Privacy Policy

preamble

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").

The terms used are not gender-specific.

As of January 21, 2024

Table of Contents

• preamble
• Responsible
• Overview of processing activities
• Relevant legal bases
• Transfer of personal data
• Deletion of data
• Rights of data subjects
• Business services
• Payment methods
• Provision of the online service and web hosting
• Contact and inquiry management
• Communication via Messenger
• Presences in social networks (social media)

Responsible

Sandra Brugger, BruggerPhotography

Zielgasse 11
79618 Rheinfelden

E-mail address: info@bruggerphotography.net

Phone: 4917662954159

Overview of processing activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of data processed

• Inventory data.
• Payment details.
• Contact details.
• Content data.
• Contract details.
• Usage data.
• Metadata, communication data and process data.




Categories of affected persons




• Customers.
• Interested parties.
• Communication partner.
• Users.
• Business and contractual partners.




Purposes of processing




• Provision of contractual services and fulfillment of contractual obligations.
• Contact requests and communication.
• Security measures.
• Direct marketing.
• Office and organizational procedures.
• Managing and responding to inquiries.
• Feedback.
• Marketing.
• Provision of our online services and user-friendliness.
• Information technology infrastructure.







Relevant legal bases




Relevant legal bases according to the GDPR: Below you will find an overview of the GDPR legal bases on which we process personal data. Please note that in addition to the GDPR regulations, national data protection regulations may apply in your or our country of residence or establishment. Furthermore, should more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.




• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
• Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) - The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) - The processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.




National data protection regulations in Germany: In addition to the GDPR's data protection regulations, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG). The BDSG contains specific provisions regarding the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and data transfers, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may also apply.




Note regarding the applicability of the GDPR and Swiss data protection law: This privacy notice serves to provide information in accordance with both the Swiss Federal Act on Data Protection (Swiss DSG) and the General Data Protection Regulation (GDPR). Therefore, please note that, due to its broader geographical scope and clarity, the terms used here are those of the GDPR. In particular, instead of the terms "processing" of "personal data," "overriding interest," and "special categories of personal data" used in the Swiss DSG, the terms "processing" of "personal data," "legitimate interest," and "special categories of data" used in the GDPR are employed. However, the legal meaning of these terms will continue to be determined according to the Swiss DSG when it applies.







Transfer of personal data




As part of our processing of personal data, it may be necessary to transfer or disclose data to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.







Deletion of data




The data we process will be deleted in accordance with legal requirements as soon as the consent to process it is withdrawn or other permissions cease to apply (e.g., if the purpose for processing this data no longer exists or it is no longer necessary for that purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to those purposes. This means that the data will be blocked and not processed for any other purpose. This applies, for example, to data that must be retained for commercial or tax law reasons, or whose storage is necessary for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. Our privacy policy may also contain further information on the retention and deletion of data that takes precedence for the respective processing activities.







Rights of data subjects




Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:




• Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right of withdrawal for consents: You have the right to withdraw your consent at any time.
• Right to information: You have the right to request confirmation as to whether your personal data is being processed, and to access this data as well as further information and a copy of the data in accordance with legal requirements.
• Right to rectification: In accordance with legal requirements, you have the right to request the completion of your data or the correction of inaccurate data concerning you.
• Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted immediately, or alternatively, in accordance with legal requirements, to request a restriction of the processing of the data.
• Right to data portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used and machine-readable format, or to request its transmission to another controller, in accordance with the legal requirements.
• Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.







Business services




We process data of our contractual and business partners, e.g. customers and prospective customers (collectively referred to as "contractual partners"), within the framework of contractual and similar legal relationships as well as related measures and in the context of communication with the contractual partners (or pre-contractually), e.g. to answer inquiries.




We process this data to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any update obligations, and remedying warranty claims and other service disruptions. Furthermore, we process the data to protect our rights and for the purposes of the administrative tasks associated with these obligations, as well as for company organization. We also process the data based on our legitimate interests in proper and efficient business management and security measures to protect our contractual partners and our business operations from misuse, compromise of their data, secrets, information, and rights (e.g., involving telecommunications, transport, and other support services, as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the framework of applicable law, we only disclose contractual partner data to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about other forms of processing, e.g., for marketing purposes, within the scope of this privacy policy.




We will inform our contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special markings (e.g. colors) or symbols (e.g. stars or similar), or personally.




We delete data after the expiry of statutory warranty periods and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, for example, as long as it must be retained for legal archiving purposes. The statutory retention period is ten years for tax-relevant documents, as well as for commercial books, inventories, opening balance sheets, annual financial statements, the work instructions necessary for understanding these documents, and other organizational documents and accounting records. For received commercial and business correspondence and copies of sent commercial and business correspondence, the retention period is six years. This period begins at the end of the calendar year in which the last entry was made in the book, the inventory, opening balance sheet, annual financial statement, or management report was prepared, the commercial or business correspondence was received or sent, the accounting record was created, the record was made, or the other documents were created.




Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and privacy policies of the respective third-party providers or platforms apply to the relationship between users and the providers.




• Data types processed: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email addresses, telephone numbers); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
• Affected persons: Customers; prospective customers; business and contractual partners.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; security measures; handling contact requests and communication; office and organizational procedures. Administration and response to inquiries.
• Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).




Further information on processing procedures, methods and services:




• Online shop, order forms, e-commerce and delivery: We process our customers' data to enable them to select, purchase, or order their chosen products, goods, and related services, as well as to facilitate payment, delivery, and fulfillment. If necessary for order fulfillment, we use service providers, particularly postal, freight forwarding, and shipping companies, to carry out delivery to our customers. We utilize the services of banks and payment service providers for processing payments. The required information is marked as such during the ordering or similar purchase process and includes the data necessary for delivery, provision, and invoicing, as well as contact information to allow for any necessary follow-up. Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

  
  

  
  

  Payment methods

  
  

  Within the framework of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer the data subjects efficient and secure payment options and use additional service providers besides banks and credit institutions for this purpose (collectively "payment service providers").

  
  

  The data processed by payment service providers includes master data such as name and address, bank details such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, amount, and recipient-related information. This information is required to process the transactions. However, the entered data is processed and stored only by the payment service providers. This means we do not receive any account or credit card information, but only confirmation or rejection of the payment. The payment service providers may transmit the data to credit reference agencies for identity and creditworthiness verification. Please refer to the terms and conditions and privacy policies of the payment service providers for further information.

  
  

  The terms and conditions and privacy policies of the respective payment service providers apply to payment transactions and can be accessed on their respective websites or transaction applications. We also refer you to these for further information and to exercise your rights of withdrawal, access, and other data subject rights.

  
  

  • Data types processed: Inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., subject matter of the contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
  • Affected persons: Customers. Prospective customers.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations.
  • Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

  
  

  Further information on processing procedures, methods and services:

  
  

  • PayPal: Payment services (technical integration of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à rl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR); Website: https://www.paypal.com/de. Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

    
    

    
    

    Provision of the online service and web hosting

    
    

    We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

    
    

    • Data types processed: Usage data (e.g., websites visited, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
    • Affected persons: Users (e.g., website visitors, users of online services).
    • Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures. Provision of contractual services and fulfillment of contractual obligations.
    • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

    
    

    Further information on processing procedures, methods and services:

    
    

    • Collection of access data and log files: Access to our online services is logged in the form of so-called "server log files." These server log files may contain the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, typically, IP addresses and the requesting provider. Server log files can be used for security purposes, for example, to prevent server overload (especially in the case of malicious attacks, so-called DDoS attacks), and to ensure server capacity and stability. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
    • 1&1 IONOS: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy. Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/auftragsverarbeitung/.

    
    

    
    

    Contact and inquiry management

    
    

    When you contact us (e.g. by mail, contact form, email, telephone or via social media) and within the framework of existing user and business relationships, the information provided by the requesting persons is processed to the extent necessary to answer the contact requests and any requested measures.

    
    

    • Data types processed: Contact details (e.g., email addresses, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
    • Affected persons: Communication partner.
    • Purposes of processing: Handling contact requests and communication; managing and responding to inquiries; feedback (e.g., collecting feedback via online form). Providing our online services and ensuring user-friendliness.
    • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

    
    

    Further information on processing procedures, methods and services:

    
    

    • Contact form: When users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to handle the communicated request; legal bases: performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

      
      

      
      

      Communication via Messenger

      
      

      We use messengers for communication purposes and therefore ask you to take note of the following information regarding the functionality of the messengers, encryption, the use of communication metadata and your options to object.

      
      

      You can also contact us via alternative methods, such as by phone or email. Please use the contact options provided to you or those listed within our online services.

      
      

      In the case of end-to-end encryption of content (i.e., the content of your message and attachments), we would like to point out that the communication content (i.e., the content of the message and attached images) is encrypted end-to-end. This means that the content of the messages is not visible, not even to the messenger providers themselves. You should always use an up-to-date version of the messenger with encryption enabled to ensure the encryption of message content.

      
      

      However, we would also like to point out to our communication partners that while the messenger providers cannot see the content, they can find out that and when communication partners communicate with us, and that technical information about the communication partners' devices and, depending on their device settings, location information (so-called metadata) are processed.

      
      

      Information on legal bases: If we request permission from communication partners before communicating with them via messenger, the legal basis for processing their data is their consent. Otherwise, if we do not request consent and they contact us on their own initiative, for example, we use messengers in our dealings with our contractual partners and during contract negotiations as a contractual measure, and in the case of other interested parties and communication partners based on our legitimate interests in fast and efficient communication and fulfilling the needs of our communication partners for communication via messenger. Furthermore, we would like to point out that we will not transmit the contact details you provide to the messenger service for the first time without your consent.

      
      

      Revocation, objection and deletion: You can revoke your consent at any time and object to communication with us via Messenger at any time. In the case of communication via Messenger, we delete the messages in accordance with our general deletion policies (i.e., as described above, after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that we have answered any inquiries from the communication partners, provided that no reference to a previous conversation is to be expected and that no legal retention obligations prevent deletion.

      
      

      • Data types processed: Contact details (e.g., email, telephone numbers); usage data (e.g., websites visited, interest in content); meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers).
      • Affected persons: Communication partner.
      • Purposes of processing: Contact requests and communication; direct marketing (e.g., via email or post).
      • Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

      
      

      
      

      Presences in social networks (social media)

      
      

      We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about ourselves.

      
      

      Please note that user data may be processed outside the European Union. This may pose risks for users, as it could, for example, make it more difficult to enforce their rights.

      
      

      Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on usage patterns and the resulting user interests. These user profiles can then be used to display advertisements, both within and outside the networks, that are likely to correspond to the users' interests. For these purposes, cookies are typically stored on users' computers, recording their usage patterns and interests. Additionally, user profiles can also store data independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).

      
      

      For a detailed description of the respective processing methods and the options for objecting (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.

      
      

      Regarding requests for information and the assertion of data subject rights, we would like to point out that these can be most effectively addressed directly with the service providers. Only the providers have access to user data and can take appropriate action and provide information directly. However, should you require assistance, you can contact us.

      
      

      • Data types processed: Contact details (e.g., email addresses, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., websites visited, interest in content, access times); meta, communication and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).
      • Affected persons: Users (e.g., website visitors, users of online services).
      • Purposes of processing: Contact requests and communication; feedback (e.g., collecting feedback via online form). Marketing.
      • Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

      
      

      Further information on processing procedures, methods and services:

      
      

      • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com. Privacy Policy: https://instagram.com/about/legal/privacy.

        
        

        Created with the free data privacy generator Datenschutz-Generator.de by Dr. Thomas Schwenke