Privacy notice

As the operator of the FFOSSO platform consisting of the FFOSSO APP, which is stored on your end user device, cloud services and our website www.ffosso.com, we are the responsible controller for the personal data of the user (“you”) of our platform within the meaning of the applicable data protection law, in particular the General Data Protection Regulation (“GDPR”).
As part of our duty to provide information (Art. 13 f. GDPR), we will inform you below about which data is processed when you use the FFOSSO APP and/or visit our website and on what legal basis this is done. You will also receive information about your rights vis-à-vis us and the competent supervisory authority.

1. Information on the controller
OT Distribution GmbH & Co KG
Am Untergrün 6
79232 March
Germany
Email: support@orchestraltools.com

2. Data Protection Officer
We have appointed a company data protection officer:
Tobias Escher
Am Untergrün 6
79232 March
Germany
dataprotection@orchestraltools.com

3. Informational use of our website
When you access our website merely to visit it, so-called log files are processed by being automatically recorded by our system.
The following log files are processed automatically:

IP address of the requesting computer
Type of Internet browser used
Version of the Internet browser used
Operating system and, for Apple products, its version
Pages accessed
Date and time of the visit
Time zone difference to Greenwich Mean Time (GMT)
Access status/httpsss status code
Amount of data transferred
Success or error of the charging process
USER ID if a customer account exists

The log files contain your IP address and possibly other personal data. It is therefore generally possible to identify you.
However, we only store your data temporarily and, in particular, not together with other personal data. The data will be deleted as soon as you leave the website. The temporary processing and storage of the above-mentioned data is necessary to provide our website and to ensure the security of our information technology systems. These purposes also justify our legitimate interest in processing the data on the legal basis of Art. 6 para. 1 sentence 1 lit. f GDPR.

4. Provision of our website and other Cloud computing servicesa. Hosting and cloud computing servicesOur website is operated on the servers of the provider Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (“AWS”), with server location in Germany. This means that the data we collect when you visit and use this website is stored by our hosting provider.
The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. f GDPR, as it is in our legitimate interest to use the services of a professional provider for the secure and efficient provision of our website. We have concluded a data processing agreement with Amazon Web Services.
We further use various cloud computing services provided by AWS, with server location in Germany, to operate and maintain our FFOSSO platform.
AWS services are used for:

secure hosting and operation of our databases and backend systems,
storage of user-generated content and media,
management of APIs and application logic,
monitoring, error detection, and system optimization,
network and DNS management.

The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. b. and f. GDPR. The use of third-party cloud computing services is necessary for the fulfilment of the contract. Furthermore it corresponds to our legitimate interest in not operate cloud services ourselves and the interest in providing our website as error-free and secure as possible (Art. 6 para. 1 lit. f GDPR).
Where AWS processes data outside the European Union (e.g., in the United States), such transfers are safeguarded by EU-U.S Data privacy Framework, Swiss-U.S. Data Privacy Framework and/or the Standard Contractual Clauses and additional security measures (encryption, access restriction, and pseudonymization).
You can find information on data processing by AWS here: https://aws.amazon.com/privacy/
AWS has implemented compliance measures for international data transfers. These apply to all global activities where AWS processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). We have concluded a data processing Agreement with Amazon Web Services. Further information can be found at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
In order to provide certain content on FFOSSO in a performant and scalable manner, we use Cloudflare R2, a service for decentralised storage and delivery of data provided by Cloudflare Inc., 101 Townsend St, San Francisco, CA 94107, USA (“Cloudflare”). R2 enables us to deliver static content such as Instruments, Presets, Visuals and sample storage or other media files efficiently and cost-effectively via distributed servers without having to resort to traditional cloud storage solutions. This may involve the transfer of personal data – in particular the IP address – to Cloudflare servers in order to deliver the requested content.
This data is processed on the legal basis of our legitimate interest pursuant to Art. 6 (1) sentence 1 lit. f GDPR, which lies in the fast, reliable and resource-saving provision of our online services. We have concluded a data processing agreement (DPA) with Cloudflare in accordance with Art. 28 GDPR, which ensures that your data is processed exclusively in accordance with our instructions and is protected by appropriate technical and organisational measures.
You can find information on the processing of your personal data by Cloudflare here: https://www.cloudflare.com/de-de/privacypolicy/#cloudflare-privacy-policy
When Cloudflare transfers personal data from the EEA, Switzerland, or the United Kingdom (UK) to the United States, they rely on their certifications under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), and the UK Extension to the EU-U.S. DPF (https://www.dataprivacyframework.gov/list). Should these certifications lapse or become otherwise invalidated, Cloudflare relies on the standard contractual clauses, including supplementary measures as necessary for transfers to the United States. They also use standard contractual clauses for other international transfers from the EEA, Switzerland, or the United Kingdom.

b. Content Delivery Network

We use the Amazon CloudFront content delivery network (CDN) from AWS to increase the security and delivery speed of our website. A CDN is a network of globally distributed servers that is able to deliver optimized content to the website user. For this purpose, personal data may be processed in server log files by AWS. Please compare the explanations under “Hosting”.
The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. f GDPR. It corresponds to our legitimate interest in not operating a content delivery network ourselves and the interest in providing our website as error-free and secure as possible (Art. 6 para. 1 lit. f GDPR).
Your personal data will be stored by AWS for as long as it is necessary for the purposes described. You can find information on the processing of your personal data here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/data-protection-summary.html
AWS has implemented compliance measures for international data transfers. These apply to all global activities where AWS processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). We have concluded a data processing Agreement with Amazon Web Services. Further information can be found at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

5. Customer account / Customer registration
You have the option of creating a customer account in our FFOSSO APP using your personal data. If you decide to create a customer account, you must provide us with the following information:

First and last name
Email address
Password

Your data is used for the purpose of managing your customer account and providing the associated functions, such as processing your customer data and displaying your orders. The legal basis for the storage of your customer account data is Art. 6 para. 1 sentence 1 lit. b and f. GDPR.
We store the data you have provided to us as part of your login/registration as long as you do not delete your customer account with us. If you make changes to your details, the old details will be deleted and only the updated data will be saved. In addition, we only store your data in order to comply with our legal obligations (e.g. tax obligations) (Art. 6 para. 1 sentence 1 lit. c GDPR). In this case, we block your data to the extent that it is only processed for the necessary purposes.
In addition to the data you provide to us, we may also store the time (date and time) of the transmission of your data to us, as well as your IP address. The processing of this data is in our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in order to ensure the security of our systems and to counteract misuse. This additional data will be deleted as soon as it is no longer required, at the latest when the contract with you has been completed.
You can have your voluntary customer account deleted at any time in your FFOSSO profile.
In connection with the operation of our user accounts, we use the services of CAOS Ltd., with head office in Lerchenfeldstrasse 3, 9014 St. Gallen, Switzerland („ZITADEL”) as an identity and access management platform to handle user registration, authentication, authorization, and account administration. In doing so, we process personal data such as your name, email address, login credentials, roles and permissions, as well as usage and activity data. An overview of the personal data processed you can find in the data processing agreement linked below.
The processing of personal data via ZITADEL serves the following purposes:

Creation and management of user accounts, including secure login and access control.
Authentication and authorization of users within our subscription service.
Ensuring operational security, auditability of access (audit trails), and compliance with legal obligations.
Communication related to account usage (e.g. password resets, notifications).

Legal Basis of the data processing is Art. 6 para. 1 sentence 1 lit. b and f. GDPR. Our legitimate interest is maintaining a secure and functional user management system.
Information on how Zitadel processes your data can be found here: https://zitadel.com/docs/legal/policies/privacy-policy
We have concluded a data processing agreement with Zitadel and affiliated companies. You can find it here: https://zitadel.com/docs/legal/data-processing-agreement
Zitadel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Zitadel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Zitadel has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Zitadels certification, please visit https://www.dataprivacyframework.gov/

6. Order placement / Subscription Management
When you place an order on our website, we need the following data to fulfill the contract with you:

First name, last name, and your address for your invoice.
Email address to send you the order confirmation and to provide you with contract documents immediately after the order.
Eventually company name and your VAT number
Your payment information to process the payment of your order

We also process the data required in each case in order to reverse our contract after a revocation or for any other reason or to check claims. We also store your aforementioned data in order to be able to display your order history on our website.
For our subscription and billing management, we use the services of our data processor CHARGEBEE Inc., 340 S. Lemon Avenue, Suite #1537, Walnut, California 91789, USA (“Chargebee”). We have concluded an agreement with Chargebee with regard to the processing of your data in accordance with Art. 28 GDPR. The data processing agreement with Chargbee you may find here: https://www.chargebee.com/privacy/dpa/
You may find further information about Chargebee data processing and data protection in here: https://www.chargebee.com/privacy/
The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. b and f GDPR. The data will be stored for as long as it is necessary to process your order. It is in our legitimate interests to enable you to track your current and previous orders. Beyond this, we only store your data in order to comply with our legal obligations (e.g. tax obligations pursuant to Section 147 AO and Section 257 HGB) (Art. 6 para. 1 sentence 1 lit. c GDPR). In this case, we block your data to the extent that it is only processed for the necessary purposes.
In addition to the aforementioned data, we store the time (date and time) of the transmission of your data to us, as well as your IP address. The processing of this data is in our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in order to ensure the security of our systems and to counteract misuse. This additional data will be deleted as soon as it is no longer required, at the latest when the contract with you has been completed.

7. Payment processing
We use the payment service provider Stripe for billing and payment processing. Stripe is an international financial services provider with various business units. According to the company, Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland (“Stripe”) is primarily responsible for customers from the EEA, Switzerland, Great Britain and the Asia-Pacific region; for certain authorized payment services, Stripe Technology Europe, Limited, The One Building, 1, Grand Canal Street Lower, Dublin 2, Ireland (EEA and Switzerland) and Stripe Payments UK, Ltd, 211 Old Street, The Warehouse, Dublin 2, Ireland (EEA and Switzerland) are also responsible, depending on the location. Stripe Payments UK, Ltd, 211 Old Street, The Warehouse, 7th Floor, London EC1V 9NR, United Kingdom (Great Britain). For customers from North, Central and South America, on the other hand, the US parent company Stripe Inc. 354 Oyster Point Boulevard, South San Francisco, California, 94080 is generally responsible.
Due to the implementation of Stripe, cookies are set on our website. You can find information on this in our cookie information and Stripe’s cookie policy: https://stripe.com/legal/cookies-policy
According to its own information, Stripe processes the following end customer data in particular in connection with billing and payment processing:

Email address
(Billing and delivery) address
Information on the respective payment method (e.g., credit card details, account information)
Order date
Ordered service
Any other information you enter when paying via Stripe

According to its own information, Stripe uses the collected data primarily for payment processing and the associated services (e.g., issuing and sending invoices, fraud prevention), but also for other purposes if necessary. Stripe transmits the data to various recipients, including recipients who are not based within the EU. Stripe bases this data processing and transfer on various legal bases, which you can find in Stripe’s privacy policy (https://stripe.com/privacy) and the further data privacy information in the Stripe Privacy Center (https://stripe.com/privacy-center/legal#stripe-legal-bases-tables).

As a small company, we can only provide billing and payment processing for our international customer base with the help of the automation services of a global financial services provider such as Stripe. The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. In this respect, our legitimate interests lie in offering an efficient and secure payment method while at the same time developing international customers and securing payments in international business transactions. In addition, the data processing in connection with the payment of your order is carried out in accordance with Art. 6 para. 1 lit. b GDPR for the execution of the contracts concluded with you. A contract for commissioned data processing has been concluded with Stripe in accordance with Art. 28 GDPR. You can find the agreement here: https://stripe.com/de/legal/dpa
When using the following payment methods, data is also transmitted to the respective provider of your payment method:
PayPal: If you pay at Stripe with PayPal (PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal L-2449 Luxembourg), PayPal will receive your payment data for payment processing and PayPal may carry out a credit check. You can find information on this at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=en_DE
Credit card: If you pay with your credit card on our website, your credit card provider will receive the information that you have placed an order with us. Your credit card provider may carry out a credit check. You can find more information on this on the respective website of your credit card provider.

8. Contact form and email
You can contact us electronically via the contact form on our website or by email, e.g., to provide us with feedback, to send us inquiries about the services we offer or to ask us general questions. If you use this option, you transmit the following data to us:

Name
Object
Email address
Description of the request

The legal basis for the processing of your data for the purpose of processing your contact is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. You can withdraw your consent at any time. In addition, the legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to contact you. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified.
If your contact is aimed at concluding a contract with us, the additional legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. b GDPR.
The data will be stored for as long as it is necessary for the performance of the contract or pre-contractual measures or until you withdraw your consent. Beyond this, we only store your data in order to comply with legal obligations (e.g., tax obligations) (Art. 6 para. 1 sentence 1 lit. c GDPR).
In addition to the data you provide to us, we store the time (date and time) of the transmission of your data to us, as well as your IP address. The processing of this data is in our legitimate interest (Art. 6 para. 1 sentence 1 lit. f GDPR) in order to ensure the security of our systems and to counteract misuse. This data, which we also collect when you contact us, is deleted as soon as it is no longer required, at the latest when your contact request has been fully clarified.
You can inform us at any time that you would like us to delete the data provided during the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.

9. Contact us by phone or post
You have the option of contacting us by telephone or post. Your personal data transmitted in this way will be stored by us. The data is processed exclusively in order to process your contact appropriately, whereby this corresponds to our legitimate interest. The legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. f GDPR. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified.
If your contact is aimed at concluding a contract with us, the additional legal basis for the processing of your personal data is Art. 6 para. 1 sentence 1 lit. b GDPR. This data is stored for as long as it is required for the performance of the contract or pre-contractual measures. In addition, we only store your data in order to comply with legal obligations (e.g. tax obligations) (Art. 6 para. 1 sentence 1 lit. c GDPR).
You can inform us at any time that you would like us to delete the data provided during the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.

10. Newsletter

a. Newsletter Subscription

In our FFOSSO App and on our website, we offer you the opportunity to subscribe to our newsletter free of charge. In addition to your declaration of consent, we only need your email address.
The legal basis for sending the newsletter and the associated processing of further voluntary information is Art. 6 para. 1 sentence 1 lit. a GDPR. By sending the newsletter registration, you consent to the processing of your data by us.
As part of your newsletter registration, we also store the date and time of the transmission of your data to us, as well as your IP address. The processing of this data corresponds to our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR in order to ensure the security of our systems and to counteract misuse.
Your data will be processed exclusively in connection with the sending of newsletters. The purpose of processing your email address is to enable us to send you the newsletter. Other data during the registration process is used either to address you personally or to ensure the security of our services and prevent misuse of the email address used.
Your data will only be stored for as long as is necessary to achieve the purpose. Your email address will therefore be stored for the duration of your active newsletter subscription if you have given your consent. The data that we also collect automatically during your registration (IP address, date and time) will be deleted at the latest when you cancel your newsletter subscription. Data stored by us for other purposes remains unaffected by this.

Newsletter tracking:

Due to a tracking pixel implemented in our newsletters, which are based on your explicit consent, we can track whether the newsletter has been opened. We can also track whether links contained in the newsletter have been clicked on. This is done by briefly redirecting the recipient via the server of our newsletter service provider after clicking on a link and then forwarding them to the destination address. The IP address, browser, date and time of retrieval and opening of the newsletter and the click behavior on links contained in the newsletter are recorded and statistically evaluated. This function is helpful for us to understand whether our newsletter is opened and which topics are of particular interest.
Your user behaviour will only be evaluated if you have consented to the newsletter being sent and the associated personalized data evaluation. By creating a personal user profile, we would like to tailor our advertising to your interests and optimize our offers on our website for you. The legal basis for data processing is your consent in accordance with Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act TTDSG and Art. 6 (1) sentence 1 lit. a GDPR.
We receive aggregated statistics that our service provider (see below) creates automatically. As a rule, we therefore only have an overview of the percentage of recipients who have opened the newsletter or which content was particularly well received.
Newsletter marketing under Section 7 (3) UWG (German Unfair Competition Act)
If you provide your email address when using our services, by registering for free or purchasing a subscription, we may use it to send you our newsletter. This is done exclusively for the purpose of direct advertising for our own or similar goods or services.
The legal basis for sending newsletters in connection with the sale of goods or services is Section 7 (3) UWG (German Unfair Competition Act). If we send you a newsletter following an order on our website, we will store your email address for the purpose of advertising our own or similar goods or services until you unsubscribe from the newsletter. Newsletters sent on this legal basis do not contain tracking pixels.
Newsletter service provider
To send the newsletters, we use the email dispatch tool of CleverReach GmbH & Co KG, Schafjückenweg 2, 26180 Rastede, Germany (“CleverReach”). This means that the aforementioned information (email address, date and time of your newsletter registration and newsletter confirmation, IP address, other information that you voluntarily provide to us) is stored on Cleverreach’s servers. Cleverreach’s servers are located exclusively in the EU.
The processing of your data by CleverReach is based on an data processing agreement in accordance with Art. 28 GDPR, which we have concluded with CleverReach.
Right to Object / RIGHT TO WITHDRAW / Unsubscribe from newsletter
You can unsubscribe, object or withdraw the consent to receive our newsletter at any time. Unfortunately, it is not possible to withdraw your consent to newsletter tracking separately. If you wish to object to newsletter tracking, you must therefore also unsubscribe from the newsletter. You will find the link to do this at the end of each newsletter. By doing so, you withdraw your consent with effect for the future or object to any further use of your data for the purpose of sending the newsletter and tracking. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

11. Links to our profile pages in the social networks

On our website, we use small icons and possibly other links that refer to our website on the third-party platforms (social networks) listed below. These are hyperlinks, so no data is automatically transmitted by you, but only when you click on the icons or the corresponding link and a new window opens in your browser with the website of the third-party provider.
Facebook page (formerly “Facebook Fanpage”)
We operate a so-called Facebook page on the social media platform Facebook (Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4 Ireland (“Meta”)), which we link to on our website via the Facebook icon. As long as you do not click on the link, Meta will not receive any data from you. If you click on the link, for example to view our company profile on Facebook or to “like” our Facebook page, Meta will receive data from you (which data Meta receives also depends on whether you are logged in to Meta with your user profile while clicking on the page or not). Meta also uses so-called cookies, which are stored on your device when you visit our Facebook page even if you do not have your own Facebook profile or are not logged into it during your visit to our Facebook page. These cookies allow Meta to create user profiles based on your preferences and interests and to show you customized advertising (inside and outside Facebook). Cookies remain on your device until you delete them. You can find more information about the cookies used on Facebook at https://www.facebook.com/policies/cookies/
According to its own information, Meta uses this data for a wide variety of purposes and transmits it worldwide, both internally to other Meta companies and to a wide variety of external partners. Meta bases this data processing on various legal bases, details of which can be found in Meta’s Data Policy. The data policy can be found at the following link: https://www.facebook.com/policy.php
While Meta uses this data under its own responsibility for various purposes, we can only see aggregated data on our company Facebook page, i.e. statistics (e.g. user growth, user demographics, use of individual functionalities), which no longer have any personal reference. This data, which is called “page insights”, is created using so-called “events” logged by Meta. An “event” can be, for example, the fact that someone has marked a certain post with a “Like”. As the website operator, we do not have access to the personal data that is processed in the context of events, but only to the summarized page insights. Events that are used to create Page Insights do not store any IP addresses, cookie IDs or any other identifiers that are assigned to people or their devices, apart from a Facebook user ID for people logged in to Facebook. You can find more information about Page Insights at the following link: https://www.facebook.com/legal/terms/information_about_page_insights_data
In accordance with the provisions of the GDPR, we are jointly responsible with Meta for data processing on our Facebook page (Art. 26 GDPR). Accordingly, we have concluded an agreement with Meta provided by Meta in which this joint responsibility is regulated. You can find the agreement at the following link https://www.facebook.com/legal/terms/page_controller_addendum
This means that Meta is primarily responsible for the aggregated Insight Data. In addition, Meta will comply with all obligations under the GDPR with regard to the processing of Insight Data (including Art. 12, 13 GDPR, Art. 15-21 GDPR and Art. 32-34 GDPR). If you send us a request regarding our Facebook page, we will inform Meta promptly. Meta will respond to the request in accordance with our agreement.
Our legitimate interests in the processing of personal data lie in the use and linking of different communication channels, marketing via high-reach social media platforms and the analysis and evaluation of the success of our communication and marketing efforts. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If you consent to data processing (in particular to the setting of cookies), the processing is also carried out on the basis of Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG) or Art. 6 (1) sentence 1 lit. a GDPR. You can withdraw your consent in accordance with the aforementioned legal bases at any time.
If you use our Facebook page to contact us (e.g., by creating your own posts, responding to one of our posts or sending us private messages), we process the data you provide exclusively to process your contact. The legal basis for the processing of your personal data is therefore Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to contact you. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified. You can inform us at any time that we should delete the data provided in the course of the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.
Note on data transfers to the USA:
However, Meta Platforms Ireland Limited is a subsidiary of the US group Meta, which means that your personal data may also be transferred to Meta’s US group companies (Meta Platforms, Inc.) and Meta servers located in the USA. The USA is a third country within the meaning of the GDPR, for which an adequacy decision of the EU Commission (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”) exists. Meta Platforms Inc. is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list.b. website on Instagram. We operate a company profile on the social media portal Instagram. The operator of Instagram is Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4 Ireland, whereby the platforms Facebook and Instagram share the technical infrastructure according to Meta’s own information. In the following, the term “Instagram” is used for the social media portal and the term “Meta” for the operator of this portal.
On our website, we link to our company profile on Instagram using the Instagram icon. As long as you do not click on the link, Meta will not receive any data from you. If you click on the link, for example to view or subscribe to our company profile on Instagram, Meta will receive data from you (which data Meta receives also depends on whether you are logged in to Instagram with your user profile while clicking on the page or not). In addition, Meta uses so-called cookies, which are stored on your device when you visit our corporate website even if you do not have your own Instagram profile or are not logged into it during your visit to our corporate website. These cookies allow Meta to create user profiles based on your preferences and interests and to show you customized advertising (inside and outside Instagram). Cookies remain on your device until you delete them. You can find more information about the cookies used by Meta at https://privacycenter.instagram.com/policies/cookies/
According to its own information, Meta uses this data for a wide variety of purposes and transmits it worldwide, both internally to other Meta companies and to various external partners. Meta bases this data processing on various legal bases, which you can find in detail in Instagram’s privacy policy and Facebook’s data policy. Instagram’s privacy policy can be found at the following link: https://privacycenter.instagram.com/policy
While Meta uses this data under its own responsibility for various purposes, we can only see aggregated data on our company website, i.e. statistics (e.g. user growth, user demographics, use of individual functionalities), which no longer have any personal reference. These are called “Instagram Insights”. You can find more information about Instagram Insights on the corresponding information page of Meta, which refers to all Meta products (and thus also to Instagram). You can access this information page at the following link: https://www.facebook.com/legal/terms/information_about_page_insights_data
In accordance with the provisions of the GDPR, we are jointly responsible with Meta for data processing on our Instagram company profile (Art. 26 GDPR). Accordingly, we have concluded an agreement with Meta provided by Meta in which this joint responsibility is regulated. You can find the agreement in German at the following link https://www.facebook.com/legal/terms/page_controller_addendum
This means that Meta is primarily responsible for the aggregated Insight Data. In addition, Meta will comply with all obligations under the GDPR with regard to the processing of Insight Data (including Art. 12, 13 GDPR, Art. 15-21 GDPR and Art. 32-34 GDPR). If you send us a request regarding our Instagram company profile, we will inform Meta promptly. Meta will respond to the request in accordance with our agreement.
Our legitimate interests in the processing of personal data lie in the use and linking of different communication channels, marketing via high-reach social media platforms and the analysis and evaluation of the success of our communication and marketing efforts. The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If you consent to data processing (in particular to the setting of cookies), the processing is also carried out on the basis of Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG) or Art. 6 (1) sentence 1 lit. a GDPR. You can revoke your consent in accordance with the aforementioned legal bases at any time in the privacy settings on our website under “Manage consent”.
If you use our Instagram page to contact us (e.g. by creating your own posts, responding to one of our posts or sending us private messages), we process the data you provide exclusively to process your contact. The legal basis for the processing of your personal data is therefore Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to contact you. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified. You can inform us at any time that we should delete the data provided in the course of the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.
Note on data transfers to the USA:
However, Meta Platforms Ireland Limited is a subsidiary of the US group Meta, which means that your personal data may also be transferred to Meta’s US group companies (Meta Platforms, Inc.) and Meta servers located in the USA. The USA is a third country within the meaning of the GDPR, for which an adequacy decision of the EU Commission (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”) exists. Meta Platforms Inc. is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list.

c. website on LinkedIn

We operate a website on the social media portal LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”)), which we link to on our website via the LinkedIn icon.
As long as you do not click on the link, LinkedIn will not receive any data from you. If you click on the link, for example to view our website on LinkedIn, LinkedIn will receive data from you (which data LinkedIn receives also depends on whether you are logged in to LinkedIn with your user profile while you click on the page or not). LinkedIn also uses so-called cookies, which are stored on your device when you visit our company website, even if you do not have your own LinkedIn profile or are not logged into it during your visit to our corporate website. These cookies allow LinkedIn to provide its own services, determine the performance of the services and display relevant ads (including job ads) inside and outside LinkedIn. Cookies remain on your device until you delete them. You can find more information about the cookies used by LinkedIn at
According to its own information, LinkedIn uses this data for a wide variety of purposes and transmits it to a wide variety of recipients, including recipients who are not based in the EU. LinkedIn bases this data processing on various legal bases, which you can find in LinkedIn’s privacy policy. The privacy policy can be found at the following link https://linkedin.com/legal/privacy-policy
While LinkedIn uses this data under its own responsibility for various purposes, we can only see aggregated data on our LinkedIn website, i.e., statistics that no longer have any personal reference. These are called “page analytics”. You can find more information on “Page Analytics” on the corresponding LinkedIn information page at https://www.linkedin.com/help/linkedin/answer/a547077/linkedin-page-analytics-overview?lang=en
In addition, if you decide to become a follower when you visit our LinkedIn website, we will also receive your name and your position in the company according to the information in your LinkedIn user profile, as well as the date on which you became our follower. https://www.linkedin.com/help/linkedin/answer/4499/linkedin-page-analytics-overview?lang=en In accordance with the provisions of the GDPR, we are jointly responsible with LinkedIn for data processing on our LinkedIn website (Art. 26 GDPR). Accordingly, we have concluded an agreement with LinkedIn provided by LinkedIn in which this joint responsibility is regulated. You can find the agreement at the following link https://legal.linkedin.com/pages-joint-controller-addendum
This means that LinkedIn is primarily responsible for the aggregated Insight data. In addition, LinkedIn will fulfill all obligations under the GDPR with regard to the processing of Insight data (including Art. 12 -22 GDPR and Art. 32-34 GDPR). If you send us a request regarding our LinkedIn website, we will inform LinkedIn promptly. LinkedIn will respond to the request in accordance with our agreement.
Our legitimate interests in the processing of personal data lie in the use and linking of different communication channels, marketing via high-reach social media platforms and the analysis and evaluation of the success of our communication and marketing efforts. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If you consent to data processing (in particular to the setting of cookies), the processing is also carried out on the basis of Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG) or Art. 6 (1) sentence 1 lit. a GDPR. You can revoke your consent in accordance with the aforementioned legal bases at any time.
If you use our LinkedIn profile to contact us (e.g. by creating your own posts, responding to one of our posts or sending us private messages), we will only process the data you provide in order to process your contact. The legal basis for the processing of your personal data is therefore Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to contact you. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified. You can inform us at any time (see section 1 above) that we should delete the data provided in the course of the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.
Note on data transfers to the USA:
LinkedIn Ireland Unlimited Company processes data inside and outside the USA, so your personal data may also be transferred to US LinkedIn group companies (LinkedIN Corp.) and LinkedIn servers located in the USA. The USA is a third country within the meaning of the GDPR, for which an adequacy decision of the EU Commission (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”) exists. LinkedIN Corp is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list

. LinkedIn also relies on so-called standard contractual clauses. Further information can be found here: https://www.linkedin.com/help/linkedin/answer/a1343190/

d. Website on YouTube
We operate a company profile on the video sharing platform YouTube. The operator of YouTube is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. In the following, the term “YouTube” is used for the video sharing platform and the term “Google” for the operator of the platform.
On our website, we link to our company profile on YouTube using the YouTube icon. As long as you do not click on the link, Google will not receive any data from you. If you click on the link, for example to view or subscribe to our company profile on YouTube, Google will receive data from you (which data Google receives also depends on whether you are logged in to YouTube with your user profile while you click on the page or not). Google also uses so-called cookies, which are stored on your device when you visit our company profile, even if you do not have your own YouTube profile or are not logged into it during your visit to our company profile. These cookies allow Google, among other things, to collect and analyse data on target group interactions and website statistics (inside and outside YouTube). Cookies remain on your device until you delete them. You can find more information about the cookies used by Google at https://policies.google.com/technologies/cookies?hl=en&utm_source=ucb
According to its own information, Google uses this data for a wide variety of purposes and transmits it worldwide, both internally to affiliated companies and to companies, organizations or persons outside Google. Google bases this data processing on various legal bases, which you can find in detail in Google’s privacy policy. You can find Google’s privacy policy at the following link: https://policies.google.com/privacy?hl=en
While Google uses this data under its own responsibility for various purposes, we can only see aggregated data on our company website, i.e., statistics (e.g., playbacks, playback times and types of access sources), which no longer have any personal reference. This performance data is analyzed using the “YouTube Analytics” tool. You can find more information about the performance data on the corresponding information page of Google under the following link: https://support.google.com/youtube/answer/9002587?hl=en&sjid=407169541051816916-EU
Our legitimate interests in the processing of personal data lie in the use and linking of different communication channels, marketing via high-reach social media platforms and the analysis and evaluation of the success of our communication and marketing efforts. The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If you consent to data processing (in particular to the setting of cookies), the processing is also carried out on the basis of Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG) or Art. 6 (1) sentence 1 lit. a GDPR.
If you use our YouTube profile to contact us (e.g., by creating your own posts, responding to one of our posts, or sending us private messages), we will only process the data you provide in order to process your contact. The legal basis for the processing of your personal data is therefore Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to contact you. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified. You can inform us at any time that we should delete the data provided in the course of the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.
Note on data transfers to the USA:
However, Google Ireland Ltd. is a subsidiary of the US group Google, which means that your personal data may also be transferred to US Google group companies (in particular Google LLC) and Google servers located in the USA. The USA is a third country within the meaning of the GDPR for which the EU Commission has issued an adequacy decision (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”). Google LLC is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list.

e. soundcloud
We operate a profile page on the Soundcloud platform (SoundCloud Global Limited & Co. KG Rheinsberger Str. 76/77, 10115 Berlin, Germany (“Soundcloud”)), which we link to on our website via the Soundcloud icon. As long as you do not click on the link, Soundcloud will not receive any data from you. If you click on the link to view our performance on Soundcloud, Soundcloud will receive data from you (which data Soundcloud receives also depends on whether you are logged in to Soundcloud with your user profile while clicking on the page or not). In addition, Soundcloud uses so-called cookies, which are stored on your device when you visit our Soundcloud page even if you do not have your own Soundcloud profile or are not logged into it during your visit to our Soundcloud page. Cookies remain on your device until you delete them. You can find more information about the cookies used on Soundcloud at https://soundcloud.com/pages/cookies
According to its own information, Soundcloud uses this data for a wide variety of purposes and transmits it worldwide, both internally to other companies in the Soundcloud Group and to various external partners. Soundcloud bases this data processing on various legal bases, which you can find in detail in Soundcloud’s data policy. The data policy can be found at the following link: https://soundcloud.com/pages/privacy
While Soundcloud uses this data under its own responsibility for various purposes, we can view various statistical data (such as plays, “likes”, reposts of tracks, comments and shares) on our Soundcloud profile on the jointly responsible Soundcloud Fan Insights service. Further information on the processing of this usage data can be found at https://soundcloud.com/pages/fan-insights and in the privacy policy https://soundcloud.com/pages/privacy
In accordance with the provisions of the GDPR, we are jointly responsible with Soundcloud for data processing on our Soundcloud profile (Art. 26 GDPR). Accordingly, we have concluded an agreement with Soundcloud provided by Soundcloud in which this joint responsibility is regulated. You can find the agreement in German at the following link https://soundcloud.com/pages/fan-insights-joint-controller-addendum
This means that Soundcloud is primarily responsible for the Fan Insight data. In addition, Soundcloud will comply with all obligations under the GDPR with regard to the processing of Insight data (including Art. 12, 13 GDPR, Art. 15-22 GDPR and Art. 32-34 GDPR). If you send us a request regarding our Soundcloud page, we will inform Soundcloud promptly. Soundcloud will respond to the request in accordance with our agreement.
Our legitimate interests in the processing of personal data lie in the use and linking of various communication channels, marketing via high-reach social media platforms and the analysis and evaluation of the success of our communication and marketing efforts. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f GDPR. If you consent to data processing (in particular to the setting of cookies), the processing is also carried out on the basis of Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG) or Art. 6 (1) sentence 1 lit. a GDPR. You can withdraw your consent in accordance with the aforementioned legal bases at any time.
If you use our Soundcloud page to contact us (e.g., by creating your own posts, responding to one of our posts, or sending us private messages), we process the data you provide exclusively to process your contact. The legal basis for the processing of your personal data is therefore Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to contact you. The data will be stored until it is no longer required to achieve the purpose of the conversation with you and your contact request has been fully clarified. You can inform us at any time that we should delete the data provided in the course of the conversation. In this case, to the extent permitted, all personal data from the conversation will be deleted and it will not be possible to continue the conversation.
Reference to international data transfers:
According to its own information, Soundcloud is a globally active company, which means that data may be transferred outside the European Economic Area. Soundcloud relies on so-called standard contractual clauses or other legal mechanisms. Further information on this can be found in Soundcloud’s privacy policy: https://soundcloud.com/pages/privacy

Integration of third-party services

a. Integration of YouTube videos on our website

We integrate videos from YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) in our website for the purpose of making our website appealing. In the following, the term “YouTube” is used for the video portal, the term “Google” for the operator of this portal.
When integrating YouTube videos, we use the extended data protection mode, in which, according to the provider, information about you is only shared with Google if you activate the video by clicking on the play button of the video.
If you activate the video, Google may use cookies to collect information for analysis and advertising purposes and to improve user-friendliness. According to Google, the data is processed pseudonymously. However, especially if you are logged into your Google or YouTube account, the data may be linked directly to these accounts.
According to its own information, Google uses this data for a wide variety of purposes and transmits it to a wide variety of recipients, including recipients who are not based within the EU. Google bases this data processing on various legal bases. You can find an overview of this in Google’s privacy policy, which you can access at the following link: https://policies.google.com/privacy?hl=en
In addition, so-called Google Fonts (fonts provided by Google) may be loaded when the video is played.
We have embedded YouTube videos on our website in such a way that they are only loaded once you have given your consent. The legal basis for the integration of the YouTube service on our website and the associated processing of your data is therefore your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.
If YouTube sets cookies when you actively click on and play a YouTube video on our site, we process your data on the basis of your consent (Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TDDDG) or Art. 6 (1) sentence 1 lit. a GDPR). You can revoke your consent in accordance with the aforementioned legal bases at any time in the privacy settings on our website under “Manage consent”. You can find information on YouTube cookies at https://policies.google.com/technologies/cookies?hl=en
Note on data transfers to the USA:
However, Google Ireland Ltd. is a subsidiary of the US group Google, which means that your personal data may also be transferred to US Google group companies (in particular Google LLC) and Google servers located in the USA. The USA is a third country within the meaning of the GDPR for which the EU Commission has issued an adequacy decision (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”). Google LLC is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list.

b. Marker.io

On our website we use Marker.io a feedback tool offered by Marker.io SRL, Avenue Louise 231, 1050 Brussels, Belgium (“Marker.io”) to collect website feedback and technical information about errors. When using the feedback widget, the following data may be processed: IP address, browser details, operating system, timestamp, visited URL, technical diagnostic data (e.g., console logs), and any screenshots or information voluntarily submitted by the user.
Data may be transferred to servers outside the EU/EEA. Such transfers are carried out in accordance with the GDPR’s requirements for international data processing. Where Marker.io transfers personal data to a country not deemed to provide an adequate level of protection, such transfer shall be governed by the European Commission’s Standard Contractual Clauses (SCCs), incorporated herein by reference.
We have concluded a data processing agreement with Marker.io. Information about the data processing by Marker.io you can find here: https://marker.io/dpa and https://marker.io/privacy
The processing is based on our legitimate interest in improving website functionality and resolving technical issues (Art. 6 (1) sentence 1 lit f. GDPR). If Marker.io sets cookies when, we process your data on the basis of your consent (Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TDDDG) or Art. 6 (1) sentence 1 lit. a GDPR). You can revoke your consent in accordance with the aforementioned legal bases at any time in the privacy settings on our website under “Manage consent”.

13. Use of tracking technologies

a. User tracking for product and service improvement

In our FFOSSO software player, we use a tracking tool designed in-house to improve our products and services. We use largely anonymous device identification numbers (randomly assigned UUIDs) for this purpose. We can only establish a personal reference using these UUIDs in exceptional cases, e.g. if a specific instrument was downloaded from only one device on a specific date or if only one device was used in a specific country within a month.
We process the following data based on the UUIDS:

Metrics: Total users, Active Users, New (active Users), Most downloaded instruments / loaded instruments, Average active days, New User retention rate, Average downloads per User, Average instruments loaded per User, Instrument builders
Events: UI opened, Instrument downloaded, Instrument loaded, Instrument created, Device added to grid, Instrument saved

The legal basis for the processing of your personal data is therefore Art. 6 para. 1 sentence 1 lit. f GDPR. It is our legitimate interest to process your data transmitted to us in order to improve our products and services. The data will be stored until it is no longer required to achieve the purpose. You can inform us at any time that we should delete the data collected. In this case, to the extent permitted, this personal data will be deleted. You can object to the further processing of your data within the FFOSSO application on the profile page, that you can reach from the main sidebar menu.

We use analysis software from Mixpanel, Inc., One Front Street, Floor 28, San Francisco, CA 94111, USA (‘Mixpanel’) to analyse and statistically evaluate the above-mentioned user data. We make the collected data available to our data processor Mixpanel for statistical evaluation. Mixpanel acts as a processor and we have concluded a contract with Mixpanel for order processing in accordance with Art. 28 GDPR. This agreement is available here: https://mixpanel.com/legal/dpa/
The implementation of these technologies within our website and our application follows a strict privacy-by-design approach, under which we do not transmit any personal or personally identifiable information to Mixpanel – this information is therefore irreversibly anonymous for Mixpanel due to the lack of additional information required for identification. Information about the data processing by Mixpanel you find here: https://mixpanel.com/legal/privacy-policy/
Note on data transfers to the USA:
Mixpanel Inc. processes data also inside and outside the USA, so your personal data may also be transferred to servers located in the USA. The USA is a third country within the meaning of the GDPR, for which an adequacy decision of the EU Commission (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”) exists. Minpanel is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list. Mixpanel also relies on so-called standard contractual clauses. Further information can be found in the privacy statement linked above.

b. Meta pixels and use of other Meta technologies

On our website, we use the analytics tool Meta Pixel from Meta Platforms Inc. or Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland (“Meta”). The Meta Pixel works with a JavaScript code snippet that is executed when someone opens a page or performs a certain action. We use it to analyze the effectiveness of our advertising. We cannot identify individual users via our Facebook Business profile or address them specifically with advertising, but only user groups.
We use the Meta Pixel in such a way that the sending of pixel actions to Meta is interrupted until the cookie consent has been given. The legal basis for the setting of these cookies and the subsequent further processing of your personal data is your consent (Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG), Art. 6 (1) sentence 1 lit. a GDPR). You can revoke your consent at any time via the data protection settings on our website under “Manage consent”.
The meta pixel can record the following data:

HTTP header – all information that is usually contained in HTTP headers, e.g., IP addresses, information about the web browser, the location of the page, the document, the referrer, and the person using the website.
Pixel-specific data – including the pixel ID and the Facebook cookie.
Click data for buttons – all buttons that visitors to the website have clicked on, the labels of these buttons and all pages that were accessed as a result of these button clicks.
Optional values – we can optionally set custom data events to send additional information about the visit. Examples of custom data events include conversion value and page type.
Form field names – Including website field names such as “email”, “address”, “quantity”, for the purchase of a product or service.

With the Meta Pixel, we want to ensure that visitors to our website who fulfill certain characteristics (interest in certain products, gender, certain age, live in a certain city, etc.) are shown advertisements on Facebook. Meta calls the grouping of users based on certain characteristics “Custom Audiences”. The advertising on Facebook should be shown to potentially interested parties and not to those who are unlikely to be interested in our product. Our Custom Audience therefore consists of the “Website Custom Audiences” function, i.e., the Meta Pixel matches visitors to our website with people on Facebook so that we can then create a Facebook ad for this target group. This is called “retargeting.”
The pixel also helps to statistically track the effectiveness of advertisements. This is called Meta “conversion.” The Meta Pixel tells us whether people in the target group have visited our website, searched for a specific product on our website, looked at a specific product or product category, whether a purchase has been initiated, whether a purchase has been completed. The Meta Pixel also tells us whether people were directed to our site from a paid search engine result and whether people are interested in special offers. We can only see from the statistics whether or that this has happened – we cannot identify individual people.
In addition, our custom audience may also consist of “engagement custom audiences” (custom audiences by interaction) in relation to user interactions on Instagram or Facebook. “Engagement” means, for example, that a person has clicked on a video on our Facebook page or that the person has followed our Instagram profile or left a comment there. With Engagement Custom Audiences, we can show ads to these people.
While Engagement Custom Audiences are based on actions within the meta technologies, Website Custom Audiences are based on actions that take place on our website and are recorded by the meta pixel. Data is therefore only collected via the Meta Pixel in the latter case.
We also use the “Lookalike Audience” function. This allows us to reach new people who are likely to be interested in our company because they are similar to our existing customers.
In your Facebook profile, you can choose whether you want to receive personalized advertising. You can object to the collection by the Meta Pixel and the use of your data for Facebook Ads (as part of a Custom Audience). If your browser does not accept third-party cookies, the Meta Pixel will not be set.
The Facebook data policy can be found here: https://www.facebook.com/policy.php. Further information from Meta about the Meta Pixel and cookies used can be found here: https://www.facebook.com/business/help/651294705016616 and https://www.facebook.com/policies/cookies
We have concluded a data processing agreement with Meta. You can find out more at https://www.facebook.com/legal/technology_terms and https://www.facebook.com/legal/terms/dataprocessing

Note on data transfers to the USA:
The Meta Pixel is used on the basis of a contract that we have concluded with Meta Platforms Ireland. However, Meta Platforms Ireland is a subsidiary of the US group Meta Platforms Inc., which means that your personal data may also be transferred to US Meta group companies (in particular Meta Platforms Inc.) and Meta servers located in the USA. The USA is a third country within the meaning of the GDPR, for which an adequacy decision of the EU Commission (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”) exists. Meta Platforms Inc. is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list.

b. Google Analytics 4

The analytics service Google Analytics 4 is implemented on our website, which is offered for users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (hereinafter: “Google Analytics 4”). You can find Google’s privacy policy at the following link: https://policies.google.com/privacy?hl=en. You can find information on cookies here: https://policies.google.com/technologies/cookies?hl=en
We have concluded a data processing agreement with Google Ireland Limited in accordance with Art. 28 GDPR.
Google Analytics 4 can record the following information, among others:

Type of internet browser used
Version of the internet browser
The operating system you are using,
Selected language,
Data on the requesting end device,
Referrer (previously visited website),
Your IP address (according to Google, the IP address is only used temporarily to determine a rough location of the requesting end device (city level) and then deleted),
(Rough) location data, i.e. city (including its longitude and latitude), continent, country, region and subcontinent of the requesting end device,
Date and time of the server request,
The duration of the session,
Click and scroll behavior including media playback, internal searches, content sharing,
Webshop interactions, such as product views and orders.

Google Analytics 4 only uses the IP address to derive location data. According to Google, IP addresses are otherwise not logged or stored.
We are only shown statistics via Google Analytics 4, which we use to optimize our website and offers. We have also configured Google Analytics 4 so that Google is not allowed to use the data for its own analysis of online trends or to improve its own products and services.
Before we use Google Analytics 4 to analyse your website visit, we obtain your consent to the processing of your personal data (Art. 6 para. 1 sentence 1 lit. a GDPR) and to the setting of the necessary cookies (§ 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TDDDG)). Further information on the cookies used can be found in our cookie information.
The legal basis for the processing of your personal data and the setting of cookies in the context of Google Analytics 4 is therefore your consent in accordance with Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TDDDG) and Art. 6 (1) sentence 1 lit. a GDPR. You can revoke your consent at any time via the data protection settings on our website under “Manage consent”. You can also prevent the collection of your personal data by Google Analytics 4 and the processing of this data by Google by downloading and installing the browser add-on available at the following link (https://tools.google.com/dlpage/gaoptout?hl=de) to deactivate Google Analytics. You can also make data protection settings for Google under the following link: https://safety.google/privacy/privacy-controls/
Finally, you can also prevent the storage of Google cookies yourself by making the appropriate settings in your browser settings.
Note on data transfers to the USA:
The use of Google Analytics 4 is based on a contract that we have concluded with Google Ireland Ltd. However, Google Ireland Ltd. is a subsidiary of the US Google Group, which means that your personal data may also be transferred to US Google Group companies (in particular Google LLC) and Google servers located in the USA. The USA is a third country within the meaning of the GDPR for which the EU Commission has issued an adequacy decision (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”). Google LLC is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list.

c. Google Tag Manager

We use the Google Tag Manager tag management system on our website (hereinafter: “Google Tag Manager”), which is offered for users from the European Economic Area, Switzerland and Liechtenstein by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other users by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. You can find Google’s privacy policy at the following link: https://policies.google.com/privacy?hl=en. You can find information on cookies here: https://policies.google.com/technologies/cookies?hl=en

We have concluded a data processing agreement with Google in accordance with Art. 28 GDPR.
Google Tag Manager is a tag management platform that allows us to load additional tools using a so-called “tag.” According to Google, in order to monitor the stability, performance and installation quality of the system and to obtain data for diagnosis, Google Tag Manager can be used to collect certain aggregated data for tag triggering. According to Google’s own information at https://support.google.com/tagmanager/answer/9323295, this data does not contain any IP addresses or measurement IDs that are linked to a specific person. With the exception of the data in standard HTTP request logs, which are all deleted within 14 days of receipt, and the diagnostic data described above, Google Tag Manager does not collect, store or share any information about visitors to our website. This also applies to the URLs of visited pages.
If the tools loaded by Google Tag Manager collect data for their part, Google Tag Manager does not access this data. If deactivation has been carried out at domain or cookie level, this remains in place for all tracking tags that are implemented with Google Tag Manager.

Legal basis: Google Tag Manager is used to store cookies, but only processes technical information and therefore does not require consent under the TDDDG. The legal basis for the use of Google Tag Manager is therefore Art. 6 para. 1 lit. f. GDPR. Our legitimate interest lies in the uniform and proper integration of cookies across different end devices.
Note on data transfers to the USA:
The use of Google Tag Manager is based on a contracligit that we have concluded with Google Ireland Ltd. However, Google Ireland Ltd. is a subsidiary of the US Google Group, which means that your personal data may also be transferred to US Google Group companies (in particular Google LLC) and Google servers located in the USA. The USA is a third country within the meaning of the GDPR for which the EU Commission has issued an adequacy decision (the so-called “EU-US Data Privacy Framework” or “EU-US DPF”). Google LLC is certified as a US company under the EU-US DPF, see https://www.dataprivacyframework.gov/list

14. Consent management tool Usercentrics

To obtain and document the consent of our visitors to the cookies and services we use on our website, we use the cookie consent tool of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (“Usercentrics”).
The legal basis for the use of Usercentrics is Art. 6 para. 1 sentence 1 lit. c and f GDPR, as the legally secure obtaining of consent is legally required and it is in our legitimate interest to use the services of a professional service provider to manage and document the cookie settings of our visitors.
Information on data processing by Usercentris can be found here: https://usercentrics.com/privacy-policy/. We have concluded a data processing Agreement with UserCentrics. Further information can be found at: https://usercentrics.com/wp-content/uploads/2023/10/Usercentrics_DPA_September-2023.pdf

15. Data processing in connection with the download and use of Instruments in FFOSSO

When you download and use our Content, we process your USER ID, your subscription type the date, and the name of the respective content (samples, presets etc.). Legal basis for data processing is Art. 6 para. 1 lit. b.) GDPR. We store this data permanently with AWS (see Section 4.a) until the contract is fulfilled and to support customer support.

16. Your rights
If we process your data, you are a “data subject” within the meaning of the GDPR. You have the following rights: right of access, right to rectification, right to restriction of processing, right to erasure, right to information (our notification obligation) and right to data portability. You also have the right to object, the right to withdraw consent and the right to lodge a complaint with the supervisory authority.
Below you will find some details on the individual rights:a. Right of access
You have the right to request confirmation from us as to whether we are processing your personal data. If we process your personal data, you have the right to obtain information in particular about the processing purposes, categories of personal data, recipients or categories of recipients and, if applicable, the storage period.b. Right of rectification
You have the right to correct and/or complete the data that we have stored about you if this data is incorrect or incomplete. We will make the correction or completion without delay.

c. Right to restriction of processing
Under certain circumstances, you have the right to request that we restrict the processing of your personal data. An example of this is if you dispute the accuracy of your personal data and we need to verify the accuracy for a certain period of time. Your data will only be processed to a limited extent for the duration of the check. Another example of restriction is if we no longer need your data, but you need it for a legal dispute.

d. Right to erasure

In certain situations, you have the right to request that we delete your personal data immediately. This is the case, for example, if we no longer need your personal data for the purposes for which we collected it or if we have processed your data unlawfully. Another example would be if we process your data on the basis of your consent, you withdraw your consent and we do not process the data on any other legal basis. However, your right to erasure does not always apply. For example, we may process your personal data in order to comply with a legal obligation or because we need it for a legal dispute.

e. Notification obligation

If you have exercised your right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom we have disclosed your personal data of the rectification, erasure or restriction of processing of your data, unless this proves impossible or involves a disproportionate effort.

f. Right to data portability
Under certain conditions, you have the right to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format and the right to have this data transmitted to another controller. This is the case if we process the data either on the basis of your consent or on the basis of a contract with you and that we process the data using automated procedures.
You have the right to obtain that we transfer your personal data directly to another controller, insofar as this is technically feasible and the freedoms and rights of other persons are not affected by this.

g. Right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6 (1) GDPR. This also applies to profiling based on these provisions.
After an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
If we process your personal data for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for the purpose of such marketing. This also applies to profiling insofar as it is associated with direct advertising. If you object to the processing of your personal data for direct marketing purposes, we will no longer process it for these purposes.

h. Right of withdrawal
In accordance with Art. 7 (3) GDPR, you have the right to withdraw your consent at any time. Withdrawal of consent does not retroactively invalidate the lawfulness of the processing.

i. Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy. In particular, you may exercise your right to lodge a complaint in the Member State of your place of residence, your place of work or the place of the alleged infringement if you believe that the processing of your personal data infringes the GDPR.
The competent supervisory authority for Baden-Württemberg is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg, Lautenschlagerstr. 20, 70173 Stuttgart, phone +49 711 6155410, fax +49 711 61554115, email poststelle@lfdi.bwl.de.
You can find an overview of the respective state data protection officers and their contact details under the following link:
https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

17. Status of this privacy notice
Status: 08.12.2025

Cookie information

We use cookies on our website. Cookies are text files that are sent to your browser by our web server when you visit our website and are stored on your computer for later retrieval. Cookies are then sent to the server of our website with every server request or page view. A cookie can therefore identify your Internet browser when you visit the website again. Some of the functions that we have integrated into our website also use web storage objects. These work in a similar way to cookies, but are temporarily stored in your browser and are generally not transmitted to the server.

There are session cookies, which are deleted when the browser is closed, and there are persistent cookies, which are stored on the hard disk until their preset expiration date is reached or until they are actively removed by you. Web storage objects are divided into local storage objects, which never expire, and session storage objects, which are deleted when the browser is closed.

A distinction is made between first party cookies (only visible from the domain you are currently visiting) and third party cookies (visible across domains and regularly set by third parties).

Cookies and web storage objects are divided into the following categories:

Technically necessary: These are absolutely necessary to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes or store which web pages you have visited. The legal basis for setting technically necessary cookies and web storage objects is Section 25 (2) of the German Telecommunications-Telemedia Data Protection Act TTDSG.

Optional: These are used, for example, for analysis and marketing purposes and to display external content such as videos. Analysis cookies and web storage objects collect information about how you use a website, which pages you visit and, for example, whether errors occur when using the website. Marketing cookies and web storage objects are used to show you customized advertising on the website or offers from third parties and to measure the effectiveness of these offers. These are technologies that are not technically necessary. The legal basis for setting these cookies and web storage objects is therefore your consent in accordance with Section 25 (1) of the German Telecommunications-Telemedia Data Protection Act (TTDSG).
Please note the following: You can ensure yourself that no cookies and similar technologies are stored on your computer at all, or that the storage of only certain cookies is permitted. You can select this in your Internet browser settings. You can also view and delete the stored cookies there. If you block all cookies, it is possible that not all functions of our website will be available to you.

a. Right of revocation / removal
As stated at the beginning of this section, you can enable or restrict the transmission of cookies and similar technologies by changing the settings in your internet browser. You can delete cookies and web storage objects that have already been saved by your internet browser at any time. If cookies and web storage objects are restricted or deactivated for our website, it is possible that not all functionalities can be used. You can revoke your consent at any time in the privacy settings on our website under “Manage consent”.

18. Information about the cookies and web storage objects on our website:
We use the following technically necessary cookies and web storage objects on our website:

Name	Purpose	Storage duration
__cf_bm	This is used for the bot protection solution provided by Cloudflare.	30 minutes
cf_clearance	This cookie is used to store the proof of challenge passed. It is used to no longer issue a challenge if present. It is required to reach an origin server.	30 minutes
_cfuvid	This cookie is used for rate limiting rules.	7 days
cf_chl_cc_XXX, cf_chl_rc_i, cf_chl_rc_ni	This cookie is used by Cloudflare for the execution of challenges. It is not used for tracking or beyond the scope of the challenge.	Session
__cflb	This is used to return an end user to the same customer origin for a specific period of time configured by the customer.	1 day
_cfseq	This cookie tracks the sequence and timing of user requests to enable Cloudflare Rules to identify valid or invalid request patterns.	60 minutes
cf_ob_info, cf_use_ob	These cookies provide information about the origin server’s HTTP status, the Ray ID of failed requests, the data center serving the traffic, and instruct Cloudflare to fetch resources from the Always Online cache on designated ports. They are persistent cookies that expire after 30 seconds	1 minute
__cfwaitingroom	This cookie is used to track visitors accessing a host and path combination protected by Cloudflare’s Waiting Room. It helps manage user placement in the queue and estimate wait times.	60 minutes
__cfruid	This cookie is strictly necessary to support Cloudflare’s Rate Limiting by identifying individual clients behind a shared IP address and managing incoming traffic. It helps distinguish legitimate users from potential threats. This cookie is temporary and typically expires at the end of the session.	Session
__stripe_mid	Fraud prevention and detection	Session
__stripe_sid	Fraud prevention and detection	Session
m	Fraud prevention and detection	Session
session	Login session for Stripe Dashboard	2 months, 29 days
lsession	Login session for Stripe Express	7 days
stripe.csrf	CSRF protection for Stripe Dashboard	1 year
cliauth_secret	Authentication for Stripe CLI	Session
art_token, cbt_token, cct_token, cdt_token, ect_token, svt_token, lc_token, prt_token, act_token	Authentication for recovery, security changes, support, device verification	Session
NID	Used by reCAPTCHA for security	Session
locale	Localization: language	Session
country	Localization: country	Session
long	Preferred programming language for docs	Session
has_intentionally_selected_curl	Preference for Curl examples	Session
persisted-tab-#{id}	Remembers selected documentation tab	Session
disable_cmd_f_override	Disables Stripe docs custom search override	Session
double_cmd_f_uses	Tracks usage of cmd/ctrl+F	Session
expanded-topics	Remembers expanded topics in docs	Session
checkout-test-session, checkout-live-session	Legacy Checkout memory	Session
_ga, _gat, _gat_UA-12675062-5, _gid	Google Analytics cookies	Session
cid	Stripe analytics client ID	Session
site_sid, __stripe_id	Stripe analytics session ID	2 hours, 30 minutes
__stripe_orig_props	Marketing campaign effectiveness	Session
__utma, __utmb, __utmc, __utmt, __utmz	Runkit Google Analytics	10 minutes
_mkto_trk	Tracks page views & email campaign performance	Session
ucString	Stores ControllerID, SettingsID, language, consent history	–
ucData	Stores Google Consent Mode data	–

We use the following optional cookies and web storage objects on our website objects:

Name	Purpose	Storage duration
_gcl_aw, _gcl_dc, _gcl_gb	This is the prefix used as part of the cookie names. The conversion linker tag sets ad click information in cookies and uses the top-most domain and root level path.	1 day
test_cookie	This cookie is used to store user preferences.	1 day
IDE	Contains a randomly generated user ID. Using this ID, Google can recognize the user across different websites across domains and display personalized advertising.	365 days
DSID	Contains a randomly generated user ID. Using this ID, Google can recognize the user across different websites across domains and display personalized advertising.	14 days
pm_sess	This cookie is used to prevent malicious sites from acting on behalf of a user without their knowledge.	30 minutes
pm_sess_NNN	This cookie is used to prevent malicious sites from acting on behalf of a user without their knowledge.	30 minutes
aboutads_sessNNN	This cookie is used to store information about a user’s preferences regarding online behavioral advertising, specifically whether they have opted out of receiving personalized ads.	30 minutes
FLC	This cookie is used for creating targeted ads.	0 minutes
RUL	This cookie is used to store user consent for cookies and session information.	365 days
PAIDCONTENT	This cookie is used to track whether a user has paid access for premium content.	30 days
APC	This cookie is used for remembering user preferences, authenticating users, preventing fraud, and improving website performance.	183 days
_fbp	Cookie from Meta used for website analytics, ad targeting and ad measurement.	91 days
fbc_	This cookie provides Meta with information about where the visitor was referred from.	Session
lastExternalReferrer	This cookie provides Meta with information about where the visitor was referred from.	Session
lastExternalReferrerTime	This cookie tracks when the lastExternalReferrer LocalStorage item was placed on the device of the visitor.	Session
_GRECAPTCHA	This cookie is set so that Google can provide risk analyses about the activities observed by Google reCAPTCHA.	180 days
NID	This is used to provide advertisements or retargeting.	6 months
__gads	This is used to provide advertisements or retargeting.	1 year, 1 month
pm_sess	This is used to make sure that requests come from a user.	30 minutes
ANID	This is used to show advertisements on websites outside of Google.	1 year, 1 month
_gcl_au	This is used to store and track conversions.	2 months, 29 days
FPGCLAW	This cookie is used to track campaign related information on the user.	2 months, 29 days
FPGCLGB	This cookie is used to track campaign related information on the user.	2 months, 29 days
_gcl_gb	This cookie is used to track campaign related information on the user.	2 months, 29 days
gac_gb wpid<>	This cookie is used to track campaign related information on the user.	2 months, 29 days
_gcl_aw	This cookie is set when a user arrives at the website via a click on a Google ad.	2 months, 29 days
YSC	This is used to store and track interaction.	Session
1P_JAR	This is used to collect information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.	30 days
AID	This is used to link activities on other devices the user has previously logged into with a Google account.	1 year, 1 month
FPAU	This is used to collect information about the users and their activity on the website through embedded elements with the purpose of analytics and reporting.	2 months, 29 days
_ga	Used to distinguish users.	2 years
ga<container-id>	Used to persist session state.	2 years
__sak	This is used to store information about the visitor’s video preferences.	–
LAST_RESULT_ENTRY_KEY	This is used to save the user settings when retrieving a YouTube video integrated on other web pages.	–
yt-player-bandaid-host, yt-player-bandwidth, yt-player-headers-readable	This is used to determine the optimal video quality based on the visitor’s device and network settings.	–
yt-remote-cast-installed, yt-remote-connected-devices, yt-remote-device-id, yt-remote-fast-check-period, yt-remote-session-app, yt-remote-session-name	This is used to store the user’s video player preferences using embedded YouTube video.	–
YEC	This is used to store the user’s video player preferences using embedded YouTube video.	1 year, 1 month
CONSENT	This is used to detect if the visitor has accepted the marketing category in the cookie banner.	2 years
DEVICE_INFO	This is used to track user’s interaction with embedded content.	5 months, 26 days
remote_sid	This is used for the implementation and functionality of YouTube video content on the website.	Session
test_cookie	This is a test for cookie setting permissions in user’s browser.	1 day
VISITOR_INFO1_LIVE	This is used to measure the users bandwidth to determine whether they get the new or old player interface.	6 months
YSC	This is set by the YouTube video service on pages with embedded YouTube videos.	Session
PREF	This is used to store information such as your preferred page configuration and playback settings.	8 months
pm_sess	This is used to maintain your browsing session.	30 minutes
CGIC	This is used to provide search results by auto-completing search queries based on a user’s initial input.	6 months
UULE	This is used to determine the users geographic location.	6 hours
_Secure-YEC	This is used to store the user’s video player preferences using embedded YouTube videos.	1 year, 1 month