
Privacy Policy
Controller
SQUARES for Tomorrow GmbH
Badenheimer Straße 19
55576 Sprendlingen
Managing Director: Alfons Schwiderski
Email: info@squaresfortomorrow.com
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and references the individuals affected.
Types of Data Processed
- Master data
- Contact data
- Content data
- Usage data
- Meta, communication, and procedural data
- Log data
Categories of Affected Individuals
- Communication partners
- Users
Purposes of Processing
- Communication
- Security measures
- Reach measurement
- Organizational and administrative procedures
- Feedback
- Profiles with user-related information
- Provision of our online services and user-friendliness
- Information technology infrastructure
- Public relations
Relevant Legal Bases
Relevant legal bases under the GDPR: Below is an overview of the legal bases under the GDPR upon which we process personal data. Please note that, in addition to GDPR provisions, national data protection laws applicable in your or our country of residence may also apply. Should specific legal bases apply in individual cases, we will disclose them in the privacy policy.
- Consent (Art. 6(1)(a) GDPR): The individual has given consent for the processing of their personal data for one or more specific purposes.
- Performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract or for pre-contractual actions requested by the individual.
- Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary to protect the legitimate interests of the controller or a third party, provided these are not overridden by the individual’s rights and freedoms.
National data protection regulations in Germany: In addition to GDPR, Germany has national data protection regulations, including the Federal Data Protection Act (BDSG). This law provides specific provisions on access rights, deletion, objection rights, processing of special categories of personal data, and processing for other purposes or automated decision-making, including profiling. State-level data protection laws may also apply.
Note on the Applicability of GDPR and Swiss Data Protection Act (DSG): These privacy notices serve to inform under both the Swiss DSG and the GDPR. For simplicity and broader application, the terminology of the GDPR is used. However, terms are interpreted per the Swiss DSG when applicable.
General Information on Data Retention and Deletion
We delete personal data we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal grounds for processing. This applies to cases where the original processing purpose no longer exists or the data is no longer needed. Exceptions to this rule exist if legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on the retention and deletion of data specific to certain processing operations.
If multiple retention periods or deletion deadlines are specified for a datum, the longest period always applies.
If a period does not explicitly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships within which data is stored, the event triggering the period is the effective date of termination or other termination of the legal relationship.
Data that is no longer needed for the originally intended purpose but is retained due to legal requirements or other reasons is processed exclusively for the reasons justifying its retention.
Further Notes on Processing Operations, Procedures, and Services:
Retention and Deletion of Data: The following general periods apply for retention and archiving under German law:
- 10 years: Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding (§ 147 Abs. 1 Nr. 1 i.V.m. Abs. 3 AO, § 14b Abs. 1 UStG, § 257 Abs. 1 Nr. 1 i.V.m. Abs. 4 HGB).
- 8 years: Accounting records, such as invoices and expense receipts (§ 147 Abs. 1 Nr. 4 and 4a in conjunction with Abs. 3 Satz 1 AO, as well as § 257 Abs. 1 Nr. 4 in conjunction with Abs. 4 HGB).
- 6 years: Retention period for received commercial or business letters, copies of sent commercial or business letters, and other documents relevant to taxation, such as wage slips, operating accounting sheets, calculation documents, price lists, as well as payroll accounting documents, insofar as they are not already booking vouchers, and cash register strips (§ 147 Abs. 1 Nr. 2, 3, 5 i.V.m. Abs. 3 AO, § 257 Abs. 1 Nr. 2 u. 3 i.V.m. Abs. 4 HGB).
- 3 years: Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as related inquiries, based on previous business experiences and common industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Provision of Online Services and Web Hosting
We process user data to provide our online services. This includes processing the user’s IP address, which is necessary to deliver the contents and functionalities of our online services to their browser or device.
- Types of Data Processed: Usage data (e.g., page views, time spent on pages, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); Log data (e.g., log files related to logins, data retrievals, or access times); Content data (e.g., textual or visual messages and posts, including related information such as authorship and creation timestamps).
- Affected Individuals: Users (e.g., website visitors, online service users).
- Purposes of Processing: Providing our online offerings and ensuring user-friendliness; Maintaining the IT infrastructure (operation and provisioning of information systems and technical devices such as computers and servers); Implementing security measures.
- Retention and Deletion: Data is deleted in accordance with the information in the section “General Information on Data Retention and Deletion.”
- Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
Additional Notes on Processes, Procedures, and Services:
- Provision of Online Services on Rented Storage Space: We use storage space, computing capacity, and software from server providers (also known as “web hosts”) to deliver our online services.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
- Access Data and Log File Collection: Access to our online services is logged via “server log files.” These log files may include the address and name of accessed pages/files, date and time of access, data volumes transferred, success messages, browser type/version, user operating system, referrer URLs (previously visited pages), IP addresses, and the requesting provider. The log files serve security purposes, e.g., preventing server overloads (such as DDoS attacks), and help ensure server stability and performance.
Retention: Log file information is stored for up to 30 days and is then deleted or anonymized unless required as evidence.
Legal Basis: Legitimate Interests (Art. 6(1)(f) GDPR).
- WordPress.com: Hosting and software for creating, providing, and operating websites, blogs, and other online offerings;
Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://wordpress.com;
Privacy policy: https://automattic.com/de/privacy/;
Data processing agreement: https://wordpress.com/support/data-processing-agreements/;
Basis for third-country transfers: Data Privacy Framework (DPF).
Use of Cookies
The term “cookies” refers to functions that store and retrieve information on users’ devices. Cookies can be utilized for various purposes, such as ensuring the functionality, security, and convenience of online offerings, as well as analyzing visitor traffic. We use cookies in compliance with legal regulations. Where necessary, we obtain prior consent from users. If consent is not required, we rely on our legitimate interests. This applies when storing and retrieving information is essential to provide explicitly requested content and features, including saving settings and ensuring the functionality and security of our online offerings. Consent can be withdrawn at any time. We clearly inform users about the scope of consent and the cookies used.
Information on Data Protection Legal Bases: Whether we process personal data using cookies depends on user consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained in this section and in the context of the respective services and procedures.
Storage Duration: Regarding storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved, and preferred content can be displayed directly when the user revisits a website. Similarly, user data collected via cookies may be used for reach measurement. Unless we provide explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that these are permanent and that the storage duration can be up to two years.
General Information on Withdrawal and Objection (Opt-out): Users can withdraw their given consents at any time and also object to processing in accordance with legal requirements, including through their browser’s privacy settings.
- Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
- Affected Persons: Users (e.g., website visitors, users of online services).
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Further Information on Processing Activities, Procedures, and Services:
Processing of Cookie Data Based on Consent: We utilize a consent management solution to obtain users’ consent for the use of cookies or for the procedures and providers specified within the consent management solution. This process serves to collect, record, manage, and revoke consents, particularly concerning the use of cookies and similar technologies employed to store, read, and process information on users’ devices. Within this framework, users’ consents for the use of cookies and the associated processing of information—including specific processing activities and providers mentioned in the consent management procedure—are obtained. Users also have the option to manage and withdraw their consents. Consent declarations are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage occurs server-side and/or in a cookie (so-called opt-in cookie) or through comparable technologies to associate the consent with a specific user or their device. Unless specific information about the providers of consent management services is provided, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, stored along with the time of consent, details about the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and used device. Legal Basis: Consent (Art. 6 Para. 1 S. 1 lit. a) GDPR).
Contact and Inquiry Management
When you contact us (e.g., by mail, contact form, email, telephone, or via social media) or within existing user and business relationships, we process the information of the inquiring individuals as necessary to respond to contact inquiries and any requested measures.
- Types of Data Processed: Inventory data (e.g., full name, home address, contact information, customer number, etc.); Contact data (e.g., postal and email addresses or telephone numbers); Content data (e.g., textual or visual messages and contributions, including related information such as authorship details or creation time); Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals)
- Affected Persons: Communication partners.
- Purposes of Processing: Communication; Organizational and administrative procedures; Feedback (e.g., collecting feedback via online form); Provision of our online offer and user-friendliness
- Retention and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Retention and Deletion.”
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR)
Further Notes on Processing Procedures, Methods, and Services:
Contact Form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and handle the respective request. This typically includes information such as name, contact details, and any other information provided to us that is necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication.
Legal Bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR)
Web analysis, monitoring and optimization
Web analysis (also referred to as “reach measurement”) serves to evaluate the visitor flows of our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of reach analysis, we can, for example, determine when our online offering or its functions and content are most frequently used or encourage repeat use. It also enables us to identify areas that require optimization.
In addition to web analysis, we may employ testing procedures to evaluate and optimize different versions of our online offering or its components.
Unless otherwise specified below, profiles (i.e., data aggregated into a usage process) may be created and information stored in a browser or on a device and later read for these purposes. The collected information includes, in particular, visited websites and utilized elements, as well as technical details such as the browser used, the computer system employed, and usage times. If users have consented to the collection of their location data to us or to the providers of the services we use, processing of location data is also possible.
Furthermore, users’ IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no plain-text user data (such as email addresses or names) is stored within the scope of web analysis, A/B testing, and optimization; only pseudonyms are stored. This means that neither we nor the providers of the utilized software know the actual identity of the users, only the information stored in their profiles for the purposes of the respective procedures.
Notes on Legal Bases: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, users’ data are processed based on our legitimate interests (i.e., interest in efficient, economical, and recipient-friendly services). In this context, we also refer you to the information on the use of cookies in this privacy policy.
- Processed Data Types: Usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved individuals).
- Affected Persons: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, recognition of returning visitors); Profiles with user-related information (creating user profiles); Provision of our online offering and user-friendliness.
- Retention and Deletion: Deletion in accordance with the information in the section “General Information on Data Retention and Deletion”; storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods may be stored on users’ devices for up to two years).
- Security Measures: IP masking (pseudonymization of the IP address).
- Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further Information on Processing Activities, Procedures, and Services:
Google Analytics: We use Google Analytics to measure and analyze the usage of our online offerings based on a pseudonymous user identification number. This ID does not contain any personal data, such as names or email addresses. It helps associate analytical information with a specific device, allowing us to understand which content users have accessed during one or multiple sessions, which search terms they used, whether they revisited content, or how they interacted with our online offerings. Additionally, the time and duration of usage are recorded, along with the sources that referred users to our online offerings and technical details about their devices and browsers.
Pseudonymous user profiles are created using information from various devices, and cookies may be employed. For users in the EU, Google Analytics does not log or store individual IP addresses. Analytics provides approximate geographic location data by deriving the following metadata from IP addresses: city (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). For EU traffic, IP address data is used solely for this geolocation derivation before being immediately deleted. It is neither logged nor accessible and is not used for other purposes. When Google Analytics collects measurement data, all IP address queries are conducted on EU-based servers before the traffic is forwarded for processing to Analytics servers.
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Legal Basis: Consent (Art. 6(1)(a) GDPR).
Website: https://marketingplatform.google.com/intl/en/about/analytics/;
Security measures: IP masking (pseudonymization of IP addresses);
Privacy policy: https://policies.google.com/privacy;
Data processing agreement: https://business.safety.google/adsprocessorterms/;
Basis for third-country transfers: Data Privacy Framework (DPF);
Opt-out option: Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, settings for ad personalization: https://myadcenter.google.com/personalizationoff;
Further information: https://business.safety.google/adsservices/ (types of processing and data processed).
Social Media Presence
We maintain online presences within social networks and process user data in this context to communicate with active users or to offer information about us.
Please note that user data may be processed outside the European Union. This could pose risks for users, for example, by making it more difficult to enforce their rights.
Additionally, user data within social networks is generally processed for market research and advertising purposes. For instance, usage profiles can be created based on user behavior and resulting interests. These profiles may be used to display advertisements within and outside the networks that presumably align with users’ interests. Typically, cookies are stored on users’ devices, in which usage behavior and interests are saved. Moreover, data can be stored in the usage profiles regardless of the devices used by the users (especially if they are members of the respective platforms and are logged in).
For a detailed description of the respective processing forms and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.
In cases of information requests and the assertion of data subject rights, we also point out that these can be most effectively asserted with the providers. Only they have access to the user data and can directly take appropriate measures and provide information. Should you still need assistance, you can contact us.
- Processed Data Types: Contact data (e.g., postal and email addresses or phone numbers); content data (e.g., textual or visual messages and posts, including related information such as authorship details or creation timestamps); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions).
- Data Subjects: Users (e.g., website visitors, online service users).
- Purposes of Processing: Communication; feedback (e.g., collecting feedback via online form); public relations.
- Retention and Deletion: Deletion in accordance with the information provided in the section “General Information on Data Retention and Deletion.”
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR).
Further Information on Processing Activities, Procedures, and Services:
- Instagram: A social network that enables users to share photos and videos, comment on and favorite posts, send messages, and subscribe to profiles and pages.
Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.instagram.com
Privacy policy: https://privacycenter.instagram.com/policy/
Basis for third-country transfers: Data Privacy Framework (DPF).
- LinkedIn: A social network. We share responsibility with LinkedIn Ireland Unlimited Company for collecting (but not further processing) visitor data used to create “Page Insights” (statistics) of our LinkedIn profiles. This data includes information about the types of content users view or interact with, as well as their actions. Additionally, details about the devices used are collected, such as IP addresses, operating systems, browser types, language settings, and cookie data, as well as information from user profiles like job function, country, industry, seniority, company size, and employment status. Privacy information regarding LinkedIn’s processing of user data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
We have entered into a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum,” https://legal.linkedin.com/pages-joint-controller-addendum), which specifically outlines the security measures LinkedIn must adhere to and in which LinkedIn agrees to fulfill the rights of data subjects (i.e., users can, for example, direct requests for information or deletion directly to LinkedIn). The rights of users (especially the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection and transmission of the data to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly concerning the transfer of the data to the parent company LinkedIn Corporation in the USA.
Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Website: https://www.linkedin.com
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Basis for third-country transfers: Data Privacy Framework (DPF).
Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Definitions of Terms
This section provides an overview of the terminology used in this privacy policy. Where terms are legally defined, their statutory definitions apply. The following explanations are intended primarily to aid understanding.
- Inventory Data: Inventory data includes essential information necessary for the identification and management of contracting parties, user accounts, profiles, and similar associations. This data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions, or systems by enabling unique assignment and communication.
- Content Data: Content data encompasses information generated during the creation, editing, and publication of all types of content. This category may include texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data is not limited to the actual content but also includes metadata that provides information about the content itself, such as tags, descriptions, author information, and publication dates.
- Contact Data: Contact data comprises essential information that enables communication with individuals or organizations. This includes phone numbers, postal addresses, and email addresses, as well as communication means like social media handles and instant messaging identifiers.
- Meta, Communication, and Procedural Data: These categories contain information about how data is processed, transmitted, and managed. Metadata, also known as data about data, includes information that describes the context, origin, and structure of other data. This can include details like file size, creation date, document author, and modification histories. Communication data captures the exchange of information between users across various channels, such as email traffic, call logs, messages on social networks, and chat histories, including the parties involved, timestamps, and transmission paths. Procedural data describes the processes and workflows within systems or organizations, including workflow documentation, transaction and activity logs, and audit logs used for tracking and verifying operations.
- Usage Data: Usage data refers to information that captures how users interact with digital products, services, or platforms. This data encompasses a wide range of information that shows how users utilize applications, which features they prefer, how long they stay on certain pages, and the paths they navigate through an application. Usage data can also include frequency of use, activity timestamps, IP addresses, device information, and location data. It is particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content, and improving products or services. Additionally, usage data plays a crucial role in identifying trends, preferences, and potential problem areas within digital offerings.
- Personal Data: “Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with User-Related Information: The processing of “profiles with user-related information,” or simply “profiles,” includes any type of automated processing of personal data that involves using this personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (depending on the type of profiling, this can include various information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.). Cookies and web beacons are often used for profiling purposes.
- Log Data: Log data consists of information about events or activities that have been recorded in a system or network. This data typically includes information such as timestamps, IP addresses, user actions, error messages, and other details about the use or operation of a system. Log data is often used for analyzing system issues, security monitoring, or generating performance reports.
- Reach Measurement: Reach measurement (also known as web analytics) serves to evaluate the visitor flows of an online offering and can include the behavior or interests of visitors in certain information, such as website content. With the help of reach analysis, operators of online offerings can, for example, recognize when users visit their websites and which content they are interested in. This allows them to better tailor the content of the websites to the needs of their visitors. Pseudonymous cookies and web beacons are often used for reach analysis to recognize returning visitors and thus obtain more precise analyses of the use of an online offering.
- Controller: The “controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: “Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data, whether it be collection, evaluation, storage, transmission, or deletion.
Created with the free privacy policy generator by Dr. Thomas Schwenke