Privacy Policy

Current version: as of 15 November 2025

Previous versions are archived in Customer Service.

Suchen Technology GmbH, Dieselstraße 11, 30916 Isernhagen, Germany

(hereinafter referred to as ‘Suchen Technology GmbH’, ‘Suchen Technology Services’ or ‘we’) is the controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data when using the suchen.expert platform.

This privacy policy applies to all German and multilingual websites under suchen.expert, the associated mobile applications and other online services provided by us (hereinafter collectively referred to as the ‘platform’).

The protection of your personal data and your privacy is very important to us. We process your data exclusively in accordance with the applicable data protection regulations, in particular the EU General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

§ 1 General information

1.1 Suchen Technology GmbH attaches great importance to the careful and responsible handling of personal data. We process personal data exclusively in accordance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

1.2 This privacy policy informs you in accordance with Articles 13 and 14 of the GDPR about the nature, scope, purposes and legal basis of the processing of your personal data, as well as your rights as a data subject in connection with the use of our platform suchen.expert.

1.3 This privacy policy applies to all data processing operations that take place when visiting and using suchen.expert. For other processing situations (e.g. in the context of job applications, contractual relationships with business partners or other offline processes), we may provide separate privacy notices.

1.4 Use of suchen.expert requires that you take note of this privacy policy. However, depending on the process, your personal data will be processed on the respective legal basis specified (e.g. Art. 6(1)(b) GDPR for contractual relationships or Art. 6(1)(f) GDPR for legitimate interests). If consent is required, it will be obtained separately.

1.5 The purpose of this privacy policy is to ensure transparent and appropriate protection of your personal data against unauthorised access, unauthorised disclosure, loss or misuse, and to inform you about our data processing in an understandable form.

1.6 The privacy policy applies to all personal data that we collect, use or store about you in connection with your use of the suchen.expert platform.

1.7 If you do not agree with the data processing described in this privacy policy, you may not be able to use certain services or functions of suchen.expert, or only to a limited extent. Legal claims, in particular your rights as a data subject under the GDPR, remain unaffected by this.

1.8 This privacy policy applies exclusively to the suchen.expert platform. We accept no responsibility for third-party content and offers to which we link or which are integrated via interfaces (e.g. external websites). The processing of your data by such third parties is subject to their own privacy policies.

1. 9 We provide technical and organisational options that allow you to view and update your personal data in your user account. Nevertheless, you are required to ensure that the data you provide is accurate and up to date.

1.10 By registering or using the platform, users confirm that they have read and understood the privacy policy.

However, personal data is processed exclusively on the basis of the relevant legal provisions or, if necessary, on the basis of separately obtained consent.

The current versions of the privacy policy, the general terms of use and any other usage guidelines are available at any time at suchen.expert.

§ 2 Definitions

In this privacy policy, the following terms are used in accordance with the General Data Protection Regulation (GDPR), unless otherwise expressly stated:

2.1 ‘Personal data’

Personal data is any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR). A person is considered identifiable if they can be identified directly or indirectly, in particular by association with a name, an identification number, location data, an online identifier or one or more special characteristics (e.g. name, address, telephone number, email address, user name, date of birth, payment details).

2.2 ‘Processing’

Processing means any operation or set of operations which is performed on personal data, whether or not by automated means (Art. 4 No. 2 GDPR), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.3 ‘Data subject’

A data subject is any identified or identifiable natural person whose personal data is processed by us.

2.4 ‘User’

A user is any person who visits the suchen.expert platform, registers an account or uses the services of suchen.expert – regardless of whether they are a private individual, a company or another organisation.

2.5 ‘Controller’

The controller is Suchen Technology GmbH, which alone or jointly with others determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).

2.6 ‘Processor’

The processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (Art. 4 No. 8 GDPR).

2.7 ‘Profile’

Profile refers to the personal or commercial user area on suchen.expert, where the user can manage their details, place and view advertisements, and configure certain settings (e.g. contact details, visibility, notifications).

2.8 ‘Services’ Services are all functions and services provided by Suchen Technology GmbH via the platform, in particular the ability to search for, view or publish information about found, lost, missing or stolen items, advertisements, services, incidents and other content.

2.9 ‘Data’

Data includes all information and content provided by users in the context of using suchen.expert (e.g. advertisement texts, images, messages), including personal data, insofar as this is contained in the information provided.

§ 3 Controller (Art. 4 No. 7 GDPR)

3.1 Controller

The controller responsible for the processing of personal data on the suchen.expert platform within the meaning of the General Data Protection Regulation (GDPR) is:

Suchen Technology GmbH

Dieselstraße 11

30916 Isernhagen, Germany

The controller decides on the purposes and means of data processing. Data protection concerns can be addressed at any time via the contact form or by post to the above address.

3.2 Data protection officer

Under current law, Suchen Technology GmbH is not obliged to appoint a data protection officer in accordance with Art. 37 GDPR.

3.3 Competent supervisory authority

Without prejudice to your rights under Art. 77 GDPR, you can lodge a complaint with a data protection supervisory authority. The competent authority for us is:

The State Commissioner for Data Protection of Lower Saxony

Prinzenstraße 5

30159 Hanover

Telephone: +49 (0)511 120 45 00

Fax: +49 (0)511 120 45 99

Email: poststelle@lfd.niedersachsen.de

§ 4 Terms of use in connection with data protection

4.1 Registration and conditions of use

Registration is required to use the suchtsuch.expert platform. The user assures that they have provided all necessary information correctly and that they are authorised to use the platform. Use of the platform requires the provision of certain personal data that is technically and contractually necessary for registration, login and range of functions.

4.2 Obligation to provide correct and up-to-date information

The user undertakes to provide correct, truthful and up-to-date personal data during registration and when using the platform. The user must immediately update any changes in their profile.

4.3 Visibility of publicly available data

If the user voluntarily makes information or content (e.g. name, profile details, advertisements, texts, images, reviews) publicly available, this may be viewed, saved or redistributed by other users and, depending on the visibility settings, also by internet users. The user is responsible for any information they voluntarily publish.

4.4 Restriction on deletion

Certain content provided by the user cannot be completely deleted retrospectively if it has already been copied by other users or stored outside the platform. Statutory retention obligations remain unaffected.

4.5 Acknowledgement of the privacy policy

The user confirms that they have taken note of this privacy policy. However, depending on the process, personal data is processed on the relevant legal basis (Art. 6 GDPR). If consent is required, it will be obtained separately and clearly.

4.6 Responsibility for information provided Suchen Technology GmbH is not obliged to check the content provided by the user for accuracy, completeness or timeliness. A check will only take place if this is required by law (e.g. to fulfil legal obligations) or is necessary to ensure the proper functioning of the platform.

4.7 Measures in the event of violations

In the event of violations of these terms and conditions – in particular in the case of false information, misuse or illegal publications – Suchen Technology GmbH reserves the right to restrict or block user accounts or to remove content. Further legal claims remain unaffected.

§ 5 Purposes and legal basis of data processing

5.1 Overview

We process the personal data of suchen.expert users for clearly defined purposes and on the basis of the legal grounds provided for in Art. 6 GDPR. The most important purposes and legal grounds are summarised below. The categories of personal data concerned are described in § 6.

5.2 Contractual relationship and platform use (Art. 6(1)(b) GDPR)

An essential purpose of data processing is the initiation, establishment, implementation and termination of the user agreement via the suchen.expert platform. This includes in particular:

- Registration and administration of the user account,

- Provision of platform functions (e.g. creation, management and display of advertisements, messaging functions, reviews),

- Processing of chargeable services, including invoicing and payment processing,

- Verification of accounts and identity, where necessary,

- Processing of enquiries regarding existing contracts.

Without the processing of the data required for this purpose, use of the platform is only possible to a limited extent or not at all.

5.3 Communication with users (Art. 6(1)(b) and (f) GDPR)

We process data in order to communicate with users, in particular:

- Responding to contact requests (e.g. via contact form or email),

- Support and technical assistance,

- Providing information about changes to services, functions or legal

framework conditions.

Insofar as the communication is directly related to an existing or initiated contractual relationship, the legal basis is Art. 6 (1) lit. b GDPR. Otherwise, processing is carried out to safeguard our legitimate interests in proper and efficient communication (Art. 6 (1) lit. f GDPR).

5.4 Operation, security and prevention of misuse

(Art. 6(1)(f) GDPR)

To ensure the secure and stable operation of suchen.expert, we process technical data and log data (e.g. IP address, time of access, device and browser information) in order to:

- ensure the technical functionality of the platform,

- detect and rectify malfunctions and errors,

- prevent and investigate misuse or illegal use,

- ensure the security of systems, networks and data.

Our legitimate interest here is to maintain a secure, stable and functional online service.

5.5 Analysis, improvement and further development

(Art. 6 para. 1 lit. f GDPR, if applicable Art. 6 para. 1 lit. a GDPR)

We process usage and behavioural data in aggregated or pseudonymised form in order to:

- better understand usage behaviour,

- continuously improve our services and develop new functions,

- optimise the user-friendliness and performance of the platform.

If cookies or similar technologies are used for this purpose that are not technically necessary (e.g. for analysis or marketing purposes), this is done exclusively on the basis of your consent (Section 25 (1) TDDDG in conjunction with Art. 6 (1) (a) GDPR). In all other respects, we base the analysis on our legitimate interest in the economic and user-friendly design of our offering (Art. 6 para. 1 lit. f GDPR).

5.6 Marketing, newsletters and direct advertising

(Art. 6 para. 1 lit. a and lit. f GDPR, Section 7 UWG)

We may use your data for marketing and information purposes, in particular:

- Sending newsletters and information emails about our products and services (only with prior consent, Art. 6(1)(a) GDPR),

- personalised content and offers, provided you have consented to this,

- direct advertising to existing customers for our own similar products and services by e-mail under the conditions of Section 7 (3) UWG (legitimate interest, Art. 6 (1) lit. f GDPR).

You can object to the use of your data for direct marketing purposes at any time and revoke your consent (see Section 14 of this privacy policy, Art. 21 GDPR).

5.7 Cooperation with partners and service providers

(Art. 6(1)(b), (f) and, where applicable, (a) GDPR)

We work with selected service providers and partners to provide certain functions (e.g. payments, map and map services, analysis and marketing tools, app tracking). The data is processed:

- to fulfil the user agreement with you (Art. 6(1)(b) GDPR),

- to safeguard our legitimate interests in efficient and secure service provision (Art. 6(1)(f) GDPR),

- and – where necessary – on the basis of your consent (Art. 6(1)(a) GDPR), in particular for advertising IDs (e.g. GAID, IDFA),

app tracking and personalised advertising.

Further details on the tools and service providers used can be found in the relevant sections of this privacy policy (e.g. cookies, tracking tools, payment service providers).

5.8 Contact form and other contact

(Art. 6 para. 1 lit. b and lit. f GDPR)

If you send us enquiries via the contact form, e-mail or other means, we will process your details (e.g. name, contact details, content of the enquiry) exclusively for the purpose of processing and responding to the enquiry and, if necessary, for follow-up questions.

The legal bases are:

- Art. 6(1)(b) GDPR, if the enquiry is related to an existing or prospective contractual relationship,

- Art. 6 (1) lit. f GDPR, our legitimate interest in the proper processing of customer and user enquiries.

The data will be deleted as soon as the purpose of the processing no longer applies and there are no legal retention obligations.

5.9 Processing of location data (Geoposition)

(Art. 6(1)(b) and (f) GDPR, Art. 6(1)(a) GDPR if applicable)

If you use functions based on location information, we process location data (e.g. IP-based localisation, GPS data) in order to:

- display geographically relevant content and advertisements to you,

- personalise search results and recommendations,

- perform statistical evaluations of the use of location-based functions.

You can deactivate the transmission of precise location data via your device at any time in the settings of your browser or operating system.

The legal bases are:

- Art. 6 para. 1 lit. b GDPR, insofar as location processing is necessary for certain contractual functions,

- Art. 6(1)(f) GDPR, our legitimate interest in a user-friendly, locally relevant offering,

- and, where applicable, your consent pursuant to Art. 6(1)(a) GDPR, insofar as we use location-based data for more extensive personalised services.

5.10 Communication and notification tools

(Art. 6(1)(b), (f) and, where applicable, (a) GDPR)

We use communication and notification tools (e.g. email, SMS, in-app or push notifications) to:

- send security-related notices, system messages or information about your account,

- inform you about new messages, activities or relevant changes on the platform,

- provide you with marketing information, if you have consented to this.

Security-related and contract-related messages are based on Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in security and user information). For marketing notifications, we obtain your consent in accordance with Art. 6 (1) (a) GDPR.

5.11 Cooperation with law enforcement and supervisory authorities

(Art. 6 (1) (c) and (f) GDPR)

We may transfer personal data to law enforcement or supervisory authorities if we are legally obliged to do so (Art. 6(1)(c) GDPR) or if this is necessary to safeguard our legitimate interests (Art. 6(1)(f) GDPR), e.g. to investigate cases of abuse, to defend against legal claims or to cooperate in official or court proceedings.

In this context, data will be stored for as long as is necessary to fulfil legal obligations or to assert, exercise or defend legal claims.

5.12 Legal obligations

(Art. 6(1)(c) GDPR)

We are subject to various legal obligations that may require the processing of personal data. These include in particular:

- commercial and tax law retention periods,

- supervisory and reporting requirements,

- other legal documentation and evidence requirements.

In these cases, processing is carried out on the basis of Art. 6 para. 1 lit. c GDPR.

5.13 Legal enforcement and defence

(Art. 6(1)(f) GDPR)

We also process personal data to assert and enforce our rights and to defend ourselves against legal claims. This includes, for example:

- preservation of evidence,

- extrajudicial and judicial enforcement of claims,

- defence against unjustified claims.

The legal basis is Art. 6 para. 1 lit. f GDPR, our legitimate interest in protecting and enforcing our rights.

5.14 Consent and revocation

(Art. 6 para. 1 lit. a GDPR)

Insofar as we process data on the basis of your consent (e.g. for newsletters, certain marketing measures, location-based services, app tracking or personalised advertising), the processing is carried out exclusively for the purposes specified in the consent.

You can revoke your consent at any time with effect for the future. This does not affect the lawfulness of the processing carried out until the revocation. Information on revocation can be found in this privacy policy and in the respective declarations of consent.

§ 6 Categories of personal data

Depending on the use of the platform and the functions you have activated, we process the categories of personal data described below. Not all data is collected from every user.

6.1 Master data

This includes in particular:

- Full name

- Address (primary), other addresses if applicable

- Date of birth (e.g. for age verification)

- Telephone number(s)

- Email address(es)

- Company-related data (e.g. company name, VAT ID, commercial register data)

Depending on usage, this data is required for registration, identification, communication and contract execution.

6.2 Contract and billing data

This includes in particular:

- User account information

- Booking/service data

- Payment information (e.g. IBAN, invoices, transactions)

- Details of booked paid services

- Verification data (e.g. account/identity verification)

We process this data for contract execution and billing purposes.

6.3 Profile data and content provided by the user

This includes in particular:

- Profile picture and other uploaded photos

- Public profile information and descriptive texts

- Advertisements (texts, images, categories, metadata)

- Reviews, star ratings, comments

- Interactions with other users (e.g. follows, subscriptions)

- Content shared via social networks

This information is publicly visible, depending on its visibility settings.

6.4 Communication data

This includes:

- Messages via internal messenger functions

- Emails, support requests, contact forms

- Push notifications and system settings

- Verification codes (e.g. SMS or email for login)

This data is used for communication and account security.

6.5 Usage and behaviour data

This includes in particular:

- Date and time of registration

- Login history, online status, activity logs

- Areas/sections visited and length of stay

- Interactions with advertisements (creating, saving, sharing, clicking)

- Favourites lists

- Profiles followed and own followers

- User activity in the rating system

- Reports, complaints, disputes

- Invitations, referral codes, referrals

- Mentions by other users

This data is used to improve, analyse and personalise the platform functions.

6.6 Location and geolocation data

This includes:

- IP-based rough location determination

- Precise location data via device/operating system services (e.g. GPS),

if approved by the user

- Time/region settings

We only process this data if you use the corresponding functions or give your consent.

6.7 Technical data and server log data (web)

This includes in particular:

- Date and time of access

- Browser type and version

- Operating system type and version

- Language settings of the browser

- Referrer URL

- Host name of the accessing device

- Screen resolution and device information

- User agent data - Server request logs (‘log files’)

This data is necessary for functionality, security and error analysis.

6.8 Device data when using Android

If you use our Android app, the following data may be processed, depending on device permissions

- Device type, device name, model

- Android operating system version

- Manufacturer ID (if provided by the system)

- GAID (Google Advertising ID) – only with consent

- OpenUDID or App Flyer ID (only for approved marketing tools)

- Time zone, preferred language

- Wi-Fi information (SSID, MAC address) – only if the OS transmits this

- Mobile network information (network operator, MNC)

- Type of internet connection (mobile/Wi-Fi)

- App version and technical device status

Some of these features are considered uniquely identifying identifiers under data protection law and may only be used for marketing or tracking purposes with consent.

6.9 Device data when using iOS

When using our iOS app, the following data categories may be processed, depending on the settings:

- Device type, device name, model and OS version

- IDFA (Identifier for Advertisers) – only with consent / ‘App Tracking Transparency’

- OpenUDID/AppsFlyer UID (only if activated)

- Time zone, preferred language

- Manufacturer's device ID (if available)

- Wi-Fi information (SSID/MAC, only if OS allows)

- Mobile network information (network operator, MNC)

- App version, technical status

Here too, advertising IDs may only be used with consent.

6.10 Data from third-party sources and data generated by third parties

This may include:

- User feedback from other users (comments, ratings)

- Reports of violations or disputes

- Mentions and links within the platform

- Invitations via recommendation systems

- Data from cooperation partners (e.g. payment service providers) for contract processing

- Statistical data provided by partners on user behaviour in anonymised or pseudonymised form

This data is always processed in accordance with legal requirements.

6.11 Sensitive data (special categories of personal data)

We do not collect any special categories of personal data within the meaning of Art. 9 GDPR (e.g. health data, religious affiliation), unless the user voluntarily publishes such information in content or messages. Such publication is the sole responsibility of the user.

§ 7 Principles of personal data processing

Suchen Technology GmbH complies with the legal principles of Art. 5 GDPR in all processing operations involving personal data.

These principles ensure the responsible and lawful handling of personal data.

7.1 Lawfulness, processing in good faith and transparency

Personal data is processed exclusively on a legal basis and only in a manner that is comprehensible and transparent to the persons concerned. Users are informed about the purposes, legal bases, recipients, storage periods and their rights in accordance with Articles 13 and 14 GDPR.

7.2 Purpose limitation

Data is collected only for specified, explicit and legitimate purposes. Further processing for other purposes takes place only if there is a legal basis or if the user has given their consent.

7.3 Data minimisation

Only personal data that is necessary for the respective purposes is processed. Data collection, scope and storage period are limited to the necessary extent.

7.4 Accuracy

Suchen Technology GmbH takes appropriate measures to ensure that the personal data processed is factually correct and, if necessary, up to date. Users can update their data themselves in their profile at any time or request a correction (Art. 16 GDPR).

7.5 Storage limitation Personal data will only be stored for as long as is necessary for the processing purposes or as long as there are legal retention obligations. After that, the data will be deleted or anonymised (see Section 12 of this privacy policy).

7.6 Integrity and confidentiality

We use appropriate technical and organisational measures to ensure that personal data is protected against unauthorised or unlawful processing, accidental loss, destruction or damage. These include access restrictions, encryption technologies, logging, security and authorisation concepts.

7.7 Accountability

Suchen Technology GmbH is responsible for ensuring that data protection regulations are complied with and can provide evidence of this if necessary (Art. 5 (2) GDPR). This includes, among other things, the documentation of processing activities, risk analyses, technical and organisational measures, and data processing agreements.

7.8 No unauthorised data linking

Data sets that have been collected for different, incompatible purposes are not merged. Data is only linked if there is a legal basis for doing so or if the user has expressly consented to this.

7.9 Data protection through technology design and privacy-friendly default settings

The suchen.expert platform is designed in such a way that data protection and data minimisation are already taken into account at the technical level (Art. 25 GDPR). By default, only those functions that are necessary for normal use are activated (‘privacy by default’).

7.10 Responsibility of users

Users are responsible for the accuracy and visibility of the data they voluntarily publish (e.g. advertisements, photos, reviews). We recommend that users carefully consider what content they wish to make publicly available, especially if sensitive data is involved.

§ 8 Use of cookies and similar technologies

8.1 General information

Our website uses cookies and similar technologies (e.g. local storage, session storage, pixels, tracking codes) to provide certain functions, evaluate usage and operate our website from a technical perspective. Cookies are small text files that are stored on your device and do not contain any malicious programs or viruses.

We distinguish between technically necessary cookies and cookies that require consent (§ 25 TDDDG and Art. 6 GDPR).

8.2 Types of cookies and technologies

(1) Technically necessary cookies

These cookies are essential for the operation and basic functions of the website, e.g.:

- Login/session management

- Security functions

- Cookie consent management

- Language selection/basic settings

Legal basis:

Section 25(2)(2) TDDDG (permitted without consent)

Article 6(1)(f) GDPR (legitimate interest in the operation of the website)

(2) Functional cookies

These enable additional functions and convenience, such as:

- Storage of settings

- User preferences

Legal basis:

Depending on how they function, either legitimate interest or consent.

(3) Analysis/statistics cookies

These are used to analyse user behaviour (e.g. page views, duration of use, click behaviour).

Legal basis:

Section 25 (1) TDDDG + Art. 6 (1) lit. a GDPR (only with consent)

(4) Marketing/tracking cookies

Enable personalised advertising, retargeting or reach measurement across different services. Example: Google Ads, remarketing, app tracking.

Legal basis:

Section 25 (1) TDDDG + Art. 6 (1) lit. a GDPR (only with consent)

(5) Third-party cookies

These are set by external providers (e.g. analysis, marketing, map or video services) and may allow tracking across multiple websites.

(6) Session cookies

These are automatically deleted when the browser is closed.

(7) Persistent cookies

These remain stored for a defined period of time and enable recognition when you visit again.

(8) Secure cookies (Secure, HttpOnly)

These are transmitted exclusively via HTTPS and some of them cannot be read via JavaScript (protection against XSS).

8.3 Cookie consent tool

When you first visit our website, a banner appears in which you can select or reject non-essential cookies. Your selection is stored in the cookie consent tool and can be changed or revoked there at any time.

Legal basis:

Art. 6 para. 1 lit. a GDPR (consent)

§ 25 para. 1 TDDDG (storage access)

Consent is logged in accordance with Art. 7(1) GDPR.

8.4 Management and revocation of cookies

You can:

- deactivate all non-essential cookies in the consent banner,

- revoke your consent at any time with future effect,

- manually delete cookies in your browser,

- configure cookie settings in your browser (blocking, exceptions).

Please note: Deactivating technically necessary cookies may impair the functionality of the website.

8.5 Cloudflare Turnstile (CAPTCHA)

We use the security and validation procedure ‘Turnstile’ security and validation procedure provided by:

Cloudflare, Inc.

101 Townsend St, San Francisco, CA 94107, USA

For EU/EEA data processing:

Cloudflare Portugal, Unipessoal Lda or other Cloudflare subsidiaries in the EU.

8.5.1 Type of processing

Cloudflare processes certain technical information as part of the Turnstile service to assess whether access originates from a human or an automated system. The specific data processed depends on the technical procedures provided by Cloudflare. This may include, among other things:

- IP address

- Browser and device information

- Referrer URL

- Technical connection data

- Interaction and system signals automatically transmitted by the end device.

The specific processing is carried out by Cloudflare according to its own technical procedures.

8.5.2 Purpose

The use of Turnstile serves to:

- Secure our website and forms against bots,

- Maintain the functionality of our services,

- Reduce abusive or harmful access.

These measures are in line with our legitimate interest pursuant to Art. 6(1)(f) GDPR.

8.5.3 Legal basis

Processing is based on our legitimate interest in the security, stability and functionality of the platform (Art. 6(1)(f) GDPR).

8.5.4 Data transfer

Cloudflare may transfer data to locations outside the EU/EEA as part of its security services. Cloudflare bases such transfers on the applicable mechanisms of the GDPR (e.g. standard contractual clauses or other permissible safeguards).

8.5.5 Further information

Cloudflare privacy policy:

https://www.cloudflare.com/privacypolicy/

8.5.6 Note

Without Turnstile, the use of certain functions – in particular forms or registration – may be technically restricted.

8.6 Google Analytics (GA4)

We use the web analytics service Google Analytics (GA4) on our website, provided by:

Google Ireland Limited

Gordon House, Barrow Street

Dublin 4, Ireland

(‘Google’)

8.6.1 Type of data processing

Google Analytics uses technologies such as cookies, pixels or device-related identifiers to analyse information about the use of our website. The specific data collected and how it is processed depends on Google's technical specifications. This may include, in particular:

- Page views, click and scroll behaviour

- Duration and frequency of sessions

- Browser and device information

- Operating system, language settings

- Referrer URL

- Timestamps and interaction events

- Shortened or anonymised IP addresses (if provided by Google)

The actual data processing is carried out by Google in accordance with its own technical procedures and settings.

8.6.2 Purpose

Google Analytics can be used to analyse the use of our website, measure its reach and improve our online offering.

8.6.3 Legal basis

Google Analytics is used exclusively with your consent in accordance with:

- Section 25 (1) TDDDG

- Art. 6 (1) lit. a GDPR

Google Analytics is only used if the relevant consent has been given. The data is processed by Google and is subject to the technical mechanisms provided by Google.

8.6.4 Transfer to third countries / EU–US Data Privacy Framework (DPF)

The transfer of personal data to the USA cannot be ruled out in connection with the use of Google Analytics. Google LLC may be certified under the EU–US Data Privacy Framework (DPF).

If such certification exists, the transfer is based on an adequacy decision by the European Commission in accordance with Art. 45 GDPR. The current certification status can be viewed in the official DPF list of the European Commission.

8.6.5 Storage period

The storage period for event and usage data is configured to the minimum possible duration within the available settings of Google Analytics (currently a maximum of 14 months).

8.6.6 Withdrawal of consent

You can withdraw or change your consent at any time using our cookie consent tool. This does not affect the lawfulness of the processing carried out until the withdrawal.

8.6.7 Data protection information from Google

Further information on the processing of personal data by Google can be found at:

https://policies.google.com/privacy

8.7 Google Ads and Google Remarketing

Provided you give your consent, we use functions of the advertising services Google Ads and Google Remarketing, provided by:

Google Ireland Limited

Gordon House, Barrow Street, Dublin 4, Ireland

Technical processing is carried out by Google in accordance with the systems and mechanisms provided by Google.

8.7.1 Type of processing

Google may use various technologies to display, measure or optimise advertisements. The data processed in each individual case depends on the processes defined by Google. This may include:

- Information about pages visited and content accessed

- Information about interactions (clicks, views, navigation behaviour)

- Device and browser information

- Pseudonymous advertising IDs such as GAID or IDFA (only with consent)

- Technical meta information

- IP address (according to Google's settings)

Google uses this information to personalise advertisements, measure reach and form target groups, among other things.

8.7.2 Purpose

If provided by Google and requested by you, the data may be used for the following purposes:

- Display of relevant and interest-based advertising,

- Analysis and measurement of the success of advertising campaigns (conversion measurement),

- Formation of pseudonymous target groups for remarketing.

8.7.3 Legal basis

The use of Google Ads and remarketing is based exclusively on your consent, in particular for the use of cookies and similar technologies in accordance with:

- Section 25 (1) TDDDG

- Art. 6 (1) lit. a GDPR

These services will not be activated without your consent.

8.7.4 Transfer to third countries / EU-US Data Privacy Framework (DPF)

Personal data may be transferred to the USA within the scope of the services provided by Google.

Google LLC is certified under the EU-US Data Privacy Framework (DPF) and thus guarantees an adequate level of data protection in accordance with Art. 45 GDPR.

8.7.5 Revocation / opt-out

You can revoke your consent at any time via our cookie consent tool. Google also offers its own opt-out options:

- https://adssettings.google.com

- https://optout.networkadvertising.org/

8.7.6 Data protection information from Google

Further information on data processing by Google can be found at:

https://policies.google.com/privacy

8.8 Google Consent Mode v2

We use Google Consent Mode v2 to adapt the integration of certain Google services (e.g. Analytics, Ads, Conversion Tracking, Remarketing) to your chosen consent status. The technical processes of Consent Mode v2 are provided and controlled by Google.

8.8.1 How it works

Consent Mode v2 enables Google to adapt the processing of certain data to the user's consent status. Consent Mode transmits signals such as:

- ad_user_data (granted / denied)

- ad_personalisation (granted / denied)

The actual data processing, its scope and the type of information collected are determined by Google and the Google services used in each case. Google adapts its systems based on the consent settings you have selected.

8.8.2 Purpose

Consent Mode can be used to

- technically implement your consent decision,

- adapt the integration of Google services to your preferences,

- enable the control of certain Google functions in accordance with data protection regulations.

8.8.3 Legal basisInsofar as Google services use storage technologies or tracking, this is done exclusively on the basis of your consent in accordance with:- Section 25 (1) TDDDG- Art. 6 (1) lit. a GDPRConsent Mode itself represents a technical interface for implementing your decision.8.8.4 Data transferWithin the scope of Consent Mode, technically necessary meta information may be transmitted to Google (e.g. domain information, consent status or comparable signals).Further processing of this information is carried out by Google in accordance with its own data protection regulations.Transfers to the USA may take place. Google LLC is certified under the EU-US Data Privacy Framework (DPF).8.8.5 RevocationYou can change or revoke your consent at any time via our cookie consent tool. Google implements changes to consent in accordance with its technical specifications.8.8.6 Further informationGoogle's privacy policy:https://policies.google.com/privacyFurther information on consent mode:https://support.google.com/google-ads/answer/135157838.9 Apple App Tracking Transparency (ATT)Our iOS app uses functions provided by Apple as part of the App Tracking Transparency (ATT) framework, provided you give your consent. Provider:Apple Inc.One Apple Park Way, Cupertino, CA 95014, USA.8.9.1 How it worksWithin the ATT framework, Apple itself determines the conditions under which apps may access certain device information.iOS devices display a consent pop-up for this purpose, which is controlled and managed by Apple. The data that Apple collects or provides in this context depends on the settings of the user and the operating system. This may include, among other things:- the advertising ID (Identifier for Advertisers – IDFA),- device-related information,- system-side signals for attribution and reach measurement,- cross-app interactions, to the extent permitted by Apple.8.9.2 Processed dataThe data processed in each individual case depends on the technical mechanisms provided by Apple and the settings of the end device. Depending on the consent given, Apple may release certain information, e.g.:- IDFA (if permitted by the user),- Device and system information,- Anonymous or pseudonymous attribution data,- Interaction and usage events.8.9.3 PurposeDepending on your consent and the functions of the end device, the data provided via ATT may be used for the following purposes:- Measurement of app installations and campaign reach,- Attribution purposes and technical analysis,- Optional: personalised advertising (only with consent).8.9.4 Legal basisInsofar as personal data is processed via ATT, this is done exclusively on the basis of your consent (Art. 6 (1) (a) GDPR, § 25 TDDDG).The actual processing is carried out by Apple in accordance with its own data protection regulations.8.9.5 RevocationYou can revoke or adjust your consent at any time via the iOS settings under ‘Settings → Privacy → Tracking’.8.9.6 Apple privacy informationFurther information:https://www.apple.com/legal/privacy/8.10 Android app tracking and Google Advertising ID (GAID)Our Android app can – provided you give your consent – access functions provided by Google as part of the Google Advertising ID (GAID). Provider:Google Ireland LimitedGordon House, Barrow Street, Dublin 4, Ireland.8.10.1 Processed identifiersThe data that can be processed in each individual case depends on the settings of your Android device, the technology provided by the operating system and the consent you have given.

Depending on the system configuration, this may include, among other things:

- Google Advertising ID (GAID),

- Device information (model, OS version, language/region),

- Basic usage and interaction signals,

- Technically provided attribution and installation data.

The actual provision and processing of this information is carried out by Google or Android on the system side.

8.10.2 Purpose

If the GAID or related data is released by the system, it may be used for the following purposes, depending on your consent and device settings:

- Technical attribution and installation measurement,

- Analysis of app usage in anonymised or pseudonymised form,

- Optional: personalised advertising (only with consent).

8.10.3 Legal basis

If personal data is processed via GAID, this is done exclusively on the basis of your consent in accordance with:

- Art. 6 (1) lit. a GDPR

- § 25 (1) TDDDG

The actual technical data processing is carried out by Google in accordance with its own data protection regulations.

8.10.4 Revocation / device settings

You can adjust or deactivate the provision and use of GAID at any time in the settings of your Android device:

Settings / Google / ‘Advertising’ / “Ads” -

‘Reset advertising ID’ or ‘Deactivate personalised advertising’.

8.10.5 Further information

Further information on data processing by Google can be found at:

https://policies.google.com/privacy

8.11 Server-side tracking / server-side tagging

We use server-side tracking technologies (e.g. server-side tagging systems, server-side Google Tag Manager or comparable technical solutions) that enable certain tracking and analysis processes to be carried out via a server operated by us.

8.11.1 How it works

With server-side tracking, certain requests are not sent directly from the user's device to external providers, but are routed via an intermediate technical step. The actual type of processing depends on the respective technical settings and the mechanisms of the services used. Which data is further processed or transferred depends in particular on your consent and the specifications of the respective third-party providers.

8.11.2 Possible processed data

Depending on your consent and the services used, the following information, among other things, may be processed via the server-side approach:

- Technical information provided by the system

(e.g. device or browser data),

- usage events and interaction signals,

- pseudonymous identifiers or comparable technical characteristics (only if consent has been given for this),

- technically necessary meta information.

The exact data processing is carried out in accordance with the specifications of the respective third-party providers (e.g. Google, Microsoft).

8.11.3 Purpose

The use of server-side systems serves the following purposes, among others:

- technically optimised execution of analysis and marketing functions,

- improvement of the stability and reliability of measurement processes,

- reduction of direct connections between end devices and third-party providers.

8.11.4 Legal basis

The legal basis depends on the purpose of the data processing:

- for technically necessary processing: Art. 6(1)(f) GDPR,

- for analysis, statistical and marketing purposes: exclusively with consent

in accordance with Section 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

8.11.5 Transfer to third-party providers

Data will only be transferred to analysis or marketing services (e.g. Google, Microsoft) if you have given your consent. Further processing is carried out by the respective providers on their own responsibility.

8.11.6 Transfers to third countries

Data will only be transferred to providers outside the EU/EEA (e.g. USA) in accordance with the applicable provisions of the GDPR (e.g. EU-US Data Privacy Framework or standard contractual clauses), insofar as this is provided for by the respective service.

8.12 Microsoft Advertising / Universal Event Tracking (UET)

We use – provided you give your consent – functions of the advertising service ‘Microsoft Advertising’ (formerly Bing Ads), including Universal Event Tracking (UET). Provider:

Microsoft Corporation

One Microsoft Way, Redmond, WA 98052-6399, USA

For EU/EEA:

Microsoft Ireland Operations Limited

One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland The specific technical processing is carried out by Microsoft in accordance with the systems and mechanisms provided by Microsoft.

8.12.1 Type of processing

Microsoft may use various technologies such as cookies, pixels or similar identifiers to perform advertising and analysis functions.

The data collected or processed in each individual case is determined by Microsoft's technical specifications. This may include, among other things:

- IP address (in accordance with Microsoft's systems),

- browser and device information,

- interaction and usage data (e.g. pages visited, click behaviour),

- pseudonymous Microsoft advertising IDs or comparable identifiers,

- technical meta information (times, referrers, retrieval events).

Further processing of this information is carried out by Microsoft on its own responsibility.

8.12.2 Purpose

If you wish and if provided by Microsoft, the data may be used for the following purposes:

- Measuring the success and analysing advertising campaigns (conversion tracking),

- Measuring reach,

- Creating pseudonymous target groups (remarketing),

- Displaying interest-based advertising (only with consent).

8.12.3 Legal basis

The use of Microsoft Advertising / UET is based exclusively on your consent:

- Section 25 (1) TDDDG (storage and access technologies),

- Art. 6 (1) (a) GDPR (consent).

The corresponding functions will not be activated without your consent.

8.12.4 Transfers to third countries

Personal data may be transferred to the USA as part of Microsoft's services.

Microsoft is certified under the EU–US Data Privacy Framework (DPF) and thus ensures an adequate level of data protection in accordance with Art. 45 GDPR.

8.12.5 Revocation/opt-out

You can change or revoke your consent at any time via our cookie consent tool. Microsoft also provides its own options for deactivation:

https://account.microsoft.com/privacy/ad-settings/signedout

8.12.6 Data protection information from Microsoft

Further information on data processing by Microsoft can be found at:

https://privacy.microsoft.com/de-de/privacystatement

8.13 PayPal (payment service provider)

On suchen.expert, we offer the option of processing payments via the PayPal service. The provider is:

PayPal (Europe) S.à r.l. et Cie, S.C.A.

22–24 Boulevard Royal

L-2449 Luxembourg

(‘PayPal’)

8.13.1 Type of data processing

If you choose to pay via PayPal as part of a payment transaction, certain data relating to the payment will be transmitted to PayPal. The specific data involved is determined by the input fields in the respective payment form and the interface provided by PayPal. This may include, in particular:

- Name,

- Address,

- Email address,

- Telephone number, if applicable,

- Payment information (e.g. account details, card details, transaction amounts, contract or order information),

- Other data required for the processing of the payment.

The specific processing of this data is carried out by PayPal on its own responsibility in accordance with its technical procedures and contractual terms and conditions.

8.13.2 Purpose

The data is transferred to PayPal for the purpose of executing and processing the payment transaction you have selected and, if necessary, for fraud prevention and risk assessment by PayPal.

8.13.3 Legal basis

The legal basis for the transfer of data to PayPal is generally Art. 6(1)(b) GDPR (contract performance, payment processing). Insofar as PayPal carries out its own risk, creditworthiness or fraud checks, the processing may be based on the legitimate interests of PayPal and us in secure and efficient payment processing (Art. 6(1)(f) GDPR).

8.13.4 Independent responsibility of PayPal

PayPal processes the transferred data under its own responsibility for data protection. PayPal may use the data, among other things:

- to execute and process payments,

- to check creditworthiness and identity,

- for fraud prevention and risk analysis,

- to fulfil legal obligations.

PayPal may pass on data to affiliated companies, external service providers or credit agencies (e.g. credit agencies) insofar as this is necessary for the fulfilment of the contract or on the basis of its own legal grounds.

These processes are governed exclusively by PayPal's data protection provisions.

8.13.5 Transfer to third countries

It cannot be ruled out that PayPal may transfer personal data to countries outside the EU/EEA (e.g. to the USA). PayPal undertakes to comply with the applicable data protection regulations and to apply appropriate safeguards within the meaning of the GDPR (e.g. standard contractual clauses or equivalent protection mechanisms).

8.13.6 Voluntary use / alternatives

The use of PayPal as a payment method is voluntary. If we offer alternative payment methods, you can choose these if you do not wish to transfer data to PayPal.

8.13.7 Further information

For details on data processing by PayPal, please refer to PayPal's privacy policy:

https://www.paypal.com/de/webapps/mpp/ua/privacy-full

8.14 General note on technical data processing by third-party providers

Insofar as third-party services (e.g. Google, Apple, Microsoft, Cloudflare, PayPal) are used in this privacy policy, the technical processing of personal data is carried out by the respective provider in accordance with its own privacy policy and technical mechanisms.

We have no influence on which data is collected, transmitted or processed in individual cases. The actual data processing depends on the settings of your device, your browser, your operating system and the technical implementation of the respective third-party provider.

Such services are only used if you have given your consent or if there is another legal basis for doing so.

§ 9 Collection and disclosure of user data to third parties

9.1 Collection of personal data

We collect personal data from users in the following situations:

a) Registration and account creation

When registering a user account, the information required to set up and use the account is requested (e.g. name, email address, password, other mandatory information if applicable). .

b) Login and authorisation

Each time you log in, technical data (e.g. IP address, time, device/browser information) and account data are processed in order to protect access and manage the session.

c) Profile maintenance and voluntary information

After registration, users can voluntarily enter or change additional information in their profile (e.g. further contact details, profile photo, company information). This data is only processed if the user actively provides it.

d) Use of services and functions

When using the platform (e.g. when creating advertisements, submitting reviews, sending messages), the data entered or generated in the process is processed.

e) Communication

For enquiries via contact forms, emails or other communication channels, we process the data provided (e.g. name, contact details, content of the message) for processing purposes.

f) Automated collection of technical data

When visiting the website and using the app, technical data (e.g. IP address, browser type, operating system, referrer URL, date and time of access) and log files are automatically collected (see § 6.7 of this privacy policy).

9.2 Storage and processing

Personal data is predominantly processed electronically and stored on servers within the EU or the EEA. Processing is automated or, in individual cases, non-automated (manual), e.g. in the context of support or testing processes.

We take appropriate technical and organisational measures to protect the data from unauthorised access, loss, destruction or alteration.

The storage period depends on the purposes of the processing and the statutory retention obligations (see Section 12 of this privacy policy).

9.3 Principle: No disclosure without legal basis

Personal data will only be disclosed to third parties if:

- this is necessary for the performance of a contract with the user (Art. 6(1)(b) GDPR),

- we are legally obliged to do so (Art. 6(1)(c) GDPR),

- the transfer is necessary to safeguard our legitimate interests and there are no overriding interests of the users (Art. 6(1)(f) GDPR),

- or the user has expressly consented to this (Art. 6 (1) (a) GDPR).

Personal data will not be ‘sold’ to third parties for their own marketing purposes without a legal basis.

9.4 Use of service providers (processors)

We use external service providers who process personal data on our behalf and in accordance with our instructions (Art. 28 GDPR), e.g.:

- Hosting and cloud providers,

- Email/newsletter service providers,

- Payment service providers (insofar as they act as processors),

- Technical support and maintenance service providers,

- Analysis and tracking service providers (only with consent).

We conclude contracts for order processing with all processors, which regulate in particular data security, confidentiality and the obligation to follow instructions.

9.5 Independently responsible parties (third parties with their own responsibility)

In certain cases, data is transferred to third parties who process it under their own data protection responsibility, e.g.:

- Payment service providers (e.g. PayPal), banks,

- Tax advisors, lawyers,

- Platform and cooperation partners with their own contractual relationship with the user,

- App stores (Apple, Google) if users purchase services through them.

The processing by these third parties is subject to their own privacy policies.

9.6 Disclosure within group and partner structures

Insofar as we work with affiliated companies or selected partners (e.g. for technical provision, fraud prevention or billing purposes), personal data may be disclosed to them, provided that:

- this is necessary for the performance of a contract (Art. 6(1)(b) GDPR),

- or there is a legitimate interest (Art. 6(1)(f) GDPR),

- and – where necessary – appropriate safeguards for any transfers to third countries

(e.g. standard contractual clauses, EU-US Data Privacy Framework) are in place.

Any further use of the data by these companies for their own purposes will only take place if there is a separate legal basis (e.g. consent).

9.7 Disclosure to authorities and for law enforcement purposes

We may transfer personal data to authorities, courts or other public bodies if we are legally obliged to do so (Art. 6(1)(c) GDPR) or if this is necessary for the establishment, exercise or defence of legal claims (Art. 6(1)(f) GDPR).

This includes in particular:

- Requests for information from law enforcement authorities,

- Participation in civil or administrative proceedings,

- Investigation of cases of abuse or fraud.

9.8 Visibility and publication of profile data

Certain information provided by the user may be visible to other users or the public, depending on the settings, e.g.:

- Name or profile name,

- Profile picture,

- City/region,

- Date of registration,

- Advertisements (e.g. in the sections ‘Found, Lost, Given Away, Incidents, Services, Exchange’),

- Ratings, reviews, follower/subscriber numbers.

If the user publishes content in public areas of the platform, this content may also be found, stored and redistributed via search engines. The user is responsible for the publication of such content.

The user can control the visibility of certain information via the privacy settings in the user account, insofar as such settings are offered.

9.9 Special categories of personal data

We ask users not to publish any special categories of personal data within the meaning of Art. 9 GDPR (e.g. information on health, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation) when using the platform.

If users nevertheless voluntarily provide such information in advertisements, profiles or messages, they do so at their own risk. Please note that once information has been made public, it can be viewed, copied or disseminated by third parties and we cannot completely prevent this.

9.10 User control and consequences of non-provision

Users generally have control over what voluntary information they provide in their profile or in advertisements and what information they make available to third parties.

However, the provision of certain personal data is necessary for the use of the platform or individual functions (e.g. registration data, contact details for contract processing). Without this data, we cannot provide the corresponding services or can only provide them to a limited extent.

If processing is based on consent, this is voluntary. However, revocation of consent only has effect for the future; certain functions based on consent (e.g. newsletters, personalised advertising) may then no longer be available.

§ 10 Recipients of personal data

10.1 Internal access within Suchen Technology GmbH

Within our company, only those departments and employees who need personal data to perform their tasks are given access to it. These include in particular:

- Customer service and support

- Technical development/operations (IT)

- Accounting/finance

- Legal/compliance

- Product management and quality assurance

Access is based on the ‘need-to-know’ principle and is subject to strict internal data protection and security guidelines.

10.2 External service providers (processors – Art. 28 GDPR)

We use carefully selected external service providers who process personal data on our behalf, e.g.:

- Hosting and cloud providers

- Email and newsletter service providers

- Technical maintenance and IT security service providers

- Payment service providers (insofar as they act as processors)

- Analysis/tracking/marketing service providers (only with consent)

These service providers are contractually obliged:

- to process data exclusively in accordance with our instructions,

- to use appropriate technical and organisational measures (TOM),

- not to use the data for their own purposes.

10.3 Independent controllers (own responsibility)

Some partners do not act as processors, but are themselves responsible for processing under data protection law. Examples:

- Payment service providers (e.g. PayPal)

- Banks

- Lawyers, tax advisors

- App store providers (Apple, Google)

- Cooperation partners with their own contractual relationship with the user

The data protection provisions of the respective third parties apply to these processing operations.

10.4 Disclosure to consultants and auditing bodies

In individual cases, it may be necessary to disclose personal data to persons bound by professional secrecy, e.g.:

- Auditors

- Tax consultants

- Lawyers

These persons are subject to legal confidentiality obligations and process the data exclusively for the purpose of fulfilling their consulting tasks.

10.5 Disclosure to authorities and courts

We may transfer personal data to authorities or courts if we:

- are legally obliged to do so (Art. 6 (1) (c) GDPR),

- or if data is necessary for the assertion, exercise or defence of legal claims

(Art. 6 (1) (f) GDPR).

10.6 Transfer to partner companies

Insofar as this is necessary for the technically secure provision of the platform, for fraud prevention or for the fulfilment of contractual services, data may be transferred to affiliated companies or technical partners. No further use for our own purposes will take place without a separate legal basis or consent.

10.7 Security measures during transmission

We use appropriate technical and organisational measures for every data transmission, e.g.:

- encrypted transmission channels (TLS/HTTPS),

- access controls,

- contractual guarantees (e.g. standard contractual clauses for third-country transfers), - regular security checks of service providers.

§ 11 Rights of users (rights of data subjects)

Users of the suchen.expert platform have the following rights as data subjects within the meaning of the GDPR. These rights can be exercised at any time via the contact channels specified in this privacy policy.

11.1 Access to own data (Art. 15 GDPR)

Users can view the information they have provided themselves in their personal account. In addition, they have the right to obtain information from us about all personal data processed.

11.2 Rectification and updating (Art. 16 GDPR)

Users can correct or update their personal data themselves in their account at any time. In addition, the correction of incorrect data can be requested at any time.

11.3 Deletion (‘right to be forgotten’, Art. 17 GDPR)

The user may request the deletion of their personal data, provided that this does not conflict with any legal retention obligations or legitimate interests. Content that has been copied or archived by other users may not be completely removed.

11.4 Restriction of processing (Art. 18 GDPR)

Under certain circumstances, users may request the restriction of the processing of their data, e.g. if the accuracy is disputed or the data is no longer required.

11.5 Data portability (Art. 20 GDPR)

Users may request to receive their personal data in a structured, commonly used and machine-readable format or to have it transferred directly to another controller.

11.6 Right to object (Art. 21 GDPR)

Users may object to the processing of personal data at any time, provided that this is based on Art. 6(1)(f) GDPR (legitimate interest).

There is an absolute right to object, particularly in the case of direct marketing.

11.7 Withdrawal of consent (Art. 7(3) GDPR)

Consent that has been given (e.g. for cookies, tracking, newsletters) can be withdrawn at any time with effect for the future. The lawfulness of the processing carried out until the withdrawal remains unaffected.

11.8 Responsibility for published content

Users are responsible for the content they make publicly available (e.g. advertisements, photos, reviews). We recommend that you carefully consider what information you share in publicly accessible areas.

11.9 Responsibility for account security

The user is obliged to treat their password as confidential and to notify us immediately if they suspect unauthorised use of their account.

11.10 Visibility via interfaces

The user is aware that information they make publicly available is accessible to other users and, where applicable, internet users. This also includes sharing via interfaces, social media links or search engines.

11.11 No responsibility for the actions of third parties

We are not liable for the use or dissemination of publicly disclosed data by other users or third parties. Users determine the visibility of their data themselves.

§ 12 Duration of data storage and deletion of personal data

12.1 Principle: Storage only for as long as necessary

We only process and store personal data for as long as is necessary for the respective purposes (Art. 5 (1) (e) GDPR). This also includes periods of contract initiation, the implementation of a usage relationship and processing after termination of the contract.

12.2 Statutory retention obligations

Regardless of the purpose of processing, statutory retention obligations may require longer storage:

- Commercial law (Section 257 HGB): 6 years

(e.g. commercial letters, accounting documents)

- Tax law (Section 147 AO): 10 years

(e.g. books, records, invoices, tax-relevant documents)

During these periods, the data will be blocked and not processed for other purposes.

12.3 Storage for law enforcement

Data may also be stored for the preservation of evidence in accordance with the statutory limitation periods (Sections 194 ff. BGB).

The regular limitation period is 3 years, but in special cases, periods of up to 30 years may apply.

12.4 Deletion upon request

Upon request, we will delete personal data immediately, provided that:

- there is no legal reason to retain it,

- there are no legitimate interests in further processing (e.g. assertion of claims),

- or the data is not required for the fulfilment of the contract or system security.

If there are legal retention obligations, the data will be blocked.

12.5 Regular review

We regularly review whether personal data is still required. Data that no longer serves a purpose and is not subject to any retention obligations will be deleted or anonymised.

12.6 Revocation and objection

If you exercise your right to revoke your consent (Art. 7(3) GDPR) or your right to object (Art. 21 GDPR), we will delete the data concerned, unless there are compelling legitimate grounds or legal obligations to the contrary.

12.7 Deletion upon termination of the business relationship

After termination of a user account, personal data will be deleted as soon as:

- there are no longer any contractual or legal obligations,

- and no further claims are to be expected.

12.8 Restrictions due to backups and archive systems

Data contained in backups can only be removed as part of regular deletion cycles. Until final deletion, this data remains blocked and is not further processed.

12.9 Notification obligations under Art. 19 GDPR

If personal data has been deleted, corrected or restricted, we will also inform recipients to whom this data has been transferred, insofar as this is required by law.

12.10 Right to be forgotten (Art. 17 (2) GDPR)

If personal data has been published and deletion is requested, we will take measures within the scope of what is technically reasonable to inform third parties who process this data about the deletion request.

12.11 Note on data security during transport

Despite comprehensive security measures, data transmissions over the Internet may be subject to security vulnerabilities. Absolute protection against access by third parties is not technically possible.

§ 13 Data security

13.1 General protective measures

We take comprehensive technical, organisational and legal measures to protect personal data from unauthorised access, loss, alteration, destruction or other security risks (Art. 32 GDPR).

13.2 Technical and organisational measures (TOM)

The measures used include, among others:

- Encryption of data transmission via TLS/HTTPS

- Access restrictions and role/rights concepts

- Secure password and authentication procedures

- Logging of access events

- Regular software and security updates

- Protection against malware and attacks (e.g. firewalls, anti-DDoS)

We would like to point out that data transfers via email may have technical security vulnerabilities. Complete protection against access by third parties is not possible.

13.3 Authorisation and login

Registration with suchen.expert is done via the email address provided by the user.

The user is obliged to keep their access data secret and to report any unauthorised use immediately.

13.4 Data integrity and timeliness

We ensure that personal data is kept complete, accurate and up to date. Users can update their data themselves at any time or request a correction (Art. 16 GDPR).

13.5 Training and awareness

Employees who have access to personal data receive regular training on data protection and information security.

13.6 Monitoring, audits and incident response

We carry out regular internal and external IT security audits. Security incidents are documented, analysed and reported to the competent supervisory authority within 72 hours (Art. 33 GDPR). Affected users are informed if required by law (Art. 34 GDPR).

13.7 Deletion and storage management

Personal data is only stored for as long as is necessary for the purposes or as required by law (see § 12). After the expiry of the deadlines, it is securely deleted or anonymised.

13.8 Processors

Third parties who process personal data on our behalf are selected subject to strict data protection requirements and are contractually bound in accordance with Art. 28 GDPR.

13.9 Backup and recovery procedures

We create regular backups, which are stored exclusively in secure system environments. Structured recovery procedures are in place for emergencies to enable operations to be resumed quickly.

§ 14 Your rights as a data subject

As a data subject within the meaning of the GDPR, you have the following rights. You can exercise these rights at any time by using the contact details provided in this privacy policy.

14.1 Information (Art. 15 GDPR)

You have the right to request information about whether we process personal data about you. If this is the case, you may request information in particular about:

- the purposes of processing,

- the categories of personal data,

- the recipients or categories of recipients,

- the planned storage period or the criteria for determining this period,

- the origin of the data, if it was not collected from you,

- the existence of rights to rectification, erasure, restriction of processing or objection,

- the existence of a right to lodge a complaint with a supervisory authority,

- where applicable, the existence of automated decision-making, including profiling, and meaningful information about the logic involved and the significance of the processing,

- where applicable, appropriate safeguards for transfers to third countries.

You also have the right to a copy of the personal data processed. Legal restrictions (e.g. under Sections 34, 35 BDSG) remain unaffected.

14.2 Rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate personal data or the completion of incomplete personal data without undue delay. You can also update your data directly in your user account.

14.3 Erasure (‘right to be forgotten’, Art. 17 GDPR)

You may request the erasure of your personal data if one of the conditions provided for by law is met, in particular if:

- the data is no longer required for the purposes for which it was collected,

- you withdraw your consent and there is no other legal basis,

- you object to the processing and there are no overriding legitimate grounds,

- the data has been processed unlawfully,

- the erasure is necessary to comply with a legal obligation.

The right to erasure does not apply, among other things, if the processing is necessary:

- to comply with a legal obligation,

- to assert, exercise or defend legal claims,

- for archiving, research or statistical purposes in the public interest, provided that the right to erasure would seriously impair these purposes.

14.4 Restriction of processing (Art. 18 GDPR)

You may request the restriction of processing if:

- you dispute the accuracy of the data (for the duration of the verification),

- the processing is unlawful and you request restriction instead of erasure,

- we no longer need the data for the purposes of processing, but you need it to assert, exercise or defend legal claims,

- you have objected to the processing pursuant to Art. 21(1) GDPR, as long as it is not yet clear whether our legitimate reasons prevail.

In the event of restriction, the data may only be processed – apart from storage – with your consent or for the assertion, exercise or defence of legal claims or for the protection of the rights of another person or for important reasons of public interest. We will inform you before the restriction is lifted.

14.5 Data portability (Art. 20 GDPR)

You have the right to receive the personal data you have provided to us and which we process on the basis of consent (Art. 6(1)(a) GDPR) or a contract (Art. 6 (1) (b) GDPR) using automated procedures, in a structured, commonly used and machine-readable format or – where technically feasible – to have it transferred to another controller. This must not adversely affect the rights and freedoms of other persons.

14.6 Withdrawal of consent (Art. 7 (3) GDPR)

You may revoke your consent to the processing of personal data at any time with future effect. The lawfulness of the processing carried out until the revocation remains unaffected. The revocation can be made informally, e.g. by email to the contact address provided in this declaration or via the unsubscribe links provided (e.g. in the newsletter).

14.7 Right to object (Art. 21 GDPR)

a) Objection to processing based on legitimate interests Insofar as we process data on the basis of Art. 6 para. 1 lit. f GDPR (legitimate interest), you have the right to object at any time for reasons arising from your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

b) Objection to direct marketing

If personal data is processed for direct marketing purposes, you have the right to object to the processing for such marketing purposes at any time. This also applies to profiling insofar as it is related to direct marketing. In the event of an objection, we will no longer process the data for this purpose.

14. 8 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. In particular, you can contact the supervisory authority of your habitual residence, your place of work or the place of the alleged violation.

14.9 Contact person, form and deadlines (Art. 12 GDPR)

To exercise your rights, you can contact us at any time:

Suchen Technology GmbH

Dieselstraße 11

30916 Isernhagen, Germany

We always respond to enquiries immediately, but at the latest within one month of receipt. In complex cases, this period may be extended by a further two months; in this case, we will inform you of the extension and the reasons within one month.

We may request additional information to verify your identity and ensure that rights are not being asserted by unauthorised third parties. The exercise of your rights is generally free of charge. Only in cases of manifestly unfounded or excessive requests may we charge a reasonable fee or refuse to process the request.

§ 15 Obligation to provide personal data

15.1 Voluntary nature and necessity

The provision of personal data is generally voluntary. However, the transmission of certain data is necessary for the use of certain functions or services of suchen.expert (e.g. registration, login, communication, payment processing). Without this data, we cannot provide the corresponding services or can only provide them to a limited extent.

15.2 Contractual and technical requirements

If data is necessary for the performance of a contract or for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b GDPR), it is not possible to use specific platform functions without this data. This applies, for example, to:

- Creation and operation of a user account

- Contact via internal messaging functions

- Publication of advertisements

- Payment processing for paid services

15.3 Identification of voluntary information

Voluntary information is marked accordingly in the registration or profile area. It is not required, but can contribute to a better user experience or extended functions.

15.4 Legal obligations

For certain services, there may be a legal obligation to provide certain data (e.g. tax law requirements, commercial law documentation obligations). In such cases, we will inform you separately about the scope and consequences of non-provision.

15.5 Consequences of non-provision

If you do not provide the required data, this may result in:

- the registration cannot be completed,

- certain functions cannot be used,

- enquiries cannot be processed,

- contracts cannot be executed,

- we cannot fulfil certain legal obligations.

15.6 Automatically collected technical data

When you visit our website or use our app, certain technical data is automatically collected (e.g. IP address, browser type, operating system). This data is technically necessary in order to:

- deliver content correctly,

- ensure stability, security and system functionality,

- prevent misuse and attacks.

This technical data will only be linked to other personal data if there is a legal basis for doing so or if you have given your consent.

15.7 Requirements of third-party providers

If third-party providers (e.g. card or payment services) are integrated into our platform, it may be necessary to transfer certain data directly to these providers. In such cases, the privacy policies of the respective third-party providers apply. We have no influence on the processing of data by these providers.

§ 16 Automated decision-making and profiling

16.1 No automated decisions in individual cases

We do not use automated decision-making processes within the meaning of Art. 22 GDPR. Decisions that have legal effect or could significantly affect you in a similar way are not made exclusively by automated means.

16.2 No profiling

We do not carry out profiling within the meaning of Art. 4 No. 4 GDPR. In particular, the use of the platform does not lead to an automated evaluation of personal aspects such as behaviour, preferences or economic situation without the user's knowledge.

16.3 Exceptions for tracking tools

If pseudonymous usage profiles are created within the scope of analysis or marketing tools (e.g. for statistical purposes), this is done exclusively:

- with your consent (Article 6(1)(a) GDPR)

- and never in a form that has legal effects or significantly affects you.

16.4 Transparency and control

You have the right to be informed about the tools used, to refuse their use or to revoke your consent at any time. Our cookie and tracking settings give you full control.

§ 17 Newsletter and direct advertising

17.1 Newsletter subscription

If you subscribe to our newsletter, we will use your email address to send you regular information about our offers, products or services. Registration is done using a double opt-in procedure, in which you must actively confirm your email address.

17.2 Legal basis

The processing of your data for the purpose of sending the newsletter is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.

17.3 Revocation

You can revoke your consent at any time with effect for the future. This is possible, among other things:

- via the unsubscribe link in each newsletter

- or by sending us a message via the contact form.

The processing carried out until the revocation remains lawful.

17.4 Direct marketing to existing customers

If you are already a customer, we may also send you information about our own similar products or services by email without separate registration. The legal basis for this is Section 7 (3) UWG in conjunction with Art. 6 (1) lit. f GDPR (legitimate interest in customer-related communication).

You can object to this use at any time without incurring any costs other than the transmission costs according to basic tariffs.

§ 18 Social networks and plugins

18.1 Own social media presences

We maintain publicly accessible profiles on social networks (e.g. Facebook, Instagram, LinkedIn, YouTube).

When using these sites, the data protection provisions of the respective provider apply.

18.2 Joint responsibility (Art. 26 GDPR)

Insofar as we process statistical data (e.g. insights) jointly with platform operators, this is done within the framework of joint responsibility.

The essential content of these agreements is provided by the platforms.

18.3 Social plugins on our website

Our website may contain social plugins.

These are deactivated by default, so that no data is initially transferred to the providers. Only when you actively click on a plugin is a connection to the respective network established.

18.4 Legal basis

The use of social plugins is based – depending on the type – on your consent (Art. 6 (1) (a) GDPR) or our legitimate interest in a user-friendly design of our online offerings (Art. 6 (1) (f) GDPR).

§ 19 Information for minors

19.1 Offers are not directed at children

Our services are not intended for persons under the age of 16.

19.2 Consent of legal guardians

If you are under the age of 16, you may only provide personal data if your parents or legal guardians have given their consent.

19.3 Deletion of data of minors

If we nevertheless receive personal data from children without the consent of their legal guardians, we will delete it immediately.

§ 20 Up-to-dateness and changes to this privacy policy

20.1 Relationship to the terms of use and usage guidelines

This privacy policy supplements our terms of use and our usage guidelines.

All documents should be read together in order to fully understand the use of the platform and the associated processing of personal data. In the event of contradictions, the statutory data protection regulations (in particular the GDPR and BDSG) take precedence over the other provisions.

Note:

The privacy policy does not form part of the contract.

It serves exclusively to fulfil our legal information obligations in accordance with Articles 12–14 of the GDPR.

Consent to the privacy policy is not required and is not requested. Consent is only required where required by law (e.g. for cookies, tracking technologies, marketing communications or app tracking in accordance with Art. 6(1)(a) GDPR in conjunction with Section 25 TDDDG).

All other processing is based on the respective legal bases specified.

20.2 Regular review

We review this privacy policy regularly and update it when legal or technical changes require it.

20.3 Information about changes

We will inform you appropriately about any significant changes, e.g.:

- through notices on our website,

- by email,

- or via your user account or the app.

20.4 Validity and versions

The current version of this privacy policy is available on our website at any time.

20.5 Access to older versions

We archive previous versions of this privacy policy for documentation purposes and they can be viewed on request. You can also find the most recent valid older versions at any time on our platform in the section:

Support service / Legal & Guidelines / Privacy Policy

(e.g. ‘As of 20 August 2025’ or ‘As of 21 October 2023’).

20.6 Recommendation to review regularly

We recommend that you review the content of the privacy policy regularly.

20.7 Continued use as consent

Continued use of our services after changes have been published is considered an indication that you have taken note of the updated provisions. If you do not agree with the changes, you can discontinue use and delete your user account.

Log In

Location services not available

Sind Sie einverstanden?