Privacy Policy

Preamble

With the following privacy policy, we would like to inform you which types of your personal data (hereinafter also referred to simply as “data”) we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as the “online offering”).

The terms used are not gender-specific.

Status: 9 September 2025

Table of Contents

• Preamble
• Controller
• Overview of Processing
• Relevant Legal Bases
• Security Measures
• Disclosure of Personal Data
• International Data Transfers
• General Information on Storage and Deletion
• Rights of Data Subjects
• Provision of the Online Offering and Web Hosting
• Use of Cookies
• Blogs and Publishing Media
• Newsletters and Electronic Notifications
• Web Analytics, Monitoring and Optimization
• Presence on Social Networks (Social Media)
• Plug-ins and Embedded Functions and Content
• Changes and Updates
• Definitions

Controller

Thomas John
Zum Breitfeld 71a
51503 Rösrath

Email: mail@ki-navigator.ai

Imprint: https://ki-navigator.ai/impressum

Overview of Processing

The following overview summarizes the types of data processed and the purposes for which they are processed and refers to the categories of data subjects.

Types of Data Processed

• Inventory data.
• Contact data.
• Content data.
• Usage data.
• Meta, communication and procedural data.
• Event data (Facebook).
• Log data.

Categories of Data Subjects

• Communication partners.
• Users.

Purposes of Processing

• Communication.
• Security measures.
• Direct marketing.
• Reach measurement.
• Tracking.
• Audience building.
• Feedback.
• Marketing.
• Profiles with user-related information.
• Provision of our online offering and user-friendliness.
• Information technology infrastructure.
• Public relations.

Relevant Legal Bases

Legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or seat. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains, inter alia, specific provisions regarding the right of access, the right to erasure, the right to object, processing of special categories of personal data, processing for other purposes and transmission as well as automated individual decision-making including profiling. State data protection laws may also apply.

Note on applicability of the GDPR and the Swiss FADP: These privacy notices serve to provide information both under the Swiss Federal Act on Data Protection (FADP) and the GDPR. For broader applicability and readability, the terms of the GDPR are used (e.g., “processing” of “personal data”, “legitimate interest”, “special categories of data”). The legal meaning of the terms under the FADP remains determined by the FADP.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

Measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, ensuring availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, deletion of data, and responses to data threats. We also take the protection of personal data into account during the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Securing online connections via TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. SSL and TLS are the cornerstones of secure data transmission on the internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by “HTTPS” in the URL.

Disclosure of Personal Data

In the course of processing personal data, it may happen that data is transmitted to other entities, companies, legally independent organizational units or persons, or disclosed to them. Recipients may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude contracts or agreements with the recipients that serve to protect your data.

International Data Transfers

Processing of data in third countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or this occurs in the context of using third-party services or disclosing/transmitting data to other persons, bodies, or companies (which can be recognized, for example, by the provider’s postal address or if this privacy policy explicitly refers to third-country transfers), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognized by an adequacy decision of the EU Commission on 10 July 2023. In addition, we have concluded Standard Contractual Clauses with the respective providers.

This dual safeguard ensures comprehensive protection of your data: The DPF forms the primary level of protection, while the Standard Contractual Clauses serve as an additional layer. Should changes occur with respect to the DPF, the Standard Contractual Clauses act as a fallback. Thus, your data remains adequately protected even in the event of political or legal changes.

For each service provider, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information on the DPF and a list of certified companies can be found at https://www.dataprivacyframework.gov/.

For transfers to other third countries, corresponding safeguards apply, in particular Standard Contractual Clauses, explicit consents, or legally required transfers. Information on third-country transfers and adequacy decisions is available from the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

General Information on Storage and Deletion

We delete personal data processed by us in accordance with legal requirements as soon as the underlying consents are revoked or there are no other legal bases for processing. This applies in cases where the original purpose no longer applies or the data is no longer needed. Exceptions exist where statutory obligations or particular interests require longer retention or archiving.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or the protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on retention and deletion that specifically apply to certain processing operations.

Where multiple retention periods are specified, the longest period is decisive. Data that is no longer required for the original purpose but is retained due to legal requirements or other reasons will be processed solely for the reasons justifying their retention.

Retention and deletion of data: The following general periods apply under German law:

• 10 years – retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and the working instructions and other organizational documents required to understand them (§ 147(1) No. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) No. 1 in conjunction with (4) HGB).
• 8 years – booking records, e.g., invoices and cost receipts (§ 147(1) Nos. 4 and 4a in conjunction with (3) sentence 1 AO; § 257(1) No. 4 in conjunction with (4) HGB).
• 6 years – other business documents such as received and sent business letters and other documents relevant for taxation (§ 147(1) Nos. 2,3,5 in conjunction with (3) AO; § 257(1) Nos. 2,3 in conjunction with (4) HGB).
• 3 years – data required to consider potential warranty and damages claims or similar contractual claims/rights and related inquiries, stored for the regular limitation period (§§ 195, 199 BGB).

Commencement of periods at year-end: If a period does not explicitly begin on a specific date and is at least one year, it starts at the end of the calendar year in which the triggering event occurred. For ongoing contractual relationships, the triggering event is termination or other ending of the relationship.

Rights of Data Subjects

Rights under the GDPR: As a data subject, you have various rights pursuant to Articles 15 to 21 GDPR, including:

• Right to object: You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, including profiling. Where personal data is processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling related to direct marketing.
• Right to withdraw consent: You may withdraw consent at any time.
• Right of access: You have the right to confirmation as to whether data concerning you is being processed and, where that is the case, access to the data and further information.
• Right to rectification: You have the right to the completion or correction of inaccurate data concerning you.
• Right to erasure and restriction of processing: You have the right to request the erasure of data concerning you or, alternatively, restriction of processing.
• Right to data portability: You have the right to receive the data you provided to us in a structured, commonly used and machine-readable format or to request its transmission to another controller.
• Right to lodge a complaint: You may lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement.

Provision of the Online Offering and Web Hosting

We process users’ data in order to provide our online services. For this purpose, we process users’ IP addresses, which are necessary to transmit the content and functions of our online services to the user’s browser or device.

• Data types processed: Usage data (e.g., page views, dwell time, click paths, usage intensity/frequency, device types and operating systems used, interactions with content/functions); meta, communication and procedural data (e.g., IP addresses, timestamps, IDs, parties involved). Log data (e.g., log files regarding logins, data retrievals, access times).
• Data subjects: Users (e.g., website visitors, users of online services).
• Purposes of processing: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices). Security measures.
• Retention and deletion: Deletion as set out in “General Information on Storage and Deletion”.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processes, procedures and services:

• Provision of the online offering on rented storage: We use storage, computing capacity and software supplied by a hosting provider; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).
• Collection of access data and log files: Access to our online offering is recorded in server log files (requested pages/files, date/time, data volume, success message, browser type/version, OS, referrer URL, IP addresses, requesting provider). Log files are used for security (e.g., to prevent DDoS attacks) and to ensure server load and stability; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Deletion: Log files are stored for a maximum of 30 days and then deleted or anonymized. Data required as evidence is excluded until final clarification.
• STRATO: Hosting and related services; Provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.strato.de; Privacy Policy: https://www.strato.de/datenschutz/. Data Processing Agreement: Provided by the provider.

Use of Cookies

“Cookies” refers to functions that store and read information on users’ devices. Cookies may serve different purposes, such as functionality, security and convenience of online offerings, and audience measurement. We use cookies in accordance with legal requirements. Where necessary, we obtain the user’s prior consent. Where consent is not required, we rely on legitimate interests, e.g., where storage/reading is essential to provide expressly requested content/functions (such as storing settings and ensuring functionality/security). Consent can be withdrawn at any time. We provide clear information on scope and which cookies are used.

Notes on legal bases: Whether we process personal data via cookies depends on consent. If consent is given, it is the legal basis. Without consent, we rely on our legitimate interests as outlined here and in the context of the respective services and procedures.

Storage duration: We distinguish between:

• Temporary (session) cookies: Deleted at the latest after the user leaves our online offering and closes their device (e.g., browser/app).
• Persistent cookies: Remain stored after closing the device (e.g., login status, preferred content). Unless otherwise stated, assume up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw consent at any time and also declare an objection to processing in accordance with legal requirements, including via their browser privacy settings.

• Data types processed: Meta, communication and procedural data (e.g., IP addresses, timestamps, IDs, parties involved).
• Data subjects: Users.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).

Further notes on processes, procedures and services:

• Processing of cookie data based on consent: We use a consent management solution to collect, log, manage and withdraw consents, particularly for cookies and similar technologies. Consents are stored server-side and/or in an opt-in cookie or via comparable technologies to assign consent to a specific user/device. Unless otherwise stated, storage duration is up to two years. A pseudonymous user identifier, the time of consent, scope of consent (e.g., categories/services), and information about browser/system/device are stored; Legal bases: Consent (Art. 6(1)(a) GDPR).

Blogs and Publishing Media

We use blogs or comparable online communication and publishing media (“publishing media”). Readers’ data is processed only to the extent necessary for presentation and communication between authors and readers or for security reasons. Otherwise, see the general information in this privacy policy.

• Data types processed: Inventory data; contact data; content data; usage data; meta, communication and procedural data.
• Data subjects: Users.
• Purposes of processing: Feedback (e.g., collecting feedback via online form). Provision of our online offering and user-friendliness.
• Retention and deletion: As set out in “General Information on Storage and Deletion”.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (“newsletter”) only with recipients’ consent or a legal basis. Where contents are specified during signup, they are decisive for consent. Usually, your email address is sufficient to subscribe. To provide a personalized service, we may ask for your name for a personal salutation or other information if necessary for the newsletter’s purpose.

Deletion and restriction: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests in order to prove previously given consent. Processing of this data is limited to potential defense of claims. Individual deletion is possible at any time if the former existence of consent is confirmed. Where we must permanently observe objections, we store the email address for this purpose alone in a “blocklist”.

Logging of the signup process occurs on the basis of our legitimate interests to prove proper procedures. If we commission a service provider with sending emails, this is based on our legitimate interests in an efficient and secure dispatch system.

Information about us, our services, campaigns and offers.

• Data types processed: Inventory data; contact data; meta, communication and procedural data.
• Data subjects: Communication partners.
• Purposes of processing: Direct marketing (e.g., by email or post).
• Legal bases: Consent (Art. 6(1)(a) GDPR).
• Opt-out: You can unsubscribe at any time using the link at the end of each newsletter or via the contact options above (preferably email).

Web Analytics, Monitoring and Optimization

Web analytics (also “reach measurement”) serves to evaluate visitor flows to our online offering and may include behavior, interests or demographic information (e.g., age, gender) as pseudonymous values. Analytics helps us identify when our online offering and its functions/content are used most often and which areas require optimization.

We may also use testing procedures (A/B tests) to test and optimize different versions of our online offering or its components.

Unless otherwise stated, profiles may be created for these purposes, and information stored on a browser/device may be saved and then read. Data collected includes visited websites and elements used, as well as technical information such as browser, system, and usage times. If users consent to location data collection, such data may also be processed.

IP addresses are stored but we use IP masking (pseudonymization by truncation). Generally, no clear data (such as names or emails) are stored for analytics/A-B testing/optimization; only pseudonyms.

Legal bases: If we ask for consent to use third-party providers, the legal basis is consent; otherwise, processing is based on our legitimate interests (efficient, economical and recipient-friendly services). See also the section “Use of Cookies”.

• Data types processed: Usage data; meta, communication and procedural data.
• Data subjects: Users.
• Purposes of processing: Reach measurement; profiles with user-related information; provision of our online offering and user-friendliness.
• Retention and deletion: As per “General Information on Storage and Deletion”. Cookies may be stored for up to two years unless otherwise noted.
• Security measures: IP masking.
• Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processes, procedures and services:

• Google Analytics: We use Google Analytics to measure and analyze the use of our online offering based on a pseudonymous user ID (no names/emails). Cookies may be used. For EU traffic, IP addresses are not logged or stored; coarse location is derived and the IP is then deleted. IP lookups occur on EU-based servers before traffic is processed; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: https://marketingplatform.google.com/intl/de/about/analytics/; Security: IP masking; Privacy: https://policies.google.com/privacy; DPA: https://business.safety.google/adsprocessorterms/; Transfer basis: DPF, Standard Contractual Clauses (https://business.safety.google/adsprocessorterms); Opt-out: Opt-out add-on, ad settings: My Ad Center. More info: https://business.safety.google/adsservices/.

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data to communicate with users active there or to provide information about us.

We point out that user data may be processed outside the EU. This may pose risks (e.g., more difficult enforcement of rights).

User data in social networks is usually processed for market research and advertising purposes (profiles based on usage behavior/interests; ads inside and outside the networks; cookies used; cross-device storage for members logged in).

For details on processing and opt-out options, please see the privacy policies of the respective networks.

In the case of access requests and the exercise of data subject rights, we also point out that these are most effectively asserted with the providers. Only they have access to user data. If you still need help, contact us.

• Data types processed: Contact data; content data; usage data.
• Data subjects: Users.
• Purposes of processing: Communication; feedback; public relations.
• Retention and deletion: As per “General Information on Storage and Deletion”.
• Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processes, procedures and services:

• Instagram: Social network; Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy: https://privacycenter.instagram.com/policy/. Transfer basis: DPF.
• Facebook Pages: Joint controllership with Meta Platforms Ireland Limited regarding collection/transfer of “event data” for our fanpage insights; see Facebook policy: https://www.facebook.com/privacy/policy/, and joint controllership addendum: link, page insights data info: link; Provider: Meta Platforms Ireland Limited; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Transfer basis: DPF, SCCs (link).
• LinkedIn: Joint controllership with LinkedIn Ireland Unlimited Company for “Page Insights”; details and addendum: link; Privacy: policy; DPA: link; Transfer basis: DPF, SCCs; Opt-out: link.
• YouTube: Social network and video platform; Provider: Google Ireland Limited; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Privacy: policy; Transfer basis: DPF; Opt-out: My Ad Center.

Plug-ins and Embedded Functions and Content

We integrate functional and content elements obtained from the servers of their respective providers (“third parties”) (e.g., graphics, videos, maps).

Integration always requires that third parties process users’ IP addresses, since without the IP they cannot send the content to the user’s browser. We strive to use only content whose providers use the IP address solely to deliver the content. Third parties may also use pixel tags for statistics/marketing. Pseudonymous information may be stored in cookies and include technical data and usage info and may be combined with information from other sources.

Legal bases: Where we request consent for third-party use, the legal basis is consent; otherwise, processing is based on our legitimate interests. See also “Use of Cookies”.

• Data types processed: Usage data; meta, communication and procedural data. Event data (Facebook).
• Data subjects: Users.
• Purposes of processing: Provision of our online offering and user-friendliness; reach measurement; tracking; audience building; marketing; profiles with user-related information.
• Retention and deletion: As per “General Information on Storage and Deletion”. Cookies may be stored up to two years unless otherwise noted.
• Legal bases: Consent (Art. 6(1)(a) GDPR). Legitimate interests (Art. 6(1)(f) GDPR).

Further notes on processes, procedures and services:

• Facebook plug-ins and content: Social plug-ins and content (e.g., share buttons, embedded posts). Joint controllership with Meta for collection/receipt of event data for certain purposes (interest-based content/ads, messages, personalization). Controller addendum: link, data security terms: link, DPA: link, EU transfer addendum: link; Provider: Meta Platforms Ireland Limited; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: facebook.com; Privacy: policy; Transfer basis: DPF.
• Google Fonts (served from Google): Retrieval of fonts/icons to ensure secure, maintenance-free and efficient use. The provider receives the user’s IP and necessary technical data. According to Google, IPs are not logged/stored for EU visitors. Provider: Google Ireland Limited; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: fonts.google.com; Privacy: policy; Transfer basis: DPF; More info: FAQ.
• Instagram plug-ins and content: As above under Instagram; joint controllership for event data collection; controller addendum: link; Provider: Meta Platforms Ireland Limited; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: instagram.com; Privacy: policy.
• LinkedIn plug-ins and content: Share/embed functions; Provider: LinkedIn Ireland Unlimited Company; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: linkedin.com; Privacy: policy; DPA: link; Transfer basis: DPF, SCCs; Opt-out: link.
• YouTube videos: Video content; Provider: Google Ireland Limited; Legal bases: Consent (Art. 6(1)(a) GDPR); Website: youtube.com; Privacy: policy; Transfer basis: DPF; Opt-out: add-on, My Ad Center.

Changes and Updates

Please review the content of our privacy policy regularly. We will adapt the privacy policy as soon as changes in our data processing make this necessary. We will inform you if your cooperation (e.g., consent) or other individual notification is required due to the changes.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that addresses may change over time; please verify before contacting them.

Definitions

Below is an overview of terms used in this privacy policy. Where terms are legally defined, the legal definitions apply. The explanations below serve understanding.

• Inventory data: Core information used to identify/manage contractual partners, user accounts, profiles and similar assignments (e.g., names, contact info, dates of birth, user IDs).
• Content data: Information generated in the creation, editing and publication of all kinds of content (texts, images, videos, audio, metadata, tags, descriptions, authorship, publication dates).
• Contact data: Information enabling communication (phone numbers, postal and email addresses, social media handles, messaging IDs).
• Meta, communication and procedural data: Data describing context/origin/structure of other data, communication exchanges (participants, timestamps, channels), and process/transaction/audit logs.
• Usage data: Information capturing how users interact with digital products/services (page paths, dwell time, features used, frequency, IP, device info, location, timestamps).
• Personal data: Any information relating to an identified or identifiable natural person.
• Profiles with user-related information: Automated processing to analyze/evaluate/predict personal aspects (e.g., interests, behavior). Often uses cookies/web beacons.
• Log data: Information about events/activities recorded in a system (timestamps, IPs, actions, errors) for analysis/security/performance.
• Reach measurement: Evaluation of visitor flows and interests to adapt content to needs (often using pseudonymous cookies/web beacons).
• Tracking: Following user behavior across online offerings (profiles used for interest-based ads etc.).
• Controller: The natural or legal person determining purposes and means of processing personal data.
• Processing: Any operation performed on personal data (collection, storage, transmission, deletion, etc.).
• Audience building (Custom Audiences): Defining target groups for advertising; “lookalike audiences” are similar profiles to existing groups.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke