Disclaimer and Data Protection

I. Name and Address of the Data Controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States, as well as other data protection regulations, is:

paulyTon GmbH
Neesbacher Strasse 25
65597 Huenfelden, Germany

CEO: Daniel Schimidt

II. General Information on Data Processing

1. Scope of Personal Data Processing
We generally process our users’ personal data only internally. The processing of our users’ personal data is typically carried out only with the user’s consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.

We do not use:
Google Analytics
Cookies
or Facebook and other links.
We do not disclose any customer data to third parties.

2. Legal basis for the processing of personal data
To the extent that we obtain the data subject’s consent for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures.
To the extent that the processing of personal data is necessary to comply with a legal obligation to which our company is subject, Article 6(1)(c) of the GDPR serves as the legal basis.
In the event that vital interests of the data subject or of another natural person require the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the aforementioned interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing.

3. Data Deletion and Retention Periods
The data subject’s personal data will be deleted or blocked as soon as the purpose for which it was stored no longer applies. Data may also be retained if this is provided for by European or national legislation in EU regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or deleted when a retention period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

III. Provision of the website and creation of log files

1. Description and Scope of Data Processing

Every time our website is accessed, our system automatically collects data and information from the accessing computer’s system.
The following data is collected:

Information about the browser type and version used
The user’s operating system
The user’s Internet service provider
The user’s IP address
Date and time of access
Websites from which the user’s system accesses our website
Websites accessed by the user’s system via our website

The data is also stored in our system’s log files. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of the data and log files is Article 6(1)(f) of the GDPR.

3. Purpose of data processing

The system temporarily stores the IP address in order to deliver the website to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
The data is stored in log files to ensure the website’s functionality. In addition, the data helps us optimize the website and ensure the security of our IT systems. The data is not analyzed for marketing purposes in this context.
These purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) of the GDPR.

4. Duration of storage

The data is deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collected for the purpose of providing the website, this occurs when the respective session ends.
In the case of data stored in log files, this occurs after seven days at the latest. Storage beyond this period is possible. In this case, the users’ IP addresses are deleted or anonymized so that the client making the request can no longer be identified.

5. Right to object and request removal

The collection of data for the purpose of providing the website and the storage of this data in log files is essential for the operation of the website. Consequently, users do not have the option to object.

IV. No cookies are used

We do not use cookies on our website. Cookies are small files that your browser automatically creates and stores on your device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not cause any damage to your device and do not contain viruses, Trojans, or other malware.
Information is stored in the cookie that relates to the specific device being used. However, this does not mean that we thereby gain direct knowledge of your identity.
The use of cookies serves, on the one hand, to make the use of our website more convenient for you. For example, we use so-called session cookies to recognize that you have already visited individual pages of our website. These are automatically deleted when you leave our site.
In addition, to optimize user-friendliness, we also use temporary cookies that are stored on your device for a specific, predetermined period of time. If you visit our site again to use our services, the system automatically recognizes that you have previously visited us and recalls the entries and settings you made, so you do not have to re-enter them.
The data processed by cookies is necessary for the aforementioned purposes to safeguard our legitimate interests and those of third parties pursuant to Art. 6(1)(f) GDPR.
Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a notification always appears before a new cookie is created. However, completely disabling cookies may prevent you from using all the features of our website.

V. SSL or TLS encryption

For security reasons and to protect the transmission of confidential information that you send to us as the website operator, our website uses SSL or TLS encryption. This ensures that data you transmit via this website cannot be read by third parties. You can recognize an encrypted connection by the “https://” in your browser’s address bar and the lock icon in the browser’s status bar.

VI. Email-Contact

When you contact us (e.g., via email, phone, or social media), your information is processed in accordance with Article 6(1)(b) of the GDPR to handle and resolve your inquiry. Your information may be stored in a customer relationship management system or a similar inquiry management system.
We delete the requests once they are no longer necessary. We review the necessity of retention every two years; furthermore, statutory archiving obligations apply.

VII. Social Media Presence

If we maintain a presence on social media networks and platforms to communicate with customers, prospective customers, and users active there and to inform them about our services, the following applies: When accessing these networks and platforms, the terms of service and data processing policies of their respective operators apply.
Unless otherwise specified in our Privacy Policy, we process users’ data when they communicate with us on social networks and platforms, e.g., by posting on our online presences or sending us messages.

VIII. Services

We process our customers’ data as part of our contractual services.

In doing so, we process master data (e.g., customer master data such as names or addresses), contact data (e.g., email addresses, phone numbers), content data (e.g., text entries, photographs, videos), contract data (e.g., subject matter of the contract, term), and payment data (e.g., bank details, payment history) . We generally do not process special categories of personal data, unless they are part of commissioned processing. Data subjects include our customers, prospective customers, and their customers, users, website visitors, or employees, as well as third parties. The purpose of processing is to provide contractual services, billing, and our customer service. The legal basis for processing is derived from Art. 6(1)(b) GDPR (contractual services) and Art. 6(1)(f) GDPR (analysis, statistics, optimization, security measures). We process data necessary for the establishment and fulfillment of contractual services and indicate the necessity of providing such data. Disclosure to third parties occurs only if required within the scope of a contract. When processing data entrusted to us within the scope of a contract, we act in accordance with the client’s instructions and the legal requirements for data processing on behalf of a client pursuant to Article 28 of the GDPR, and we process the data for no other purposes than those specified in the contract.

We delete the data after the expiration of statutory warranty and comparable obligations. The necessity of retaining the data is reviewed every three years; in the case of statutory archiving obligations, deletion occurs after their expiration (6 years, pursuant to Section 257(1) of the German Commercial Code (HGB); 10 years, pursuant to Section 147(1) of the German Fiscal Code (AO)).

IX. Administration, Financial Accounting, Office Organization, Contact Management

We process data in connection with administrative tasks, the organization of our operations, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in connection with the provision of our contractual services. The legal basis for processing is Article 6(1)(c) of the GDPR and Article 6(1)(f) of the GDPR. This processing affects customers, prospective customers, business partners, and website visitors. The purpose and our interest in the processing lie in administration, financial accounting, office organization, and data archiving—that is, tasks that serve to maintain our business operations, fulfill our duties, and provide our services. The deletion of data regarding contractual services and contractual communication corresponds to the information provided for these processing activities.
In this context, we disclose or transfer data to tax authorities, advisors such as tax consultants or auditors, as well as other billing agencies and payment service providers.
Furthermore, based on our business interests, we store information regarding suppliers, event organizers, and other business partners, e.g., for the purpose of contacting them at a later date. We generally store this predominantly company-related data on a permanent basis.

X. Rights of the Data Subject
If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of Access
You have the right to request confirmation from the controller as to whether we are processing personal data concerning you.
If such processing is taking place, you have the right to request the following information from the controller:

the purposes for which the personal data is processed;
the categories of personal data that are processed;
the recipients or categories of recipients to whom your personal data has been or will be disclosed;
the planned duration of the storage of the personal data concerning you or, if specific details are not possible, the criteria for determining the storage period;
the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
the existence of a right to lodge a complaint with a supervisory authority;
all available information regarding the origin of the data, if the personal data is not collected from the data subject;
the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and—at least in such cases—meaningful information regarding the logic involved, as well as the significance and intended consequences of such processing for the data subject.
You have the right to request information regarding whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to Rectification
You have the right to request that the controller rectify and/or complete your personal data if the personal data concerning you is inaccurate or incomplete. The controller must rectify the data without undue delay.

3. Right to Restriction of Processing
Under the following conditions, you may request that the processing of your personal data be restricted:

if you contest the accuracy of the personal data concerning you for a period that allows the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of the use of the personal data;
the controller no longer needs the personal data for the purposes of processing, but you need it to assert, exercise, or defend legal claims, or
if you have objected to the processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the controller’s legitimate grounds override your grounds.
If the processing of your personal data has been restricted, such data—apart from its storage—may be processed only with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or of a Member State.

If the restriction on processing has been imposed in accordance with the above conditions, the controller will notify you before the restriction is lifted.

4. Right to Erasure

a) Obligation to Erase
You may request that the controller erase your personal data without undue delay, and the controller is obligated to erase such data without undue delay if any of the following grounds apply:

The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing.
You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
The personal data concerning you has been processed unlawfully.
The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
The personal data concerning you was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.
Information to third parties

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, the controller shall, taking into account available technology and the cost of implementation, take reasonable measures, including technical measures, to inform controllers who process the personal data that you, as the data subject, have requested the erasure of all links to such personal data or of copies or replicas of such personal data.

b) Exceptions
The right to erasure does not apply where the processing is necessary

to exercise the right to freedom of expression and information;
to comply with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;
for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of such processing, or
for the establishment, exercise, or defense of legal claims.

5. Right to be Informed
If you have exercised your right to rectification, erasure, or restriction of processing with the controller, the controller is obligated to notify all recipients to whom your personal data has been disclosed of such rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about these recipients.

6. Right to Data Portability
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and
the processing is carried out using automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, provided this is technically feasible. The freedoms and rights of other individuals must not be infringed upon as a result.

The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
In connection with the use of information society services—notwithstanding Directive 2002/58/EC—you have the option to exercise your right to object by means of automated procedures using technical specifications.

8. Right to Withdraw Consent Under Data Protection Law
You have the right to withdraw your consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of processing carried out on the basis of your consent prior to its withdrawal.

9. Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

is necessary for the conclusion or performance of a contract between you and the controller,
is permitted under Union or Member State law to which the controller is subject, and such law provides for appropriate safeguards to protect your rights and freedoms as well as your legitimate interests, or
is based on your explicit consent.

However, these decisions may not be based on special categories of personal data as defined in Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.
With regard to the cases mentioned in points (1) and (3), the controller shall take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to request the intervention of a person on the part of the controller, to present your own point of view, and to challenge the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place where the alleged infringement occurred, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint was submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.