Privacy Policy

As of: 20 April 2025

Controller

COMMERCEWERK
Hansjakobstraße 113
81825 München

Authorized Representatives: Marko Antolovic

Email address: support@commercewerk.de

Imprint: https://commercewerk.de/imprint

Overview of Data Processing

The following overview summarizes the types of data processed, their purposes, and the data subjects involved.

Types of Processed Data

  • Master data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and procedural data.
  • Log data.

Categories of Data Subjects

  • Service recipients and clients.
  • Prospects.
  • Communication partners.
  • Users.
  • Business and contractual partners.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Communication.
  • Security measures.
  • Office and organizational procedures.
  • Organizational and administrative procedures.
  • Feedback.
  • Registration procedure.
  • Provision of our online services and user-friendliness.
  • Business processes and economic procedures.

Applicable Legal Bases

Applicable legal bases under the GDPR: Below is an overview of the legal bases of the GDPR upon which we process personal data. Please note that in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or business. If there are specific legal bases that apply in individual cases, we will inform you in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) - The data subject has consented to the processing of their personal data for a specific purpose or purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of the data subject.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) - Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not override those interests.

National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection laws in Germany may apply. In particular, this includes the Federal Data Protection Act (BDSG), which contains special provisions regarding the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission of data as well as automated decision-making, including profiling. Additionally, the data protection laws of individual federal states may apply.

Notice regarding the applicability of the GDPR and Swiss Data Protection Act (DSG): These privacy notices are intended to inform both under the Swiss DSG and the GDPR. Therefore, please note that the terms used in the GDPR are applied due to their broader spatial application and understanding. Specifically, instead of terms used in the Swiss DSG such as "processing" of "personal data," "overriding interest," and "particularly sensitive personal data," the terms used in the GDPR, such as "processing" of "personal data" and "legitimate interest" and "special categories of data," are used. However, the legal meaning of these terms continues to be determined under the Swiss DSG for its scope.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the different probabilities and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access to, input of, and transmission of the data, safeguarding its availability, and its separation. Furthermore, we have implemented procedures that ensure the exercise of data subject rights, data erasure, and responses to data threats. Additionally, we consider the protection of personal data already in the design or selection of hardware, software, and procedures according to the principle of data protection by design and by default.

General Information on Data Storage and Deletion

We delete personal data we process in accordance with legal provisions as soon as the underlying consents are withdrawn or no further legal grounds for processing exist. This applies to cases where the original processing purpose is no longer relevant, or the data is no longer required. Exceptions exist where legal obligations or special interests require a longer retention or archiving of data.

In particular, data that must be stored for commercial or tax reasons or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on data retention and deletion specific to certain processing activities.

If there are multiple retention periods or deletion deadlines for a particular type of data, the longest period applies.

If a period does not explicitly start on a particular date and is at least one year long, it automatically begins at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships where data is stored, the triggering event is the date on which the termination or other cessation of the legal relationship becomes effective.

Data that is no longer required for its original purpose but must be stored due to legal requirements or other reasons will be processed only for the purposes that justify their retention.

Additional Notes on Processing Procedures, Services, and Data:

  • Retention and Deletion of Data: The following general retention periods apply under German law:
    • 10 years - Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and other necessary working instructions and organizational documents (§ 147 para. 1 no. 1 in conjunction with para. 3 AO, § 14b para. 1 UStG, § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
    • 8 years - Accounting records such as invoices and expense receipts (§ 147 para. 1 no. 4 and 4a in conjunction with para. 3 sentence 1 AO and § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
    • 6 years - Other business documents: received trade or business correspondence, copies of sent trade or business letters, and other documents that are important for taxation, e.g., hourly wage slips, operating accounting forms, calculation documents, price labeling, but also payroll documents, as far as they are not already accounting records or cash register slips (§ 147 para. 1 no. 2, 3, 5 in conjunction with para. 3 AO, § 257 para. 1 no. 2 and 3 in conjunction with para. 4 HGB).
    • 3 years - Data required to handle potential warranty and compensation claims or similar contractual claims and rights, based on previous business experience and standard industry practices, are stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly under Articles 15 to 21 GDPR:

  • Right to Object: You have the right to object, at any time, to the processing of your personal data based on Article 6 para. 1 lit. e or f GDPR, for reasons related to your particular situation. This also applies to profiling based on these provisions. If your personal data is being processed for direct marketing purposes, you also have the right to object to the processing of your personal data for such marketing at any time, including profiling related to such marketing.
  • Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.
  • Right to Access: You have the right to request confirmation as to whether your data is being processed, as well as access to your data and further information in accordance with legal requirements.
  • Right to Rectification: You have the right to request the completion or rectification of inaccurate data concerning you in accordance with legal requirements.
  • Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to request the immediate deletion of personal data concerning you, or alternatively, to request the restriction of processing.
  • Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to us, in a structured, commonly used, and machine-readable format, or to request the transmission of the data to another controller, in accordance with legal requirements.
  • Right to Lodge a Complaint with a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, especially in the member state of your habitual residence, place of work, or the place of the alleged infringement, if you believe that the processing of your personal data infringes the GDPR.

Business Services

We process data of our contractual and business partners, e.g., customers and prospects (collectively referred to as "contract partners"), within the scope of contractual and comparable legal relationships as well as related measures, and in regard to communication with the contract partners (or pre-contractual), such as answering inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the duties to provide the agreed services, any update obligations, and remedies for warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative tasks related to these obligations, as well as company organization. In addition, we process the data based on our legitimate interests, both in proper and business-oriented management of the company, as well as for security measures to protect our contract partners and our business operations against misuse, threats to their data, secrets, information, and rights (e.g., involving telecommunications, transportation, and other auxiliary services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities). In accordance with applicable law, we will only share contract partner data with third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contract partners will be informed about other forms of processing, such as for marketing purposes, within the scope of this privacy policy.

We inform contract partners, prior to or during data collection (e.g., in online forms), about which data is required for the aforementioned purposes, such as through special markings (e.g., colors) or symbols (e.g., asterisks, etc.), or personally.

We delete the data after the statutory warranty and comparable obligations have expired, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for legal archival purposes (usually ten years for tax purposes). Data that has been disclosed to us by the contract partner within the scope of an order will be deleted in accordance with the provisions and, in principle, after the completion of the order.

  • Processed Data Types: Master data (e.g., full name, residential address, contact information, customer number, etc.); payment data (e.g., bank details, invoices, payment history); contact data (e.g., postal and email addresses or phone numbers); contract data (e.g., subject of the contract, term, customer category); usage data (e.g., page views and duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions). Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
  • Affected Persons: Service recipients and clients; prospects. Business and contract partners.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; communication; office and organizational procedures; organizational and administrative procedures. Business processes and business management procedures.
  • Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".
  • Legal Bases: Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legal obligations (Art. 6 para. 1 sentence 1 lit. c GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Additional Information on Processing Procedures, Methods, and Services:

  • Online Shop, Order Forms, E-Commerce, and Delivery: We process the data of our customers to enable them to select, purchase, or order the chosen products, goods, and associated services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, particularly postal, shipping, and courier companies, to carry out the delivery or execution for our customers. For payment processing, we use the services of banks and payment service providers. The required information is marked as such during the order or similar purchase process and includes the data necessary for delivery, provision, and billing, as well as contact details for any follow-up communications; Legal Bases: Fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).

Use of Cookies

The term "cookies" refers to functions that store and read information on users' devices. Cookies can serve different purposes, such as ensuring the functionality, security, and convenience of online services, as well as creating analytics of visitor flows. We use cookies in accordance with legal regulations. To do so, we obtain users' consent in advance if required. If consent is not necessary, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, storing settings and ensuring the functionality and security of our online service. Consent can be revoked at any time. We clearly inform users about the scope of cookies used.

Notes on Data Protection Legal Grounds: Whether we process personal data using cookies depends on consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained earlier in this section and in the context of the respective services and procedures.

Retention Period: Regarding retention duration, the following types of cookies are distinguished:

  • Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest when a user leaves an online service and closes their device (e.g., browser or mobile application).
  • Permanent Cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be stored, and preferred content can be directly displayed when the user revisits a website. Additionally, user data collected via cookies may be used for reach measurement. If we do not provide explicit information regarding the type and retention duration of cookies (e.g., during consent collection), users should assume that they are permanent and that the retention period may be up to two years.

General Notes on Revocation and Objection (Opt-out): Users can revoke their given consent at any time and also object to the processing in accordance with legal provisions, including via the privacy settings of their browser.

  • Processed Data Types: Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Additional Information on Processing Procedures, Methods, and Services:

  • Processing of Cookie Data Based on Consent: We use a consent management solution where users' consent for the use of cookies or the procedures and providers mentioned in the consent management solution is obtained. This procedure is used to collect, log, manage, and revoke consent, especially regarding the use of cookies and similar technologies that store, read, and process information on users' devices. In this process, users' consents for the use of cookies and associated processing of information, including the specific processes and providers named in the consent management process, are obtained. Users also have the option to manage and revoke their consent. The consent declarations are stored to avoid re-querying and to be able to prove the consent in accordance with legal requirements. The storage occurs server-side and/or in a cookie (so-called opt-in cookie) or using similar technologies to associate the consent with a specific user or their device. If no specific details are available about the providers of consent management services, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and used device; Legal Bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Registration, Login, and User Account

Users can create a user account. During the registration process, the users are informed about the required mandatory information, and the data is processed for the purpose of providing the user account based on contractual obligations. The processed data includes, in particular, login information (username, password, and an email address).

As part of using our registration and login features as well as the use of the user account, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests as well as those of the users in protection against abuse and other unauthorized use. This data is generally not passed on to third parties unless it is necessary to assert our claims or there is a legal obligation to do so.

Users may be informed by email about activities relevant to their user account, such as technical changes.

  • Processed Data Types: Master data (e.g., full name, address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); content data (e.g., text or image messages and posts, and related information such as authorship or creation time); usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Log data (e.g., log files related to logins or data retrieval or access times).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; organizational and administrative procedures. Provision of our online offer and user-friendliness.
  • Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion." Deletion after termination.
  • Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR). Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Further Information on Processing Procedures, Processes, and Services:

  • Registration with Real Names: Due to the nature of our community, we ask users to use our services only under their real names. This means the use of pseudonyms is not allowed; Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR).
  • User Profiles are Not Public: User profiles are not publicly visible or accessible.

Single Sign-On Login

"Single Sign-On" or "Single Sign-On Login or Authentication" refers to processes that allow users to log in to our online service using a user account with a Single Sign-On provider (e.g., a social network). The prerequisite for Single Sign-On authentication is that the users are registered with the respective Single Sign-On provider and enter the required login details in the provided online form or are already logged in with the Single Sign-On provider and confirm the Single Sign-On login via a button.

The authentication takes place directly with the respective Single Sign-On provider. As part of such authentication, we receive a user ID indicating that the user is logged in under this user ID with the respective Single Sign-On provider, and an ID (so-called "User Handle") that cannot be used for other purposes. Whether additional data is transmitted to us depends solely on the Single Sign-On procedure used, the data sharing choices made during authentication, and which data users have made available in the privacy or other settings of their user account with the Single Sign-On provider. Depending on the Single Sign-On provider and the user's choice, this can include various data, typically email address and username. The password entered during the Single Sign-On process with the provider is neither visible to us nor stored by us.

Users are asked to note that their data stored with us may automatically be reconciled with their user account with the Single Sign-On provider, but this is not always possible or actually performed. For example, if users change their email addresses, they must manually update them in their user account with us.

We can use the Single Sign-On login, as agreed with the users, as part of or before fulfilling the contract, provided that the users have requested this processing through consent, or otherwise based on our legitimate interests and the interests of the users in an effective and secure login system.

If users decide not to use the link between their user account and the Single Sign-On provider for Single Sign-On authentication anymore, they must disconnect this link within their user account at the Single Sign-On provider. If users wish to delete their data with us, they must terminate their registration with us.

  • Processed Data Types: Master data (e.g., full name, address, contact information, customer number, etc.); contact data (e.g., postal and email addresses or phone numbers); usage data (e.g., page views, duration of stay, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions). Meta-, communication, and procedural data (e.g., IP addresses, time data, identification numbers, involved persons).
  • Affected Persons: Users (e.g., website visitors, users of online services).
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; login process. Provision of our online offer and user-friendliness.
  • Storage and Deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion." Deletion after termination.
  • Legal Basis: Contract fulfillment and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR). Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR).

Further Information on Processing Procedures, Processes, and Services:

  • Google Single Sign-On: Authentication services for user logins, provision of Single Sign-On features, management of identity information, and application integrations; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Website: https://www.google.de; Privacy Policy: https://policies.google.com/privacy; Basis for transfers to third countries: Data Privacy Framework (DPF). Opt-out option: Ad settings: https://myadcenter.google.com/.

Changes and Updates

We ask you to regularly check the content of our privacy policy. We adjust the privacy policy as soon as changes in the data processing we perform make this necessary. We will inform you if changes require your participation (e.g., consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and we ask you to verify the information before contacting them.

Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke