Privacy Policy

Effective Date: July 15, 2025

Contents

• Controller
• Overview of Processing
• Applicable Legal Bases
• Security Measures
• Disclosure of Personal Data
• International Data Transfers
• General Information on Data Retention and Deletion
• Rights of Data Subjects
• Provision of the Online Offering and Web Hosting
• Use of Cookies
• Blogs and Publication Media
• Contact and Inquiry Management
• Web Analytics, Monitoring, and Optimization
• Social Media Presences
• Plug-ins and Embedded Functions and Content
• Management, Organization, and Assistance Tools

Controller

Frank Koall
5 Rue de Wentzwiller
68220 Hégenheim
France
Authorized representative: Managing Director
Email address: frank.koall@bslmed.ch

Overview of Processing

The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects involved.

Types of Data Processed:

• Inventory data
• Contact data
• Content data
• Usage data
• Meta, communication, and procedural data
• Log data

Categories of Data Subjects:

• Communication partners
• Users

Purposes of Processing:

• Fulfillment of contractual services and obligations
• Communication
• Security measures
• Audience measurement
• Tracking
• Office and organizational procedures
• Audience targeting
• Organizational and administrative processes
• Feedback
• Marketing
• User profiling
• Provision and user-friendliness of the online offering
• IT infrastructure
• Public relations

Applicable Legal Bases

Under the Swiss Data Protection Act (DSG):
If you are located in Switzerland, we process your data based on the Swiss Federal Act on Data Protection (“Swiss DSG”). Unlike the GDPR, the Swiss DSG generally does not require citing a specific legal basis. Instead, personal data must be processed in good faith, lawfully, and proportionately (Art. 6 (1) and (2) Swiss DSG). Moreover, we only collect personal data for a specific, identifiable purpose and process it in a manner compatible with that purpose (Art. 6 (3) Swiss DSG).

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

These measures include safeguarding the confidentiality, integrity, and availability of data through controls over physical and electronic access, input, transmission, backup, and separation. We also have procedures to respond to data threats, exercise data subject rights, and delete data as needed. Moreover, we factor data protection into the design and selection of hardware, software, and procedures, in line with data protection by design and by default.

IP Address Shortening (IP Masking):
If we or our service providers process IP addresses and full IPs are not necessary, we shorten them (e.g., by removing the last digits). This prevents or greatly complicates identification of individuals via their IP address.

TLS/SSL Encryption (HTTPS):
To protect user data transmitted through our online services, we use TLS/SSL encryption. These technologies secure data transmission between our website/app and the user’s browser (or between servers), and are signaled by “HTTPS” in the URL.

Disclosure of Personal Data

In the course of processing personal data, we may disclose or transmit such data to other entities, companies, legally independent organizational units, or individuals. This includes, for example, IT service providers or providers of services and content integrated into our website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements to protect your data.

Data Transfers Within the Organization:
We may share personal data internally within our organization for administrative purposes. This is based either on our legitimate business and economic interests or, where required, to fulfill contractual obligations, or if there is a legal basis or the data subject’s consent.

International Data Transfers

Data Processing in Third Countries:
If we transfer data to a third country (outside the EU or EEA) or allow third-party services to do so, we ensure compliance with legal requirements. This is apparent by the provider’s postal address or if the privacy policy explicitly mentions third-country transfers.

For transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), recognized by the EU Commission on July 10, 2023, as an adequate legal framework. In addition, we have concluded Standard Contractual Clauses (SCCs) with these providers, ensuring legal data protection obligations.

This dual protection ensures strong safeguards: the DPF serves as the primary layer, while SCCs act as a fallback in case of changes in the DPF framework.

You will be informed whether specific providers are DPF-certified and whether SCCs are in place. Details about the DPF and a list of certified companies can be found on the U.S. Department of Commerce website: https://www.dataprivacyframework.gov (English only).

Transfers to Other Third Countries:
We apply equivalent safeguards such as SCCs, explicit consent, or legally required disclosures. More info can be found on the EU Commission’s site:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de

Transfers Abroad under Swiss DSG:
Under Art. 16 of the Swiss DSG, we only transfer personal data abroad if the destination country ensures an adequate level of protection. If the Swiss Federal Council has not confirmed adequacy (list here), we apply alternative protective measures.

For U.S. data transfers, the Swiss Federal Council recognizes the DPF as adequate (June 7, 2024). We also use Standard Data Protection Clauses approved by the Swiss Data Protection and Information Commissioner (EDÖB).

Again, we apply a dual safeguard system (DPF + SCCs) for strong and resilient protection even if political or legal changes occur.

General Information on Data Retention and Deletion

We delete personal data in compliance with legal obligations once the purpose for processing ends, the legal basis no longer applies, or consent is withdrawn — unless retention is required for legal reasons or justified interests.

Exceptions:
Data may be retained longer if necessary for legal obligations (e.g., commercial or tax retention) or legal claims.

Retention Periods Under Swiss Law:

• 10 years: For accounting records, financial statements, inventories, reports, opening balances, vouchers, invoices, and all relevant working instructions and organizational documents (Art. 958f of the Swiss Code of Obligations).
• 10 years: For data relevant to potential liability or contract claims, unless a 5-year limitation period applies (e.g., rent, wages, food deliveries, hospitality, legal services, small goods sales) (Art. 127–128 OR).

When multiple retention periods exist, the longest applies. Data retained for compliance or legal protection is used only for that purpose.

Rights of Data Subjects

Rights under the GDPR (EU General Data Protection Regulation):

As a data subject, you have the following rights under Articles 15–21 of the GDPR:

• Right to Object:
  You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions.
  If your data is processed for direct marketing purposes, you have the right to object at any time to such processing — including profiling, to the extent that it relates to such direct marketing.
• Right to Withdraw Consent:
  You have the right to withdraw any consent you have given at any time.
• Right of Access:
  You have the right to obtain confirmation as to whether your personal data is being processed, and, if so, access to the data and additional information as specified by law, including a copy of the data.
• Right to Rectification:
  You have the right to request the rectification of inaccurate data and the completion of incomplete data.
• Right to Erasure and Restriction of Processing:
  You have the right to request the immediate deletion of your data or, alternatively, to request restriction of processing where provided by law.
• Right to Data Portability:
  You have the right to receive the personal data you provided in a structured, commonly used, and machine-readable format and to have it transmitted to another controller, where technically feasible.
• Right to Lodge a Complaint:
  You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or the place of the alleged infringement, if you believe the processing of your personal data violates the GDPR.

Rights under the Swiss Federal Data Protection Act (DSG):

If you are subject to the Swiss DSG, the following rights apply:

• Right to Information:
  You have the right to request confirmation of whether your personal data is being processed and to receive the information necessary to exercise your rights and ensure transparent data processing.
• Right to Data Disclosure or Transfer:
  You have the right to request a copy of the personal data you have provided, in a commonly used electronic format.
• Right to Rectification:
  You have the right to request correction of inaccurate personal data.
• Right to Object, Erasure, and Destruction:
  You have the right to object to the processing of your data and to request the deletion or destruction of your personal data.

Provision of the Online Offering and Web Hosting

We process users’ data to provide our online services. For this purpose, we process the users’ IP address, which is necessary to transmit content and functionalities of our online services to the user’s browser or device.

Types of Data Processed:

• Usage data: (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions)
• Meta, communication, and procedural data: (e.g., IP addresses, timestamps, identification numbers, involved individuals)
• Log data: (e.g., login logs, data access, access times)
• Content data: (e.g., textual or visual messages and posts, including author details or creation timestamps)

Categories of Data Subjects:

• Users (e.g., website visitors, users of online services)

Purposes of Processing:

• Provision of our online offering and user-friendliness
• IT infrastructure (operation and provisioning of information systems and technical equipment like computers, servers, etc.)
• Security measures
• Fulfillment of contractual services and obligations

Retention and Deletion:
See section “General Information on Data Retention and Deletion.”

Legal Bases:

• Legitimate interests (Art. 6(1)(f) GDPR)

Additional Details on Processing Activities and Services:

Access Logs and Server Log Files:
Access to our online offering is logged via “server log files.” These may include the address and name of accessed pages/files, date/time of access, data volumes transferred, success messages, browser type/version, operating system, referrer URL, and — generally — IP addresses and providers. These logs are used for:

• Security (e.g., defending against DDoS attacks)
• Server load monitoring and stability

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
Retention: Log data is stored for up to 30 days, then deleted or anonymized. If required for evidence, data may be retained until the issue is resolved.

Email Transmission and Hosting:
Our web hosting services include sending, receiving, and storing emails. This involves processing recipient/sender addresses, metadata (e.g., email service providers), and content. This may also include spam detection.

⚠️ Please note: Emails are generally not end-to-end encrypted on the internet. Transport encryption is common, but without end-to-end measures, emails are not protected on the sending or receiving servers. We cannot guarantee email confidentiality during transmission.

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)

1&1 IONOS:

• Service: Web hosting and IT infrastructure
• Provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Website: ionos.de
• Privacy Policy: Privacy Terms
• Data Processing Agreement: AV Contract

WordPress.com:

• Service: Website, blog, and online offering hosting
• Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Website: wordpress.com
• Privacy Policy: Automattic Privacy
• Data Processing Agreement: DPA
• Third-Country Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider)

Use of Cookies

The term “cookies” refers to technologies that store and read information on users’ end devices. Cookies can serve a variety of purposes, such as ensuring functionality, improving security and convenience, or analyzing visitor behavior.

We use cookies in accordance with legal requirements. Where necessary, we obtain users’ consent in advance. If consent is not required, we rely on our legitimate interests — particularly where storing and accessing information is essential for providing explicitly requested features (e.g., saving settings, ensuring functionality and security of our services).
Consent can be withdrawn at any time. We clearly inform users of the scope and purpose of cookies used.

Legal Basis for Processing with Cookies

Whether we process personal data via cookies depends on whether users have given their consent. If so, this is the legal basis (Art. 6(1)(a) GDPR). Otherwise, we rely on legitimate interests (Art. 6(1)(f) GDPR), as explained above.

Cookie Storage Durations

We distinguish between:

• Temporary cookies (session cookies):
  These are deleted once the user leaves the website or closes the app/browser.
• Permanent cookies:
  These remain stored after the browser is closed, e.g., to retain login status or preferences. They may also be used for analytics. Unless otherwise specified, such cookies may remain on the user’s device for up to two years.

Right to Withdraw and Object (Opt-out)

Users can withdraw consent at any time or object to processing, e.g., by changing browser privacy settings.

Types of Data Processed:

• Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, involved individuals)

Categories of Data Subjects:

• Users (e.g., website visitors, online service users)

Legal Bases:

• Legitimate interests (Art. 6(1)(f) GDPR)
• Consent (Art. 6(1)(a) GDPR)

Further Details on Processes and Services

Consent Management Platform:
We use a consent management tool to collect and manage users’ consent regarding cookies and similar technologies. This includes logging consent, enabling withdrawals, and linking consent to a specific user/device. Storage may be server-side and/or via a cookie (“opt-in cookie”).

Unless otherwise specified, consents are stored for up to two years, including:

• A pseudonymous user ID
• Timestamp of consent
• Scope of consent (e.g., cookie categories or providers)
• Browser/system/device data

Legal Basis: Consent (Art. 6(1)(a) GDPR)

Blogs and Publication Media

We operate blogs or similar online communication and publication platforms (hereinafter referred to as “publication media”). Users’ data is processed only to the extent necessary for presentation of the media and for communication between authors and readers, or for security purposes.

For all other data processing, please refer to the relevant sections of this privacy policy.

Types of Data Processed:

• Inventory data: (e.g., full names, home addresses, contact information, customer numbers)
• Contact data: (e.g., postal and email addresses, phone numbers)
• Content data: (e.g., text or image messages and contributions, including authorship and timestamps)
• Usage data: (e.g., page views, session duration, click paths, frequency and intensity of use, device types, OS, user interactions)
• Meta, communication, and procedural data: (e.g., IP addresses, timestamps, user IDs)

Categories of Data Subjects:

• Users (e.g., visitors to the blog or publication platform)

Purposes of Processing:

• Collecting feedback (e.g., through online forms)
• Provision and usability of the online offering
• Security measures
• Organizational and administrative tasks

Retention and Deletion:
See section “General Information on Data Retention and Deletion.”

Legal Basis:

• Legitimate interests (Art. 6(1)(f) GDPR)

Additional Information on Processing Activities:

Comments and Contributions:
If users leave comments or other posts, we may store their IP addresses based on our legitimate interests. This is to protect against illegal content (e.g., insults, prohibited political propaganda), since we could be held liable for such posts and thus have an interest in the author’s identity.

We may also process user information for spam detection purposes, and in case of surveys, to store IP addresses and set cookies to prevent multiple votes.

Information provided in comments and posts (including contact details and content) will be stored permanently until the user objects.

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)

Fetching WordPress Emojis and Smilies:
To efficiently display graphical elements in our blog, we load emojis (small graphics expressing emotions) from external servers. These providers log users’ IP addresses to deliver these emoji files to their browsers.

• Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Website: automattic.com
• Privacy Policy: Privacy Notice
• Data Processing Agreement: Provided by the service provider
• International Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses

Contact and Inquiry Management

When you contact us (e.g., by mail, contact form, email, phone, or via social media), or within the context of existing user or business relationships, we process the information you provide to the extent necessary to respond to your inquiries and any related actions.

Types of Data Processed:

• Inventory data: (e.g., full names, home addresses, contact details, customer numbers)
• Contact data: (e.g., postal and email addresses, phone numbers)
• Content data: (e.g., text or image messages and contributions, including authorship and timestamps)
• Usage data: (e.g., page views, click paths, session duration, device types, operating systems, content interactions)
• Meta, communication, and procedural data: (e.g., IP addresses, timestamps, identifiers, involved individuals)

Categories of Data Subjects:

• Communication partners

Purposes of Processing:

• Communication
• Organizational and administrative purposes
• Feedback collection (e.g., via online forms)
• Provision and usability of the online offering

Retention and Deletion:
See section “General Information on Data Retention and Deletion.”

Legal Bases:

• Legitimate interests (Art. 6(1)(f) GDPR)
• Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR)

Further Details on Processing Activities:

Contact Form:
When contacting us via form, email, or other communication channels, we process the personal data you provide to respond to your inquiry. Typically, this includes your name, contact information, and any further details you submit that are necessary to handle your request appropriately. This data is used only for the stated purpose.

Legal Bases:

• Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR)
• Legitimate interests (Art. 6(1)(f) GDPR)

FluentBooking:
To facilitate easy and direct appointment scheduling, we use the Fluent Booking plugin, hosted locally on our web server. Only the data you enter (e.g., name, email address, desired meeting time) is processed.
No data is transferred to third parties or to third countries.

• Provider: WPManageNinja LLC, installed locally with no external data transmission
• Legal Bases: Contract performance or pre-contractual measures (Art. 6(1)(b) GDPR); possibly legitimate interests (Art. 6(1)(f) GDPR)
• Retention: Data is deleted once the purpose for storage no longer applies, unless retention is legally required

Web Analytics, Monitoring, and Optimization

Web analytics (also known as “audience measurement”) serves to analyze visitor flows to our online offering. This may include behavior, interests, or demographic information such as age or gender, in pseudonymized form.
Audience analytics help us understand when our content or features are most used, and identify areas for improvement or reuse.

In addition to analytics, we may use testing tools to compare different versions of our services (A/B testing) to improve functionality or design.

Unless stated otherwise, we may:

• Create usage profiles by combining collected data
• Store information in users’ browsers or devices
• Read data about visited pages, clicked elements, browser/system info, and usage duration
• If granted, process users’ location data

We also store IP addresses. However, to protect user privacy, we use IP masking (anonymizing the last part of the IP address).
Neither we nor analytics providers store clear personal identifiers (e.g., names or email addresses); all data remains pseudonymous.

Legal Bases:

• If user consent is obtained, processing is based on Art. 6(1)(a) GDPR
• Otherwise, based on legitimate interests per Art. 6(1)(f) GDPR, i.e., efficient, user-friendly, and economical service delivery

Types of Data Processed:

• Usage data: (e.g., page views, duration, click paths, usage frequency, device types, OS, content interactions)
• Meta, communication, and procedural data: (e.g., IP addresses, timestamps, identifiers)

Categories of Data Subjects:

• Users (e.g., visitors to websites or online services)

Purposes of Processing:

• Audience measurement (e.g., access statistics, detecting returning users)
• User profiling (creating profiles based on usage behavior)

Retention and Deletion:
See section “General Information on Data Retention and Deletion”
Cookies and similar data may be stored on devices for up to 2 years, unless stated otherwise.

Security Measures:

• IP masking (pseudonymization of IP addresses)

Further Details on Services and Tools:

Jetpack (WordPress Stats):
Provides analytics for WordPress websites.

• Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland
• Legal Basis: Consent (Art. 6(1)(a) GDPR)
• Website: automattic.com
• Privacy Policy: Privacy Notice
• Data Processing Agreement: Provided by the service provider
• International Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses

Social Media Presences

We maintain online presences within social networks to communicate with users and share information about our services and organization.

Please note:
User data may be processed outside the European Union, which could lead to increased risks (e.g., reduced ability to enforce rights).

User data in social networks is typically processed for:

• Market research
• Advertising purposes

User behavior and interests may be used to create usage profiles, which in turn serve to display personalized ads — both within and outside the platforms. To achieve this, cookies are generally stored on users’ devices, storing behavioral and preference data.
Cross-device profiling may also occur (especially if users are logged in across devices).

For detailed information on processing methods and opt-out options, refer to the privacy policies of the respective platforms.

Please also note:
In case of data access requests or to exercise your data subject rights, it is most effective to contact the platform provider directly, as they control the data. If needed, we are happy to assist.

Types of Data Processed:

• Contact data: (e.g., postal/email addresses, phone numbers)
• Content data: (e.g., text or image messages and posts, authorship, timestamps)
• Usage data: (e.g., page views, click paths, device types, OS, interactions)

Categories of Data Subjects:

• Users (e.g., visitors to our social media pages or profiles)

Purposes of Processing:

• Communication
• Feedback collection (e.g., via forms)
• Public relations

Retention and Deletion:
See section “General Information on Data Retention and Deletion.”

Legal Basis:

• Legitimate interests (Art. 6(1)(f) GDPR)

Further Details on Platforms and Tools:

LinkedIn:
We share joint responsibility with LinkedIn Ireland for collecting certain data from page visitors (Page Insights), including:

• Content types viewed or interacted with
• User actions on the page
• Device info: IP address, OS, browser type, language, cookie data
• Profile data: job title, country, industry, seniority, company size, employment status

Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
Privacy Policy: LinkedIn Privacy
DPA & Joint Responsibility Addendum: LinkedIn DPA
International Transfers: Data Privacy Framework (DPF), Standard Contractual Clauses
Opt-out Option: LinkedIn Retargeting Settings

Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online services that are retrieved from the servers of their respective providers (referred to as “third-party providers”). These may include graphics, videos, maps, or other embedded content (hereafter “content”).

This integration always requires that the third-party providers process users’ IP addresses, as the content cannot be delivered to their browser without it. The IP address is therefore essential for displaying the content or functions.
We make efforts to only use content where providers use IP addresses solely for delivering the content.

Third-party providers may also use so-called pixel tags (invisible graphics or “web beacons”) for statistical or marketing purposes. These can analyze visitor traffic and may store pseudonymized data in cookies on the users’ device, including:

• Technical data (browser, OS, referring sites)
• Visit time
• Usage patterns
• Combined data from other sources

Legal Basis:

• If we ask for user consent: Art. 6(1)(a) GDPR
• Otherwise: legitimate interests (Art. 6(1)(f) GDPR)

Types of Data Processed:

• Usage data: (e.g., page views, duration, clicks, device type, OS, feature use)
• Meta, communication, and procedural data: (e.g., IP addresses, timestamps, user IDs)

Categories of Data Subjects:

• Users (e.g., visitors to websites or online services)

Purposes of Processing:

• Provision and usability of online services
• Audience measurement (e.g., visit stats, recognizing return users)
• Tracking (e.g., interest-based profiling, cookies)
• Audience targeting
• Marketing
• Creating user profiles

Retention and Deletion:
See section “General Information on Data Retention and Deletion.”
Cookies or similar technologies may be stored for up to 2 years unless stated otherwise.

Further Details on Services and Tools:

Embedding Third-Party Software, Scripts, or Frameworks (e.g., jQuery):
We include externally hosted software libraries (e.g., for visual design or usability). Providers may collect IP addresses to deliver scripts and may process data for security, analytics, or optimization.

Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)

LinkedIn Plug-ins and Content:
This includes share buttons or embedded content (images, videos, text).

• Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR)
• Privacy Policy: LinkedIn Privacy
• DPA: LinkedIn DPA
• International Transfers: DPF, Standard Contractual Clauses
• Opt-out: LinkedIn Retargeting Settings

YouTube Videos:
For embedded video content.

• Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
• Legal Basis: Consent (Art. 6(1)(a) GDPR)
• Website: youtube.com
• Privacy Policy: Google Privacy
• International Transfers: Data Privacy Framework (DPF)
• Opt-out: Ad Personalization Settings
• Analytics Opt-out Plugin: Google Opt-out Tool

Management, Organization, and Assistance Tools

We use services, platforms, and software from other providers (“third-party providers”) for purposes such as:

• Organizing and managing our internal operations
• Planning and executing services
• Supporting business processes

When selecting third-party services, we comply with applicable legal data protection regulations.

In this context, personal data may be processed and stored on the servers of these providers. This can include various types of data already mentioned in this privacy policy, especially:

• Master and contact data of users
• Data related to operations, contracts, workflows, and content

If users are referred to third-party platforms or software in the course of communication or business relationships with us, those providers may process usage and metadata for security, service optimization, or marketing purposes.
We recommend consulting the individual providers’ privacy policies for further details.

Types of Data Processed:

• Content data: (e.g., text or image messages and contributions, authorship, timestamps)
• Usage data: (e.g., page views, click paths, intensity and frequency of use, device types, OS, feature interactions)
• Meta, communication, and procedural data: (e.g., IP addresses, timestamps, IDs, involved persons)

Categories of Data Subjects:

• Communication partners
• Users (e.g., website visitors, online service users)

Purposes of Processing:

• Fulfillment of contractual services and obligations
• Office and administrative procedures

Retention and Deletion:
As stated in the section “General Information on Data Retention and Deletion.”

Legal Basis:

• Legitimate interests (Art. 6(1)(f) GDPR)