We take the protection of personal data very seriously. We want you to know when we store which data and how we use it.
As a company under private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the supplementary provisions of the German Federal Data Protection Act (BDSG-neu). We have taken appropriate technical and organizational measures to ensure that both we and our external service providers comply with data protection regulations.
1. Person responsible
The controller pursuant to Art. 4 para. 7 GDPR and other national data protection laws of the member states of the European Union as well as other data protection regulations is
invidis consulting GmbH
Gisela-Stein-Straße 6
81671 München
Germany
Phone: +49 [0]89 2000-416-17
E-Mail: info@invidis.com
2. Definitions
In our privacy policy, we use terms that are used and defined in the GDPR. We would like to explain the most important terms so that you know what they mean.
2.1 Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. IP address or cookies) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.2 Processing
Processing is any operation or set of operations which is performed on personal data, whether or not by automated means. This basically includes any handling of personal data such as the collection, storage, modification, use, transmission, dissemination, erasure or destruction, etc.
2.3 Controller
The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The controller must ensure the permissibility of data processing through the use of technical and organizational measures that are regularly reviewed.
2.4 Pseudonymization
Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
2.5 Processor
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2.6 Recipient
Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
2.7 Third party
Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
2.8 Consent
Consent is an expression of self-determination under data protection law. It is the voluntary, informed and unambiguous expression of will in the form of a statement or other unambiguous affirmative act by which the data subject indicates that they consent to the processing of their personal data. Consent that has been given can be revoked at any time.
3. General information on data processing
3.1 Scope of the processing of personal data
In principle, we only process your personal data insofar as this is necessary to provide our website. As a rule, the collection and use of your personal data only takes place with your consent or if the processing of the data is permitted by legal regulations.
3.2 Legal basis for the processing of personal data
In data protection, the so-called prohibition with reservation of permission applies. This means that the processing of personal data is generally unlawful unless the data subject has given consent or it is legitimized by a legally regulated reason for permission. We are obliged to inform you of the legal basis for data processing.
If we obtain your consent for the processing of personal data, Art. 6 para. 1 lit. a GDPR serves as the legal basis.
In the case of processing operations that are necessary for the performance of a contract concluded between you and us or for the implementation of pre-contractual measures, Art. 6 para. 1 lit. b GDPR serves as the legal basis.
If the processing of personal data is necessary to fulfill a legal obligation to which we are subject, such as statutory retention and storage obligations, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR is the legal basis.
If the processing is necessary to protect our legitimate interests or those of a third party and your interests, fundamental rights and freedoms do not override the former interest, the processing of personal data is legitimized by Art. 6 para. 1 lit. f GDPR.
3.3 Disclosure of personal data to third parties and processors
As a matter of principle, we do not pass on any personal data to third parties without your express consent. If we nevertheless disclose your data to third parties in the course of processing, transfer it to them or otherwise grant them access to the data, this is also done exclusively on the basis of one of the aforementioned legal bases. For example, we transmit data to payment service providers if this is necessary for the fulfillment of the contract. If we are obliged to do so by law or by court order, we must transfer your data to authorities entitled to receive information.
In some cases, we use carefully selected external service providers to process your data. If data is passed on to service providers as part of so-called order processing, this is done on the basis of Art. 28 GDPR. Our processors are carefully selected, are bound by our instructions and are regularly monitored by us. We only commission processors who offer sufficient guarantees that suitable technical and organizational measures are taken to ensure that processing is carried out in accordance with the requirements of the GDPR and the new German Federal Data Protection Act (BDSG-neu) and that your rights are protected.
3.4 Data transfer to third countries
The GDPR guarantees the same high level of data protection within the European Union. When selecting our service providers and cooperation partners, we therefore rely on European partners wherever possible if your personal data is to be processed. Only in exceptional cases will we have data processed outside the European Union or the European Economic Area as part of the use of third-party services.
We only allow your data to be processed in a third country if the special requirements of Art. 44 et seq. GDPR are met. This means that your data may then only be processed on the basis of special guarantees, such as the EU Commission’s officially recognized determination of a level of data protection corresponding to the EU or compliance with officially recognized special contractual obligations, the so-called “standard contractual clauses”. We require US service providers to use these standard clauses or to submit to the “Privacy Shield”, the data protection agreement negotiated between the European Union and the United States (privacyshield.gov).
3.5 Deletion of data and storage duration
We will delete or block your personal data as soon as the purpose for storing it no longer applies. In addition, however, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which we are subject. This applies, for example, to data that must be stored for commercial or tax law reasons, such as billing data for subscriptions. Your data will be blocked or deleted if a storage period prescribed by these regulations expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
3.6 Existence of automated decision-making
We do not use automated decision-making or profiling.
4. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of the GDPR. You have the following rights vis-à-vis us as the controller:
4.1 Right to revoke a declaration of consent under data protection law
If the processing of personal data is based on your consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
4.2 Right to information
You have the right to request confirmation from us as to whether we are processing personal data concerning you. If this is the case, you can request the following information:
- the purposes of the processing;
- the categories of personal data being processed;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, including, in the case of transfer to a third country or to an international organization, the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- the existence of a right to rectification or erasure of personal data concerning you or to restriction of processing by us or a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- if the personal data is not collected from you, all available information about the origin of the data
- the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and para. 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
We will provide you with a copy of the personal data that is the subject of the processing within one month of receiving your request for information. For any further copies you request, we may charge a reasonable fee based on administrative costs. If you make the request electronically, we will provide you with the information in a commonly used electronic format, unless you specify otherwise.
4.3 Right to rectification
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4.4 Right to erasure (“right to be forgotten”)
You have the right to obtain from us the erasure of personal data concerning you without undue delay and we are obliged to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based and there is no other legal basis for the processing.
- You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing.
- The personal data has been processed unlawfully.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law.
- The personal data have been collected in relation to the offer of information society services referred to in Art. 8 para. 1 GDPR.
If we have made the personal data concerning you public and we are obliged to delete it, we will take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you have requested them to delete all links to this personal data or copies or replications of this personal data.
The right to erasure (“right to be forgotten”) does not exist if the processing is necessary:
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation which requires processing by Union or Member State law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us
- for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- for the establishment, exercise or defense of legal claims.
4.5 Right to restriction of processing
You have the right to demand that we restrict the processing of your personal data if one of the following conditions is met:
- you contest the accuracy of the personal data concerning you for a period enabling us to verify the accuracy of the personal data
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
- we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
- you have objected to processing pending the verification whether our legitimate grounds override yours.
If processing has been restricted in accordance with the above conditions, these personal data – apart from their storage – will only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, we will inform you before the restriction is lifted.
4.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and carried out by automated means.
In exercising the right to data portability, you may request that the personal data be transmitted directly from us to another controller, insofar as this is technically feasible. The exercise of the right to data portability does not affect the right to erasure (“right to be forgotten”). This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
4.7 Right of objection
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on lit. e or lit. f of Art. 6 para. 1 GDPR. This also applies to profiling based on these provisions. We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
In the context of the use of information society services, and notwithstanding the ePrivacy Directive, you may exercise your right to object by automated means using technical specifications.
4.8 Automated decisions in individual cases including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
- is necessary for the conclusion or performance of a contract between you and us
- is authorized by Union or Member State law to which we are subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- is based on your express consent.
We will take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person on the part of the controller, to express your point of view and to contest the decision.
4.9 Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
5. Use of our website
In principle, you can use our website without disclosing your identity. In this section, we explain when and in what context we process data when you use our website, which offers from service providers and cooperation partners we have implemented, how they work and what happens to your data.
5.1 Data collection when visiting our websites
If you use our websites purely for information purposes, i.e. if you do not register, conclude a contract with us or otherwise disclose information to us, we only collect the personal data that your browser transmits to our servers. When you access our websites, we collect the following data, which is technically necessary for us to be able to display our websites to you and to ensure stability and security.
- IP address of the user
- Date and time of the request
- Content of the request (specific page)
- Access status/HTTP status code
- Amount of data transferred in each case
- Website from which the request originates
- Operating system of the user
- Language and version of the browser software.
This data is temporarily stored in the log files of our hosting provider for a maximum of seven days. Storage beyond this period is possible, but in this case the IP addresses are partially deleted or anonymized so that it is no longer possible to identify the accessing client. The log files are not stored together with other personal data relating to you in this context. The legal basis for these processing operations is Art. 6 para. 1 lit. f GDPR.
Since the collection of data to display the websites and the storage of data in log files is absolutely necessary for the operation of our websites and the maintenance of IT security, you have no option to object in this respect.
5.2 Use of cookies
In addition to the aforementioned data, cookies are stored on your device during or after your visit to our website. These are small text packages that can be sent from a website to the browser, which stores them and sends them back. Cookies can store different information that is read by the body that sets the cookie. As a rule, they contain a characteristic character string (ID) that enables the browser to be uniquely identified when the website is called up again or a page is changed. They are primarily used to make our website more user-friendly and effective overall. The user data collected in cookies is pseudonymized by technical precautions, which means that it is generally no longer possible to assign the data to the accessing user. Insofar as identifiability is given, such as in the case of a login cookie whose session ID is necessarily linked to the user’s account, we will point this out to you at the appropriate point.
We use different types of cookies:
- Transient cookies, also known as temporary or “session cookies”, are cookies that are deleted after you leave our website and close your browser. Such cookies are used, for example, to store data when our editors and employees log in.
- Persistent or permanent cookies remain stored even after the browser is closed. For example, the login status or search terms entered can be saved. Among other things, we use such cookies for the opt-out option of our anonymized website statistics. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. However, you can delete these cookies at any time in the security settings of your browser.
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR.
Technically required cookies for all website visitors
Name | Runtime | Purpose |
---|---|---|
PHPSESSID | Session | PHP Session Cookie: Cookie to store a simple message when submitting a form that can be displayed on a separate page. |
MATOMO_SESSID | Session | Temporary “nonce” cookie when using the opt-out for Matomo website statistics. Protects against cross-site request forgery (CSRF). |
matomo_ignore | 2 years | Matomo opt-out cookie (prevents analysis by Matomo website statistics). |
borlabs-cookie | 1 year | Borlabs Cookie to store your cookie consent. |
Technically required cookies for website employees
Name | Runtime | Purpose |
---|---|---|
wordpress_test_cookie | Session | For employees only: This cookie is set when you navigate to the WordPress login page. This allows our website to check whether the browser is set to allow cookies. |
wordpress_[hash] | Session | For employees only: When logging in, the CMS WordPress uses this cookie to store the user’s authentication data. Its use is restricted to the administration area. |
wordpress_logged_in_[hash] | Session | For employees only: After logging in, WordPress sets this cookie, which indicates that the user is logged in – and who the user is. The latter information is relevant for some interface applications of the CMS. |
wordpress_sec_[hash] | Session | For employees only: Cookie for logged-in WordPress users. |
wp-settings-[UID] | 1 year | For employees only: Cookie for logged-in WordPress users (e.g. for assigning personal customizations to the user interface). |
wp-settings-{time}-[UID] | 1 year | For employees only: Cookie for logged-in WordPress users (contains the time at which the wp-settings cookie was created). |
5.3 Contact forms and e-mail contact
On our website you will find contact forms and e-mail links (mailto) that can be used to contact us electronically. Among other things, this enables us to comply with the legal requirement to facilitate rapid electronic contact with us. If you use this option, your details will be processed and automatically stored for the purpose of responding to the request in accordance with Art. 6 para. 1 lit. c GDPR. We delete the inquiries if they are no longer required and no statutory archiving obligations apply.
5.4 External links
Our website contains links to other websites. We have no influence on whether their operators comply with data protection regulations.
5.5 Use of Matomo
On this website, data is collected and stored using the web analysis service software Matomo (www.matomo.org), a service of the provider InnoCraft Ltd, 150 Willis St, 6011 Wellington, New Zealand, (“Matomo”) on the basis of our legitimate interest in the statistical analysis of user behavior for optimization and marketing purposes in accordance with Art. 6 para. 1 lit. f GDPR. Anonymized user profiles can be created and evaluated from this data for the same purpose. The data collected using Matomo technology (including your anonymized IP address) is processed on our servers.
If you do not agree to the storage and analysis of this data from your visit, you can object to its storage and use at any time by clicking below. In this case, a so-called opt-out cookie will be stored in your browser, which means that Matomo will not collect any session data. Please note that the complete deletion of your cookies means that the opt-out cookie will also be deleted and may have to be reactivated by you.
5.6 Use of Borlabs Cookie
Our website uses Borlabs Cookie. This cookie consent technology is used to obtain the legally required consent to the storage of certain cookies in your browser and to document this in compliance with data protection regulations. The legal basis for this is Art. 6 para. 1 lit. c GDPR. The provider of this technology is Borlabs – Benjamin A. Bornschein, Georg-Wilhelm-Str. 17, 21107 Hamburg, Germany (hereinafter referred to as Borlabs).
When you enter our website, a technically necessary cookie (borlabs-cookie) is stored in your browser. This cookie stores the consents you have given or the revocation of these consents. This data is not passed on to the provider of Borlabs. Borlabs does not process any personal data. You can change your Borlabs Cookie settings here:
Cookie Settings
If you wish to revoke this consent, simply delete the cookie in your browser. When you re-enter/reload the website, you will be asked for your cookie consent again. Details on the data processing of Borlabs can be found at https://de.borlabs.io/kb/welche-daten-speichert-borlabs-cookie/
6. Children
Our services are generally aimed at adults. Persons under the age of 16 may not transmit any personal data to us without the consent of their parents or legal guardians.
7. Changes
The rapid development of the Internet makes it necessary from time to time to adapt our privacy policy. You will be informed about the changes here.
- 30.11.2023: First version of our privacy policy