we collect technical information such as the IP address of your device, the time of access, the pages called up, and the type of browser used.
- Content data: When you use our Open AI API, you transmit texts that are processed by our service.
Data introduced via the API is stored until the user deletes it. In addition, there is a retention period of up to 30 days for the purpose of monitoring abuse (unless otherwise required by law).
Purpose and legal basis of data processing
We process your personal data in order to provide you with the Open AI API service. The processing is based on the contractual relationship between you and us in accordance with Art. 6 para. 1 lit. b GDPR. If you have given us your consent to process your personal data, the processing is based on this consent in accordance with Art. 6 para. 1 lit. a GDPR.

29 WHEN IS DATA PASSED ON?
Data collected by us will only be passed on if:
- You have given your express consent in accordance with Article 6(1)(a) GDPR
- The disclosure is necessary for the assertion, exercise or defense of legal claims pursuant to Article 6(1)(f) GDPR and there is no reason to assume that you have an overriding interest worthy of protection in not having your data disclosed
- We are legally obligated to disclose your data pursuant to Art. 6 Par. 1 Sentence 1 lit. c GDPR or
- This is legally permissible and necessary according to Article 6(1)(b) GDPR for the processing of contractual relationships with you or for the implementation of pre-contractual measures that take place at your request In addition, disclosure may take place in connection with official inquiries, court decisions and legal proceedings if it is necessary for legal prosecution or enforcement.

30 PAYMENT SERVICE PROVIDER
A. STRIPE
On our website we use a payment tool by Stripe, an American technology company and online payment service. Stripe Payments Europe (Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland) is responsible for customers within the EU. Therefore, if you choose Stripe as your payment method, your payment will be processed via Stripe Payments. Hence, the data required for the payment process is forwarded to Stripe where it is then stored. In this privacy policy we will give you an overview of Stripe’s data processing and retention. Moreover, we will explain why we use Stripe on our website.
What is Stripe?
The technology company Stripe offers payment solutions for online payments. Stripe enables us to accept credit and debit card payments in our webshop while it handles the entire payment process. A major advantage of Stripe is that you never have to leave our website or shop during the payment process. Moreover, payments are processed very quickly via Stripe.
Why do we use Stripe on our website?
We of course want to offer the best possible service with both our website and our integrated online shop. After all, we would like you to feel comfortable on our site and take advantage of our offers. We know that your time is valuable and therefore, payment processing in particular must work quickly and smoothly. In addition to our other payment providers, with Stripe we have found a partner that guarantees secure and fast payment processing.
What data are stored by Stripe?
If you choose Stripe as your payment method, your personal data (transaction data) will be transmitted to Stripe where it will be stored. These data include the payment method (i.e. credit card, debit card or account number), bank sort code, currency, as well as the amount and the payment date. During a transaction, your name, email address, billing or shipping address and sometimes your transaction history may also be transmitted. These data are necessary for authentication. Furthermore, Stripe may also collect relevant data for the purpose of fraud prevention, financial reporting and for providing its services in full. These data may include your name, address, telephone number as well as your country in addition to technical data about your device (such as your IP address). Stripe does not sell any of your data to independent third parties, such as marketing agencies or other companies that have nothing to do with Stripe. However, data may be forwarded to internal departments, a limited number of Stripe’s external partners or for legal compliance reasons.
How long and where are the data stored?
Generally, personal data are stored for the duration of the provided service. This means that the data will be stored until we terminate our cooperation with Stripe. However, in order to meet legal and official obligations, Stripe may also store personal data for longer than the duration of the provided service. Furthermore, since Stripe is a global company, your data may be stored in any of the countries Stripe offers its services in. Therefore, your data may be stored outside your country, such as in the USA for example.
How can I delete my data or prevent data retention?
Stripe is still a participant of the EU-U.S. Privacy Shield Framework which regulated correct and secure transfer of personal data until July 16, 2020. However, since the European Court of Justice declared the agreement to be invalid, the company no longer relies on this agreement, but still acts according to the principles of Privacy Shield. You always reserve the right to information, correction and deletion of your personal data. Should you have any questions, you can contact the Stripe team. You can delete, deactivate or manage cookies in your browser that Stripe uses for its functions. This works differently depending on which browser you are using. Please note, however, that if you do so the payment process may no longer work. We have now given you a general overview of Stripe’s data processing and retention. If you want more information, see Stripe’s detailed privacy policy is a good source.
The legal basis for the data processing is the fulfillment of the contract according to Article 6(1)(b) GDPR. Therefore, the privacy policy of the respective payment service provider applies
B. PAYPAL
You can choose to pay using PayPal in our online shop. PayPal is provided by PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. If you select PayPal as your payment method, your personal data will automatically be transmitted to PayPal. PayPal acts as an online payment service provider and payment processing takes place directly with PayPal.
We provide PayPal with our Merchant ID so the payment can be transferred to us. The personal data transmitted to PayPal is data related to the relevant order (first name, surname, address, email, IP address) or other data required to process the purchase contract (such as product, period of access, invoice amount, taxes and other billing information). After payment has been made, a feedback message is sent to our website to confirm the payment has been successful. The buyer can withdraw his or her consent for PayPal to handle personal data at any time. This withdrawal has no effect on the personal data that must be processed, used or transmitted for (contractual) payment processing. The applicable PayPal privacy policy can be found here. We have no knowledge of the storage period at PayPal and no ability to influence it. Paypal does not transmit any of your payment data to us.
The transmission of your data is necessary for payment processing via PayPal and is intended to confirm your identity and to administer your payment order. The legal basis for the aforementioned data processing is the fulfillment of the contract pursuant to Article 6(1)(b) GDPR

31 LINKS
Lengalia might contain links to other internet sites. We are not responsible for the private practices on other internet sites. We encourage our users to read through every privacy setting on every internet site individually before giving away any personal data.

32 AGE LIMIT FOR THE USE OF LENGALIA
The Lengalia offer is not aimed at children under 16 years of age. The Lengalia offer is also not offered to children whose age makes the processing of their personal data illegal or requires the consent of their parents to the processing of their personal data in accordance with the general data protection regulation (GDPR) or other local laws. It is also pointed out that persons under 18 years of age always require the permission of parents or legal guardians in order to use the service. If you are under 16 years of age, do not provide us with any personal data. If you are a parent of a child under the age limit and you notice that your child has submitted personal data to Lengalia, please contact us using the contact form.

33 DATA SECURITY
Lengalia takes adequate security measures to protect the user's data. When you enter confidential data (e.g. passwords) we encode them by using secure SSL technology. Lengalia employs safety precautions to guarantee that your data are protected against loss, modification or misuse. To this end, Lengalia works with constantly updated firewalls meeting the industry standard as well as other security systems. At the same time, the user should be aware of the fact that one hundred per cent protection against attacks cannot be guaranteed because of the continual appearance of new viruses and other means of attacking the protected data systems of internet services. Lengalia will instigate civil and criminal proceedings against any attack by hackers and the like and will inform the users of any cases in which their data have been compromised.

34 PUBLICATION AND AMENDMENTS
We reserve the right to change our privacy policy. Amendments which are not fundamental become effective right away. Fundamental amendments become effective within 30 days of being published on the Lengalia website. If we make any changes we will make them public and mark the date when the change becomes effective at the top of the website. If we make fundamental changes to these guidelines, we will alert you here, via email, or via an announcement on your homepage. We recommend that you regularly come back to these guidelines and re-read them so that you are always completely informed about our privacy policy.

35 INDIVIDUALS IN THE EEA
Over and above the aforementioned rights, you are entitled to submit a grievance with a relevant authority if you suspect a breach in our personal information handling procedures. We would be grateful if in the first instance you would contact us by email to allow us to investigate any misgivings.

36 CALIFORNIA AND NEVADA RESIDENTS (CCPA)
It is incumbent upon us to provide additional information to residents of California and Nevada regarding how their personal data is used and shared by us. If this applies to you, you may have additional rights regarding the way in which your data is used by us. We have laid out in the following section the details specific to California for your information. Under certain state laws, the way in which we disclose your personal information could be viewed as a 'sale' of personal information. Those who reside in California or Nevada are entitled to refuse the sale of their personal information. If you are able to provide proof of residency in California or Nevada, you can contact us via email to request you opt-out of any possible future sales under California and Nevada law. You will hear from us regarding your request as soon as is feasibly possible and within no more than 30 days. If we are unable to comply with this time period due to some unforeseen reason, we will inform you of this as soon as possible.
CA Personal Information
We gather specific categories and pieces of data regarding individuals that, in California, are viewed as "CA Personal Information". These are as follows:
. Direct and indirect identifiers such as full name, personal or professional contact details, home address, telephone number, email, unique personal identifier, IP, device and online activity data, sex, demographics, username and password to our website or service;
. Commercial information such as records of products or services purchased or obtained, or purchasing or consuming histories or tendencies;
. The sources from which the data was collected from you and other third parties, as per our Privacy Policy.
Use of CA Personal Information
CA Personal Information may be used by us for business or commercial purposes. Further details can be found in our Privacy Policy.
Use of CA Personal Information Sold or Disclosed For Business Purposes
Within the preceding 12-month period, it is possible that we have “sold” (as per the CCPA) some categories of CA Personal Information or disclosed CA Personal Information for business purposes.
California Consumer Rights
Residents of California may have the following rights to their CA Personal Information (exemptions may apply):
(i) The right to access the CA Personal Information we collect, use, share, or sell;
(ii) The right to deletion of the aforementioned CA Personal Information;
(iii) The right to refuse the sale of the CA Personal Information we hold;
(iv) The right to request details of the CA Personal Information we have "sold" (as per the CCPA) or shared for commercial purposes within the preceding 12-month period.
In compliance with applicable law, it may be necessary for us to retain some CA Personal Information and some specific CA Personal Information is required to allow us to adhere fully to our Privacy Policy.
Exercising California consumer rights
Residents of California who wish to exercise any of these rights must do one of the following:
(a) submit a request via our contact form;
(b) access their account to update any necessary information and/or to submit a request;
(c) contact us as per our Privacy Policy.
Once you have submitted your request, we may ask you to provide further details, such as proof of ID, to allow us to confirm your identity and corroborate your request. We do not accept responsibility for requests that are submitted incorrectly or that do not provide sufficient detail. You will not be discriminated against in the prices or products we offer you as a result of making a request regarding your rights to your CA Personal Information. It is important to remember that you are restricted by law to a certain number of requests per year.
Do Not Sell My Personal Information
If you are resident in California, you have the right to refuse the sale (as per the CCPA) of your CA Personal Information to a third party. Please contact us as per our Privacy Policy if you would like to exercise this right. If you choose to appoint a designated agent to submit a request on your behalf, they must provide us with written confirmation of this fact, including written authorization with your signature, proof of your identity, and confirmation of their identity; or, as required under the California Probate Code, a valid, designated power of attorney. We will contact you if further proof of authority is required or to confirm the request. We will never "sell" the CA Personal Information of persons under the age of 16 without proper, authorized consent.

Last updated and effective as of: February 1, 2024

get help