Privacy Policies

Last Updated: 04 Feb, 2024

Introduction

This Privacy Policy explains the type, scope, and purpose of processing personal data (hereinafter referred to as “data”) when you use our online services (including the associated webpages, features, and content, as well as any external online presences such as our social media profiles). For definitions of the terms used, such as “processing” or “controller,” please refer to Article 4 of the General Data Protection Regulation (GDPR).



Controller

The entity responsible (the “Controller”) for processing your personal data on our website is:


Circle-Hand UG (haftungsbeschränkt)

Email: mail [@] circle-hand.com



Types of Data Processed

Basic Data (e.g., names, addresses)

Contact Details (e.g., email addresses, phone numbers)

Content Data (e.g., text entries, photographs, videos)

Usage Data (e.g., pages visited, interest in content, access times)

Meta/Communication Data (e.g., device information, IP addresses)



Categories of Individuals Affected

Visitors and users of the online services (collectively referred to as “users” in this policy).



Purpose of Processing

• To provide our online services, including related functionalities and content

• To respond to contact requests and communicate with users

• To implement security measures

• To measure reach and for marketing purposes



Terminology

Personal Data: Any information relating to an identified or identifiable natural person (“data subject”). A person is considered identifiable if they can be identified directly or indirectly, for example by name, ID number, location data, or an online identifier (e.g., cookies).

Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This term is broad and covers practically all data handling.

Pseudonymization: Processing personal data in such a way that these data can no longer be attributed to a specific individual without additional information, provided such additional information is kept separately and is subject to technical and organizational measures ensuring the data cannot be linked to an identified or identifiable person.

Profiling: Any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person (e.g., to analyze or predict work performance, economic situation, health, personal preferences, interests, reliability, behavior, or location).

Controller: The natural or legal person, authority, institution, or other body that alone or jointly with others decides on the purposes and means of processing personal data.

Processor: A natural or legal person, authority, institution, or other body that processes personal data on behalf of the Controller.



Legal Basis

Under Article 13 of the GDPR, we must inform you about the legal bases of our data processing. Unless otherwise stated in this Privacy Policy, the following applies:

• Consent is governed by Article 6(1)(a) and Article 7 GDPR

• Processing to fulfill our contractual services or carry out pre-contractual measures and respond to inquiries is based on Article 6(1)(b) GDPR

• Processing to fulfill our legal obligations is based on Article 6(1)(c) GDPR

• Processing to safeguard our legitimate interests is based on Article 6(1)(f) GDPR

• If the processing of personal data is necessary to protect the vital interests of the data subject or another natural person, Article 6(1)(d) GDPR applies



Security Measures

In accordance with Article 32 GDPR—and taking into account the current state of technology, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risks to individuals’ rights—we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.


These measures include, in particular, securing the confidentiality, integrity, and availability of data through controls over physical and digital access, data input, data transfer, and data backups. We also maintain procedures to ensure individuals’ rights are protected, data is deleted when no longer needed, and we can respond effectively if data is compromised. Moreover, we factor in the protection of personal data from the earliest stages of designing or selecting hardware, software, and procedures (known as “data protection by design and by default,” as per Article 25 GDPR).



Collaboration with Processors and Third Parties

If we disclose or transmit data to other individuals or companies (processors or third parties) or otherwise grant them access to data, such action occurs only if we are legally permitted or required to do so (e.g., disclosing data to payment service providers under Article 6(1)(b) GDPR to perform a contract), if you have given consent, if there is a legal obligation, or if we have a legitimate interest in doing so (e.g., use of subcontractors, web hosts, etc.).


If we commission third parties to process data under a so-called “data processing agreement,” this is done based on Article 28 GDPR.



Data Transfers to Third Countries

If we process data in a “third country” (i.e., outside the EU or the European Economic Area (EEA)) or if this occurs in connection with using third-party services or disclosing data to third parties, it will only take place if it is required to fulfill our (pre)contractual obligations, with your explicit consent, if it is legally required, or if it is justified by our legitimate interests. Subject to legal or contractual permissions, we only process data or have it processed in a third country if the special requirements under Articles 44 ff. GDPR are met. For example, processing may be based on “standard contractual clauses,” or an officially recognized equivalent level of data protection in the recipient country (e.g., “Privacy Shield” for the USA—though note that this framework’s status may have changed due to evolving legal standards).



Your Rights

Under the GDPR, you have the right to:

Obtain confirmation whether relevant data is being processed and to request information about such data, including a copy thereof (Article 15 GDPR).

Request rectification or completion of your personal data (Article 16 GDPR).

Request erasure of your data (Article 17 GDPR) or, alternatively, restriction of processing (Article 18 GDPR) where erasure is not legally permissible or the data is needed for legitimate purposes.

Request transfer of data you have provided to us to another controller (Article 20 GDPR).

Lodge a complaint with a supervisory authority (Article 77 GDPR).



Right to Withdraw Consent

You have the right to withdraw any consent you have given at any time for the future, in accordance with Article 7(3) GDPR.



Right to Object

You may object at any time to the future processing of data relating to you, as provided under Article 21 GDPR. This particularly applies to any direct marketing activities.



Cookies and Right to Object in Direct Marketing

“Cookies” are small files stored on users’ devices. They can store a variety of information. A cookie’s primary purpose is to store information about a user (or the device on which the cookie is set) during or after the user’s visit to an online offering. “Session cookies” or “transient cookies” are cookies that are deleted after a user leaves a website and closes the browser. A “persistent” or “permanent” cookie remains stored even after the browser is closed (e.g., to remember login information when returning to a site). “Third-party cookies” are cookies from providers other than the one operating the online offering (where they are set by the site operator itself, they are referred to as “first-party cookies”).


We may use both temporary and permanent cookies and will inform you accordingly in this Privacy Policy. If you prefer not to have cookies stored on your device, please disable the relevant option in your browser settings. You can also delete stored cookies there. Please note that disabling cookies may affect some features of our online services.


To generally object to the use of cookies for online marketing or tracking, you can utilize the resources provided by the Network Advertising Initiative at http://www.aboutads.info/choices/ or by the European site http://www.youronlinechoices.com/. Additionally, you can prevent cookies from being stored by changing your browser settings. Be aware that if you do so, some features of this website may not function properly.



Deletion of Data

Data we process will be deleted or their processing restricted in accordance with Articles 17 and 18 GDPR. Unless otherwise specified in this Privacy Policy, the data we store will be deleted as soon as it is no longer needed for its intended purpose and there are no legal retention requirements preventing its deletion. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means the data is blocked and not processed for any other purpose. This practice applies, for example, to data retained under commercial or tax regulations.


Under German law, records must be kept for 10 years in line with §§ 147(1) AO, 257(1)(1) and (4), and 257(4) of the German Commercial Code (HGB) (e.g., commercial books, accounting records, etc.) and for 6 years according to § 257(1)(2) and (3), and § 257(4) HGB (e.g., commercial correspondence).


Under Austrian law, the retention period is 7 years in accordance with § 132(1) of the Austrian Federal Tax Code (BAO) (e.g., accounting documents, vouchers, invoices), 22 years in connection with real estate, and 10 years for documents related to electronically supplied services, telecommunications, radio, and television services provided to non-business customers in EU Member States and for which the Mini One-Stop-Shop (MOSS) is used.



Business-Related Processing

We additionally process:

Contract Data (e.g., contract object, duration, customer category)

Payment Data (e.g., bank details, payment history)


of our customers, interested parties, and business partners for the purpose of providing contractual services, customer support, marketing, advertising, and market research.



Contacting Us

When you contact us (for example, via contact form, email, telephone, or social media), the user’s details are processed to handle the inquiry (Article 6(1)(b) GDPR). User information may be stored in a Customer Relationship Management (CRM) system or a comparable system for tracking inquiries.


We will delete inquiries that are no longer required. We review data retention needs every two years. Statutory archiving obligations also apply where relevant.



Newsletters and Mass Communications

We send newsletters, emails, and other electronic notifications (collectively “Newsletters”) only with the recipient’s consent or as legally permitted. If a Newsletter’s content is specifically described during signup, that content is decisive for user consent. Otherwise, our Newsletter may include updates on our services and related information.


If you register for our Newsletter, you generally only need to provide your email address. We may ask for your name or other details if needed for the Newsletter.


We use a double opt-in process. After subscribing, you receive an email asking you to confirm your signup. This step is necessary to ensure no one subscribes with a different email address. Subscriptions are logged for legal proof, including storage of subscription and confirmation times and IP address. Changes to data stored by our email service provider may also be logged.


Deletion and Restriction of Processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests, solely to verify that consent was previously given. The data is used only for potential defense against claims. You can request deletion at any time, provided you simultaneously confirm past consent. If we must permanently honor opt-outs, we may store your email in a “blocklist” for this sole purpose.


Documentation of the subscription process is based on our legitimate interests to demonstrate compliance with the law. If we engage a service provider to deliver emails, this is done based on our legitimate interests in an efficient, secure email delivery system.


Legal Basis: Newsletters are sent with the recipient’s consent or, where consent is not required, in our legitimate interest in direct marketing (as permitted by law). If we engage a service provider for email delivery, that is also based on our legitimate interests. Our registration procedure is documented under our legitimate interest to prove it was carried out lawfully.


Content: Information about us, our services, promotions, and offers.


Analytics and Performance Tracking: Our Newsletters contain a “web beacon,” a pixel-sized file retrieved from our server (or from our service provider’s server) when the Newsletter is opened. Technical information (e.g., browser, system, IP address, time of retrieval) is collected. This information is used for technical improvements and to better understand user reading habits. In particular, we measure whether and when Newsletters are opened and which links are clicked. This information can theoretically be linked to individual recipients. However, it is not our intention—nor, if applicable, that of our service provider—to monitor individual users. Rather, these evaluations help us recognize reading habits and tailor content or send different content to different user groups.


Such tracking is performed, unless otherwise consented to, under our legitimate interest in using a user-friendly and secure Newsletter system that meets both our business interests and user expectations.


You cannot opt out of performance tracking while continuing to receive the Newsletter. If you wish to stop the tracking, you must unsubscribe entirely.

Types of Data Processed: Basic Data (names, addresses), Contact Details (emails, phone numbers), Meta/Communication Data (e.g., device information, IP addresses), Usage Data (e.g., websites visited, interest in content, access times)

Data Subjects: Communication partners

Purpose of Processing: Direct marketing (e.g., via email or postal mail)

Legal Basis: Consent (Article 6(1)(a) GDPR), Legitimate Interests (Article 6(1)(f) GDPR)

Opt-Out: You can unsubscribe from our Newsletter at any time. You will find an unsubscribe link at the end of each Newsletter, or you can send us an email or another message using the contact details above.


Service Providers Used:

MailerLite (Email Marketing Platform): Provided by MailerLite UAB, a European company based in Lithuania (an EU Member State and thus subject to and compliant with the GDPR).

• Address: MailerLite UAB, Jono Basanavičiaus g. 15, Vilnius 03108, Lithuania

• Company Code: 30252057, VAT LT100007448516

• Website: https://www.mailerlite.com

• Privacy Policy: https://www.mailerlite.com/legal/privacy-policy



Hosting

We rely on hosting services to provide infrastructure and platform services, computing capacity, storage, database services, security, and technical maintenance to operate this online service efficiently and securely.


In this context, our hosting provider processes user data (basic data, contact information, content data, contractual data, usage data, and meta/communication data) based on our legitimate interest in ensuring a secure, efficient provision of this service (Article 6(1)(f) GDPR in conjunction with Article 28 GDPR).



Collection of Access Data and Log Files

We (or our hosting provider) collect data on every access to the server hosting this service (“server log files”) based on our legitimate interests (Article 6(1)(f) GDPR). Access data includes the name of the accessed webpage or file, date/time, transferred data volume, notification of successful retrieval, browser type and version, user operating system, referrer URL (the previously visited page), IP address, and requesting provider.


Log file information is kept for security reasons (e.g., to investigate misuse or fraud) for up to 7 days and then deleted. Data required as evidence is excluded from deletion until the incident is fully resolved.



Google Tag Manager

We use Google Tag Manager to manage “website tags” through a single interface (e.g., integrating Google Analytics or other Google marketing services into our website). The Tag Manager itself (which implements the tags) does not process users’ personal data. For information on how user data is processed by Google’s services, please see the relevant sections below. Further information on usage policies can be found at: https://www.google.com/intl/en/tagmanager/use-policy.html.



Google Analytics

Based on our legitimate interests in the analysis, optimization, and cost-effective operation of our online services (Article 6(1)(f) GDPR), we use Google Analytics, a web analytics service provided by Google LLC (“Google”). Google uses cookies; the information generated by the cookie about use of our online services is generally transmitted to a Google server in the USA and stored there.


Google is certified under the Privacy Shield, offering a guarantee that European data protection requirements are met (although the status of the Privacy Shield may have changed, please refer to current legal frameworks).


Google processes this information on our behalf to evaluate usage of our services, compile reports on activities within our online services, and provide other services related to online usage. Pseudonymous user profiles can be created from the processed data.


We use Google Analytics only with IP anonymization enabled. This means that Google truncates users’ IP addresses within EU Member States or other EEA signatory states. In rare cases, the full IP address may be transmitted to a Google server in the USA and shortened there.


The IP address transmitted by the user’s browser will not be combined with other Google data. Users can prevent the storage of cookies through their browser settings; they can also prevent Google from capturing and processing data generated by cookies (related to their website usage) by downloading and installing the browser plugin available at: http://tools.google.com/dlpage/gaoptout?hl=en.


Further details on how Google uses data, as well as settings and opt-out options, can be found in Google’s Privacy Policy (https://policies.google.com/technologies/ads) and the ad display settings (https://adssettings.google.com/authenticated).


User-level data is deleted or anonymized after 14 months.



Google AdWords and Conversion Tracking

We use Google AdWords on the basis of our legitimate interests in the analysis, optimization, and cost-effective operation of our online services (Article 6(1)(f) GDPR). This service is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.


Google is certified under the Privacy Shield, offering a guarantee of compliance with European data protection laws (again, with the caveat about evolving legal standards).


Google AdWords allows us to display ads within Google’s advertising network (e.g., in search results, YouTube videos, on websites) that appear to users who might be interested in them. This helps us show ads that are potentially relevant to users’ interests. If, for example, someone sees ads for products they previously viewed on other websites, this is known as remarketing. When you visit our website or others in the Google advertising network, Google executes a code that sets (re)marketing tags (invisible graphics or code also referred to as “web beacons”). This allows a unique cookie (or similar technology) to be placed on the user’s device. The cookie stores which websites the user visits, the content they’re interested in, the offers they click, plus technical details about the browser, operating system, referring pages, time of visit, and other usage details.


We also receive an individual “conversion cookie.” The information collected by the cookie helps Google generate conversion statistics for us (e.g., how many users clicked on our ads and later purchased a product). We do not receive any information that personally identifies users.


Google processes user data under a pseudonym within the Google advertising network. That is, Google does not store or process users’ names or email addresses but uses cookies to process relevant data within pseudonymous user profiles. From Google’s perspective, the ads are shown to the cookie holder, not a specifically identified person (unless the user has expressly allowed Google to process their data without this pseudonymization). The information collected about users is sent to Google’s servers in the USA and stored there.


For more details about data usage by Google and how to opt out, please review Google’s Privacy Policy: https://policies.google.com/technologies/ads and Google’s ad settings: https://adssettings.google.com/authenticated.



Social Media Presence

We maintain online presences within social networks and platforms to communicate with customers, interested parties, and users active there and to inform them about our services. When you visit these networks and platforms, their terms and data processing policies apply. Unless otherwise specified in this Privacy Policy, we process user data if they communicate with us within these social networks and platforms (e.g., by posting on our pages or sending us messages).



Third-Party Content and Services

We incorporate within our online services third-party content and services (e.g., videos or fonts) based on our legitimate interests in the analysis, optimization, and cost-effective operation of our online services (Article 6(1)(f) GDPR). This requires third-party providers to recognize users’ IP addresses, as they cannot send the content to the user’s browser otherwise. Wherever possible, we only use content from providers that use IP addresses solely to deliver the content. Third-party providers may also use pixel tags (“web beacons”) for statistical or marketing purposes, enabling them to track visitor traffic on various pages of this website. The pseudonymous information may be stored in cookies on the user’s device and possibly combined with similar data from other sources.



Google Fonts

We use “Google Fonts” from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For more information, see Google’s Privacy Policy: https://www.google.com/policies/privacy/. You can opt out at: https://adssettings.google.com/authenticated.



Contact

For any questions regarding data protection, please contact:

Email: mail [@] circle-hand.com