Privacy policy

  1. Introduction

Definitions according to Art. 4 DSGVO

We use the following terms, among others, in this Privacy Policy:

personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Person concerned

Data subject is any identified or identifiable natural person whose personal data are processed by the controller.

Processing

Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

Controller or person responsible for the processing

The controller or controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

Processor

Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.

Receiver

A recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law shall not be considered as recipients.

Third

Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.

Profiling

Profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Consent

Consent is any expression of will in the form of a declaration or other unambiguous affirmative action made voluntarily by the data subject in an informed and unambiguous manner for the specific case, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

  1. Responsibilities

The controller responsible for data processing on this website is:

Castella Nova Ltd.

Ring road 51

45219 Essen

Phone: +49 (0) 2054 104 99 40

E-mail: info@castellanova.com

The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, email addresses, etc.).

  1. Hosting

We host the content of our website with the following provider:

Strato

The provider is Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin (hereinafter referred to as "Strato"). When you visit our website, Strato records various log files including your IP addresses.

Further information can be found in Strato's privacy policy: https://www.strato.de/datenschutz/.

The use of Strato is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in ensuring that our website is displayed as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Order processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which ensures that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

 

 

  1. Legal basis of the processing

Below we inform you about the legal basis for the processing of personal data:

  • Section 6 (1) a) DSGVO (in conjunction with Section 25 (1) TTDSG) serves our company as the legal basis for processing operations in which we obtain consent for a specific processing purpose.
  • If the processing of personal data is necessary for the performance of a contract, Article 6 (1) (b) DSGVO serves as the legal basis. Processing purposes for this can be, for example, delivery of goods, provision of services or processing operations for the implementation of pre-contractual measures, such as inquiries about our products or services.
  • If our company is subject to a legal obligation by which a processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c) DSGVO.
  • The processing of personal data may also be necessary to protect the vital interests of the data subject or another natural person. In these cases, the processing is based on Art. 6 (1) d) DSGVO.
  • Processing operations based on Art. 6 (1) f) DSGVO serve to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if you are a customer of our company (recital 47 sentence 2 DSGVO).
  1. Storage duration

Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the deletion will take place after these reasons no longer apply.

  1. Data transfer to third parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only share your personal information with third parties if:

  • consent exists in accordance with Art. 6 (1) a) DSGVO,
  • the disclosure is permissible under Art. 6 (1) f) DSGVO to protect our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • in the event that a legal obligation exists for the disclosure pursuant to Art. 6 (1) c) DSGVO, as well as
  • this is legally permissible and necessary according to Art. 6 para. 1 lit. b) DSGVO for the processing of contractual relationships with you.

Notice of Processing of Your Data Collected on this Website in the U.S. by Third Party Services and Content

In the context of the processing operations described here, it is possible that personal data will be transferred to the USA. The European Court of Justice describes the USA as a country with an insufficient level of data protection according to EU standards (ECJ: Schrems II ruling). Your data could be viewed and processed by institutions such as the US authorities within the USA without any further control options. We have no influence on these processing activities. To protect your data, we have entered into commissioned processing agreements based on the European Commission's standard contractual clauses. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 (1) a) DSGVO may serve as the legal basis for the transfer to third countries. This sometimes does not apply in the case of a data transfer to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 DSGVO. Transfers to third countries are possible. So-called standard contractual clauses pursuant to Art. 46 DSGVO have been concluded as suitable guarantees. Further information can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu_de.

  1. Technology
  • SSL/TLS encryption

For security reasons and to protect the transmission of confidential content that you send to us as site operator, our website uses SSL or TLS encryption. This means that data that you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the "https://" address line of your browser and the lock symbol in the browser line.

  • Server log files

In server log files, the provider of the website automatically collects and stores information that your browser automatically transmits to us. This can be the following data:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources. It is required to display the content of our website correctly, to ensure the long-term functionality of the IT systems and to facilitate cooperation with law enforcement authorities in the event of a cyber attack. The basis for data processing is Art. 6 para. 1 lit. f) GDPR.

The processor used here is Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin.

  1. Use of cookies

This website uses so-called cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.

Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognized and identified via the unique cookie ID.

Through the use of cookies, it is possible to provide the users of this website with more user-friendly services that would not be possible without the cookie setting. On the other hand, we use cookies to statistically record the use of our website and to evaluate our offer for the purpose of optimizing it for you. These cookies enable us to automatically recognize that you have already visited our website when you visit it again. The cookies set in this way are automatically deleted after a defined period of time. The respective storage period of the cookies can be found in the settings of the consent tool used.

The data processed by the cookies, which are required for the proper functioning of the website, are thus necessary to protect our legitimate interests as well as those of third parties in accordance with Art. 6 para. 1 lit. f) DSGVO.

For all other cookies, you must have given your consent to this via our opt-in cookie banner within the meaning of Art. 6 (1) a) DSGVO.

  • Consent Tool

We use the consent management tool "Complianz GDPR/CCPA Cookie Consent" (Complianz) from Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands.

This allows us to obtain and manage your consent to process personal data.

Complianz automatically collects the following data through use:

  • Browser information,
  • Date and time of access,
  • Device information,
  • The URL of the visited page,
  • Banner language,
  • Consent ID,
  • The consent status of the end user, which serves as proof of consent

The status of your consent is stored within your web browser with which you visit our website. The retention period corresponds to the regular limitation period according to § 195 BGB. The data will be deleted after this period.

The functionality of the website is not guaranteed without the described processing. The user has no right to object as long as there is a legal obligation to obtain the user's consent to certain data processing operations (Art. 7 para. 1, 6 para. 1 sentence 1 lit. c GDPR).

Complianz is a recipient of your personal data and acts as a processor for us. The data processing takes place exclusively in the European Union.

Further information on the use of Complianz can be found at: https://complianz.io/legal/.

  1. Analysis tools
  • Google Analytics.

This website uses Google Analytics. Its provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies that enable an analysis of your use of our website. The information collected by means of the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

Google Analytics activates the anonymization of IP addresses by default. This shortens the IP address of the user so that no clear personal reference can be established.

Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your website visit, your user behavior is recorded in the form of "events". Events can be:

  • Page views
  • First visit to the website
  • Session start
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the end of the page (90%))
  • Clicks on external links
  • internal queries
  • Interaction with videos
  • File downloads
  • Ads seen / clicked
  • Language setting

Also recorded:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request

Processing purposes

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your anonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

The legal basis for the processing of your data is the consent you have given via the cookie consent tool (Art. 6 para. 1 sentence 1 lit. a) DSGVO). The consent can be revoked at any time.

Revocation

You can revoke your consent at any time with effect for the future by calling up the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may restrict functionalities on this and other websites. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google, by selecting

  1. do not give your consent to the setting of the cookie or
  2. Download and install a browser add-on to disable Google Analytics(https://tools.google.com/dlpage/gaoptout?hl=de).

You can find more information on the terms of use of Google Analytics and data protection at Google at https://support.google.com/analytics/answer/6004245?hl=de

and at https://policies.google.com/?hl=de.

  1. Presence in social networks

We are represented on certain social networks in order to offer you the opportunity to communicate with us. If you visit a page provided via these networks, we are jointly responsible with the provider of the respective platform for the processing operations triggered by this, within the meaning of Art. 26 GDPR.

We are not the original provider of these pages, but only use them within the scope of the possibilities offered to us by the respective providers.

We would therefore like to point out that user data may be processed outside the European Union without us being able to influence this.

The processing of personal data is based on the legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. If you have to give your consent to data processing as a user to the respective providers, the legal basis refers to Art. 6 para. 1 lit. a) GDPR in conjunction with Art. 7 GDPR. Art. 7 GDPR.

Data protection-relevant inquiries should be directed to the relevant providers of the platforms.

A list of the providers is presented below:

  • (Co-) Responsible for data processing in Europe:

LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland

Privacy policy: https://www.linkedin.com/legal/privacy-policy

  • (Co-) Responsible for data processing in Germany:

Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy policy: https://instagram.com/legal/privacy/

  1. Plugins and other services
  • Google WebFonts

Our website uses so-called WebFonts, which are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for the uniform display of fonts. When you call up a page, your browser loads the required WebFonts into its browser cache in order to display texts and fonts correctly.

For this purpose, the browser you use must connect to the servers on which the fonts are hosted. In principle, these are our own servers, so that third parties such as Google generally do not gain access to your personal Internet data for this purpose. However, due to the use of a content management system, various plug-ins are integrated on our site, some of which nevertheless establish a connection to Google and load the fonts from there. Through this, Google can gain knowledge that our website was accessed via your IP address.

The use of Google Web Fonts is in the interest of a uniform and appealing presentation of our website. This represents a legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f) DSGVO.

Further information on Google WebFonts and Google's privacy policy can be found at: https://developers.google.com/fonts/faq; https://www.google.com/policies/privacy/.

  • Font Awesome

This website uses fonts from Fonticons, Inc. for better display.

By embedding the fonts locally on our servers, there is no connection to servers of Fonticons, Inc.

Further information about Font Awesome can be found in the Font Awesome privacy policy at: https://fontawesome.com/privacy.

  1. Rights of the data subject
  • Right to information of the data subject according to Art. 15 DSGVO: Information about your data stored by us and its processing,
  • Right to rectification according to Art. 16 DSGVO: Correction of incorrect personal data,
  • Right to deletion according to Art. 17 DSGVO: Deletion of your data stored by us,
  • Right to restriction of processing according to Art. 18 DSGVO: Restriction of data processing if we are not yet allowed to delete your data due to legal obligations,
  • Right to data portability according to Art. 20 DSGVO: Data portability, provided that you have consented to the data processing or have concluded a contract with us,
  • Right of objection according to Art. 21 DSGVO: Object to the processing of your data by us,
  • Revocation of consent under data protection law: Revocation of consent to the processing of personal data at any time with effect for the future and
  • Complaint to a supervisory authority: Complaint to a supervisory authority responsible for data protection about our processing of personal data