1. Responsible Party
df GmbH
Nymphenburger Str. 115
80636 München, Germany
Email: [email protected]
Managing Directors: Florian Pinger, Dr. Torsten Poeck
2. Privacy Officer
For questions regarding data protection, please contact our privacy officer at: Email: [email protected]
3. Overview of Data Processing
The following provides an overview of what types of personal data we process, the purposes for which we process it, and the categories of data subjects affected.
4. Legal Basis
We process personal data in accordance with the following legal bases of the GDPR:
• Legitimate interests (Art. 6(1)(f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights of the data subject.
• Contract performance (Art. 6(1)(b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is party.
5. Security Measures
We take appropriate technical and organizational measures to ensure a level of security commensurate with the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
Measures include:
• Encryption of data transmission (TLS/SSL)
• Secure server infrastructure
• Regular security updates
• Access control for personal data
6. Hosting
This website is hosted on dedicated servers located in Germany. We process user data to provide our online services. For this purpose, we process the IP address of the user, which is necessary to deliver the content and functions of our website to the user's browser or device.
Collected data:
• IP address (anonymized)
• Date and time of the request
• Content of the request (specific page)
• Access status / HTTP status code
• Amount of data transferred
• Browser type and version
• Operating system
• Referrer URL
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Storage duration: Log file data is deleted after a maximum of 30 days.
7. Cookies
This website uses only technically necessary cookies required for the operation of the website. No tracking cookies, analytics cookies, or advertising cookies are used. Technically necessary cookies are required for basic website functions and cannot be deactivated. They are usually only set in response to actions you take that amount to a service request, such as setting your language preferences.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
8. Web Analytics
We use a self-hosted web analytics solution (Umami) on our website to collect anonymized statistics about usage. This analysis serves to improve our offering and user-friendliness.
Privacy-friendly analysis without cookies:
• No cookies are set or read
• No persistent identification - visitors are not tracked across sessions
• IP anonymization - IP addresses are hashed and not stored in plain text
• No cross-site tracking - data is not linked with other websites
• Self-hosted - analytics data is stored on our own servers in the EU (Frankfurt)
Collected data (anonymized):
• Pages visited and time spent
• Referrer (where the visitor came from)
• Approximate location (country/region, based on anonymized IP)
• Device type, operating system, and browser (without unique identification)
• Time of visit
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). As no personal data within the meaning of the GDPR is processed (complete anonymization), no consent is required.
Storage duration: Anonymized analytics data is stored indefinitely for statistical purposes.
9. Contact
When you contact us (e.g. by email), your information is processed for the purpose of handling your inquiry.
• Data types processed: contact data, content data, usage data, meta/communication data
• Affected persons: communication partners
• Purpose: handling contact requests and communication
• Legal basis: Contract performance (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR)
10. Rights of Data Subjects
As a data subject under the GDPR, you have the following rights:
11. Supervisory Authority
You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.
Competent supervisory authority:
Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach
www.lda.bayern.de
12. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our data processing practices. We encourage you to review this page periodically. We will notify you if changes require your action (e.g. consent) or other individual notification.