Privacy Policy

1. General Notes and Principles of Data Processing

We are pleased that you are visiting our website. Protecting your privacy and your personal data (so-called “personal data”) when using our website is important to us.

According to Art. 4(1) GDPR, personal data includes all information relating to an identified or identifiable natural person. This includes, for example, your first and last name, address, telephone number, email address, and also your IP address. Data that cannot be linked to your person, for example due to anonymization, is not personal data. The processing of personal data (e.g., collection, storage, reading, retrieval, use, transmission, deletion, or destruction) pursuant to Art. 4(2) GDPR always requires a legal basis or your consent. Processed personal data must be deleted as soon as the purpose of processing has been achieved and there are no statutory retention obligations to observe.

Below you will find information on how we handle your personal data when you visit our website. In order to provide the functions and services of our website, it is necessary for us to collect personal data about you. We also explain the type and scope of the respective data processing, the purpose and the corresponding legal basis, and the respective storage period.

This privacy policy applies only to this website. It does not apply to third-party websites to which we merely refer via a hyperlink. We cannot assume responsibility for the confidential handling of your personal data on these third-party websites, as we have no influence over whether these companies comply with data protection regulations. Please inform yourself directly on these websites about how your personal data is handled by these companies.

For project applications as well as application inquiries, we provide separate privacy notices, which can also be accessed on our website via the contact link.

2. Controller

The controller responsible for processing personal data on this website is (see imprint):

3. Data Protection Officer

If you have any questions about data protection, a data protection officer acting on behalf of SPRIND is available at the following business address:

4. Collection of General Data and Information

a) Type and scope of data processing

When you use the website for informational purposes only, i.e., if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website to you and to ensure stability and security (legal basis is Art. 6(1) sentence 1 lit. f GDPR):

• browser types and versions used;
• the operating system used by the accessing system;
• the website from which an accessing system arrives at our website (so-called referrer);
• the subpages that are accessed on our website by an accessing system;
• the date and time of access to the website;
• an Internet Protocol address (IP address);
• the Internet service provider of the accessing system;
• other similar data and information used for hazard prevention in the event of attacks on our IT systems.

b) Purpose and legal basis

As a matter of law, any processing of personal data is generally prohibited and only permitted if the processing falls under one of the following grounds for justification:

• Art. 6(1) sentence 1 lit. a GDPR (Consent): The data subject has given consent for one or more specific purposes;
• Art. 6(1) sentence 1 lit. b GDPR: Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• Art. 6(1) sentence 1 lit. c GDPR: Compliance with a legal obligation to which the controller is subject (e.g., statutory retention obligations);
• Art. 6(1) sentence 1 lit. d GDPR: Protection of vital interests of the data subject or of another natural person;
• Art. 6(1) sentence 1 lit. e GDPR: Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
• Art. 6(1) sentence 1 lit. f GDPR (Legitimate interests): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (in particular when the data subject is a minor).

Furthermore, the storage of information in your terminal equipment as an end user and access to information already stored in your terminal equipment takes place solely after consent pursuant to Section 25(1) TDDDG, unless it is dispensable under Section 25(2) TDDDG. For the processing operations we carry out, we indicate the applicable legal basis in each case below. Processing may also be based on multiple legal bases.

c) Storage period

Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies. Your data is generally stored only on our servers in Germany, subject to any transfer according to the provisions in No. 7 below.

Storage may nevertheless take place beyond the specified period in the event of a (threatened) legal dispute with you or other legal proceedings, or if storage is provided for by statutory provisions to which we, as controller, are subject (e.g., Section 257 HGB, Section 147 AO). When the storage period prescribed by statutory provisions expires, the personal data is blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

5. Disclosure of Data to Third Parties

As is the case with any larger company, we also use external domestic and foreign service providers to process our business transactions (e.g., in the areas of IT, logistics, telecommunications, sales, and marketing). They act solely on our instructions and are contractually obliged under Art. 28 GDPR to comply with data protection regulations.

6. Data Transfer to a Third Country

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing or transmitting data to third parties, this is done only if it is necessary for the performance of our (pre-)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special requirements of Art. 44 et seq. GDPR are met.

Some third countries are certified by the European Commission via adequacy decisions as providing a level of data protection comparable to the EEA standard (you can find a list of these countries and a copy of the adequacy decisions here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

In other third countries to which personal data may be transferred, a consistently high level of data protection may not exist due to a lack of legal regulations. Where this is the case, we ensure adequate data protection, e.g., through binding corporate rules, the European Commission’s Standard Contractual Clauses, certifications, or recognized codes of conduct. With respect to individual services, we inform you in the relevant sections (see No. 8) about the prerequisites for data transfers to third countries. Please contact our Data Protection Officer (see above) if you would like more information.

7. Cookies

The SPRIND websites use cookies. Cookies are text files that are placed and stored on a computer system via an Internet browser. Many cookies contain a so-called cookie ID, a unique identifier of the cookie.

The use of cookies enables us to provide user-friendly services on our websites that would not be possible without the cookie setting. For example, you may not have to enter your login data again each time you visit our site.

You can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. You can also delete cookies that have already been set at any time via your Internet browser or other software programs. If you deactivate the setting of cookies, not all functions of our website may be fully usable.

8. Services in Detail

a) Tag management via Google Tag Manager

We use Google Tag Manager (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to manage and deploy marketing and analytics tags on our website. Google Tag Manager itself does not collect personal data but enables the controlled loading of other services. The tool helps us manage various tracking codes and marketing pixels efficiently.

Legal basis: Art. 6(1)(f) GDPR for legitimate interests in website optimization and marketing management. Data may be transferred to Google servers in the USA based on adequacy decisions or Standard Contractual Clauses.

Privacy policy: https://policies.google.com/privacy

b) Website analytics via Google Analytics

We use Google Analytics (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) to analyze website usage and improve our services. Google Analytics uses cookies and similar technologies to collect information about your use of our website, including IP addresses, browser information, pages visited, and time spent on pages.

We have configured Google Analytics to anonymize IP addresses and have disabled data sharing with Google for advertising purposes. Data is stored on Google servers, which may include servers in the USA.

Legal basis: Art. 6(1)(a) GDPR (consent) and Section 25(1) TDDDG for cookie usage. You can withdraw consent at any time through our cookie settings or by opting out via Google's browser add-on.

Privacy policy: https://policies.google.com/privacy • Opt-out: https://tools.google.com/dlpage/gaoptout

c) Website analytics via Hotjar

We use Hotjar (Hotjar Ltd., Level 2, St Julian's Business Centre, 3, Elia Zammit Street, St Julian's STJ 1000, Malta) to better understand user behavior and improve our website experience. Hotjar records anonymized user sessions, heatmaps, and feedback to help us optimize our website design and functionality.

Hotjar collects information about your device, browser, IP address (anonymized), screen size, and interactions with our website. No personally identifiable information is collected without explicit consent. Data is stored on servers within the EU.

Legal basis: Art. 6(1)(a) GDPR (consent) and Section 25(1) TDDDG. You can opt out of Hotjar tracking at any time through our cookie settings or directly via Hotjar's opt-out mechanism.

Privacy policy: https://www.hotjar.com/legal/policies/privacy/ • Opt-out: https://www.hotjar.com/legal/compliance/opt-out

d) Product analytics via PostHog

We use PostHog (PostHog Inc., 2261 Market Street #4008, San Francisco, CA 94114, USA) for product analytics and feature usage tracking. PostHog helps us understand how users interact with our platform features and make data-driven product decisions.

PostHog collects usage data including page views, feature interactions, and technical information such as browser type and device information. We have configured PostHog to respect user privacy preferences and anonymize personal identifiers where possible.

Legal basis: Art. 6(1)(a) GDPR (consent) and Section 25(1) TDDDG for data collection and storage. Data may be processed on servers in the USA with appropriate safeguards including Standard Contractual Clauses.

Privacy policy: https://posthog.com/privacy

e) Newsletter via CleverReach

With your consent, you can subscribe to our newsletter (double opt-in). The only mandatory information is your email address. Legal basis: Art. 6(1) sentence 1 lit. a GDPR as well as, regarding the storage of information in your end device and/or access to information already stored in your device, Section 25 (1) TTDSG. You can revoke your consent at any time, e.g., via the link provided in each newsletter email, by email to info@sprind.org, or by contacting us via the details provided in the imprint.

The newsletter is sent via CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede (CleverReach). A data processing agreement is in place. Data (e.g., email address) is stored on servers in Germany and Ireland. Newsletters contain web beacons/tracking pixels to determine whether a newsletter was opened and which links were clicked. Technical information (time of retrieval, IP address, browser, OS) may be collected to optimize content.

f) Processing of personal data when using social networks

SPRIND maintains online presences on X (Twitter), LinkedIn, Instagram, and YouTube for public relations. No social plug-ins are used; references are simple links.

Use of these services is at your own responsibility. Providers may process data (e.g., IP address, device information, location) and transfer it to third countries. SPRIND has no influence on the scope, location, duration of storage, or dissemination. Privacy notices:

• X (Twitter): https://x.com/de/privacy
• LinkedIn: https://www.linkedin.com/legal/privacy-policy
• Instagram: https://help.instagram.com/581066165581870/?helpref=hc_fnav
• Google/YouTube: https://policies.google.com/privacy?hl=de&gl=de

More information about X privacy settings: https://help.twitter.com/de/safety-and-security/x-privacy-settings.

9. Your Rights

You have the right at any time to:

• request information pursuant to Art. 15 GDPR about your personal data processed by us (purposes of processing, categories of data, recipients, storage period, existence of rights to rectification, deletion, restriction, objection, source of data if not collected from you, existence of automated decision-making including profiling, and meaningful information about the details);
• request rectification without undue delay pursuant to Art. 16 GDPR of inaccurate or completion of incomplete personal data stored by us;
• request erasure pursuant to Art. 17 GDPR of personal data stored by us unless processing is required for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims;
• request restriction of processing pursuant to Art. 18 GDPR where the accuracy of the data is contested, the processing is unlawful but you oppose the erasure, we no longer need the data but you require it for legal claims, or you have objected pursuant to Art. 21 GDPR;
• receive your personal data pursuant to Art. 20 GDPR in a structured, commonly used, machine-readable format or to request transmission to another controller;
• object to processing pursuant to Art. 21 GDPR where processing is based on Art. 6(1) sentence 1 lit. e or f GDPR. Unless the objection concerns direct marketing, please explain the reasons why we should not process your data as we have done. We will review the situation and either stop or adjust the processing or demonstrate compelling legitimate grounds for continuing it; to exercise your right to object, an email to DATENSCHUTZ@SPRIND.ORG is sufficient.
• withdraw your consent at any time pursuant to Art. 7(3) GDPR (also if granted before 25 May 2018). Consequently, we may no longer continue data processing based on this consent in the future; and
• lodge a complaint pursuant to Art. 77 GDPR with a supervisory authority, typically at your habitual residence or place of work or at our place of business.