1) Introduction and Contact Information of the Data Controller

1.1 We are pleased that you are visiting our website and thank you for your interest. In the following, we will inform you about the handling of your personal data when using our website. Personal data refers to all data that can be used to personally identify you.

1.2 The data controller responsible for processing personal data on this website, in accordance with the General Data Protection Regulation (GDPR), is Christoph Maximilian Huber, ebility.consulting, Herzog-Otto-Weg 31, 85604 Zorneding, Germany, Tel.: +49 8106 3929409, Email: info@ebilityconsulting.de. The data controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.

2) Data Collection When Visiting Our Website

2.1 When using our website for informational purposes only, meaning you do not register or otherwise provide us with information, we only collect the data that your browser transmits to the server (so-called “server log files”). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:

• The website visited

• Date and time of access

• Amount of data sent in bytes

• Source/reference from which you accessed the site

• Browser used

• Operating system used

• IP address used (if applicable: in anonymized form)

This data processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website. The data will not be shared or used for any other purpose. However, we reserve the right to review the server log files later if there are specific indications of illegal use.

2.2 For security reasons and to protect the transmission of personal data and other confidential content (e.g., orders or inquiries to the data controller), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the “https://” and the lock symbol in your browser’s address bar.

3) Hosting & Content Delivery Network

3.1 For hosting our website and displaying the site’s content, we use a provider that performs its services either directly or through selected subcontractors, exclusively on servers within the European Union.

All data collected on our website is processed on these servers.

We have entered into a data processing agreement with the provider to ensure the protection of our website visitors’ data and prevent unauthorized disclosure to third parties.

3.2 IONOS

We use a content delivery network (CDN) provided by the following company: 1&1 IONOS Internet SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.

This service enables us to deliver large media files, such as graphics, website content, or scripts, faster through a network of regionally distributed servers. The processing is carried out to safeguard our legitimate interest in improving the stability and functionality of our website, in accordance with Art. 6 para. 1 lit. f GDPR.

We have entered into a data processing agreement with the provider to ensure the protection of our website visitors’ data and prevent unauthorized disclosure to third parties.

4) Contacting Us

When you contact us (e.g., via contact form or email), personal data is processed solely for the purpose of handling and responding to your inquiry and only to the extent necessary for this purpose.

The legal basis for processing this data is our legitimate interest in responding to your inquiry in accordance with Art. 6 para. 1 lit. f GDPR. If your contact aims to conclude a contract, an additional legal basis for processing is Art. 6 para. 1 lit. b GDPR. Your data will be deleted once it is clear from the circumstances that the matter has been conclusively resolved, provided there are no legal retention obligations to the contrary.

5) Use of Customer Data for Direct Marketing

Cart Reminder Emails

If you abandon your shopping cart on our website before completing the purchase, you have the option to receive a one-time reminder via email about the contents of your virtual shopping cart.

The only required information for sending this reminder is your email address. Providing additional data is voluntary and may be used to address you personally. We use the double opt-in procedure to ensure that you only receive a notification if you have expressly confirmed your consent by clicking on a verification link sent to the provided email address.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6 para. 1 lit. a GDPR for sending the cart reminder. We also store your IP address, as registered by the internet service provider (ISP), as well as the date and time of your registration, to trace any potential misuse of your email address at a later time. The data collected during registration for our email notification service is used strictly for this purpose.

You can unsubscribe from cart reminders at any time by sending a message to the contact information provided at the beginning of this policy. After unsubscribing, your email address will be promptly removed from our reminder distribution list unless you have expressly consented to further use of your data, or if we are legally permitted to use your data for other purposes, which we will inform you of in this policy.

6) Data Processing for Order Handling

6.1 To the extent necessary for fulfilling the contract for delivery and payment purposes, the personal data we collect will be shared with the assigned shipping company and financial institution in accordance with Art. 6 para. 1 lit. b GDPR.

If we are obliged to provide you with updates for goods containing digital elements or for digital products under a relevant contract, we will process the contact details you provided during the order (name, address, email address) to notify you of upcoming updates, as required by law, via an appropriate communication method (e.g., by post or email) within the legally prescribed period. Your contact details will be strictly used for notifications related to the updates we are obligated to provide and will be processed only to the extent necessary for this purpose.

To handle your order, we also collaborate with the following service providers who assist us, fully or partially, in executing contracts. Personal data will be transmitted to these service providers as outlined below.

6.2 Use of Payment Service Providers

• PayPal

This website offers one or more online payment methods from the following provider: PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

If you select a payment method from this provider where payment is made in advance, your payment data provided during the ordering process (including name, address, bank or card information, currency, and transaction number) as well as information about your order will be shared with PayPal, in accordance with Art. 6 para. 1 lit. b GDPR. This data transfer occurs solely for the purpose of payment processing and only as necessary.

If you choose a payment method where we provide the service in advance, you will also be asked during the ordering process to provide specific personal data (first and last name, street, house number, postal code, city, date of birth, email address, phone number, and possibly information about an alternative payment method).

In such cases, to safeguard our legitimate interest in verifying your payment ability, we forward this data to the provider for a credit check, as per Art. 6 para. 1 lit. f GDPR. The provider checks the personal data you provided, along with other data (such as cart details, invoice amount, order history, and payment experiences), to assess whether the selected payment method can be granted with regard to payment and/or default risks.

The credit report may include probability values (so-called score values). If score values are included in the credit report, they are based on a scientifically recognized mathematical-statistical method. Address data is one of the factors included in the calculation of the score values.

You may object to this data processing at any time by sending a message to us or the provider. However, the provider may still be entitled to process your personal data if it is necessary for the contractual payment process.

• Stripe

This website offers one or more online payment methods from the following provider: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

If you select a payment method from Stripe where you pay in advance (e.g., credit card payment), your payment data provided during the ordering process (including name, address, bank or card information, currency, and transaction number) as well as order details will be shared with Stripe, in accordance with Art. 6 para. 1 lit. b GDPR. This data transfer occurs solely for the purpose of payment processing and only as necessary.

If you select a payment method where Stripe provides the service in advance (e.g., invoice or installment payment or direct debit), you will also be asked during the ordering process to provide specific personal data (first and last name, street, house number, postal code, city, date of birth, email address, phone number, and possibly information about an alternative payment method).

To safeguard our legitimate interest in verifying the payment ability of our customers, we forward this data to Stripe for a credit check, as per Art. 6 para. 1 lit. f GDPR. Stripe checks the personal data you provided, along with other data (such as cart details, invoice amount, order history, and payment experiences), to assess whether the selected payment method can be granted with regard to payment and/or default risks.

The credit report may include probability values (so-called score values). If score values are included in the credit report, they are based on a scientifically recognized mathematical-statistical method. Address data is one of the factors included in the calculation of the score values.

You may object to this data processing at any time by sending a message to us or Stripe. However, Stripe may still be entitled to process your personal data if it is necessary for the contractual payment process.

7) Web Analytics Services

1&1 IONOS WebAnalytics

This website uses the web analytics service provided by: 1&1 IONOS Internet SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.

Using cookies and/or similar technologies (tracking pixels, web beacons, algorithms for reading device and browser information), the service collects and stores pseudonymized visitor data, including device information such as IP address and browser details. This data is used to perform statistical analyses of usage behavior on our website and to create pseudonymized user profiles. This includes the evaluation of movement patterns (so-called heatmaps), showing the duration of page visits and interactions with page content (e.g., text inputs, scrolling, clicks, and mouse-overs). Pseudonymization generally prevents the direct identification of individuals. No merging with other clear data collected about you will take place.

All the above-mentioned processes, especially the reading or storing of information on the device used, are carried out only if you have given us your explicit consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with future effect by disabling this service in the “cookie consent tool” provided on the website.

We have entered into a data processing agreement with the provider to ensure the protection of our website visitors’ data and prevent unauthorized disclosure to third parties.

8) Website Functionality

Endereco

To enable real-time validation of specific inputs in the address form during the checkout process in our webshop, we use the services of the following provider: Endereco UG, Balthasar-Neumann-Straße 4b, 97236 Randersacker, Germany.

The provider validates the entered address, verifies its accuracy, and supplements missing data if necessary. In the case of ambiguous addresses, correct alternative suggestions are displayed. For this purpose, the address data you entered is transmitted to the provider, stored, and analyzed.

This processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR based on our legitimate interest in properly recording the correct address data of the customer to ensure the reliable fulfillment of our contractual delivery obligations and to prevent issues with contract execution.

The provider processes the relevant data separately, does not merge it with other data sets, and deletes it once its status or accuracy has been confirmed, but no later than 30 days.

9) Tools and Miscellaneous

Cookie Consent Tool

This website uses a “cookie consent tool” to obtain effective user consent for cookies and cookie-based applications that require consent. The “cookie consent tool” is displayed to users when they access the site as an interactive interface, where users can grant consent for specific cookies and/or cookie-based applications by checking boxes. Only cookies and services requiring consent are loaded when the user grants consent by ticking the relevant boxes. This ensures that such cookies are set on the user’s device only if consent has been given.

The tool uses technically necessary cookies to store your cookie preferences. Personal user data is generally not processed in this case.

If, in specific instances, personal data (such as an IP address) is processed for the purpose of storing, assigning, or logging cookie settings, this is done in accordance with Art. 6 para. 1 lit. f GDPR, based on our legitimate interest in providing a legally compliant, user-specific, and user-friendly consent management system for cookies, and ensuring that our website complies with legal requirements.

Another legal basis for this processing is Art. 6 para. 1 lit. c GDPR. As the data controller, we are legally obligated to make the use of non-essential cookies dependent on the user’s consent.

If necessary, we have entered into a data processing agreement with the provider to ensure the protection of our website visitors’ data and prevent unauthorized disclosure to third parties.

For more information about the operator and the settings of the cookie consent tool, please refer to the corresponding interface on our website.

10) Data Subject Rights

10.1 Under applicable data protection law, you have the following rights (information and intervention rights) regarding the processing of your personal data by the data controller, with reference to the respective legal basis for the conditions of their exercise:

• Right of access in accordance with Art. 15 GDPR;

• Right to rectification in accordance with Art. 16 GDPR;

• Right to erasure in accordance with Art. 17 GDPR;

• Right to restriction of processing in accordance with Art. 18 GDPR;

• Right to notification in accordance with Art. 19 GDPR;

• Right to data portability in accordance with Art. 20 GDPR;

• Right to withdraw consent in accordance with Art. 7 para. 3 GDPR;

• Right to lodge a complaint in accordance with Art. 77 GDPR.

10.2 Right to Object

IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST IN THE CONTEXT OF A BALANCING OF INTERESTS, YOU HAVE THE RIGHT TO OBJECT TO THIS PROCESSING AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, WITH EFFECT FOR THE FUTURE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL STOP PROCESSING THE DATA IN QUESTION. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR IF THE PROCESSING IS FOR THE PURPOSE OF ASSERTING, EXERCISING, OR DEFENDING LEGAL CLAIMS.

IF WE PROCESS YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH ADVERTISING PURPOSES. YOU MAY EXERCISE THIS RIGHT AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING YOUR DATA FOR DIRECT MARKETING PURPOSES.

11) Duration of Storage of Personal Data

The duration of the storage of personal data is determined based on the respective legal basis, the purpose of processing, and, where applicable, the relevant statutory retention period (e.g., commercial and tax-related retention periods).

When personal data is processed based on explicit consent in accordance with Art. 6 para. 1 lit. a GDPR, the data will be stored until you revoke your consent.

If there are statutory retention periods for data processed in the context of contractual or similar obligations based on Art. 6 para. 1 lit. b GDPR, the data will be routinely deleted after the expiration of these retention periods, provided the data is no longer necessary for the performance or initiation of the contract, and there is no legitimate interest on our part in continuing to store the data.

When personal data is processed based on Art. 6 para. 1 lit. f GDPR, the data will be stored until you exercise your right to object under Art. 21 para. 1 GDPR, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or if the processing serves the establishment, exercise, or defense of legal claims.

When personal data is processed for direct marketing purposes based on Art. 6 para. 1 lit. f GDPR, the data will be stored until you exercise your right to object under Art. 21 para. 2 GDPR.

Unless otherwise specified in this declaration, personal data will be deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.