Privacy Policy

Privacy Statement

This privacy statement informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within our online offering and the associated websites, functions, and content as well as external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering"). Regarding the terminology used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

BrennerMedien GmbH
Managing Director: Andreas Brenner
Breitachweg 20h
86163 Augsburg

Phone: +49 (0) 821 / 999 666 0
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Types of Data Processed:

- Master data (e.g., names, addresses).
- Contact data (e.g., email addresses, phone numbers).
- Content data (e.g., text inputs, photographs, videos).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).

Categories of Data Subjects

Visitors and users of the online offering (hereinafter collectively referred to as "users").

Purpose of Processing

- Provision of the online offering, its functions, and content.
- Responding to contact inquiries and communication with users.
- Security measures.
- Reach measurement/marketing.

Used Terminology

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is broad and covers almost any handling of data.

"Pseudonymization" means processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

The "controller" is the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.

"Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Legal Bases

In accordance with Article 13 GDPR, we inform you about the legal bases of our data processing. If the legal basis is not explicitly mentioned in this privacy statement, the following applies: The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR; for processing for the performance of a contract or pre-contractual measures, Art. 6(1)(b); for processing to fulfill legal obligations, Art. 6(1)(c); and for processing based on legitimate interests, Art. 6(1)(f). In cases where vital interests of the data subject or another person require processing, Art. 6(1)(d) applies.

Security Measures

We implement appropriate technical and organizational measures according to Art. 32 GDPR, considering the state of the art, implementation costs, nature, scope, context, and purposes of processing as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons to ensure a level of security appropriate to the risk.

Measures include securing confidentiality, integrity, and availability of data by controlling physical access, access rights, input, transmission, availability, and separation. We also have procedures in place to ensure data subject rights, deletion of data, and responses to data breaches. Furthermore, data protection by design and by default is considered in the development and selection of hardware, software, and procedures according to Art. 25 GDPR.

Collaboration with Processors and Third Parties

If we disclose data to other persons and companies (processors or third parties), transmit data to them, or grant access to the data, this only occurs based on legal permission (e.g., if transmission to third parties such as payment service providers is necessary for contract fulfillment under Art. 6(1)(b) GDPR), consent, legal obligations, or legitimate interests (e.g., for contractors, web hosting providers, etc.).

If we commission third parties for processing based on a so-called "processor agreement," this is done according to Art. 28 GDPR.

Transfers to Third Countries

If data is processed in a third country (outside the EU or EEA) or transferred to third parties, this only occurs to fulfill contractual obligations, based on consent, legal obligations, or legitimate interests. Unless permitted by law or contract, data is processed or transferred to third countries only if special conditions under Art. 44 ff. GDPR are met, e.g., adequacy decisions (like the EU-US Privacy Shield) or standard contractual clauses.

Rights of Data Subjects

You have the right to obtain confirmation as to whether personal data concerning you are being processed and access to such data as per Art. 15 GDPR.

You have the right to request correction of inaccurate data or completion of incomplete data under Art. 16 GDPR.

You have the right to request deletion or restriction of processing under Art. 17 and 18 GDPR.

You have the right to data portability under Art. 20 GDPR.

You have the right to lodge a complaint with the supervisory authority under Art. 77 GDPR.

Right to Withdraw Consent

You have the right to withdraw given consent at any time with future effect under Art. 7(3) GDPR.

Right to Object

You may object to future processing of your data under Art. 21 GDPR at any time, especially for direct marketing purposes.

Cookies and Objection to Direct Marketing

"Cookies" are small files stored on users' devices. They store various information to identify a user or device during or after visiting an online offering. "Session cookies" are temporary and deleted after closing the browser, while "persistent cookies" remain longer to remember login status or preferences. "Third-party cookies" are set by other providers than the operator.

We use both session and persistent cookies and inform you accordingly in this privacy statement.

You can disable cookies in your browser settings. Deleting or disabling cookies may limit the functionality of this online offering.

You can object to cookies used for online marketing via US website http://www.aboutads.info/choices/ or EU website http://www.youronlinechoices.com/. Note that disabling cookies may affect the full use of the website.

Data Deletion

Data is deleted or restricted according to Art. 17 and 18 GDPR when no longer necessary for its purpose unless legal retention periods require storage. Data needed for legal reasons will be blocked but not further processed.

Legal retention periods in Germany are 10 years for certain documents and 6 years for commercial correspondence. In Austria, retention is 7 years generally, 22 years for real estate-related documents, and 10 years for specific electronic services.

Business-Related Processing

Additionally, we process
- Contract data (e.g., contract subject, duration, customer category).
- Payment data (e.g., bank details, payment history)
from our customers, prospects, and business partners for contractual services, customer care, marketing, and research.

Order Processing in Online Shop and Customer Account

We process customer data during order processing to enable product selection, ordering, payment, and delivery or service execution.

Data includes master data, communication, contract, payment, and data subjects include customers, prospects, and partners. We use session cookies for cart contents and persistent cookies for login status.

Processing is based on Art. 6(1)(b) and (c) GDPR. Data disclosure to third parties occurs only for delivery, payment, or legal obligations. Third-country processing only if necessary for contract fulfillment.

Users may create accounts to view orders. Accounts are not public or indexed by search engines. Data deletion follows legal retention rules. IP addresses are stored on legitimate interest basis and anonymized after 7 days.

Agency Services

We process customer data for services such as consulting, campaign planning, software and design development, server administration, data analysis, and training.

Data includes master, contact, content, contract, payment, usage, and metadata. Special categories are not processed unless part of specific contracts. Data subjects include customers, prospects, users, visitors, employees, and third parties.

Processing is based on Art. 6(1)(b) and (f) GDPR. Data disclosure to externals only if contractually required. Data is deleted after legal retention periods.

Data provided to us under contracts is deleted according to contract terms after completion.

External Payment Providers

We use external payment providers (e.g., PayPal, Klarna, Skrill, Giropay, Visa, Mastercard, American Express) to process transactions.

Payment providers process master data, bank and contract information, passwords, TANs, and related details necessary for transactions. We do not receive account or card details, only confirmation of payment.

Payment providers may share data with credit agencies for identity and credit checks. Terms and privacy policies of providers apply.

For more information and to exercise rights, please refer to the payment providers’ websites.

Administration, Accounting, Office Organization, Contact Management

We process data for administrative tasks, accounting, and legal compliance using data from contractual services.

Data may be disclosed to tax authorities, advisors, and payment providers.

We also store business-related data about suppliers and partners for future contact, usually indefinitely.

Business Analysis and Market Research

To operate efficiently and understand market trends, we analyze data related to business transactions and customers.

Analysis is based on Art. 6(1)(f) GDPR and concerns customers, prospects, and users.

Analyses improve user experience and business efficiency and are not shared externally unless anonymized.

Personal data in analyses is deleted upon account termination or after two years.

Participation in Affiliate Programs

We use standard tracking measures for our affiliate system based on legitimate interests under Art. 6(1)(f) GDPR.

Affiliate links track referrals and conversions using pseudonymous online identifiers.

Online identifiers contain no personal data but allow us and partners to confirm conversions for commission payments.

Registration Function

Users can create accounts. Registration data is processed to provide the account based on Art. 6(1)(b) GDPR.

Data includes login information such as name, password, and email.

Users may receive account-related info by email.

Account data is deleted upon termination, except where legal retention applies.

IP addresses during registration and login are stored for security on legitimate interest grounds and anonymized after 7 days.

Contact

Contact requests via forms, email, phone, or social media are processed under Art. 6(1)(b) GDPR for handling inquiries.

Data may be stored in CRM systems.

Requests are deleted when no longer needed, reviewed every two years, with legal retention obligations applying.

Newsletter

We inform you about the newsletter contents, subscription, dispatch, analysis, and objection rights. Subscribing implies consent.

Newsletters contain advertising content sent only with consent or legal permission.

We use double opt-in and log subscription data.

Subscription requires an email address; name is optional.

Sending and success measurement are based on consent or legitimate interest.

You can unsubscribe anytime; data is stored up to 3 years for proof of consent.

Newsletter Success Measurement

Newsletters contain a "web beacon" pixel that records technical info and IP on opening.

Data is used to improve services and analyze user behavior.

Individual tracking is not the goal; analysis is anonymous or pseudonymous.

Opt-out of tracking requires unsubscribing.

Hosting and Email Services

We use hosting services for infrastructure, storage, email, security, and maintenance.

Data processed includes master, contact, content, contract, usage, and meta data based on legitimate interest under Art. 6(1)(f) GDPR and processor agreements (Art. 28 GDPR).

Access Data and Server Log Files

We or our hosting provider collect access data (server log files) based on legitimate interests under Art. 6(1)(f) GDPR.

Data includes requested URL, file, date/time, data volume, status code, browser type/version, operating system, referrer URL, IP address, and provider.

Log files are stored max. 7 days for security and deleted unless needed for legal investigation.

Google Analytics

We use Google Analytics based on legitimate interests under Art. 6(1)(f) GDPR. Google LLC ("Google") uses cookies to collect usage data sent to US servers.

Google complies with Privacy Shield certification.

Google uses data to analyze website use, generate reports, and provide related services, creating pseudonymous user profiles.

We enable IP anonymization. Full IP is only sent to US servers in exceptional cases.

IP addresses are not merged with other Google data. Users can disable cookies or tracking with a browser plugin: http://tools.google.com/dlpage/gaoptout?hl=de.

More info: https://policies.google.com/technologies/ads
Ad settings: https://adssettings.google.com/authenticated
Data is deleted or anonymized after 14 months.

Google Universal Analytics

We use Google Analytics "Universal Analytics" which tracks users with pseudonymous IDs across devices (cross-device tracking).

Crazy Egg

We use Crazy Egg based on legitimate interests (Art. 6(1)(f) GDPR) for A/B testing, click tracking, and heatmaps to improve user experience.

Cookies are used only for testing with pseudonymous data. More info: here.

Opt-out: Click here to opt-out.

Integration of Third-Party Services and Content

We integrate third-party content and services (e.g., videos, fonts) based on legitimate interests (Art. 6(1)(f) GDPR). Third parties receive user IP addresses to deliver content.

Third parties may use pixel tags ("web beacons") for statistics or marketing. Data may be stored in cookies and combined with other data.

YouTube

We embed videos from YouTube (Google LLC). Privacy policy: https://www.google.com/policies/privacy/. Opt-out: https://adssettings.google.com/authenticated.

Google Fonts

We use Google Fonts (Google LLC). Privacy policy and opt-out same as above.

Google ReCaptcha

We use Google ReCaptcha to detect bots on online forms. Privacy policy and opt-out same as above.

Google Maps

We embed Google Maps. Data such as IP and location may be processed, only with user consent (usually via device settings). Privacy policy and opt-out same as above.