1. General Information
Welcome to the privacy policy for our website skigaudi.org. We take the protection of your personal data very seriously. This policy explains what personal information we collect when you use our website, how we process and protect it, and what rights you have. We comply with the General Data Protection Regulation (GDPR) and other applicable data protection laws. All personal data will be handled in accordance with legal requirements and with transparency, security, and confidentiality in mind. We have designed this privacy policy to be legally precise yet understandable for non-experts.
No Automated Decision-Making: We do not use your data for any automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (as defined in Art. 22 GDPR).
Please read this policy carefully. If you have any questions, you can contact us using the information in the Contact Information section below.
2. Name and Contact of the Controller
The “controller” (the responsible organization determining the purposes and means of processing personal data) for this website is:
Spirit Crew GmbH
Freisinger Landstraße 25
85748 Garching bei München
Germany
Email: support@spirit-crew.de
(Hereinafter referred to as “we”, “us” or “our”.)
3. Data Protection Officer
We have appointed a Data Protection Officer (“DPO”) to oversee compliance with data protection regulations. If you have any questions or concerns about data privacy, you may contact our DPO at the above postal address (Attn: Data Protection Officer) or via email at privacy@spirit-crew.de (please include “Attn: DPO” in the subject line). The DPO will treat your inquiry confidentially.
4. Types of Personal Data We Process
We only collect personal data when it is necessary to provide our services or when you voluntarily provide it. The types of personal data we may process include:
• Contact Data: e.g. name, email address, telephone number, postal address, or WhatsApp number that you provide when contacting us or signing up (such as for a newsletter or event).
• Communication Content: Any messages or content you send to us or submit on the website, including inquiries, emails, chat messages (including questions asked to our AI assistant), job application documents (CV, cover letter), etc.
• Usage Data: Technical information automatically collected when you visit our site, such as your IP address, device type, browser type, operating system, referring URL, pages viewed, date and time of access, and other information about how you use our website. This can include cookie identifiers or similar tracking technologies (explained below).
• Account/Applicant Data: If you apply for a job with us via the site or email, we will process the personal data you provide in your application (e.g. contact details, CV, qualifications, etc.) for recruitment purposes.
• Media Usage Data: If you interact with embedded third-party content on our site (such as an Instagram feed, YouTube video, or SoundCloud audio player), certain data (like your IP address and possibly cookies or other identifiers) may be transmitted to the respective third-party provider.
• Newsletter Data: If you subscribe to our newsletter, we process your email address (and any other information you provide, such as your name) for sending the newsletter.
We do not intentionally collect sensitive personal data (such as information about health, political opinions, religious beliefs, etc.) through our website. We kindly ask you not to submit such information through our contact forms, chat, or other channels. If you do choose to provide sensitive data for any reason, it may be processed if necessary for the purpose you provided it, but always with special care and appropriate safeguards.
5. Purposes of Processing Personal Data
We process personal data for various purposes in connection with operating an effective and user-friendly website and conducting our business. In particular, we process personal data for the following purposes:
• Providing the Website and Its Features: To properly display our website and all its functions to you, ensure technical availability, and optimize your user experience. This includes loading fonts, media, and plugins, as well as adapting content to your device.
• Server Logs & Security: To monitor, maintain, and improve the security and performance of our website. We log certain usage data (IP address, time of access, etc.) to detect and prevent fraud, attacks (e.g. malware, DDoS), or other misuse of our site and to troubleshoot technical issues.
• Communication and Responding to Inquiries: To respond to messages or inquiries you send us, whether by email, contact form, telephone, or WhatsApp. We use your contact information and message content to communicate with you and provide the information or assistance you request.
• Newsletter Distribution: To send you our email newsletter if you have subscribed. We process your email address (and name, if provided) to deliver news, updates, and marketing information about our offerings. We also use this data to manage your subscription (e.g. to send confirmation emails and record your consent, and to remove you from the list when you unsubscribe).
• Providing AI-Powered Q&A Support: To offer an interactive question-answer service on our website using artificial intelligence. When you ask our AI assistant a question, we process the question (and any data it contains) to generate and display a helpful answer. This purpose is solely to assist you by providing automated information in response to your queries.
• Analytics and Website Improvement: To analyze how our website is used, in order to understand user behavior and preferences. This helps us improve our website’s structure, content, and services. For example, we use web analytics tools (like Google Analytics) to gather aggregated statistics on visitor numbers, popular pages, or user pathways. The insights we gain allow us to enhance usability and tailor our content to user interests.
• Social Media and Media Plugins: To enrich our website with content from social networks and media platforms. For instance, we embed Instagram feeds, YouTube videos, and SoundCloud audio tracks on our site so you can view and play them directly. Processing your data in this context allows the content to be fetched from the respective provider and displayed to you.
• Handling Job Applications: To process applications for employment that you submit to us. We use the personal data in your CV, cover letter, and other submitted materials to evaluate your qualifications, contact you about the recruitment process, and make hiring decisions.
• Compliance with Legal Obligations: To fulfill our legal obligations, such as keeping certain records for tax, commercial, or accounting purposes, or providing information when legally required by authorities or court order.
• Enforcement of Legal Rights: If necessary, to establish, exercise or defend legal claims. For example, we may retain certain information as evidence in case of a legal dispute or in response to regulatory inquiries.
We will not use your personal data for any purpose that is incompatible with the original purposes described above, unless we obtain your consent or it is permitted by law. We do not sell or rent personal data to third parties for their own marketing purposes.
6. Legal Bases for Processing
We always ensure that we have a lawful basis under the GDPR for processing your personal data. Depending on the specific processing activity, one or more of the following legal bases apply:
• Consent (Art. 6(1)(a) GDPR): We will process your data if you have given us explicit consent for a specific purpose. For example, we rely on your consent to send you our newsletter or to use certain cookies and analytics tools that are not strictly necessary. If we ask for your consent, we will explain why and you can withdraw your consent at any time (with effect for the future).
• Performance of a Contract or Pre-Contractual Steps (Art. 6(1)(b) GDPR): If you request a service from us or enter into an agreement (for example, if you purchase something or sign up for an event through our site, or if you apply for a job as a step towards an employment contract), we process your data as necessary to fulfill that contract or to take steps at your request before entering into a contract. Similarly, responding to your specific inquiries can be seen as a pre-contractual activity when it pertains to our services or products.
• Legal Obligation (Art. 6(1)(c) GDPR): We will process personal data where needed to comply with a legal obligation to which we are subject. For instance, laws may require us to retain certain business records for a minimum period, or to disclose information to authorities under certain conditions. In such cases, we process and possibly retain the data as required by law.
• Legitimate Interests (Art. 6(1)(f) GDPR): We may process your data as necessary for the purposes of our legitimate interests, provided such processing is not overridden by your interests or fundamental rights and freedoms. We rely on this legal basis, for example, to ensure the security and proper functioning of our website (e.g. using server logs and security measures), to respond to unsolicited inquiries and communications you send us, to improve our services (basic analytics or feedback), to embed third-party content (for a richer user experience), and to defend our legal rights if needed. When we use legitimate interests, we carefully consider and balance our interest against your privacy rights, and we take steps to minimize impacts (for instance, using pseudonymization or the least data necessary). You have the right to object to processing based on legitimate interests in certain cases (see Rights of Data Subjects below).
Special Basis for Job Applications (Germany): If you apply for a position with us, we process your application data for the purpose of the potential employment relationship. In Germany, this is additionally based on Section 26(1) of the Federal Data Protection Act (BDSG), which permits processing personal data necessary for hiring decisions. If we keep your application data beyond the application process (for example, to consider you for future job openings), we will ask for your consent (Art. 6(1)(a) GDPR) unless another legal basis allows the extended retention.
If we ever need to process personal data for a new purpose not listed here, we will inform you and, if required, obtain your consent or provide a suitable legal basis.
7. Disclosure of Personal Data to Third Parties
We treat your personal data as confidential and do not share it with third parties except as necessary for the purposes described in this policy, as permitted or required by law, or with your consent. In particular, we may share or disclose data in the following circumstances:
• Service Providers and Processors: We employ trusted third-party companies and individuals to help us operate our website and provide our services (for example, hosting providers, email/newsletter services, analytics providers, or technology platforms that enable certain features like our AI chat). These third parties may process personal data on our behalf as “processors” under strict instructions and under contractual obligations to keep your data secure and confidential. For instance, our website is hosted by an external hosting company, and we use external providers for analytics, newsletter distribution, and embedding content (detailed below). We ensure that we have appropriate Data Processing Agreements (DPAs) in place as required by Art. 28 GDPR with all processors, binding them to comply with GDPR standards and only process data for our purposes.
• Within Spirit Crew GmbH: Your data may be accessed by authorized personnel within our organization who need it to perform their duties (e.g. our support team handling inquiries, HR staff reviewing job applications, IT administrators ensuring website functionality). We ensure that access to personal data is restricted to those people and purposes necessary.
• Legal Requirements and Safety: If we are under a legal obligation to disclose personal data, we will comply (for example, in response to a lawful request by public authorities, a court order, or to meet national security or law enforcement requirements). We may also disclose information if it is necessary to enforce our terms of use or other agreements, or to protect the rights, property, or safety of Spirit Crew GmbH, our customers, or others. This could include exchanging information with other companies or organizations for fraud protection and credit risk reduction, as long as data protection laws are respected.
• Business Transfers: In the unlikely event that our company undergoes a business transaction such as a merger, acquisition, corporate reorganization, or asset sale, personal data might be transferred to the succeeding entity. In such a case, we will ensure that your data remains protected in line with this privacy policy and applicable laws, and we will inform you of any changes in data handling.
• With Your Consent: If you explicitly request or consent to us sharing your data with a third party (outside the situations above), we will do so only according to your consent. For example, if you ask us to introduce you to a partner company or you consent to optional cookies/tools, we will transfer data accordingly.
Importantly, we do not sell your personal data to any third-party for their own independent use. Any third parties that we engage as processors are carefully selected and bound by confidentiality and data protection obligations. In the next sections, we detail the key third-party services and tools we use on our website along with what data is shared and why.
8. International Data Transfers
We are based in Germany and generally process your data within the European Union (EU)/European Economic Area (EEA). However, some of our service providers are located or may process data outside the EEA (for example, in the United States). Whenever personal data is transferred to a country outside the EEA (a “third country”) that does not have an EU Commission adequacy decision, we will ensure appropriate safeguards are in place as required by GDPR Chapter V.
Transfers to the United States: Some of our third-party partners (such as Google, Meta (Instagram/WhatsApp), and possibly our AI service provider) are based in the U.S. or may process data on servers in the U.S. The EU considers the U.S. a third country without automatic data protection adequacy (although this is changing under new frameworks). Where we transfer data to the U.S., we take the following measures:
• EU-U.S. Data Privacy Framework (DPF): If applicable, we rely on the new EU-U.S. Data Privacy Framework. For example, Google LLC and Meta Platforms, Inc. (the parent company of Instagram and WhatsApp) have certified their compliance under the DPF. This means that, for these providers, transfers of personal data to the U.S. are recognized as having an adequate level of protection by the European Commission.
• Standard Contractual Clauses (SCCs): For other transfers not covered by an adequacy decision or framework, we have entered into EU Standard Contractual Clauses with the service provider. SCCs are standardized contractual commitments approved by the European Commission to ensure that personal data enjoys a similar level of protection even after it leaves the EU/EEA. These clauses contractually bind the recipient to protect your data according to EU privacy standards.
• Additional Safeguards: Where needed, we implement additional technical and organizational measures to supplement international transfer arrangements. This may include data encryption, pseudonymization, and careful review of any government access requests. We also assess on a case-by-case basis that the data importer can comply with the terms of data transfer agreements in practice.
You can request more information about our international data transfer safeguards (including copies of SCCs where applicable) by contacting us. We will not transfer your personal data to any third country or international organization unless it is done in compliance with GDPR requirements and using the mechanisms described above.
9. Data Retention
We store personal data only for as long as it is necessary to fulfill the purposes for which it was collected, or as required by applicable laws. In general:
• Website Usage Data: Server log data (IP addresses, etc.) are kept for a short period for security and troubleshooting purposes and then automatically deleted or anonymized. Typically, our server logs are retained for no longer than 8 weeks before deletion, unless a security incident requires extended retention (in which case, data might be kept until the issue is resolved).
• Contact and Inquiry Data: If you contact us (e.g. by email or WhatsApp), we will retain your communications and our responses for as long as needed to address your inquiry and any follow-up issues. Once the conversation is concluded and resolved, we typically delete the correspondence after a reasonable period (for example, after 6 to 12 months) unless further retention is required (e.g. if the inquiry leads to a contract or if legal obligations apply). Business correspondence may be archived for up to 6 years in accordance with German commercial law requirements.
• Newsletter Subscription Data: We process your email address for sending the newsletter until you unsubscribe or withdraw your consent. Once you unsubscribe, we will immediately stop sending the newsletter. We may retain your email on a suppression list thereafter to ensure you do not receive further mailings (this is a legitimate interest to respect your opt-out). Any other data collected for the newsletter (e.g. logs of your consent, confirmation of opt-in) may be kept as proof of compliance with legal obligations (typically up to 2 years after you unsubscribe, to defend against any legal claims regarding unsolicited emails).
• Analytics Data: Data collected via analytics tools (like Google Analytics) is typically aggregated and anonymized for statistical purposes. Any user-level data that is stored (such as unique identifiers or associated usage data) is retained according to the configurations we set. We have configured Google Analytics to retain data for no more than 14 months at the user-level; older data is automatically deleted by the analytics system. We do not keep identifiable analytics data longer than necessary.
• Job Application Data: If you apply for a job and are not selected, we retain your application data for up to 6 months after the completion of the recruitment process (e.g. after our final decision) to address any questions or legal claims related to the hiring process (this retention is based on our legitimate interest in legal defense, e.g. under the German General Act on Equal Treatment). If you are hired, your application data will be retained and transferred into your personnel file and then kept for the duration of your employment (and for any additional period required by law for employee records). If we wish to hold your application for consideration in future job openings beyond the 6-month period, we will ask for your explicit consent to do so.
• Cookies: Cookies can have varying retention durations. Session cookies (used for essential functionality) expire when you close your browser. Persistent cookies (e.g. for preferences or analytics) remain on your device until they expire or you delete them. We provide details on cookie lifespan in our Cookies section below. You can also clear cookies from your browser at any time, which deletes the data stored in those cookies.
• Other Third-Party Content Data: If you interact with embedded third-party content (videos, social media plugins, etc.), we do not store that interaction data on our servers (though the third-party providers might, as explained in their sections). We do not retain personal data about your viewing of an Instagram feed or a YouTube video beyond the immediate need to display that content.
Once the applicable retention period expires, or if the processing purpose no longer applies, we either permanently delete or irreversibly anonymize the personal data in a secure manner, unless we are legally required to keep it longer. In cases where we anonymize data, it will no longer be identifiable and thus no longer considered personal data.
10. Rights of Data Subjects
As a data subject (someone whose personal data we process), you have several rights under the GDPR. You can exercise these rights at any time by contacting us (see Contact Information below). Your rights include:
• Right of Access: You have the right to obtain confirmation as to whether or not we are processing personal data about you. If so, you can request a copy of that data and additional information about how we process it (Art. 15 GDPR). This includes information on the purposes of processing, the categories of data, the recipients, the envisaged storage period, and the existence of your other rights, among other details.
• Right to Rectification: You have the right to request that we correct or complete any inaccurate or incomplete personal data we hold about you (Art. 16 GDPR). We strive to ensure that your data is accurate and up to date, and we will promptly make corrections based on your instructions.
• Right to Erasure (Right “to be forgotten”): You have the right to request that we delete your personal data (Art. 17 GDPR) if the data is no longer needed for its original purpose, if you have withdrawn your consent and no other legal basis for processing exists, if you have validly objected to the processing (see below), if the data was processed unlawfully, or if erasure is required to comply with a legal obligation. Please note that this right is not absolute – sometimes we may have to retain certain data to comply with legal obligations or to establish, exercise or defend legal claims. We will inform you if any such exceptions apply in your case.
• Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data (Art. 18 GDPR) in certain circumstances, e.g. if you contest the accuracy of the data (for a period allowing us to verify it), if the processing is unlawful but you oppose erasure and prefer restriction instead, if we no longer need the data but you need it for legal claims, or if you have objected to processing (pending verification of overriding grounds). When processing is restricted, the data will be marked and only processed for specific purposes (your consent, legal claims, important public interest, etc.).
• Right to Data Portability: To the extent that we process your personal data by automated means based on your consent or on a contract with you, you have the right to receive that personal data in a structured, commonly used, machine-readable format and the right to transmit it to another controller (Art. 20 GDPR). If technically feasible, you can also ask us to directly transfer the data to another provider on your behalf. This right applies only to data you provided to us, not to data derived or inferred by us.
• Right to Object: You have the right to object, on grounds relating to your particular situation, to any processing of your personal data that we conduct based on legitimate interests (Art. 6(1)(f) GDPR) (Art. 21 GDPR). If you lodge an objection, we will review your request and cease processing the data in question unless we have compelling legitimate grounds to continue processing that override your interests, rights, and freedoms, or if continuing to process is necessary for establishing, exercising, or defending legal claims. Right to object to direct marketing: If we were to process your data for direct marketing purposes, you have an absolute right to object at any time. We will then stop using your data for such marketing. (Note: We currently only send you marketing communications like newsletters if you have opted in, and you can opt out at any time.)
• Right to Withdraw Consent: If we rely on your consent for any processing of your personal data, you have the right to withdraw that consent at any time (Art. 7(3) GDPR). Withdrawing consent will not affect the lawfulness of processing done before the withdrawal, but once withdrawn, we will stop the processing that was based on consent. For example, you can unsubscribe from our newsletter or decline analytics cookies, and we will cease processing your data for those purposes. Withdrawing consent is as easy as giving it – for instance, use the “unsubscribe” link in emails or adjust your cookie preferences, or contact us directly.
• Right to Lodge a Complaint: If you believe that our processing of your personal data violates data protection law, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You can do this in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. For example, in Germany you can contact the relevant State Data Protection Authority. Our company is registered in Bavaria, so our lead supervisory authority is the BayLDA (Bavarian State Office for Data Protection Supervision). We would, however, appreciate the chance to address your concerns directly before you approach a regulator – please feel free to contact us with any complaints or issues, and we will do our best to resolve them.
Exercising Your Rights: You can contact us at any time via the contact details provided to exercise any of the rights above. We may need to verify your identity to ensure that we do not disclose data to the wrong person. We will respond to your request as soon as possible, and at the latest within the statutory time limits (generally one month, extendable by another two months if necessary with notification to you). Exercising your rights is free of charge. However, manifestly unfounded or excessive/repetitive requests may result in a reasonable fee or refusal as permitted by law.
Your privacy and control over your data are important to us. We will assist you in exercising your rights and explain any decisions or actions we take in response to your requests.
11. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to provide and improve our services. Cookies are small text files that are stored on your device (computer, smartphone, etc.) when you visit a website. They serve various functions, from enabling core site functionality to remembering your preferences and gathering analytics data.
Types of Cookies We Use:
• Essential / Necessary Cookies: These cookies are required for the operation of our website and to use its core features. For example, they may enable basic functions like page navigation, access to secure areas of the site, or remembering your cookie consent choices. The website cannot function properly without these cookies. We place essential cookies without requiring your consent, as they are necessary for delivering the service you explicitly request.
• Preferences / Functional Cookies: These cookies allow our website to remember choices you make and provide enhanced, more personalized features (for example, language preferences or the region you are in). They may be set by us or by third-party services whose features we have added to our pages. We might use such cookies to improve your experience, but we will typically ask for your consent to set them if they are not strictly necessary.
• Analytics / Performance Cookies: These cookies collect information about how visitors use our website (pages visited, time spent, any errors encountered, etc.). We use this information to improve our site’s performance and to understand user interests. For instance, we use Google Analytics cookies to help analyze site traffic and usage patterns. Analytics cookies will only be set with your prior consent. The data collected is usually aggregated and anonymized, meaning it does not directly identify you.
• Third-Party / Embedded Content Cookies: When we integrate third-party content and features (such as Instagram posts, YouTube videos, or SoundCloud players), those providers may set cookies on your device when you access that content through our site. These cookies might be used by the third parties to track your browser across other sites, build profiles of your interests, or for analytics and advertising purposes on their own platforms. We do not have direct control over these cookies. For example, YouTube might set cookies to remember your preferences or track video views, and Instagram/Facebook might set cookies if you have an account or to track usage of the embedded feed. We ensure that such content is embedded in compliance with privacy requirements (for instance, using YouTube’s privacy-enhanced mode as described below). We will request your consent before enabling certain third-party integrations that involve cookies or tracking.
Cookie Consent and Control: When you first visit our website, you will see a cookie banner or consent pop-up explaining that we use cookies and asking for your consent for non-essential cookies (like analytics or third-party cookies). You have the choice to accept or reject these.
• If you consent, we will set cookies as described, and you help us improve our site and integrate additional features.
• If you decline certain categories of cookies, we will not set them, and associated features (like analytics or personalized content) may be disabled or limited. The site should still function for essential purposes.
• You can change or withdraw your consent at any time. This can be done by using our cookie management tool (if provided on the site) or by clearing cookies in your browser settings and revisiting the site to adjust preferences.
Browser Settings: In addition to our site controls, you have the option to manage cookies through your web browser settings. Most browsers allow you to view, delete, or block cookies (either all cookies or cookies from specific sites). You can also often set rules to delete cookies automatically when you close the browser. Please note that if you block all cookies (including essential ones) via your browser, some parts of our website may not function properly. For more information on how to manage cookies in popular browsers: Chrome, Firefox, Safari, Edge.
Do Not Track: Our website currently does not respond to “Do Not Track” (DNT) signals from browsers. DNT is a feature some browsers offer to request that a website not track your online activities. Given that there is not yet a common standard for DNT and how to interpret it, we treat preferences via our cookie consent mechanism as the primary way for you to control tracking on our site.
For detailed information about specific cookies and their purposes, you can refer to our cookie consent tool (if available) or contact us. Below, we also outline the key third-party tools and services we use, some of which involve cookies or similar technologies.
12. Third-Party Services and Tools
Our website integrates several third-party services and content in order to provide certain features and enhance user experience. These third-party services may collect or receive personal data (such as your IP address or cookies, as described) when you use our site. We carefully select and monitor these providers, and where possible, we limit data sharing to the minimum needed for the service. Below is a list of the main third-party services and tools used on our site, with details on how each one processes data:
12.1 Web Hosting and Server Log Files (IONOS)
Our website is hosted by IONOS SE, a professional web hosting provider (address: Elgendorfer Str. 57, 56410 Montabaur, Germany). All data that you transmit to our website (such as when browsing pages or submitting forms) is processed on IONOS’s servers. IONOS acts as a data processor on our behalf, providing the infrastructure and storage for our website in a secure, GDPR-compliant manner.
Server Log Data: Whenever you visit our site, IONOS’s web servers automatically record certain information in server log files. This data includes your IP address, the date and time of the request, the page or file requested (URL), the HTTP status code (success or error code), the amount of data transferred, the referrer URL (the page you visited before ours, if any), and information about your browser and device (user agent, browser type/version, operating system). These logs do not directly identify you by name, but an IP address can be considered personal data. We do not merge server logs with other data sources, and we do not use them to profile individual visitors.
Purpose: The log data is processed primarily for technical monitoring and security. It helps us ensure the website runs smoothly and allows us to detect and resolve any technical problems. For example, logs are used to analyze errors on the site, manage server capacity, and defend against malicious activities (such as hacking attempts or denial-of-service attacks). Logging IP addresses is necessary to protect our systems and trace any potential misuse. Additionally, aggregate log information (e.g., counts of page views, peak usage times) may be used for internal analysis to optimize our website’s performance.
Legal Basis: The processing of server log data is based on our legitimate interests (Art. 6(1)(f) GDPR) in providing a stable, secure, and efficient website. It is in our interest (and that of our users) to maintain the security and integrity of our web services. This use of data is fundamental for internet communication and is common practice for any website operation.
Retention: Server log files are kept for a limited period by our host. Typically, raw logs are retained for no more than 8 weeks. Older log entries are automatically deleted or anonymized (unless we need to retain them longer for investigation of specific security incidents). In cases of suspicious or unlawful activity, relevant log data may be kept until the matter is fully resolved.
IONOS is contractually bound to process any personal data from our website only following our instructions and to implement strict security measures. For more information on IONOS’s privacy practices, you can visit their Privacy Policy (available on the IONOS website). However, in using our website, your relationship remains with us as the controller, and we ensure your data is protected while using IONOS’s services.
12.2 Web Analytics (Google Analytics)
We use Google Analytics on our website to better understand how visitors engage with our site. Google Analytics is a web analytics service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) in the EEA, and by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as the parent company in the U.S.
What Google Analytics Collects: Google Analytics uses cookies and similar technologies to collect information about your use of our site. This includes data such as the pages you view, the time spent on pages, the links you click, your approximate geolocation (country/region based on IP), technical information about your browser and device, and how you arrived at our site (e.g. via search engine or a referring website). Importantly, Google Analytics collects your IP address to determine geolocation, but we have implemented IP anonymization so that Google truncates/anonymizes the last octet of your IP address within the EU/EEA before storing it (this means the IP collected is not used to identify you precisely and cannot be traced back to you by Google). Google Analytics does not collect your name, email, or other direct identifiers — it focuses on user behavior information in aggregate.
Google Analytics may also generate a unique user ID for your browser to recognize returning visitors, but this ID is a random string and not linked to your personal identity. The information generated by the Google Analytics cookie about your use of our website is generally transmitted to and stored by Google on servers, which may be in the United States or other countries. However, as noted under International Data Transfers, Google is certified under the EU-U.S. Data Privacy Framework, and we have a Data Processing Agreement including the EU Standard Contractual Clauses in place with Google to safeguard data transfers.
Purpose: We use this analytics data to evaluate and improve our website. It helps us answer questions like: Which pages are most popular? How do users navigate the site? Do certain campaigns or referrals bring more traffic? By analyzing these patterns, we can optimize content, design, and performance to enhance user experience. For instance, if we see many visitors dropping off on a particular page, we might investigate and improve that page. Analytics also helps us measure the effectiveness of advertising or promotional efforts (if any).
Legal Basis: We only activate Google Analytics with your prior consent (Art. 6(1)(a) GDPR). On your first visit, you are given the choice to accept analytics cookies. If you opt in, you are helping us gather valuable insights. If you decline, Google Analytics will remain disabled and no analytics cookies will be set in your browser. You can withdraw your consent at any time by adjusting your cookie settings (for example, using our cookie consent tool or browser settings to delete/block cookies).
Data Sharing and Controls: Google Analytics data may be processed by Google for the above purposes on our behalf. We have configured Google Analytics to not share data with other Google services (like advertising) by disabling Data Sharing settings where possible. We also do not use more invasive Google Analytics features like User-ID tracking or demographics data in any personally identifiable way without consent. Google acts as our data processor, and is contractually prohibited from using the analytics data for their own purposes or combining it with data they hold for other services, unless you’ve separately consented to such combination via your Google account settings (which is outside our control).
Retention: We have set Google Analytics to retain user-level and event data for 14 months. This means that data linked to cookies, user identifiers, or advertising identifiers is automatically deleted from Google’s servers after 14 months. Aggregate reports may remain for analysis, but they no longer contain personal data.
Opt-Out Options: Apart from refusing/withdrawing consent for the cookie, you can also opt-out of Google Analytics tracking by installing the official Google Analytics Opt-out Browser Add-on. This plugin instructs Google Analytics JavaScript not to send your visit info to Google Analytics. It’s available for most modern browsers. Additionally, if you have a Google account, Google allows you to adjust your Ads settings and data personalization, which might influence data collection on sites that use Google Analytics and integrated advertising (though we do not use Google Ads on our site at this time).
For more information, see Google’s privacy policy for Analytics: Google’s “Privacy & Terms” site provides details on how Google processes data collected via Analytics and also explains the Data Privacy Framework compliance and safeguards  . We value your privacy and have configured Analytics to respect it as much as possible. Whether or not you allow analytics tracking is entirely your choice and our site is usable even if you choose not to be tracked.
12.3 Newsletter Subscription (Teleforms)
If you subscribe to our email newsletter, we will collect and process personal data to manage your subscription and send you periodic updates. Our newsletter is integrated via an external service called Teleforms (which we use as a newsletter sign-up and distribution tool). Teleforms allows us to embed a subscription form on our website and to handle the logistics of sending newsletters to our subscribers.
Data Collected: When you sign up for the newsletter, we (and Teleforms on our behalf) collect the information you enter into the subscription form. Typically, this will be your email address, and possibly your name if we ask for it (providing a name may be optional and is used only to personalize emails). We also record the date and time of your subscription and the IP address used at the time of subscribing. This information is collected to have evidence of your sign-up (proof of consent) and to protect against misuse of our email system.
Double Opt-In: Our newsletter employs a double opt-in process to ensure that no one is subscribed without their explicit consent. After you submit the subscription form on our site, Teleforms will send an automated email to the address you provided, asking you to confirm your subscription by clicking a confirmation link. Only after you click that confirmation link will your subscription be activated and you will begin receiving our newsletters. This confirmation step is recorded (time, date, and possibly IP) as proof that you verified your email and consent.
Purpose: We use the collected information to send you the newsletter and to administer your subscription. The content of our newsletters includes news about our company, upcoming events or offers (like “Skigaudi” event updates, if applicable), and other information we believe may be of interest to our subscribers. We may also occasionally include customer satisfaction surveys or requests for feedback in the emails. Teleforms, as our email service provider, uses the data to actually send out the emails and to manage the subscriber list (additions, deletions, bounces, etc.).
Legal Basis: The sending of our newsletter is based on your consent (Art. 6(1)(a) GDPR). By signing up and confirming via the double opt-in email, you explicitly agree to receive our newsletter. You can withdraw this consent at any time, which will stop future newsletters from being sent to you.
Unsubscribe: Every newsletter email we send will contain an “Unsubscribe” link at the bottom. You can click that link to instantly opt out of further emails. Alternatively, you can contact us directly (via email to support@spirit-crew.de) and request to be removed from the mailing list. Once you unsubscribe, Teleforms will stop sending you newsletters. As noted in the Data Retention section, we may keep your email on a suppression list to ensure we honor your opt-out and do not accidentally re-add you, but you will no longer receive mailings.
Data Processing & Third Party: Teleforms operates as a data processor for us. This means it handles your personal data (email, name, etc.) only as we instruct and for the purpose of sending the newsletter on our behalf. We have a data processing agreement in place with Teleforms to ensure your data is handled securely and in compliance with GDPR. Teleforms is obligated not to disclose your data or use it for any other purpose. The servers of Teleforms and the exact location of processing: Teleforms is subject to GDPR (assuming it’s an EU-based or GDPR-compliant service). If Teleforms or its mailing infrastructure processes data outside the EU, we will ensure appropriate safeguards (e.g., standard contractual clauses) are in place, though primarily we believe the service operates within the EU. We will treat your subscription data confidentially and not share it with others outside of Teleforms.
Newsletter Analytics: We may receive certain analytics about the newsletter’s performance, for example, whether an email was delivered, whether it was opened or if links within it were clicked (open rates and click-through rates). This information helps us gauge interest and improve content. These analytics are generally provided by the newsletter service (Teleforms) in aggregate form. We do not use this data to profile individual subscribers, only to understand overall engagement. You can disable images in your email client if you wish to reduce tracking of opens (since tracking often relies on a tiny image loading).
We will only send you the types of content you signed up for, and we aim to keep the newsletter relevant and not excessive. If at any point you feel you no longer want to receive it, please use the unsubscribe function with confidence. There are no hard feelings – your decision will be immediately respected.
12.4 Contact and Communication (Email, Phone, WhatsApp)
Our website provides you with various ways to contact us directly – including email, telephone, and even WhatsApp chat. We value your inquiries and will use any information you provide to assist you. Below is how we handle data in each communication channel:
Email: If you send us an email (for example, to our support address support@spirit-crew.de), we will receive your email address and any information you include in the message (which may include your name, contact details in your signature, and of course the content of your inquiry). Our email servers (and those of our provider) will process this data to deliver the message. We will use the information in your email solely to respond to your inquiry and any follow-up questions. Emails are stored on our mail system which is secured and accessed only by authorized staff. Please be aware that email communication, if not encrypted, can theoretically be intercepted; if you need to send very sensitive information, you can ask us about secure alternatives.
Telephone: If you call us by phone (for instance, using a number provided on our website or in our signature), we may process personal data such as the phone number (if it is not withheld), your name if you provide it, and any information you convey during the call. We do not record calls without explicit notice and consent. We might make brief notes of the conversation to help address your request (e.g., noting your contact details or the nature of your inquiry). These notes are treated confidentially. If we need to call you back, we will use your number for that purpose. We will not use your phone number for marketing or share it with third parties without your permission.
WhatsApp: We also offer the option for you to contact us via WhatsApp messenger for convenience. If you choose to message us on WhatsApp (using the link or number provided on our site), the following will apply:
• WhatsApp Data: We will receive the phone number you use for WhatsApp, any profile name or picture you have (depending on your privacy settings), and of course the content of any messages you send. WhatsApp messages are end-to-end encrypted between your device and ours, which means the content is not visible to WhatsApp itself or any other third party while in transit. However, WhatsApp (owned by Meta Platforms) does process metadata such as the sender/receiver information and timestamp, and possibly stores messages on their servers briefly for delivery. We advise you not to send highly sensitive personal data via WhatsApp, since we do not have full control over WhatsApp’s environment and it is a third-party platform.
• Purpose: We use WhatsApp communications solely to respond to your inquiries or to have a conversation at your request. It offers a convenient channel for quick questions and customer service. For example, you might ask about event details or support issues through WhatsApp, and we will reply with the information.
• Legal Basis: When you contact us via WhatsApp, we consider this as initiated by you, so processing your data (phone number, message content) is based on our legitimate interest (Art. 6(1)(f) GDPR) in effectively communicating with our users/clients, or potentially on Art. 6(1)(b) if it’s regarded as pre-contractual communication. By messaging us, you are effectively consenting to us using that platform to communicate with you. If you prefer not to use WhatsApp, you can always use other channels.
• WhatsApp as a Third-Party: WhatsApp is a service of WhatsApp Ireland Limited (Merrion Road, Dublin 4, Ireland) for users in the EEA. According to WhatsApp’s policies, messages are encrypted, but WhatsApp may have access to some personal data (phone numbers and device info, for instance) and it may share information with other Meta companies. We have limited control over WhatsApp’s own data processing. We do not create separate backups of WhatsApp chats outside of the app, and we don’t use your number for any purpose other than responding to you. We will not add you to any broadcast lists or groups without your consent. If you message us on WhatsApp, we encourage you to review WhatsApp’s Privacy Policy as well, so you are aware of how they handle personal data.
• Opting Out: If you no longer wish to communicate via WhatsApp, simply let us know or stop messaging us on that platform. You can request that we delete the chat history on our device and we will comply (unless we need to retain certain info for a specific legitimate reason, like evidence of a transaction or consent).
Regardless of the channel, confidentiality is important to us. Only authorized personnel responsible for customer communications will access your messages or call details. We do not share the content of your inquiries with third parties unless it is necessary to fulfill your request (for example, if your inquiry involves a third-party service we use, we might liaise with them, but we would inform you where possible).
Retention of Communications: As noted in Data Retention, we typically keep correspondence for a certain period. Emails and WhatsApp chats are usually retained until your inquiry is resolved and then for some time thereafter in case you follow up (commonly up to 6-12 months). Telephone call notes, if any, are similarly kept only as long as needed. If any communication could have legal significance (e.g. evidence of a transaction or legal notice), we may keep it as required by law or for legal defense (up to statutory limitation periods).
By reaching out to us through any of these methods, you agree that we can use the information you provide to respond to you. We will not use your contact details to send you unsolicited communications unrelated to your inquiry. For instance, contacting us via email or phone will not subscribe you to our newsletter (unless you specifically request it).
12.5 AI-Based Q&A Chat Service
On our website, we offer an interactive AI-powered question-and-answer assistant to help answer your questions automatically. This service uses artificial intelligence to understand your queries and provide relevant responses. The AI chat feature is there to enhance your experience by giving quick information about our services, events, or other content you might ask about.
How it Works: When you enter a question or message into the AI chat interface on our site, your query (the text you input) is sent to an AI processing service. The AI analyzes your question and generates a reply, which is then displayed to you in the chat. The underlying technology may involve natural language processing and machine learning models.
Data Processed: The content of your query may include personal data if you choose to provide such (for example, if you ask “Can I reserve a ticket under the name John Doe?” the name you provided is personal data). We do not require you to enter personal data into the AI chat for general questions (and we advise against sharing sensitive personal information via the chat). However, if you do include personal details in your question, that information will be processed by the AI service to formulate an answer. Additionally, technical data like your IP address, device type, and time of query might be automatically collected by the service for processing and delivery of the answer.
AI Service Provider: The AI chat functionality is powered by a third-party provider specializing in AI and language model services. (For transparency: We currently use a state-of-the-art AI service to handle these queries – for example, this might be an OpenAI or similar service via an integration, though we will not name a specific provider here in case it changes. The provider operates under our instructions as a processor and may process data on servers located outside the EU, including in the USA.) We have ensured that the AI provider is contractually bound to GDPR standards via a data processing agreement. If the provider is outside the EU, we have implemented appropriate safeguards such as Standard Contractual Clauses, and we rely on the provider’s compliance with frameworks (if applicable) as described in the International Data Transfers section.
Purpose: The sole purpose of processing your query is to generate the helpful response you see. The AI chat is like an automated customer support/chatbot tool – it allows you to get information quickly without waiting for a human, especially outside of our normal business hours. The AI’s knowledge is based on information we have provided or general sources up to a certain point, so it can answer FAQs about our event (Skigaudi) or services. We may also use aggregated data about the questions asked to improve our content or the AI’s responses (for example, if many people ask a similar question, we know we should address that clearly on our site).
Legal Basis: When you use the AI chat, we process the data based on our legitimate interest (Art. 6(1)(f) GDPR) in providing an efficient and innovative way to assist our users. You are voluntarily interacting with the AI assistant, effectively requesting an information service, so alternatively the processing can be seen as necessary to take steps at your request (similar to a pre-contractual information service under Art. 6(1)(b) GDPR). Either way, we ensure that your rights and interests are respected – you can always choose not to use the AI feature and contact a human representative instead.
Data Minimization and Storage: We do not permanently store the content of your AI chat queries in our own systems linked to you personally. Temporary logs or records may exist in the AI provider’s system for processing and quality assurance. These are typically transient. We do not build user profiles from your chat questions. If we do retain some chat transcripts for improving our services, we will anonymize them such that they are not linked to individual users. For example, we might review what general questions are common, but without focusing on who asked them.
Caution: While we strive to configure the AI to provide accurate and relevant information, the answers are generated automatically and might occasionally be incorrect or inappropriate. Please consider the AI’s responses as helpful guidance but not as legally binding or absolutely authoritative. We are not making decisions about you through the AI – it’s purely a tool for information. If the AI cannot adequately answer or you need confirmation, please reach out to us directly.
Third-Country Note: If our AI provider processes data in the U.S. or another third country, note that the query content (which could include personal data if you included any) might be transferred to that provider’s servers. As described earlier, we ensure protections like encryption in transit and contractual safeguards. By using the AI chat, you acknowledge that your query will be handled by this external AI service.
We hope the AI assistant is useful to you. If you have any concerns about the AI’s processing of your data or want a particular chat query deleted from the system, please contact us and we will do our best to assist (noting that often the chat data isn’t stored long-term). Using the AI chat is optional; you can always choose to not use it if you prefer that your data not be processed by the AI.
12.6 Instagram Plugin (Social Media Embed)
Our website integrates content from our Instagram social media profile to showcase recent posts and media. We do this by embedding an Instagram feed or posts directly on our site. Instagram is a service provided by Meta Platforms Ireland Limited, located at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (with Meta Platforms, Inc. in the USA as the parent company).
How the Instagram Embed Works: When you visit a page on our website that contains an Instagram plugin (e.g., an embedded Instagram photo carousel or a “Follow us on Instagram” feed), your browser will connect to Instagram’s servers to retrieve and display that content. This is similar to visiting Instagram directly, but it’s happening through our site.
Data Transferred: In the process of loading Instagram content, certain data about you is transmitted to Instagram/Meta. This includes:
• Your IP address (so that the content can be delivered to your browser).
• Page information (that you visited a specific page on our site which has the Instagram embed, which indirectly tells Instagram that you are interested in our content).
• Cookies: Instagram may place or read cookies on your browser if you have them. If you are logged into an Instagram or Facebook account on the same browser, Instagram could potentially associate your visit to our site with your account. Instagram’s embedded content may trigger their own tracking (for example, they might load a pixel or the Instagram cookies to know you saw a post).
• Browser details: Standard info such as your browser type, device, operating system, etc., as part of the request.
We, as the website provider, do not receive this data from Instagram. We only see the outcome (the content displayed). But Instagram’s system can use the data for their own purposes, which typically include analytics and personalizing services, and possibly advertising.
Purpose: We embed Instagram content to make our website more lively and to present you with our latest social media updates in one place. It enhances user experience by not requiring you to leave our site to see our Instagram posts. Our legitimate interest is to engage our audience with social content and broaden our reach.
Legal Basis: The integration of Instagram occurs only with your consent (Art. 6(1)(a) GDPR) if such embedding could involve non-essential cookies or tracking. When you accepted our cookie/tracking preferences that include social media content, the Instagram plugin will be activated. If you did not consent to social media embeds or tracking, we will either not load the Instagram content or will block it until you actively choose to enable it (depending on our site’s implementation). In some cases, we might use a placeholder or “two-click” solution where you have to click to load the Instagram feed, thereby giving implicit consent.
If we rely on legitimate interest for basic embedding (for example, if no cookies are set until you interact), then the legal basis would be Art. 6(1)(f) GDPR. However, given Instagram likely sets cookies, we treat it as a consent-based embed.
What Instagram/Meta Does: Once data is transmitted to Instagram/Meta, they become responsible for that data. It can be used in accordance with Instagram’s privacy policy. Meta may use the data to:
• Analyze usage of the embed (for example, to know how often their content is viewed outside Instagram).
• Enrich profiling if you’re a user (e.g., to personalize your Instagram/Facebook feed or ads, by knowing you looked at our content).
• Set cookies or similar for functionality and tracking.
We do not have control over Instagram’s use of the data. However, Meta Platforms Ireland and we might be considered joint controllers for the initial collection of data via the social plugin (based on a precedent from the Court of Justice of the EU regarding Facebook Like buttons). This means we have a responsibility to inform you of this data collection (which we’re doing here), while Instagram/Meta is responsible for fulfilling your rights regarding how they subsequently use the data. Meta has statements about such joint controller arrangements in their policies (for example, they typically say that Meta Ireland is primarily responsible for providing you with information and handling data subject rights for plugin data).
Preventing Instagram Data Collection: If you do not want Instagram/Meta to collect information about you via our site, you should refrain from interacting with the embedded content. You can also log out of your Instagram/Facebook account before visiting our site, and/or clear your cookies, so that Meta has less ability to link the visit to an existing profile. You could use browser extensions or content blockers that block social media embeds. Our site may also allow you to decline social media features upon first load (as mentioned, via the cookie consent options).
For more information, see Instagram’s Privacy Policy and the Instagram Help Center on embedding. Instagram’s privacy policy can be found at https://privacycenter.instagram.com/policy (this covers how they handle data from embedded content as well).
In summary, by viewing the Instagram content on our site, you agree that data will be transmitted to Instagram/Meta. We embed this content in good faith to inform and entertain, but please use it only if you’re comfortable with Instagram’s data practices.
12.7 YouTube Videos
We occasionally embed YouTube videos on our website to provide engaging multimedia content (for example, promotional videos or relevant footage for our events). YouTube is a video platform operated by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), with its parent company Google LLC in the USA.
How the Embed Works: When we embed a YouTube video, we typically use YouTube’s “privacy-enhanced mode” (also known as the “nocookie” domain). In privacy-enhanced mode, YouTube does not set cookies or collect identifying data about viewers unless they actually play the video. This means simply loading a page with an embedded video (but not clicking play) should not immediately send personal data to Google for advertising or tracking purposes. (However, note that even in this mode, a connection to YouTube is established to fetch the video player, and it’s possible that your IP address and certain technical data may be transmitted in the process of loading the frame. Google claims no cookies are used until playback.)
Data upon Playing Video: If you click the YouTube video to play it, YouTube/Google will receive data about you, including:
• The fact that you are playing a video on our site (and which video it is).
• Your IP address and possibly a unique identifier from cookies if you have previously visited YouTube or other Google services (even in privacy mode, once you play, YouTube might set cookies like VISITOR_INFO1_LIVE or others).
• If you are logged into a Google account (e.g., Gmail/YouTube) while playing the video, Google can associate your viewing with your account.
• Technical details of your browser and device, and video play statistics (like length of play, resolution used, etc.).
Google may use this information for analytics and personalization. For example, your viewing might influence the recommended videos you see on YouTube in the future, or Google’s ad profiling.
Purpose: We embed YouTube videos to provide you with rich content and information in video format. Videos can make explanations more clear or showcase experiences (like event highlights) that text can’t fully convey. It’s in our interest to make our site engaging and informative. By including YouTube, we leverage a widely-used platform for video delivery that is convenient for users.
Legal Basis: We only load the YouTube video content when you have given consent for external media/functional content (Art. 6(1)(a) GDPR). If our cookie banner or settings allow you to enable/disable media embeds, the video frame will remain inactive unless you consent. Alternatively, if we utilize the privacy-enhanced mode effectively, initial load might not require consent as no cookies are placed until action. But to be safe, we treat the act of clicking “Play” as your consent to connect to YouTube. We inform you that by playing the video, you agree to your data being transmitted to Google. If you do not agree, simply do not play the video.
No Auto-Play: We do not set our embedded videos to autoplay without user interaction. You have control to start them or not.
Data Transfers: Viewing a YouTube video will result in data being transferred to Google servers which might be in the USA or globally. Google is part of the EU-U.S. Data Privacy Framework as mentioned, and we have SCCs in place if needed. But once you interact with YouTube, you also come under YouTube’s terms.
Your Choices: If you do not want Google/YouTube to collect your data through embedded videos, you have a few choices:
• Don’t click on the video. We often provide context or alternatives in text nearby.
• Log out of your Google accounts and clear Google-related cookies before browsing our site, so that any YouTube interaction is more anonymous (though still tracked by IP/cookie).
• Use browser settings or extensions to block YouTube embeds (some privacy tools can replace the embed with a placeholder unless you explicitly allow it).
• Visit YouTube’s site or account settings where you can manage your ad personalization and privacy settings.
More Info: For details on how YouTube (Google) handles data, see Google’s Privacy Policy  . It covers YouTube as well. Google also provides info on the privacy-enhanced mode here: https://support.google.com/youtube/answer/171780?hl=en.
In summary, when you play an embedded YouTube video on our site, personal data (especially IP address and possibly cookies identifiers) will be shared with Google. We embed videos responsibly and only to improve your understanding of our content. Your viewing is voluntary.
12.8 SoundCloud Player
We embed audio content from SoundCloud on our website, such as music tracks or audio clips related to our events (for example, playlists or theme songs for Skigaudi, etc.). SoundCloud is an audio streaming platform operated by SoundCloud Limited, with headquarters at Rheinsberger Str. 76/77, 10115 Berlin, Germany.
How it Works: We use SoundCloud’s widget/player to stream audio directly on our site. When you access a page on our website that contains an embedded SoundCloud player (for instance, a music player interface), your browser establishes a direct connection to SoundCloud’s servers to load the audio content and player scripts.
Data Transferred: In doing so, SoundCloud receives certain information:
• IP address: As with any embedded resource, your IP is communicated to SoundCloud because it needs to send the audio data to your browser.
• Page info: SoundCloud will know that the request came from our website (the referrer URL will show the page on skigaudi.org where the player is embedded).
• SoundCloud Cookies: If you have previously used SoundCloud or are logged into SoundCloud, they may have cookies on your browser. The embed might allow SoundCloud to read/write cookies. For example, SoundCloud may set cookies to detect if you have liked a track or to remember your volume settings.
• Interaction data: If you click play, pause, or interact with the SoundCloud widget, that information can be sent to SoundCloud (e.g., it may register plays for the track, which the track owner can see as part of stats). If you are a logged-in SoundCloud user, your interactions (like liking a track or adding to a playlist) will be associated with your account.
• Account association: If you are logged in to SoundCloud, SoundCloud can tie the fact that you listened to the track (on our site) to your SoundCloud user profile (just as if you listened to it on their website/app).
Purpose: We embed SoundCloud content to provide audio entertainment and context on our site. For instance, if our event has a soundtrack or if we have audio messages, using SoundCloud allows easy playability without requiring you to download files. Our aim is to enhance your experience with relevant audio content seamlessly.
Legal Basis: Similar to other embeds, we rely on legitimate interest (Art. 6(1)(f) GDPR) for basic embedding of SoundCloud content in order to enrich our content, but we also respect that this may involve third-party cookies/tracking. We will not activate SoundCloud embeds unless you have either given consent or deliberately clicked to play (which implies consent to contact SoundCloud’s servers). In practice, we may present the SoundCloud player but require a user action to start streaming, at which point you’ll be interacting with SoundCloud.
Data Use by SoundCloud: Since SoundCloud is EU-based (Germany), data transmitted to them (like IP and usage info) is handled under EU law. SoundCloud will use the data to:
• Deliver the audio stream and ensure it plays correctly.
• Provide metrics to content uploaders (e.g., how many plays a track gets, possibly coarse location of listeners, etc.).
• If you are a user, to reflect that you played something, or to remember your preferences.
• SoundCloud’s privacy policy (available on their website) details that they may use certain data to personalize services and possibly for their internal analytics.
SoundCloud does not, as far as known, use embedded player interactions for advertising in the way social media might, especially if you are not logged in. The data is more for functional and analytical purposes. They might, however, track usage to recommend tracks to users or so.
No Third Country Transfer (usually): SoundCloud’s servers are likely in Europe for European users (the company being in Berlin). So using the SoundCloud embed should not involve your data leaving the EU, except SoundCloud might use global CDNs. But as the controller, SoundCloud Ltd. in Germany is responsible for your data. We mention in International Transfers mainly US services; SoundCloud is not a US service (despite being popular globally).
Opt-Out/Control: If you do not want SoundCloud to process your data via our site:
• Don’t press play on the audio. (No streaming will occur).
• If you are a SoundCloud user and don’t want your listen logged to your account, log out of SoundCloud before using the embed.
• You can also block soundcloud.com domains via browser or script blockers, though then the audio might not load at all.
Further Information: For more on SoundCloud’s data practices, you can read SoundCloud’s Privacy Policy at https://soundcloud.com/pages/privacy. It explains what data they collect and how they use it, including data from embedded players.
In summary, when you use the SoundCloud player on our site, SoundCloud receives your IP and usage info to play the audio. We use this feature in good faith to provide music/audio content conveniently. The data shared is limited to what is necessary for streaming and standard platform analytics.
12.9 Google Web Fonts
For a visually consistent and attractive design, our website uses Google Web Fonts. This is a font library service provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Using Google Web Fonts allows us to display our site’s text in specific fonts that might not be installed on your device, ensuring the look and feel is the same for all users.
How it Works: When you load a page on our site, your browser will check if the required custom fonts (chosen by our web design) are already on your device. If not, it will download the font files from a Google server (usually from domains like fonts.googleapis.com or fonts.gstatic.com). This happens in the background quickly as the page loads.
Data Transmitted: In the process of fetching fonts from Google:
• Your browser connects to Google’s font server. This means Google receives a request that includes things like your IP address, the resource requested (which font), the browser type, device, and the referring website (that it’s our site making the request).
• According to Google, the Google Fonts service is designed to be fast and efficient, and they claim not to use font requests to track users. Specifically, Google states that requests for fonts are separate from other Google services and that they do not set or use cookies for serving fonts .
• Google may keep logs of font requests (to monitor usage and performance). These logs reportedly include the IP address for a short period, but Google typically anonymizes or aggregates this data and uses it for technical purposes (like caching and statistics on popularity of fonts).
Purpose: The purpose of using Google Web Fonts is purely visual enhancement and efficiency. Instead of using generic fonts or forcing you to download our own font files (which could be large and slow), we use Google’s global content delivery network to quickly load fonts. This ensures our site looks as intended with the chosen typography and that fonts load quickly from a server likely close to you. It also reduces the load on our own servers.
Legal Basis: We consider the loading of Google Fonts as based on our legitimate interest (Art. 6(1)(f) GDPR) in presenting a consistent and appealing website. The impact on your privacy is minimal – the data transmitted is limited to technical requisites for delivering the font, and Google does not collect additional personal info or use cookies for fonts. We have weighed our interest in using external fonts against the data protection implications and find it to be a proportionate use. However, we acknowledge the legal discussion around IP addresses. Since an IP address is personal data, and it’s sent to Google, we mention it here transparently. If you object to this, see the control options below.
Data Transfer: Because Google’s font servers might be located worldwide, your IP might be transmitted to a server outside the EU (e.g., in the USA) during the font request. As noted in International Transfers, Google is under the Data Privacy Framework and/or SCCs for such basic service data. Google Font requests are considered low-risk by many because the data is used only to serve the content (fonts) and not for other purposes like advertising.
Retention: We do not have access to or control of any logs Google keeps of font requests. Google likely retains aggregated usage data of fonts indefinitely to measure popularity and improve their service, but your individual IP address would not be kept longer than necessary on their systems (Google has stated to purge IPs typically within a short timeframe in such contexts).
Alternatives/Control: If you for some reason do not want Google to receive your IP for font loading, you can:
• Adjust your browser settings or use an extension to block Google Fonts. There are plugins that will prevent loading external fonts and either substitute with local ones or just not display them.
• However, note that if Google Fonts are blocked, our site’s typography might revert to a default font which could alter the layout slightly.
• Another alternative is that we could host fonts locally. (We are considering this for the future to remove third-party font dependencies entirely.)
At present, we trust Google’s handling of the font service to be privacy-friendly and more efficient for you as a user.
You can find more information in Google’s FAQ on Privacy and Google Fonts . Also, Google’s general privacy policy applies for content delivery: https://policies.google.com/privacy.
In summary, using Google Web Fonts helps us make the site look nice and professional. The trade-off is that your browser makes a quick connection to Google for the fonts, sending an IP address. We believe this processing is low intrusion, but we still want you to be aware.
13. Data Security
We are committed to protecting your personal data and have implemented appropriate technical and organizational security measures to safeguard it against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
• Encryption: Our website is secured via SSL/TLS encryption (you will see a padlock in your browser’s address bar and the URL will start with HTTPS). This means that any data you submit through forms (such as contact messages, login information, etc.) or that we transmit is encrypted while in transit between your browser and our server, making it much harder for any third party to intercept or read. Similarly, if we transfer data to third-party services, we ensure those transfers are encrypted (e.g., using HTTPS or secure API calls).
• Access Control: Internally, access to personal data is restricted to authorized employees and contractors who need that data to perform their job duties. For example, only HR staff can access job application emails, and only IT administrators can access raw server logs. Each such person is bound by confidentiality obligations. We follow the principle of least privilege, giving the minimum access necessary.
• Secure Hosting: Our hosting provider (IONOS) maintains robust security protocols, including firewalls, intrusion detection systems, and regular security audits. Data centers are physically secured and comply with industry standards (like ISO 27001 certification or similar, if applicable).
• Data Minimization: We collect and process only the personal data that is necessary for the purposes stated. We also pseudonymize or anonymize data wherever feasible (for instance, analytics data is in aggregate form, and IP addresses in Google Analytics are anonymized).
• Updates and Patch Management: We keep our website’s software, content management system, and any related applications up to date with the latest security patches. This helps protect against known vulnerabilities that attackers could exploit.
• Regular Backups: We perform regular backups of website data and databases. Backups are encrypted and stored securely. This ensures that we can restore data in case of accidental loss or technical incidents, with minimal downtime.
• Monitoring: We monitor our systems for potential vulnerabilities and attacks. Suspicious activities (such as repeated failed login attempts or unusual traffic patterns) are flagged for investigation. We also utilize anti-malware and anti-virus solutions as necessary to protect our IT infrastructure.
• Employee Training: Our team is educated on the importance of data protection and security. We train relevant staff on best practices for handling personal data and recognizing social engineering attempts (like phishing).
• Data Protection by Design: When developing or adopting new website features or services, we take privacy into account from the start, implementing data protection principles (privacy by design and by default).
Despite all these measures, it’s important to note that no method of transmitting or storing data is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. However, we continuously review and enhance our security practices to meet or exceed standard requirements.
If we ever experience a data breach that poses a significant risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by law (Art. 33 and 34 GDPR), and we will take immediate steps to mitigate the breach.
Your account (if any) or personal data is protected by your cooperation as well. For instance, if we provide credentials or if you have an account with us, keep your password confidential and do not share it. If you suspect any unauthorized access or have reason to believe your interaction with us is no longer secure, please contact us immediately so we can investigate and address the issue.
14. Data Deletion
We process and store your personal data only for the period necessary to achieve the stated purposes, or as mandated by law. When the information is no longer needed, we ensure it is securely deleted or anonymized.
Routine Deletion: As detailed in our Data Retention section, each category of data has a defined retention period. After that period expires, or once the purpose of processing is fulfilled, our policy is to delete the data. For example, if you withdraw your consent for the newsletter, we will remove your email from our active mailing list promptly. If a job application process concludes and the data is past the retention period, we will delete those application files.
Deletion Process: Deletion is carried out in a manner that the data cannot be reconstructed or recovered. For digital data, we will delete files or entries from our systems or databases. For backups, the data will eventually cycle out and be overwritten according to our backup retention schedule. For physical data (if any, like printed documents), we use shredding or secure disposal.
In cases where complete deletion is not immediately feasible (for example, data stored in long-term backups that are not easily editable, or data we have to keep for legal reasons), we will isolate or lock the data so that it is not readily accessible or used. Once the retention requirement is over, that data will be deleted as well.
Anonymization: In some situations, instead of outright deletion, we may anonymize personal data. Anonymization is an irreversible process after which the data is no longer personal (because individuals can no longer be identified). For instance, we might keep aggregated statistical information about site usage but remove any personal identifiers from it. Anonymized data may be retained longer for analysis, as it no longer poses a privacy risk.
Your Right to Deletion: As noted in the Rights of Data Subjects section, you have the right to request erasure of your data. Upon such a request, we will erase your personal data without undue delay provided that one of the grounds in Art. 17 GDPR applies (e.g., the data is no longer necessary, or was processed based on consent which you now withdraw, etc.), and as long as no exception applies (like a legal obligation requiring us to keep it). We will also inform any processors or third parties who have your data on our behalf to delete it as needed.
Exceptions to Deletion: We might refuse a deletion request or retain certain data if an exception applies. These exceptions can include:
• Compliance with a legal obligation (for example, some financial transaction data might need to be stored for 10 years under tax law, even if you request deletion).
• Establishment, exercise, or defense of legal claims (we may retain certain information if necessary for legal disputes or litigation).
• Public interest archiving, research, or statistical purposes, if deletion would seriously impair those objectives and if we have appropriate safeguards.
In any case where we must retain data despite a deletion request, we will inform you of the reason.
We ensure that deletion processes are a regular part of our data management. We have schedules and checks (for example, periodic review of what data can be purged) to avoid holding onto data longer than needed.
If you have specific questions about our deletion practices or want to request deletion of your data, please refer to the Contact Information below and reach out to us.
Last Updated: September 4, 2025