Privacy policy

1. introduction

Definitions according to Art. 4 DSGVO

We use the following terms, among others, in this Privacy Policy:

personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Person concerned

Data subject is any identified or identifiable natural person whose personal data are processed by the controller.


Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

Controller or person responsible for the processing

The controller or controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.


Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller.


A recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law shall not be considered as recipients.


Third party means a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons authorized to process the personal data under the direct responsibility of the controller or the processor.


Profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.


Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.


Consent is any expression of will in the form of a declaration or other unambiguous affirmative action made voluntarily by the data subject in an informed and unambiguous manner for the specific case, by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.

2. responsibilities

The controller within the meaning of the General Data Protection Regulation (in short DSGVO) and other national data protection laws of the Member States as well as other data protection provisions is:

Castella Nova Ltd.

Ringstrasse 51
45219 Essen

Represented by: Stefan Agatz

Phone: +49 (0) 2054 104 99 40

If you have any questions about data protection, please send us an e-mail.

3. legal basis of the processing

Below we inform you about the legal basis for the processing of personal data:

  • Section 6 (1) a) DSGVO (in conjunction with Section 25 (1) TTDSG) serves our company as the legal basis for processing operations in which we obtain consent for a specific processing purpose.
  • If the processing of personal data is necessary for the performance of a contract, Article 6 (1) (b) DSGVO serves as the legal basis. Processing purposes for this can be, for example, delivery of goods, provision of services or processing operations for the implementation of pre-contractual measures, such as inquiries about our products or services.
  • If our company is subject to a legal obligation by which a processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 para. 1 lit. c) DSGVO.
  • The processing of personal data may also be necessary to protect the vital interests of the data subject or another natural person. In these cases, the processing is based on Art. 6 (1) d) DSGVO.
  • Processing operations based on Art. 6 (1) f) DSGVO serve to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if you are a customer of our company (recital 47 sentence 2 DSGVO).

4. storage period

We adhere to the principles of data avoidance and data economy. We therefore only store your personal data for as long as is necessary to achieve the purposes stated here or as stipulated by the various storage periods provided for by law. After the respective purpose has ceased to exist or these periods have expired, the corresponding data will be routinely blocked or deleted in accordance with the statutory provisions, provided that they are no longer required for the fulfillment or initiation of the contract.

5. data transmission to third parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only share your personal information with third parties if:

  • consent exists in accordance with Art. 6 (1) a) DSGVO,
  • the disclosure is permissible under Art. 6 (1) f) DSGVO to protect our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
  • in the event that a legal obligation exists for the disclosure pursuant to Art. 6 (1) c) DSGVO, as well as
  • this is legally permissible and necessary according to Art. 6 para. 1 lit. b) DSGVO for the processing of contractual relationships with you.

Notice of Processing of Your Data Collected on this Website in the U.S. by Third Party Services and Content

In the context of the processing operations described here, it is possible that personal data will be transferred to the USA. The European Court of Justice describes the USA as a country with an insufficient level of data protection according to EU standards (ECJ: Schrems II ruling). Your data could be viewed and processed by institutions such as the US authorities within the USA without any further control options. We have no influence on these processing activities. To protect your data, we have entered into commissioned processing agreements based on the European Commission's standard contractual clauses. If the standard contractual clauses are not sufficient to establish an adequate level of security, your consent pursuant to Art. 49 (1) a) DSGVO may serve as the legal basis for the transfer to third countries. This sometimes does not apply in the case of a data transfer to third countries for which the European Commission has issued an adequacy decision pursuant to Art. 45 DSGVO. Transfers to third countries are possible. So-called standard contractual clauses pursuant to Art. 46 DSGVO have been concluded as suitable guarantees. Further information can be found here:

6. technology

  • SSL/TLS encryption

For security reasons and to protect the transmission of confidential content that you send to us as site operator, our website uses SSL or TLS encryption. This means that data that you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the "https://" address line of your browser and the lock symbol in the browser line.

  • Server log files

In server log files, the provider of the website automatically collects and stores information that your browser automatically transmits to us. This can be the following data:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request
  • IP address

This data is not merged with other data sources. They are needed to display the contents of our website correctly, to ensure the permanent functionality of the IT systems and to facilitate cooperation and law enforcement authorities in the event of a cyber attack. The data processing is based on Art. 6 para. 1 lit. f) DSGVO.

The processor used here is Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin.

7. use of cookies

This website uses so-called cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser.

Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string of characters by which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This enables the visited Internet pages and servers to distinguish the individual browser of the data subject from other Internet browsers that contain other cookies. A specific internet browser can be recognized and identified via the unique cookie ID.

Through the use of cookies, it is possible to provide the users of this website with more user-friendly services that would not be possible without the cookie setting. On the other hand, we use cookies to statistically record the use of our website and to evaluate our offer for the purpose of optimizing it for you. These cookies enable us to automatically recognize that you have already visited our website when you visit it again. The cookies set in this way are automatically deleted after a defined period of time. The respective storage period of the cookies can be found in the settings of the consent tool used.

The data processed by the cookies, which are required for the proper functioning of the website, are thus necessary to protect our legitimate interests as well as those of third parties in accordance with Art. 6 para. 1 lit. f) DSGVO.

For all other cookies, you must have given your consent to this via our opt-in cookie banner within the meaning of Art. 6 (1) a) DSGVO.

  • Consent Tool

We use the consent management tool "Complianz GDPR/CCPA Cookie Consent" (Complianz) from Complianz B.V., Kalmarweg 14-5, 9723 JG Groningen, Netherlands.

This allows us to obtain and manage your consent to process personal data.

Complianz automatically collects the following data through use:

  • Browser information,
  • Date and time of access,
  • Device information,
  • The URL of the visited page,
  • Banner language,
  • Consent ID,
  • The consent status of the end user, which serves as proof of consent

The status of your consent is stored within your web browser with which you visit our website. The retention period corresponds to the regular limitation period according to § 195 BGB. The data will be deleted after this period.

The functionality of the website is not guaranteed without the described processing. There is no possibility for the user to object as long as there is a legal obligation to obtain the user's consent to certain data processing operations (Artt. 7 para. 1, 6 para. 1 p. 1 lit. c DSGVO).

Complianz is a recipient of your personal data and acts as a processor for us. The data processing takes place exclusively in the European Union.

For more information on using Complianz, visit:

8. analysis tools

  • Google Analytics.

This website uses Google Analytics. Its provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics uses cookies that enable an analysis of your use of our website. The information collected by means of the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

Google Analytics activates the anonymization of IP addresses by default. This shortens the IP address of the user so that no clear personal reference can be established.

Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by your browser as part of Google Analytics is not merged with other Google data.

During your website visit, your user behavior is recorded in the form of "events". Events can be:

  • Page views
  • First visit to the website
  • Session start
  • Your "click path", interaction with the website
  • Scrolls (whenever a user scrolls to the end of the page (90%))
  • Clicks on external links
  • internal queries
  • Interaction with videos
  • File downloads
  • Ads seen / clicked
  • Language setting

Also recorded:

  • Browser type and version
  • Operating system used
  • Referrer URL
  • Host name of the accessing computer
  • Time of the server request

Processing purposes

On behalf of the operator of this website, Google will use this information for the purpose of evaluating your anonymous use of the website and compiling reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

The legal basis for the processing of your data is the consent you have given via the cookie consent tool (Art. 6 para. 1 sentence 1 lit. a) DSGVO). The consent can be revoked at any time.


You can revoke your consent at any time with effect for the future by calling up the cookie settings and changing your selection there. The lawfulness of the processing carried out on the basis of the consent until the revocation remains unaffected.

You can also prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may restrict functionalities on this and other websites. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google, by selecting

  1. do not give your consent to the setting of the cookie or
  2. Download and install a browser add-on to disable Google Analytics(

For more information on Google Analytics' terms of use and Google's privacy policy, please visit

and at

9. presence in social networks

In order to offer you a possibility to communicate with us, we are represented in certain social networks. If you visit a page provided via these networks, we are jointly responsible for the processing operations triggered thereby, within the meaning of Art. 26 DSGVO, with the provider of the respective platform.

We are not the original provider of these pages, but only use them within the scope of the possibilities offered to us by the respective providers.

We would therefore like to point out that user data may be processed outside the European Union without us being able to influence this.

The processing of personal data is based on the legitimate interest according to Art. 6 para. 1 lit. f) DSGVO. If you have to give your consent to data processing as a user with the respective providers, the legal basis refers to Art. 6 para. 1 lit. a) DSGVO in conjunction with. Art. 7 DSGVO.

Data protection-relevant inquiries should be directed to the relevant providers of the platforms.

A list of the providers is presented below:

  • (Co-) Responsible for data processing in Europe:

LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland

Privacy policy:

  • (Co-) Responsible for data processing in Germany:

Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Privacy policy:

10. plugins and other services

  • Google WebFonts

Our website uses so-called WebFonts, which are provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for the uniform display of fonts. When you call up a page, your browser loads the required WebFonts into its browser cache in order to display texts and fonts correctly.

For this purpose, the browser you use must connect to the servers on which the fonts are hosted. In principle, these are our own servers, so that third parties such as Google generally do not gain access to your personal Internet data for this purpose. However, due to the use of a content management system, various plug-ins are integrated on our site, some of which nevertheless establish a connection to Google and load the fonts from there. Through this, Google can gain knowledge that our website was accessed via your IP address.

The use of Google Web Fonts is in the interest of a uniform and appealing presentation of our website. This represents a legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f) DSGVO.

Further information on Google WebFonts and Google's privacy policy can be found at:;

  • Font Awesome

This website uses fonts from Fonticons, Inc. for better display.

By embedding the fonts locally on our servers, there is no connection to servers of Fonticons, Inc.

For more information about Font Awesome, please see the Font Awesome Privacy Policy at:


11. rights of the data subject

  • Right to information of the data subject according to Art. 15 DSGVO: Information about your data stored by us and its processing,
  • Right to rectification according to Art. 16 DSGVO: Correction of incorrect personal data,
  • Right to deletion according to Art. 17 DSGVO: Deletion of your data stored by us,
  • Right to restriction of processing according to Art. 18 DSGVO: Restriction of data processing if we are not yet allowed to delete your data due to legal obligations,
  • Right to data portability according to Art. 20 DSGVO: Data portability, provided that you have consented to the data processing or have concluded a contract with us,
  • Right of objection according to Art. 21 DSGVO: Object to the processing of your data by us,
  • Revocation of consent under data protection law: Revocation of consent to the processing of personal data at any time with effect for the future and
  • Complaint to a supervisory authority: Complaint to a supervisory authority responsible for data protection about our processing of personal data