Privacy Policy
Current version: as at 17 April 2026
Previous versions are archived in Customer Service.
Suchen Technology GmbH, Dieselstraße 11, 30916 Isernhagen, Germany
(hereinafter “Suchen Technology GmbH”, “Suchen Technology Services” or “we”), is the data controller within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data when using the suchen.expert platform.
This privacy policy applies to all German and multilingual websites under suchen.expert, the associated mobile applications and other online services provided by us (hereinafter collectively referred to as the “Platform”).
The protection of your personal data and your privacy is of the utmost importance to us. We process your data exclusively in accordance with the applicable data protection regulations, in particular the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
§ 1 General Information
1.1 Suchen Technology GmbH attaches great importance to the careful and responsible handling of personal data. We process personal data exclusively in accordance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
1.2 This Privacy Policy informs you, in accordance with Articles 13 and 14 of the GDPR, about the nature, scope, purposes and legal bases for the processing of your personal data, as well as your rights as a data subject in connection with the use of our platform suchen.expert.
1.3 This privacy policy applies to all data processing operations that take place when visiting and using suchen.expert. For other processing situations (for example, in the context of job applications, contractual relationships with business partners or other offline processes), we provide separate privacy notices where necessary.
1.4 Use of suchen.expert requires that you take note of this privacy policy. However, the processing of your personal data takes place – depending on the operation – on the respective legal basis specified (e.g. Article 6(1)(b) GDPR for contractual relationships or Article 6(1)(f) GDPR for legitimate interests). Where consent is required, this will be obtained separately.
1.5 The purpose of this privacy policy is to ensure transparent and appropriate protection of your personal data against unauthorised access, unauthorised disclosure, loss or misuse, and to inform you about our data processing in an easily understandable manner.
1.6 This privacy policy applies to all personal data that we collect, use or store about you in connection with your use of the suchen.expert platform.
1.7 If you do not agree with the data processing described in this privacy policy, you may be able to use certain services or features of suchen.expert only to a limited extent or not at all. Legal claims, in particular your rights as a data subject under the GDPR, remain unaffected by this.
1.8 This privacy policy applies exclusively to the suchen.expert platform. We accept no responsibility for third-party content and offers to which we link or which are integrated via interfaces (e.g. external websites). The processing of your data by such third parties is governed by their own privacy policies.
1.9 We provide technical and organisational means by which you can view and update your personal data in your user account. Nevertheless, you are required to ensure that the data you provide is accurate and up to date.
1.10 By registering or using the platform, users confirm that they have taken note of the privacy policy.
However, the processing of personal data takes place exclusively on the basis of the relevant legal provisions or – where necessary – on the basis of consent obtained separately.
The current versions of the privacy policy, the General Terms of Use and any further usage guidelines are available at any time on suchen.expert.
§ 2 Definitions
In this Privacy Policy, the following terms – unless otherwise expressly stated – are used in accordance with the General Data Protection Regulation (GDPR):
2.1 “personal data”
Personal data means any information relating to an identified or identifiable natural person (Art. 4(1) GDPR). A person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (e.g. name, address, telephone number, email address, username, date of birth, payment details).
2.2 “Processing”
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means (Art. 4(2) GDPR), such as collection, recording, organisation, structuring, storage, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying.
2.3 “Data Subject”
A data subject is any identified or identifiable natural person whose personal data is processed by us.
2.4 “User”
A user is any person who visits the suchen.expert platform, registers an account or uses services provided by suchen.expert – regardless of whether they are an individual acting in a private capacity, a company or another organisation.
2.5 “Controller”
The controller is Suchen Technology GmbH, which, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4(7) GDPR).
2.6 “Processor”
A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Art. 4(8) GDPR).
2.7 “Profile”
Profile refers to the personal or business user area on suchen.expert where the user can manage their details, post and view listings, and configure certain settings (e.g. contact details, visibility, notifications).
2.8 “Services”
Services are all functions and services provided by Suchen Technology GmbH via the platform, in particular the ability to search for, view or publish information about found, lost, missing or stolen items, listings, services, incidents and other content.
2.9 “Data”
Data comprises all information and content provided by users in the course of using suchen.expert (e.g. listing texts, images, messages), including personal data, insofar as this is contained in the information provided.
§ 3 Data Controller (Art. 4(7) GDPR)
3.1 Data Controller
The data controller responsible for the processing of personal data on the suchen.expert platform within the meaning of the General Data Protection Regulation (GDPR) is:
Suchen Technology GmbH
Dieselstraße 11
30916 Isernhagen, Germany
Email: datenschutz@suchen.technology
The controller determines the purposes and means of data processing. Data protection concerns may be addressed at any time via the contact form or by post to the above address.
3.2 Data Protection Officer
Under current legislation, Suchen Technology GmbH is not obliged to appoint a data protection officer in accordance with Article 37 of the GDPR.
3.3 Competent supervisory authority
Without prejudice to your rights under Article 77 of the GDPR, you may lodge a complaint with a data protection supervisory authority. The competent authority for us is:
The State Data Protection Commissioner of Lower Saxony
Prinzenstraße 5
30159 Hanover
Telephone: +49 (0)511 120 45 00
Fax: +49 (0)511 120 45 99
Email: poststelle@lfd.niedersachsen.de
§ 4 Terms of Use in relation to data protection
4.1 Registration and conditions of use
Registration is required to use the suchen.expert platform. The user warrants that they have provided all necessary information correctly and are authorised to use the platform. Use of the platform requires the provision of certain personal data which is technically and contractually necessary for registration, login and the range of functions.
4.2 Obligation to provide accurate and up-to-date information
The user undertakes to provide accurate, truthful and up-to-date personal data during registration and throughout their continued use of the platform. The user must immediately update any changes in their profile themselves.
4.3 Visibility of publicly shared data
Where the user voluntarily makes information or content (e.g. name, profile details, listings, texts, images, reviews) publicly accessible, this may be viewed, stored or shared by other users and – depending on visibility settings – also by internet users. The user bears responsibility for information published voluntarily.
4.4 Restriction on deletion
Certain content provided by the user cannot be completely deleted retrospectively if it has already been copied by other users or stored outside the platform. Statutory retention obligations remain unaffected.
4.5 Acknowledgement of the Privacy Policy
The user confirms that they have taken note of this Privacy Policy. However, the processing of personal data takes place – depending on the process – on the relevant legal basis (Art. 6 GDPR). Where consent is required, this will be obtained separately and unambiguously.
4.6 Responsibility for information provided
Suchen Technology GmbH is not obliged to verify the accuracy, completeness or timeliness of content provided by the user. Verification shall only take place where this is required by law (e.g. to fulfil legal obligations) or to ensure the proper functioning of the platform.
4.7 Measures in the event of breaches
In the event of breaches of these terms and conditions – in particular in the case of false information, misuse or unlawful publications – Suchen Technology GmbH reserves the right to restrict user accounts or to remove content. Further legal claims remain unaffected.
This applies in particular to automated registrations, repeated deletion and re-registration cycles, the circumvention of technical safeguards, the use of bots or similar automated systems, and in the event of excessive or abusive strain on the technical infrastructure.
§ 5 Purposes and legal bases of data processing
5.1 Overview
We process the personal data of suchen.expert users for clearly defined purposes and on the basis of the legal grounds provided for in Article 6 of the GDPR. The most important purposes and legal grounds are summarised below. The relevant categories of personal data are described in § 6.
5.2 Contractual relationship and platform use (Article 6(1)(b) GDPR)
A key purpose of data processing is the initiation, establishment, performance and termination of the user agreement for the suchen.expert platform. This includes, in particular:
- Registration and administration of the user account,
- Provision of platform functions (e.g. creating, managing and displaying listings, messaging functions, reviews),
- Processing of paid services, including invoicing and payment processing,
- Verification of accounts and identity, where necessary,
- Processing of enquiries regarding existing contracts.
Without the processing of the data required for this purpose, use of the platform is only possible to a limited extent or not at all.
The above processing activities also include registration and authentication via external login services (e.g. Google), insofar as such login procedures are offered.
5.3 Communication with users (Art. 6(1)(b) and (f) GDPR)
We process data to communicate with users, in particular:
- Responding to contact enquiries (e.g. via contact form or email),
- Support and technical assistance,
- Information regarding changes to services, features or legal framework conditions.
Where the communication is directly related to an existing or proposed contractual relationship, the legal basis is Article 6(1)(b) of the GDPR. In all other cases, processing is carried out to safeguard our legitimate interests in appropriate and efficient communication (Article 6(1)(f) of the GDPR).
5.4 Operation, security and prevention of misuse
(Art. 6(1)(f) GDPR)
To ensure the secure and stable operation of suchen.expert, we process technical data and log data (e.g. IP address, time of access, device and browser information) in order to:
- ensure the technical functionality of the platform,
- detect and rectify malfunctions and errors,
- prevent and investigate misuse or unlawful use,
- guarantee the security of systems, networks and data.
Our legitimate interest here lies in maintaining a secure, stable and functional online service.
This also includes the processing of technical security and abuse indicators to prevent automated mass registrations, unusual registration and deletion cycles, circumvention of technical safeguards, excessive server loads, and other abusive or unlawful use of the platform. For this purpose, the following may be processed in particular: timestamps of security-relevant events, IP-based security events, device and browser information, rate-limiting events, and pseudonymised identifiers.
Where identifiers from external login services, email addresses or comparable identification features are used for this purpose, this is done in pseudonymised or hashed form wherever possible. Our legitimate interest lies in protecting the platform, users and technical infrastructure, as well as in preventing and investigating misuse, fraud and automated attacks.
5.5 Analysis, Improvement and Further Development
(Art. 6(1)(f) GDPR, where applicable Art. 6(1)(a) GDPR)
We process usage and behavioural data in aggregated or pseudonymised form in order to:
- better understand usage behaviour,
- continuously improve our services and develop new features,
- optimise the user-friendliness and performance of the platform.
Where cookies or similar technologies are used for this purpose that are not technically necessary (e.g. for analysis or marketing purposes), this is done exclusively on the basis of your consent (Section 25(1) TDDDG in conjunction with Article 6(1)(a) GDPR). Furthermore, we base the analysis on our legitimate interest in the economic and user-friendly design of our offering (Art. 6(1)(f) GDPR).
5.6 Marketing, newsletters and direct marketing
(Art. 6(1)(a) and (f) GDPR, Section 7 UWG)
We may use your data for marketing and informational purposes, in particular:
- sending newsletters and informational emails regarding our products and services (only with prior consent, Article 6(1)(a) of the GDPR),
- personalised content and offers, provided you have consented to this,
- Direct marketing to existing customers for our own similar products and services by email under the conditions of Section 7(3) of the UWG (legitimate interest, Art. 6(1)(f) GDPR).
You may object to the use of your data for direct marketing purposes at any time and withdraw any consent given (see Section 14 of this Privacy Policy, Art. 21 GDPR).
5.7 Cooperation with partners and service providers
(Art. 6(1)(b), (f) and, where applicable, (a) GDPR)
To provide certain functions (e.g. payments, map and mapping services, analytics and marketing tools, app tracking), we work with selected service providers and partners. The processing of data is carried out:
- to fulfil the user agreement with you (Art. 6(1)(b) GDPR),
- to safeguard our legitimate interests in the efficient and secure provision of services (Art. 6(1)(f) GDPR),
- and – where necessary – on the basis of your consent (Art. 6(1)(a) GDPR), in particular for advertising IDs (e.g. GAID, IDFA), app tracking and personalised advertising.
Further details on the tools and service providers used can be found in the relevant sections of this privacy policy (e.g. cookies, tracking tools, payment service providers).
5.8 Contact form and other forms of contact
(Art. 6(1)(b) and (f) GDPR)
If you send us enquiries via the contact form, by email or by other means, we process your details (e.g. name, contact details, content of the enquiry) solely for the purpose of processing and responding to the enquiry and, where applicable, for follow-up questions.
The legal bases are:
- Article 6(1)(b) of the GDPR, provided the enquiry relates to an existing or prospective contractual relationship,
- Article 6(1)(f) of the GDPR, our legitimate interest in the proper handling of customer and user enquiries.
The data will be deleted as soon as the purpose of the processing ceases and provided there are no conflicting statutory retention obligations.
5.9 Processing of location data (geolocation)
(Art. 6(1)(b) and (f) GDPR, where applicable Art. 6(1)(a) GDPR)
Where you use functions based on location information, we process location data (e.g. IP-based localisation, GPS data) in order to:
- display geographically relevant content and advertisements to you,
- personalise search results and recommendations,
- carry out statistical analyses of the use of location-based functions.
You can disable the transmission of precise location data via your device at any time in the settings of your browser or operating system.
The legal bases are:
- Article 6(1)(b) of the GDPR, insofar as the processing of location data is necessary for specific contractual functions,
- Article 6(1)(f) of the GDPR, our legitimate interest in providing a user-friendly, locally relevant service,
- and, where applicable, your consent pursuant to Article 6(1)(a) of the GDPR, insofar as we use location-based data for further personalised services.
5.10 Communication and notification tools
(Art. 6(1)(b), (f) and, where applicable, (a) of the GDPR)
We use communication and notification tools (e.g. email, SMS, in-app or push notifications) to:
- send security-related notices, system messages or information about your account,
- inform you about new messages, activities or relevant changes on the platform,
- provide you with marketing information, provided you have given your consent.
Security-related and contract-related messages are based on Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in security and user information). For marketing notifications, we obtain your consent in accordance with Article 6(1)(a) GDPR.
5.11 Cooperation with law enforcement and supervisory authorities
(Art. 6(1)(c) and (f) GDPR)
We may transfer personal data to law enforcement or supervisory authorities where we are legally obliged to do so (Art. 6(1)(c) GDPR) or where this is necessary to safeguard our legitimate interests (Art. 6(1)(f) GDPR), e.g. to investigate cases of misuse, to defend against legal claims or to cooperate in administrative or judicial proceedings.
In this context, data is stored for as long as is necessary to fulfil legal obligations or to establish, exercise or defend legal claims.
5.12 Legal obligations
(Art. 6(1)(c) GDPR)
We are subject to various legal obligations which may require the processing of personal data. These include, in particular:
- retention periods under commercial and tax law,
- regulatory and reporting requirements,
- other legal documentation and evidence obligations.
In these cases, processing is carried out on the basis of Article 6(1)(c) of the GDPR.
5.13 Legal enforcement and defence
(Art. 6(1)(f) GDPR)
We also process personal data in order to assert and enforce our rights and to defend ourselves against legal claims. This includes, for example:
- the preservation of evidence,
- the extrajudicial and judicial enforcement of claims,
- the defence against unjustified claims.
The legal basis is Article 6(1)(f) of the GDPR, our legitimate interest in safeguarding and enforcing our rights.
5.14 Consent and withdrawal
(Article 6(1)(a) of the GDPR)
Where we process data on the basis of your consent (e.g. for newsletters, certain marketing measures, location-based services, app tracking or personalised advertising), the processing is carried out exclusively for the purposes specified in the consent.
You may withdraw your consent at any time with effect for the future. This does not affect the lawfulness of the processing carried out prior to the withdrawal. You can find information on withdrawal in this privacy policy and in the respective consent forms.
§ 6 Categories of personal data
Depending on your use of the platform and the functions you have activated, we process the categories of personal data described below. Not all data is collected from every user.
6.1 Master data
This includes, in particular:
- Full name
- Address (primary), other addresses where applicable
- Date of birth (e.g. for age verification)
- Telephone number(s)
- Email address(es)
- Company-related data (e.g. company name, VAT number, commercial register details)
Depending on usage, this data is required for registration, identification, communication and contract performance.
When using external login services, additional identification data transmitted by the respective provider may be processed, in particular external user IDs, verified email addresses, profile names or profile pictures.
6.2 Contract and billing data
This includes, in particular:
- User account information
- Booking/service data
- Payment information (e.g. IBAN, invoices, transactions)
- Details of paid services booked
- Verification data (e.g. account/identity verification)
We process this data for the purposes of contract performance and billing.
6.3 Profile data and content provided by the user
This includes, in particular:
- Profile picture and other uploaded photos
- Public profile details and description texts
- Listings (texts, images, categories, metadata)
- Reviews, star ratings, comments
- Interactions with other users (e.g. follows, subscriptions)
- Content shared via social networks
This information is publicly visible, depending on its visibility settings.
6.4 Communication data
This includes:
- Messages via internal messenger functions
- Emails, support enquiries, contact forms
- Push notifications and system settings
- Verification codes (e.g. SMS or email for login)
This data is used for communication and account security.
6.5 Usage and behavioural data
This includes in particular:
- Date and time of registration
- Login history, online status, activity logs
- Sections/categories visited and time spent
- Interactions with listings (creating, saving, sharing, clicking)
- Favourites lists
- Profiles followed and own followers
- User activity in the rating system
- Reports, complaints, disputes
- Invitations, referral codes, referrals
- Mentions by other users
This data is used to improve, analyse and personalise the platform’s features.
6.6 Location and geolocation data
This includes:
- IP-based approximate location
- Precise location data via device/operating system services (e.g. GPS), provided the user has given consent
- Time/region settings
We only process this data if you use the relevant functions or give your consent.
6.7 Technical data and server log data (web)
This includes in particular:
- Date and time of access
- Browser type and version
- Operating system type and version
- Browser language settings
- Referrer URL
- Hostname of the accessing device
- Screen resolution and device information
- User-agent data
- Server request logs (“log files”)
This data is necessary for functionality, security and error analysis.
6.8 Device data when using Android
If you use our Android app, the following data may be processed:
- Device type, device name, model
- Android operating system version
- Manufacturer ID (if provided by the system)
- GAID (Google Advertising ID) – only with consent
- OpenUDID or AppsFlyer ID (only for authorised marketing tools)
- Time zone, preferred language
- Wi-Fi information (SSID, MAC address) – only if the OS transmits this
- Mobile network information (network operator, MNC)
- Type of internet connection (mobile/Wi-Fi)
- App version and technical device status
Some of these characteristics are considered unique identifiers under data protection law and may only be used for marketing or tracking purposes with consent.
6.9 Device data when using iOS
When using our iOS app, the following data categories may be processed, depending on your settings:
- Device type, device name, model and OS version
- IDFA (Identifier for Advertisers) – only with consent / “App Tracking Transparency”
- OpenUDID/AppsFlyer UID (only if enabled)
- Time zone, preferred language
- Manufacturer’s device ID (where available)
- Wi-Fi information (SSID/MAC, only if permitted by the OS)
- Mobile network information (network operator, MNC)
- App version, technical status
The same applies here: advertising IDs may only be used with consent.
6.10 Data from third-party sources and data generated by third parties
This may include, in particular:
- User feedback from other users (comments, reviews),
- Reports of violations, complaints or disputes,
- Mentions and links within the platform,
- Invitations or recommendations via referral systems,
- Data from external login services or payment service providers,
- Data from cooperation partners, insofar as this is necessary for the performance of the contract, fraud prevention, identity verification or support processing.
Where personal data is not collected directly from the data subject but from third-party sources, we process it only on the basis of a relevant legal basis. In such cases, the data subject will be informed in accordance with Article 14 of the GDPR regarding the data source, data categories, purposes of processing, legal bases and recipients, unless a statutory exception applies.
6.11 Sensitive data (special categories of personal data)
We do not collect special categories of personal data within the meaning of Article 9 of the GDPR (e.g. health data, religious affiliation), unless the user voluntarily publishes such information in content or messages. Such publication is the sole responsibility of the user.
§ 7 Principles of personal data processing
In all processing operations involving personal data, Suchen Technology GmbH complies with the legal principles set out in Article 5 of the GDPR.
These principles ensure the responsible and lawful handling of personal data.
7.1 Lawfulness, processing in good faith and transparency
Personal data is processed exclusively on a legal basis and only in a manner that is comprehensible and transparent to data subjects. Users are informed in accordance with Articles 13 and 14 of the GDPR regarding the purposes, legal bases, recipients, retention periods and their rights.
7.2 Purpose limitation
Data is collected only for specified, explicit and legitimate purposes. Further processing for other purposes takes place only if there is a legal basis or the user has given their consent.
7.3 Data minimisation
Only such personal data is processed as is necessary for the respective purposes. The collection of data, its scope and the storage period are limited to what is necessary.
7.4 Accuracy
Suchen Technology GmbH takes appropriate measures to ensure that the personal data processed is factually accurate and, where necessary, up to date. Users may update their data themselves in their profile at any time or request a correction (Art. 16 GDPR).
7.5 Storage limitation
Personal data is stored only for as long as is necessary for the purposes of processing or as required by statutory retention obligations. Thereafter, the data is deleted or anonymised (see Section 12 of this Privacy Policy).
7.6 Integrity and confidentiality
We ensure, through appropriate technical and organisational measures, that personal data is protected against unauthorised or unlawful processing, and from accidental loss, destruction or damage. These include, amongst other things, access restrictions, encryption technologies, logging, and security and authorisation concepts.
7.7 Accountability
Suchen Technology GmbH is responsible for ensuring compliance with data protection regulations and can demonstrate this where necessary (Art. 5(2) GDPR). This includes, amongst other things, the documentation of processing activities, risk analyses, technical and organisational measures, as well as data processing agreements.
7.8 No unauthorised data linking
Data sets collected for different, incompatible purposes are not merged. Data is only linked if there is a legal basis for doing so or if the user has given their express consent.
7.9 Data protection by design and by default
The suchen.expert platform is designed in such a way that data protection and data minimisation are taken into account at the technical level (Art. 25 GDPR). By default, only those functions necessary for normal use are activated (“Privacy by Default”).
7.10 User Responsibility
Users are responsible for the accuracy and visibility of the data they voluntarily publish (e.g. listings, photos, reviews). We recommend that users carefully consider what content they wish to make publicly available, particularly where sensitive data is concerned.
§ 8 Use of cookies and similar technologies
8.1 General information
Our website uses cookies and similar technologies (e.g. local storage, session storage, pixels, tracking codes) to provide certain functions, analyse usage and technically operate our service. Cookies are small text files stored on your device and do not contain any harmful programmes or viruses.
We distinguish between technically necessary cookies and those for which consent is required (Section 25 TDDDG and Article 6 GDPR).
8.2 Types of cookies and technologies
(1) Technically necessary cookies
These cookies are strictly necessary for the operation and basic functions of the website, e.g.:
- Login / session management
- Security functions
- Cookie consent management
- Language selection / default settings
Legal basis:
Section 25(2)(2) TDDDG (permitted without consent)
Art. 6(1)(f) GDPR (legitimate interest in the operation of the website)
(2) Functional cookies
Functional cookies and similar technologies enable certain settings, convenience features and optional website displays.
Where such technologies are technically essential for a service expressly requested by the user, we treat them as technically necessary.
Where they merely enable additional convenience or optional functions, we use them only on the basis of the relevant consent.
Legal basis:
Where functional technologies are strictly necessary for a service expressly requested by the user, their use is based on Section 25(2)(2) of the TDDDG and Article 6(1)(f) of the GDPR.
Where they merely enable additional convenience or optional functions, their use is based exclusively on your consent in accordance with Section 25(1) of the TDDDG and Article 6(1)(a) of the GDPR.
(3) Analytics / statistics cookies
These are used to analyse user behaviour (e.g. page views, duration of use, click behaviour).
Legal basis:
Section 25(1) TDDDG + Article 6(1)(a) GDPR (only with consent)
(4) Marketing / Tracking cookies
These enable personalised advertising, retargeting or reach measurement across various services. Example: Google Ads, remarketing, app tracking.
Legal basis:
Section 25(1) TDDDG + Article 6(1)(a) GDPR (only with consent)
(5) Third-party cookies
These are set by external providers (e.g. analytics, marketing, map or video services) and may allow tracking across multiple websites.
(6) Session cookies
These are automatically deleted when the browser is closed.
(7) Persistent cookies
These remain stored for a defined period and enable recognition upon a return visit.
(8) Secure cookies (Secure, HttpOnly)
These are transmitted exclusively via HTTPS and are in some cases not readable via JavaScript (protection against XSS).
8.3 Cookie consent tool
When you first visit our website, a notification banner appears, allowing you to select, reject or later change non-essential cookies and similar technologies. Your selection is saved so that your consent preferences can be taken into account when you visit the site again.
Legal basis:
- Section 25(2)(2) TDDDG, insofar as storage or access is technically essential to provide the consent management service expressly requested by the user,
- Article 6(1)(f) GDPR, insofar as the processing serves the legally compliant management and documentation of consents granted or refused.
Consent is logged to fulfil our obligations to provide evidence in accordance with Art. 7(1) GDPR.
You may change your selection at any time via our cookie consent tool or withdraw your consent with effect for the future. The lawfulness of the processing carried out up to the point of withdrawal remains unaffected by this.
8.4 Management and withdrawal of cookies
You can:
- deactivate all non-essential cookies in the consent banner,
- withdraw your consent at any time with effect for the future,
- manually delete cookies in your browser,
- configure cookie settings in your browser (blocking, exceptions).
Please note: Deactivating technically necessary cookies may impair the functionality of the website.
8.5 Cloudflare Turnstile (CAPTCHA)
To protect our platform from automated requests, bots and misuse, we use the ‘Turnstile’ security and validation procedure, provided by:
Cloudflare, Inc.
101 Townsend St, San Francisco, CA 94107, USA
For EU/EEA data processing:
Cloudflare Portugal, Unipessoal Lda or other Cloudflare branches in the EU.
8.5.1 Nature of processing
As part of the Turnstile service, Cloudflare processes certain technical information to assess whether access originates from a human or an automated system. The specific data processed depends on the technical procedures provided by Cloudflare. This may include, amongst other things:
- IP address
- Browser and device information
- Referrer URL
- Technical connection data
- Interaction and system signals automatically transmitted by the end device.
The specific processing is carried out by Cloudflare in accordance with its own technical procedures.
8.5.2 Purpose
The use of Turnstile serves to:
- protect our website and forms against bots,
- maintain the functionality of our services,
- reduce abusive or harmful access.
These measures correspond to our legitimate interest pursuant to Article 6(1)(f) of the GDPR.
8.5.3 Legal basis
The use of Turnstile is based on our legitimate interest in the security, stability, functionality and prevention of misuse of the platform in accordance with Article 6(1)(f) of the GDPR.
Insofar as access to information on the user’s terminal equipment takes place within the scope of the service or such information is stored, this is done only to the extent permitted under Section 25 of the TDDDG.
8.5.4 Data transfer
Where personal data is transferred to recipients outside the EU/EEA in connection with Turnstile, this is done solely on the basis of the relevant data protection transfer mechanisms.
Where required by law, a copy of appropriate safeguards may be provided upon request, provided that this does not infringe the rights of third parties.
8.5.5 Further information
Cloudflare’s privacy policy:
https://www.cloudflare.com/privacypolicy/
8.5.6 Note
Without Turnstile, the use of certain functions – in particular forms or registration – may be technically restricted.
8.6 Google Analytics (GA4)
We use the web analytics service Google Analytics (GA4) on our website, provided by:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
(“Google”)
8.6.1 Type of data processing
Google Analytics uses technologies such as cookies, pixels or device-specific identifiers to analyse information about the use of our website. The specific data collected and how it is processed depends on Google’s technical specifications. This may include, in particular:
- Page views, click and scroll behaviour
- Duration and frequency of sessions
- Browser and device information
- Operating system, language settings
- Referrer URL
- Timestamps and interaction events
- Truncated or anonymised IP addresses (where provided by Google)
The specific data processing is carried out by Google in accordance with its own technical procedures and settings.
8.6.2 Purpose
Google Analytics may be used to analyse the use of our website, measure reach and improve our online offering.
8.6.3 Legal basis
The use of Google Analytics takes place exclusively with your consent in accordance with:
- Section 25(1) TDDDG
- Article 6(1)(a) GDPR
Google Analytics is only used if the relevant consent has been given. The data is processed by Google and is subject to the technical mechanisms provided by Google.
8.6.4 Transfer to third countries
Where personal data is transferred to recipients outside the EU/EEA in connection with Google Analytics, this is done solely on the basis of the relevant data protection transfer mechanisms.
Where required by law, a copy of appropriate safeguards may be provided upon request, provided that this does not infringe the rights of third parties.
8.6.5 Retention period
The retention period for event and usage data is configured to the minimum possible duration within the available settings of Google Analytics (currently a maximum of 14 months).
8.6.6 Withdrawal of consent
You may withdraw or amend your consent at any time via our cookie consent tool. The lawfulness of the processing carried out up to the point of withdrawal remains unaffected.
8.6.7 Google’s privacy policy
Further information on the processing of personal data by Google can be found at:
https://policies.google.com/privacy
8.7 Google Ads and Google Remarketing
We use – provided you give your consent – features of the advertising services Google Ads and Google Remarketing, provided by:
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland
Technical processing is carried out by Google in accordance with the systems and mechanisms provided by Google.
8.7.1 Type of processing
Google may use various technologies to display, measure or optimise advertisements. The data processed in each individual case depends on the processes defined by Google. This may include, amongst other things:
- Information on pages visited and content accessed,
- Details of interactions (clicks, page views, navigation behaviour),
- device and browser information,
- pseudonymous advertising IDs such as GAID or IDFA (only where consent has been given),
- technical meta-information,
- IP address (in accordance with Google’s settings).
Google uses this information, amongst other things, to personalise adverts, measure reach or create target groups.
8.7.2 Purpose
Where provided by Google and requested by you, the data may be used for the following purposes:
- Display of relevant and interest-based advertising,
- Analysis and performance measurement of advertising campaigns (conversion tracking),
- Creating pseudonymous target groups for remarketing.
8.7.3 Legal basis
The use of Google Ads and remarketing is subject exclusively to your consent, in particular for the use of cookies and similar technologies in accordance with:
- Section 25(1) TDDDG
- Article 6(1)(a) GDPR
These services will not be activated without consent.
8.7.4 Transfer to third countries
Where personal data is transferred to recipients outside the EU/EEA in connection with Google Ads or Google Remarketing, this is done solely on the basis of the relevant data protection transfer mechanisms.
Where required by law, a copy of appropriate safeguards may be provided upon request, provided this does not infringe the rights of third parties.
8.7.5 Withdrawal / Opt-out
You may withdraw your consent at any time via our cookie consent tool. Google also offers its own opt-out options:
- https://adssettings.google.com
- https://optout.networkadvertising.org/
8.7.6 Data protection information from Google
Further information on data processing by Google can be found at:
https://policies.google.com/privacy
8.8 Google Consent Mode v2
We use Google Consent Mode v2 to adapt the integration of certain Google services (e.g. Analytics, Ads, Conversion Tracking, Remarketing) to the consent status you have selected. The technical processes of Consent Mode v2 are provided and controlled by Google.
8.8.1 How it works
Consent Mode v2 enables Google to adapt the processing of certain data to the user’s consent status. In doing so, Consent Mode transmits signals such as:
- ad_user_data (granted / denied)
- ad_personalization (granted / denied)
The actual data processing, its scope and the type of information collected are determined by Google and the respective Google services used. Google adapts its systems based on the consent settings you have selected.
8.8.2 Purpose
Consent Mode may serve to
- technically implement your consent decision,
- adapt the integration of Google services to your preferences,
- enable the data protection-compliant control of certain Google functions.
8.8.3 Legal basis
Where Google services use storage technologies or tracking, this is done exclusively on the basis of your consent in accordance with:
- Section 25(1) TDDDG
- Article 6(1)(a) GDPR
The Consent Mode itself constitutes a technical interface for implementing your decision.
8.8.4 Data transfer
Where personal data is transferred to recipients outside the EU/EEA within the scope of Google Consent Mode v2, this is done solely on the basis of the relevant data protection transfer mechanisms.
Further processing of this information is carried out by the relevant Google services in accordance with the data protection responsibilities applicable there.
8.8.5 Withdrawal
You can change or withdraw your consent at any time via our cookie consent tool. Google implements changes to consent in accordance with its technical specifications.
8.8.6 Further information
Google’s privacy policy:
https://policies.google.com/privacy
Further information on Consent Mode:
https://support.google.com/google-ads/answer/13515783
8.9 Apple App Tracking Transparency (ATT)
Our iOS app uses – provided you give your consent – functions provided by Apple as part of the “App Tracking Transparency” (ATT) framework. Provider:
Apple Inc.
One Apple Park Way, Cupertino, CA 95014, USA.
8.9.1 How it works
Under the ATT framework, Apple itself determines the conditions under which apps may access certain device information.
iOS devices display a consent pop-up for this purpose, which is controlled and managed by Apple. The data that Apple collects or provides in this context depends on the user’s settings and those of the operating system. This may include, amongst other things:
- the advertising ID (Identifier for Advertisers – IDFA),
- device-related information,
- system-level signals for attribution and reach measurement,
- cross-app interactions, to the extent permitted by Apple.
8.9.2 Processed Data
Which data is processed in individual cases depends on the technical mechanisms provided by Apple and the settings of the end device. Depending on the consent granted, Apple may share certain information, e.g.:
- IDFA (if permitted by the user),
- device and system information,
- anonymous or pseudonymous attribution data,
- interaction and usage events.
8.9.3 Purpose
The data provided via ATT may – depending on your consent and the functions of the end device – be used for the following purposes:
- measuring app installations and campaign reach,
- attribution purposes and technical analysis,
- optional: personalised advertising (only with consent).
8.9.4 Legal basis
Where personal data is processed via ATT, this is done exclusively on the basis of your consent (Art. 6(1)(a) GDPR, Section 25 TDDDG).
The actual processing is carried out by Apple in accordance with its own data protection guidelines.
8.9.5 Withdrawal
You can withdraw or adjust your consent at any time via the iOS settings under “Settings → Privacy → Tracking”.
8.9.6 Apple privacy notices
Further information:
https://www.apple.com/legal/privacy/
8.10 Android app tracking and Google Advertising ID (GAID)
Our Android app may – provided you give your consent – access functions provided by Google as part of the Google Advertising ID (GAID). Provider:
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland.
8.10.1 Processed identifiers
The data that may be processed in individual cases depends on the settings of your Android device, the technology provided by the operating system, and the consent granted.
Depending on the system configuration, this may include, amongst other things:
- Google Advertising ID (GAID),
- device information (model, OS version, language/region),
- basic usage and interaction signals,
- technically provided attribution and installation data.
The actual provision and processing of this information is carried out by Google or Android at the system level.
8.10.2 Purpose
Insofar as the GAID or associated data is released by the system, this data may – depending on your consent and the device settings – be used for the following purposes:
- technical attribution and installation measurement,
- analysis of app usage in anonymised or pseudonymised form,
- optional: personalised advertising (only with your consent).
8.10.3 Legal basis
Where personal data is processed via the GAID, this is done exclusively on the basis of your consent in accordance with:
- Art. 6(1)(a) GDPR
- Section 25(1) TDDDG
The actual technical data processing is carried out by Google in accordance with its own privacy policy.
8.10.4 Withdrawal / Device settings
You can adjust or disable the provision and use of the GAID at any time in the settings of your Android device:
Settings / Google / “Advertising” / “Ads” - “Reset advertising ID” or “Disable personalised ads”.
8.10.5 Further information
Further information on data processing by Google can be found at:
https://policies.google.com/privacy
8.11 Server-side tracking / server-side tagging
We use server-side tracking technologies (e.g. server-side tagging systems, server-side Google Tag Manager or comparable technical solutions), which enable certain tracking and analysis processes to be carried out via a server operated by us.
8.11.1 How it works
With server-side tracking, certain requests are not sent directly from the user’s device to external providers, but are routed via a technical intermediate step. The actual nature of the processing depends on the respective technical settings and the mechanisms of the services used. Which data is further processed or transmitted depends in particular on your consent and the specifications of the respective third-party providers.
8.11.2 Data that may be processed
Depending on your consent and the services used, the following information, amongst others, may be processed via the server-side approach:
- technical information provided by the system (e.g. device or browser data),
- usage events and interaction signals,
- pseudonymous identifiers or comparable technical characteristics (only where consent has been given for this),
- technically necessary meta-information.
The precise data processing takes place in accordance with the specifications of the respective third-party providers (e.g. Google, Microsoft).
8.11.3 Purpose
The use of server-side systems serves, among other things, the following purposes:
- technically optimised execution of analysis and marketing functions,
- improvement of the stability and reliability of measurement processes,
- reduction of direct connections between end devices and third-party providers.
8.11.4 Legal basis
The legal basis depends on the purpose of the data processing:
- for technically necessary processing: Article 6(1)(f) of the GDPR,
- for analysis, statistical and marketing purposes: exclusively with consent in accordance with Section 25(1) of the TDDDG in conjunction with Article 6(1)(a) of the GDPR.
8.11.5 Disclosure to third-party providers
Data will only be transferred to analytics or marketing services (e.g. Google, Microsoft) if you have given your consent for this. Further processing is carried out by the respective providers on their own responsibility.
8.11.6 Transfers to third countries
Insofar as personal data is transferred to recipients outside the EU/EEA, this is done solely on the basis of the relevant data protection transfer mechanisms.
Where required by law, a copy of appropriate safeguards may be provided upon request, provided this does not infringe the rights of third parties.
8.12 Microsoft Advertising / Universal Event Tracking (UET)
We use – provided you give your consent – features of the advertising service “Microsoft Advertising” (formerly Bing Ads), including Universal Event Tracking (UET). Provider:
Microsoft Corporation
One Microsoft Way, Redmond, WA 98052-6399, USA
For EU/EEA:
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland
The specific technical processing is carried out by Microsoft in accordance with the systems and mechanisms provided by Microsoft.
8.12.1 Type of processing
Microsoft may use various technologies such as cookies, pixels or similar identifiers to perform advertising and analytics functions.
The data collected or processed in each individual case is determined by Microsoft’s technical specifications. This may include, amongst other things:
- IP address (in accordance with Microsoft’s systems),
- browser and device information,
- interaction and usage data (e.g. pages visited, click behaviour),
- pseudonymous Microsoft advertising IDs or comparable identifiers,
- technical meta-information (timestamps, referrers, access events).
Further processing of this information is carried out by Microsoft under its own responsibility.
8.12.2 Purpose
Where you have requested it and Microsoft has provided it, the data may be used for the following purposes:
- Performance measurement and analysis of advertising campaigns (conversion tracking),
- Reach measurement,
- Creation of pseudonymous target groups (remarketing),
- Display of interest-based advertising (only with consent).
8.12.3 Legal basis
The use of Microsoft Advertising / UET is based exclusively on your consent:
- Section 25(1) TDDDG (storage and access technologies),
- Article 6(1)(a) GDPR (consent).
Without your consent, the relevant functions will not be activated.
8.12.4 Transfers to third countries
Where personal data is transferred to recipients outside the EU/EEA in connection with Microsoft Advertising / UET, this is done solely on the basis of the relevant data protection transfer mechanisms.
Where required by law, a copy of appropriate safeguards may be provided on request, provided that this does not infringe the rights of third parties.
8.12.5 Withdrawal / Opt-out
You may change or withdraw your consent at any time via our cookie consent tool. In addition, Microsoft provides its own options for deactivation:
https://account.microsoft.com/privacy/ad-settings/signedout
8.12.6 Microsoft’s privacy information
Further information on data processing by Microsoft can be found at:
https://privacy.microsoft.com/de-de/privacystatement
8.13 PayPal (payment service provider)
On suchen.expert, we offer the option to process payments via the PayPal service. The provider is:
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22–24 Boulevard Royal
L-2449 Luxembourg
(“PayPal”)
8.13.1 Type of data processing
If you choose to pay via PayPal as part of a payment transaction, certain data relating to the payment will be transmitted to PayPal. The specific data involved is determined by the input fields in the respective payment form and the interface provided by PayPal. This may include, in particular:
- Name,
- Address,
- Email address,
- telephone number (if applicable),
- payment information (e.g. account details, card details, transaction amounts, contract or order information),
- other data required to process the payment.
The specific processing of this data is carried out by PayPal on its own responsibility in accordance with its technical procedures and contractual terms.
8.13.2 Purpose
Data is transferred to PayPal for the purpose of carrying out and processing the payment transaction you have selected, as well as, where applicable, for fraud prevention and risk assessment by PayPal.
8.13.3 Legal basis
The legal basis for the transfer of data to PayPal is generally Article 6(1)(b) of the GDPR (performance of a contract, payment processing). Insofar as PayPal carries out its own risk, creditworthiness or fraud checks, the processing may be based on the legitimate interests of PayPal and us in secure and efficient payment processing (Article 6(1)(f) of the GDPR).
8.13.4 PayPal’s independent responsibility
PayPal processes the transmitted data under its own responsibility under data protection law. PayPal may use the data, inter alia:
- to execute and process payments,
- for creditworthiness and identity checks,
- for fraud prevention and risk analysis,
- to fulfil legal obligations.
PayPal may pass on data to affiliated companies, external service providers or credit reference agencies, insofar as this is necessary for the performance of the contract or on the basis of its own legal grounds.
PayPal’s privacy policy applies exclusively to these processes.
8.13.5 Transfer to third countries
Insofar as PayPal, companies affiliated with PayPal or service providers engaged by PayPal process personal data outside the EU/EEA or access such data, this is done solely on the basis of the applicable data protection transfer mechanisms.
Where required by law, a copy of appropriate safeguards may be provided upon request, provided this does not infringe the rights of third parties.
8.13.6 Voluntary use / Alternatives
The use of PayPal as a payment method is voluntary. Where we offer alternative payment methods, you may choose these if you do not wish to transmit data to PayPal.
8.13.7 Further information
For details on data processing by PayPal, please refer to PayPal’s privacy policy:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full
8.14 General note on technical data processing by third-party providers
Where third-party services (e.g. Google, Apple, Microsoft, Cloudflare, PayPal) are used in this privacy policy, the respective data processing takes place within the framework of the technical integration selected by us and the functions provided by the respective provider.
The nature, scope and technical design of the processing may vary in detail depending on the specific service used, the user’s settings, the device used and the technical parameters of the third-party provider.
The description of the respective processing operations in this privacy policy is based on our current knowledge and on the provider information and documentation available to us.
Insofar as third-party providers process data under their own responsibility under data protection law, their respective privacy policies shall apply in addition.
§ 9 Collection and Disclosure of User Data to Third Parties
9.1 Collection of Personal Data
We collect users’ personal data in the following circumstances:
a) Registration and account creation
When registering a user account, the information required to set up and use the account is requested (e.g. name, email address, password, and any other mandatory details).
b) Login and authorisation
Each time a user logs in, technical data (e.g. IP address, time, device/browser information) and account data are processed to protect access and manage the session.
c) Profile maintenance and voluntary information
After registration, users may voluntarily add or amend additional information in their profile (e.g. further contact details, profile photo, company details). This data is only processed to the extent that the user actively provides it.
d) Use of services and functions
When using the platform (e.g. when creating listings, submitting reviews, sending messages), the data entered or generated in the process is processed.
e) Communication
When enquiries are made via contact forms, emails or other communication channels, we process the data provided (e.g. name, contact details, content of the message) for the purpose of handling the enquiry.
f) Automated collection of technical data
When visiting the website and using the app, technical data (e.g. IP address, browser type, operating system, referrer URL, date and time of access) as well as log files are collected (see Section 6.7 of this Privacy Policy).
g) Registration via Google (Social Login)
Users can also register or log in to the platform via an existing account with an external provider (so-called social login), currently in particular via Google.
If the user utilises this function, we receive from Google the personal data necessary for authentication and for setting up or assigning the user account. This may include, in particular:
- Name,
- Email address,
- Unique external user identifier (e.g. Google ID),
- Profile picture, if applicable, provided this has been shared by the user with Google.
The specific data transmitted depends on the settings of the Google account and the permissions granted by the user.
Processing is carried out for the purposes of registration, authentication, account assignment, account linking, account management and the secure provision of platform functions.
The legal basis is Article 6(1)(b) of the GDPR, insofar as the processing is necessary for the performance of the user relationship, and Article 6(1)(f) of the GDPR with regard to ensuring system security, preventing misuse and efficient login management.
To ensure account security and to prevent abusive registration, deletion and re-registration cycles, external user identifiers, in particular the unique user identifier provided by Google, may also be processed in pseudonymised or hashed form. This serves, in particular, to technically assign a user account, detect unauthorised multiple uses, prevent automated mass registrations and implement appropriate security measures such as rate limits, temporary registration blocks or manual checks.
Such processing is not carried out for advertising or tracking purposes, but solely for account security, the prevention of misuse and the protection of the platform’s technical infrastructure.
There may be a technical link between your user account with us and your Google account. Where technically possible, you can manage or remove this link in your user account with us or via Google’s settings.
Removing the link to Google does not automatically result in the deletion of the user account on our platform. The provisions of Section 12 and the rights under Article 17 of the GDPR apply to the deletion of the user account.
Google processes personal data as part of the social login process under its own responsibility under data protection law. Google’s privacy policy applies exclusively to data processing by Google.
h) Collection of personal data from third-party sources
Where personal data is not collected directly from the data subject but via other users, cooperation partners, payment service providers, external login services or other third-party sources, we process this data only to the extent that there is a legal basis for doing so.
This may include, in particular, identification data, contact details, transaction and communication data, review, complaint or report data, as well as other data necessary for processing a specific matter.
Processing takes place in particular for the purposes of contract performance, account allocation, handling complaints, reports or support enquiries, preventing misuse, and safeguarding the security and integrity of the platform.
The legal basis is – depending on the individual case – Article 6(1)(b), (c) or (f) of the GDPR.
In such cases, the data subject shall be informed, in accordance with Article 14 of the GDPR, of the data source, the categories of data concerned, the purposes, the legal bases and the recipients of the processing, unless a statutory exception applies.
9.2 Storage and processing
Personal data is primarily processed electronically and stored on servers within the EU or the EEA. Processing is carried out automatically or – in individual cases – manually, e.g. as part of support or audit processes.
We take appropriate technical and organisational measures to protect the data against unauthorised access, loss, destruction or alteration.
The storage period depends on the purposes of the processing and the statutory retention obligations (see Section 12 of this Privacy Policy).
9.3 Principle: No disclosure without a legal basis
Personal data will only be disclosed to third parties if:
- this is necessary for the performance of a contract with the user (Article 6(1)(b) GDPR),
- we are legally obliged to do so (Art. 6(1)(c) GDPR),
- the disclosure is necessary to safeguard our legitimate interests and no overriding interests of the user stand in the way (Art. 6(1)(f) GDPR),
- or the user has expressly consented to this (Art. 6(1)(a) GDPR).
No “sale” of personal data for the independent marketing purposes of third parties takes place without a legal basis.
9.4 Use of service providers (data processors)
We use external service providers who process personal data on our behalf and in accordance with our instructions (Art. 28 GDPR), e.g.:
- hosting and cloud providers,
- email/newsletter service providers,
- payment service providers (insofar as they act as data processors),
- technical support and maintenance service providers,
- analytics and tracking service providers (only with consent).
We enter into data processing agreements with all processors, which specifically govern data security, confidentiality and compliance with our instructions.
9.5 Independent controllers (third parties with their own responsibility)
In certain cases, data is transferred to third parties who process it under their own responsibility under data protection law, e.g.:
- payment service providers (e.g. PayPal), banks,
- tax advisers, solicitors,
- platform and cooperation partners with their own contractual relationship with the user,
- app stores (Apple, Google), where users purchase services via these platforms.
The processing by these third parties is governed by their own privacy policies.
9.6 Disclosure within group and partner structures
Where we collaborate with affiliated companies or selected partners (e.g. for technical provision, fraud prevention or billing purposes), personal data may be disclosed to them, provided that:
- this is necessary for the performance of a contract (Art. 6(1)(b) GDPR),
- or there is a legitimate interest (Art. 6(1)(f) GDPR),
- and – where necessary – appropriate safeguards are in place for any transfers to third countries (e.g. standard contractual clauses, EU-US Data Privacy Framework).
Any further use of the data by these companies for their own purposes shall only take place if there is a separate legal basis (e.g. consent).
9.7 Disclosure to authorities and for law enforcement
We may transfer personal data to authorities, courts or other public bodies if we are legally obliged to do so (Art. 6(1)(c) GDPR) or if this is necessary for the establishment, exercise or defence of legal claims (Art. 6(1)(f) GDPR).
This includes, in particular:
- requests for information from law enforcement authorities,
- cooperation in civil or administrative proceedings,
- investigation of cases of misuse or fraud.
9.8 Visibility and publication of profile data
Certain information provided by the user may – depending on settings – be visible to other users or publicly, e.g.:
- Name or profile name,
- Profile picture,
- City / region,
- Date of registration,
- Listings (e.g. in the sections ‘Found, Lost, Free, Incidents, Services, Swap’),
- Ratings, reviews, follower/subscriber numbers.
Where the user publishes content in public areas of the platform, this may also be found, stored and redistributed via search engines. Responsibility for the publication of such content lies with the user.
The user can control the visibility of certain information via the privacy settings in their user account, provided that such settings are available.
9.9 Special categories of personal data
We ask users not to publish any special categories of personal data within the meaning of Article 9 of the GDPR (e.g. information regarding health, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation).
If users nevertheless voluntarily provide such information in listings, profiles or messages, they do so at their own risk. Please note that once information has been made public, it may be viewed, copied or disseminated by third parties, and we cannot completely prevent this.
9.10 User control and consequences of non-provision
Users generally have control over what voluntary information they provide in their profile or in advertisements and what information they make available to third parties.
However, the provision of certain personal data is necessary for the use of the platform or individual functions (e.g. registration data, contact details for contract processing). Without this data, we cannot provide the relevant services, or can only do so to a limited extent.
Where processing is based on consent, this is voluntary. However, a withdrawal of consent only applies prospectively; certain functions based on consent (e.g. newsletters, personalised advertising) may then no longer be available.
§ 10 Recipients of personal data
10.1 Internal access within Suchen Technology GmbH
Within our company, only those departments and employees who require personal data to perform their duties are granted access. These include, in particular:
- Customer service and support
- Technical development/operations (IT)
- Accounting/finance
- Legal/compliance
- Product management and quality assurance
Access is granted in accordance with the “need-to-know” principle and is subject to strict internal data protection and security guidelines.
10.2 External service providers (data processors – Art. 28 GDPR)
We use carefully selected external service providers who process personal data on our behalf, e.g.:
- Hosting and cloud providers
- Email and newsletter service providers
- Technical maintenance and IT security service providers
- Payment service providers (insofar as they act as data processors)
- Analytics/tracking/marketing service providers (only with consent)
These service providers are contractually obliged:
- to process data exclusively in accordance with our instructions,
- to implement appropriate technical and organisational measures (TOMs),
- not to use the data for their own purposes.
10.3 Independent data controllers (own responsibility)
Some partners do not act as data processors but bear data protection responsibility for the processing themselves. Examples:
- Payment service providers (e.g. PayPal)
- Banks
- Solicitors, tax advisers
- App store providers (Apple, Google)
- Cooperation partners with their own contractual relationship with the user
The data protection provisions of the respective third parties apply to these processing operations.
10.4 Disclosure to advisors and auditing bodies
In individual cases, it may be necessary to disclose personal data to persons bound by professional secrecy, e.g.:
- Auditors
- Tax advisers
- Lawyers
These persons are subject to statutory confidentiality obligations and process the data exclusively for the purpose of fulfilling their advisory duties.
10.5 Disclosure to authorities and courts
We may transfer personal data to authorities or courts if we:
- are legally obliged to do so (Art. 6(1)(c) GDPR),
- or if data is required to assert, exercise or defend legal claims
(Art. 6(1)(f) GDPR).
10.6 Transfer to partner companies
Where necessary for the technically secure provision of the platform, for fraud prevention or to fulfil contractual obligations, data may be transferred to affiliated companies or technical partners. No further use for our own purposes takes place without a separate legal basis or consent.
10.7 Security measures during transmission
For every data transmission, we implement appropriate technical and organisational measures, e.g.:
- encrypted transmission channels (TLS/HTTPS),
- access controls,
- contractual guarantees (e.g. standard contractual clauses for transfers to third countries),
- regular security audits of service providers.
§ 11 Users’ rights (Data subject rights)
Users of the suchen.expert platform have – as data subjects within the meaning of the GDPR – the following rights. These may be exercised at any time via the contact channels specified in this privacy policy.
11.1 Access to one’s own data (Art. 15 GDPR)
Users can view the information they have provided themselves in their personal account. Furthermore, they have the right to receive information from us regarding all personal data processed.
11.2 Rectification and updating (Art. 16 GDPR)
Users may correct or update their personal data themselves at any time via their account. Furthermore, they may request the rectification of inaccurate data at any time.
11.3 Erasure (‘right to be forgotten’, Art. 17 GDPR)
The user may request the erasure of their personal data, provided that this is not prevented by statutory retention obligations or legitimate interests. Content that has been copied or archived by other users may not be able to be removed in full.
11.4 Restriction of processing (Art. 18 GDPR)
Under certain conditions, the user may request the restriction of the processing of their data, e.g. if its accuracy is disputed or the data is no longer required.
11.5 Data portability (Art. 20 GDPR)
Users may request to receive their personal data in a structured, commonly used and machine-readable format or to have it transferred directly to another controller.
11.6 Right to object (Art. 21 GDPR)
Users may object at any time to the processing of personal data, provided that such processing is based on Article 6(1)(f) of the GDPR (legitimate interest).
In the case of direct marketing in particular, there is an absolute right to object.
11.7 Withdrawal of consent (Art. 7(3) GDPR)
Consent given (e.g. for cookies, tracking, newsletters) may be withdrawn at any time with effect for the future. The lawfulness of the processing carried out up to the point of withdrawal remains unaffected.
11.8 Responsibility for published content
Users are personally responsible for the content they make publicly available (e.g. listings, photos, reviews). We recommend carefully considering what information is shared in publicly accessible areas.
11.9 Responsibility for account security
The user is obliged to keep their password confidential and to notify us immediately if there is any suspicion of unauthorised use of the account.
11.10 Visibility via interfaces
The user is aware that information they make publicly available is accessible to other users and, where applicable, internet users. This also includes sharing via interfaces, social media links or search engines.
11.11 No liability for third-party actions
We shall not be liable for the use or dissemination of publicly shared data by other users or third parties. Users themselves determine the visibility of their data.
§ 12 Duration of data storage and deletion of personal data
12.1 Principle: Storage only for as long as necessary
We generally process and store personal data only for as long as is necessary for the respective purposes (Art. 5(1)(e) GDPR). This also includes periods of contract initiation, the performance of a user relationship and the settlement of matters following the termination of the contract.
12.2 Statutory retention obligations
Irrespective of the purpose of processing, statutory retention obligations may require data to be stored for a longer period:
- Commercial law (Section 257 HGB): 6 years
(e.g. business correspondence, accounting documents)
- Tax law (Section 147 AO): 10 years
(e.g. books, records, invoices, tax-relevant documents)
During these periods, the data is blocked and not processed for other purposes.
12.3 Retention for legal enforcement
Data may also be stored to preserve evidence in accordance with the statutory limitation periods (Sections 194 et seq. BGB).
The standard limitation period is 3 years; in specific cases, periods of up to 30 years may apply.
12.4 Deletion upon request
Upon request, we will delete personal data without delay, provided that:
- there is no legal basis for retention,
- there are no legitimate interests in further processing (e.g. the assertion of claims),
- or the data is not required for the performance of a contract or system security.
If there are statutory retention obligations, the data will be blocked.
12.5 Regular review
We regularly review whether personal data is still required. Data for which there is no longer a purpose and which is not subject to any retention obligation will be deleted or anonymised.
12.6 Withdrawal and objection
If you exercise your right to withdraw consent (Art. 7(3) GDPR) or your right to object (Art. 21 GDPR), we will delete the relevant data unless there are compelling legitimate grounds or legal obligations to the contrary.
12.7 Deletion upon termination of the business relationship
Following the termination of a user account, personal data will be deleted as soon as:
- there are no longer any contractual or legal obligations,
- and no further claims are to be expected.
12.7a Disconnection of external login services
The disconnection of a linked external login service (e.g. Google) does not equate to the deletion of the user account.
The user account and the personal data it contains will only be deleted, blocked or anonymised as part of an account deletion in accordance with this Privacy Policy, provided that no legal retention obligations or legitimate interests prevent this.
12.7b Pseudonymised blocking and security features following account deletion
Following the deletion of a user account, personal profile data, voluntary information and publicly visible account content will be deleted, blocked or anonymised, provided that no statutory retention obligations, contractual processing purposes or legitimate interests prevent this.
However, to prevent misuse, automated mass registrations, repeated deletion and re-registration cycles, circumvention of technical safeguards, and to ensure IT and platform security, we may store pseudonymised technical blocking and security features for a limited period. These may include, in particular, hashed identifiers from external login services, hashed email addresses, times of registration and account deletion, rate-limiting events, indicators of misuse, and security-related technical log data.
This data is not used to restore the deleted profile, for advertising, or for general behavioural analysis. It serves exclusively for the prevention of misuse, system security, enforcing our Terms of Use, and preventing automated or unlawful use of the platform.
The legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest lies in protecting the platform, users and technical infrastructure from misuse, fraud, automated attacks and excessive technical load.
The retention period for these blocking and security features is limited to the extent necessary for this purpose. Insofar as a longer period is not required for the defence of legal claims, investigating misuse or fulfilling legal obligations, this data will be deleted or further anonymised upon expiry of the respective security period.
12.8 Restrictions due to backups and archiving systems
Data contained in backups can only be removed as part of regular deletion cycles. Until final deletion, this data remains blocked and is not further processed.
12.9 Notification obligations under Article 19 of the GDPR
If personal data has been deleted, rectified or restricted, we shall – where required by law – also inform recipients to whom this data has been disclosed.
12.10 Right to be forgotten (Art. 17(2) GDPR)
Where personal data has been made public and a request for erasure is made, we shall take measures, within the limits of what is technically feasible, to inform third parties processing this data of the request for erasure.
12.11 Note on data security during transmission
Data transmissions over the internet may be subject to security vulnerabilities despite comprehensive security measures. Absolute protection against access by third parties is not technically possible.
§ 13 Data security
13.1 General protective measures
We take comprehensive technical, organisational and legal measures to protect personal data against unauthorised access, loss, alteration, destruction or other security risks (Art. 32 GDPR).
13.2 Technical and organisational measures (TOM)
The measures implemented include, among others:
- Encryption of data transmission via TLS/HTTPS
- Access restrictions and role/permission concepts
- Secure password and authentication procedures
- Logging of access events
- Regular software and security updates
- Protection against malware and attacks (e.g. firewalls, anti-DDoS)
Please note that data transmissions via email may have technical security vulnerabilities. Complete protection against access by third parties is not possible.
13.3 Authorisation and login
Login to suchen.expert is carried out using the email address provided by the user.
The user is obliged to keep their login details confidential and to report any unauthorised use immediately.
13.4 Data integrity and up-to-date status
We ensure that personal data is kept complete, accurate and up to date. Users may update their data themselves at any time or request a correction (Art. 16 GDPR).
13.5 Training and Awareness
Employees who have access to personal data receive regular training on data protection and information security.
13.6 Monitoring, Audits and Incident Response
We carry out regular internal and external IT security audits. Security incidents are documented, analysed and reported to the relevant supervisory authority within 72 hours (Art. 33 GDPR). Affected users are informed where required by law (Art. 34 GDPR).
13.7 Deletion and storage management
Personal data is stored only for as long as is necessary for the purposes or as required by law (see § 12). Once the retention periods have expired, it is securely deleted or anonymised.
13.8 Data processors
Third parties who process personal data on our behalf are selected subject to strict data protection requirements and are contractually bound in accordance with Art. 28 GDPR.
13.9 Backup and recovery procedures
We create regular backups, which are stored exclusively in secure system environments. Structured recovery procedures are in place for emergencies to enable operations to resume quickly.
§ 14 Your rights as a data subject
As a data subject within the meaning of the GDPR, you are entitled to the following rights. You may exercise these rights at any time using the contact details provided in this privacy policy.
14.1 Right of access (Art. 15 GDPR)
You have the right to request information as to whether we process personal data concerning you. If this is the case, you may, in particular, request information regarding:
- the purposes of processing,
- the categories of personal data,
- the recipients or categories of recipients,
- the envisaged storage period or the criteria for determining this period,
- the origin of the data, if it was not collected from you,
- the existence of rights to rectification, erasure, restriction of processing or objection,
- the existence of a right to lodge a complaint with a supervisory authority,
- where applicable, the existence of automated decision-making, including profiling, as well as meaningful information about the logic involved and the scope of the processing,
- where applicable, appropriate safeguards in the event of transfers to third countries.
You also have the right to a copy of the personal data being processed. Legal restrictions (e.g. under Sections 34 and 35 of the BDSG) remain unaffected.
14.2 Rectification (Art. 16 GDPR)
You have the right to request the immediate rectification of inaccurate personal data or the completion of incomplete personal data. You can also update your data directly in your user account.
14.3 Erasure (‘right to be forgotten’, Art. 17 GDPR)
You may request the erasure of your personal data if one of the conditions provided for by law applies, in particular if:
- the data is no longer necessary for the purposes for which it was collected,
- you withdraw your consent and there is no other legal basis,
- you object to the processing and there are no overriding legitimate grounds,
- the data has been processed unlawfully,
- erasure is necessary to comply with a legal obligation.
The right to erasure does not apply, inter alia, where processing is necessary:
- to comply with a legal obligation,
- to establish, exercise or defend legal claims,
- for archiving, research or statistical purposes in the public interest, provided that the right to erasure would seriously impair these purposes.
14.4 Restriction of processing (Art. 18 GDPR)
You may request the restriction of processing if:
- you contest the accuracy of the data (for the duration of the verification),
- the processing is unlawful and you request restriction instead of erasure,
- we no longer require the data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims,
- you have objected to the processing pursuant to Article 21(1) of the GDPR, as long as it has not yet been established whether our legitimate grounds override yours.
In the event of restriction, the data may – apart from storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or to protect the rights of another person or for important reasons of public interest. We will inform you before the restriction is lifted.
14.5 Data portability (Art. 20 GDPR)
You have the right to receive the personal data you have provided to us and which we process on the basis of consent (Art. 6(1)(a) GDPR) or a contract (Art. 6(1)(b) GDPR) by automated means, in a structured, commonly used and machine-readable format, or – where technically feasible – to have it transmitted to another controller. This must not adversely affect the rights and freedoms of others.
14.6 Withdrawal of consent (Art. 7(3) GDPR)
You may withdraw any consent you have given us to process personal data at any time with effect for the future. The lawfulness of the processing carried out prior to the withdrawal remains unaffected. The withdrawal may be made informally, e.g. by email to the contact address provided in this statement or via the unsubscribe links provided (e.g. for the newsletter).
14.7 Right to object (Art. 21 GDPR)
a) Objection to processing based on legitimate interests
Where we process data on the basis of Art. 6(1)(f) GDPR (legitimate interest), you have the right to object at any time on grounds arising from your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
b) Objection to direct marketing
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing for the purposes of such marketing. This also applies to profiling insofar as it is related to direct marketing. In the event of an objection, we will no longer process the data for this purpose.
14.8 Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a data protection supervisory authority. In particular, you may contact the supervisory authority of your habitual residence, your place of work or the place where the alleged infringement occurred.
14.9 Contact details, form and time limits (Art. 12 GDPR)
To exercise your rights, you may contact us at any time:
Suchen Technology GmbH
Dieselstraße 11
30916 Isernhagen, Germany
Email: datenschutz@suchen.technology
We generally respond to enquiries without delay, but at the latest within one month of receipt. In complex cases, this period may be extended by a further two months; in such cases, we will inform you of the extension and the reasons within one month.
Where necessary, we may request additional information to verify your identity and ensure that rights are not asserted by third parties without authorisation. The exercise of your rights is generally free of charge. We may only charge a reasonable fee or refuse to process requests that are manifestly unfounded or excessive.
§ 15 Obligation to provide personal data
15.1 Voluntary nature and necessity
The provision of personal data is generally voluntary. However, the provision of certain data is required to use specific functions or services of suchen.expert (e.g. registration, login, communication, payment processing). Without this data, we cannot provide the relevant services, or can only do so to a limited extent.
15.2 Contractual and technical requirements
If data is necessary for the performance of a contract or for the implementation of pre-contractual measures (Art. 6(1)(b) GDPR), it is not possible to use specific platform functions without this data. This applies, for example, to:
- Creation and operation of a user account
- Contact via internal messaging functions
- Publication of advertisements
- Payment processing for paid services
15.3 Indication of voluntary information
Voluntary information is marked accordingly in the registration or profile area. It is not required, but may contribute to a better user experience or enhanced functions.
15.4 Legal obligations
For certain services, there may be a legal obligation to provide specific data (e.g. tax law requirements, commercial law documentation obligations). In such cases, we will inform you separately of the scope and consequences of non-provision.
15.5 Consequences of non-provision
If you do not provide the required data, this may result in:
- registration not being completed,
- certain functions not being available,
- enquiries not being processed,
- contracts not being performed,
- our being unable to fulfil certain legal obligations.
15.6 Automatically collected technical data
When you visit our website or use our app, certain technical data is automatically collected (e.g. IP address, browser type, operating system). This data is technically necessary in order to:
- deliver content correctly,
- ensure stability, security and system functionality,
- prevent misuse and attacks.
This technical data is only linked to other personal data if there is a legal basis for doing so or if you have given your consent.
15.7 Requirements of third-party providers
Where third-party providers (e.g. map, payment, login, analytics or communication services) are integrated into our platform, it may be necessary to transfer certain data to these providers so that the relevant function can be provided. In such cases, processing takes place on the relevant legal basis.
Where providers process the data under their own responsibility, their privacy notices apply in addition. Details regarding the purpose, legal basis, recipients and any transfers to third countries are set out in the relevant sections of this privacy policy.
§ 16 Automated decision-making and profiling
16.1 No automated decisions in individual cases
We do not use exclusively automated decision-making processes within the meaning of Art. 22 of the GDPR. Decisions that produce legal effects or could similarly significantly affect you are not made exclusively by automated means.
16.2 Profiling and pseudonymous user profiles
Where we use analytics, advertising, remarketing or personalisation services, the creation of pseudonymous user profiles and the analysis of your usage behaviour may occur, depending on your consent and the settings you have selected. Such data will only be combined with directly identifying data where there is a separate legal basis for doing so.
16.3 Purposes and legal basis
Such processing serves exclusively statistical, technical, advertising or user-related optimisation purposes. Where storage or access technologies are used on end devices for this purpose, or where personal data is processed for analysis, advertising or personalisation purposes, this is done – where necessary – exclusively on the basis of your consent in accordance with Article 6(1)(a) of the GDPR in conjunction with Section 25(1) TDDDG.
16.4 Transparency and control
Where profiling or the creation of pseudonymous user profiles is carried out on the basis of your consent, you may withdraw this consent at any time with effect for the future or adjust your settings accordingly. Further information on the services used and your options can be found in the relevant sections of this privacy policy.
§ 17 Newsletters and Direct Marketing
17.1 Subscription to the Newsletter
If you subscribe to our newsletter, we will use your email address to send you regular information about our offers, products or services. Registration takes place via a double opt-in procedure, in which you must actively confirm your email address.
17.2 Legal basis
The processing of your data for the purpose of sending the newsletter is based on your consent in accordance with Article 6(1)(a) of the GDPR.
17.3 Withdrawal
You may withdraw your consent at any time with effect for the future. This can be done, for example:
- via the unsubscribe link in every newsletter
- or by sending us a message via the contact form.
Any processing carried out up to the point of withdrawal remains lawful.
17.4 Direct marketing to existing customers
If you are already a customer, we may send you information about our own similar products or services by email even without a separate registration. The legal basis for this is Section 7(3) UWG in conjunction with Art. 6(1)(f) GDPR (legitimate interest in customer-related communication).
You may object to this use at any time without incurring any costs other than the transmission costs according to standard rates.
§ 18 Social networks and plugins
18.1 Our own social media presence
We maintain publicly accessible profiles on social networks (e.g. Facebook, Instagram, LinkedIn, YouTube).
When using these sites, the data protection provisions of the respective provider apply.
18.2 Joint controllership (Art. 26 GDPR)
Insofar as we jointly decide with platform operators on certain processing activities in the operation of our social media presence, in particular in connection with aggregated usage statistics or insights functions, this is done within the framework of joint controllership pursuant to Art. 26 GDPR.
The key provisions of the respective joint controllership agreements are provided by the platform operators. Where provided for by law, data subjects may exercise their rights both against us and against the respective platform operator.
Unless another primary contact is specified, you may initially contact us regarding data protection matters using the contact details provided in this privacy policy. This does not affect the platform operator’s own responsibility under data protection law for further processing operations.
18.3 Social plugins on our website
Our website may contain social plugins.
These are disabled by default, so that no data is initially transferred to the providers. Only when you actively click on a plugin is a connection established with the relevant network.
18.4 Legal basis
The use of social plugins is based – depending on the type – on your consent (Art. 6(1)(a) GDPR) or our legitimate interest in the user-friendly design of our online services (Art. 6(1)(f) GDPR).
§ 19 Information for minors
19.1 Services are not intended for persons under the age of 16
Our services are not intended for persons under the age of 16.
19.2 No deliberate processing
We do not knowingly collect personal data from persons under the age of 16.
19.3 Deletion of such data
Should we become aware that personal data of persons under the age of 16 has been processed without the necessary authorisation, we will delete this data immediately or restrict its processing accordingly, provided there is no legal obligation to retain it.
§ 20 Validity and amendments to this Privacy Policy
20.1 Relationship to the Terms of Use and Guidelines
This Privacy Policy supplements our Terms of Use and our Guidelines.
All documents must be read together to fully understand the use of the platform and the associated processing of personal data. In the event of any contradictions, the statutory data protection regulations (in particular the GDPR and the BDSG) shall take precedence over the other provisions.
Note:
The Privacy Policy does not form part of the contract.
It serves solely to fulfil our statutory information obligations in accordance with Art. 12–14 of the GDPR. Consent to the Privacy Policy is not required and is not sought.
Consent is only required where this is provided for by law (e.g. for cookies, tracking technologies, marketing communications or app tracking pursuant to Article 6(1)(a) of the GDPR in conjunction with Section 25 of the TDDDG). All other processing is based on the respective legal grounds specified.
20.2 Regular review
We review this privacy policy regularly and update it where legal or technical changes make this necessary.
20.3 Notification of changes
We will inform you of significant changes in an appropriate manner, e.g.:
- via notices on our website,
- by email,
- or via the user account or the app.
20.4 Validity and versions
The current version of this privacy policy is available on our website at all times.
20.5 Access to older versions
We archive previous versions of this privacy policy for documentation purposes and they can be viewed on request. You can also find the most recent valid older versions at any time via our platform in the section:
Support Service / Legal & Policies / Privacy Policy
(e.g. “Date: 20 August 2025” or “Date: 15 November 2025”).
20.6 Recommendation to review regularly
We recommend that you review the content of the Privacy Policy regularly.
20.7 Continued use following changes
Your continued use of our services following the publication of changes shall be deemed to indicate that you have taken note of the updated provisions. If you do not agree with the changes, you may cease using the services and delete your user account.