DATA PRIVACY

haebmau ag attaches great importance to the protection of your privacy and your personal data as well as the required data security and therefore collects, processes and uses your personal data exclusively in accordance with the principles described below as well as the requirements of the EU Data Protection Regulation (DSGVO) and the national data protection laws applicable to haebmau ag (Federal Data Protection Act (BDSG), Telecommunications Telemedia Data Protection Act (TTDSG)).

Content

I. Name and address of the person responsible
II. Address of the Data Protection Officer
III. Your personal data
IV. General information on data processing
V. Provision of the website and creation of log files / log files
VI. Use of cookies
VII. Communication & Events
VII.1 General contact enquiries and e-mail contact
VII.2 Career / Applications
VIII. Website Analysis & Marketing Services
VIII.1 Use of Google Tag Manager
VIII.2 Use of Google Analytics
VIII.3 Use of Google Ads
VIII.4 Use of the Facebook Pixel for our Conversion Tracking and Remarketing
IX. Plugins & Tools
IX.1 Data protection setting with Usercentrics Consent Management Platform
X. Rights of the data subject
XI. Automated decision making and profiling
XII. Links to other websites
XIII. Security
XIV. Availability and changes

I. Name and address of the person responsible

The person responsible for the operation of the haebmau.de website (hereinafter referred to as the “Website”) within the meaning of the DSGVO and other national data protection laws of the EU member states as well as other applicable data protection provisions is:

haebmau ag franz-joseph-str. 1
80801 munich, germany

Phone: +49 (0)89 381080
E-mail: kontakt@haebmau.de

represented by the Board of Directors: Christiane Stricker (hereinafter “Company”, “us” or “we”).

If you wish to object to the collection, processing or use of your data by us in accordance with this data protection declaration, either in whole or in respect of individual measures, you can send your objection by e-mail, fax or letter to the aforementioned contact details or to our Data Protection Officer. You can also obtain information about your personal data at any time and free of charge using the above contact details.

II. Address of the Data Protection Officer

You can reach the appointed data protection officer of the data controller at: BAY-Q GmbH Digital Consulting Crew
Hultschiner Street 8
81677 Munich

Email: datenschutz@haebmau.de.

III. Your personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). When visiting our website, it is not necessary for you to provide us with personal data. We only collect personal data, such as your name, telephone number, postal and e-mail address, date of birth and telephone number, if you provide it to us voluntarily or if you have consented to its collection. For the technically required data, please refer to the section “Provision of the website and creation of log files” and “Use of cookies”.

IV. General information on data processing

1. Scope of the processing of personal data

We process personal data (hereinafter also referred to as “data”) of persons concerned, i.e. of visitors to the website, via this website, insofar as this is necessary to provide a functional website and our content and services. The processing of personal data of our users is generally only carried out after the user has given his or her consent to the processing. An exception applies in cases where the processing of data is permitted by legal regulations, required for the fulfilment of a contract or is technically necessary.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Art. 6 (1) lit. a DSGVO serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is required for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) lit. c DSGVO serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Art. 6 (1) lit. d DSGVO serves as the legal basis.

If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) lit. f DSGVO serves as the legal basis for the processing.

The storage of information in the terminal equipment of a data subject or the access to information already stored in the terminal equipment shall only take place on the basis of the consent of the data subject pursuant to Section 25 (1) TTDSG, unless the storage of information in the terminal equipment of the data subject or the access to information already stored in the terminal equipment by us is absolutely necessary (Section 25 (2) TTDSG) in order to provide the desired telemedia service to the data subject.

3. Data deletion and storage period

The personal data of the data subject shall be deleted or blocked as soon as the purpose of the storage ceases to apply. Storage may also take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the person responsible is subject. Blocking of further data processing or deletion of data also takes place if a legally prescribed storage period expires, unless there is a need for further storage of the data for the fulfilment of a contract.

V. Provision of the website and creation of log files / log files

1. Description and scope of data processing

In the case of mere informational use of the website, we only collect the personal data that your browser transmits to our server or provider and that is technically necessary for the purpose of displaying our website to you and ensuring its stability and security.

We have contracted the company Incsub LLC, PO Box 548 #88100 Birmingham, AL 35201, USA (hereinafter “Incsub”) for the hosting and technical provision of our website. We have concluded the required data protection agreement with Incsub for commissioned processing in accordance with Art. 28 DSGVO with valid standard contractual clauses. According to this agreement, Incsub undertakes to ensure the necessary protection of your data and to process it in accordance with the applicable data protection provisions exclusively on our behalf and in accordance with our instructions. You can find more information about Incsub on the website: https://incsub.com/.

The following data in log files are processed by Incsub for the hosting of the website:

(1) the type and version of browser used (if you have consented to transmission within your browser settings),
(2) the operating system of the user,
(3) Date and time of the server request,

(4) the domain of the accessed website,
(5) the status code of the website accessed and the amount of data transferred,
(6) the user’s internet service provider,
(7) the number of visits to the website,
(8) the anonymised IP address of the users.

The data ((1) – (8)) is stored on servers hosted in Germany by Incsub on our behalf. Incsub uses this information for the specified purpose on our behalf. There is no independent use of the data by Incsub and no unauthorised disclosure to third parties. This data is not stored together with other personal data of the user.

4. Legal basis for data processing

The legal basis for the temporary storage of the data and the log files as well as the involvement of technical hosting providers is Art. 6 para. 1 lit. f DSGVO.

5. Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the end device used by the user. For this purpose, the user’s IP address must be processed for the duration of the session.

All of the above information ((1) – (8)) is stored in log files in order to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the necessary security of our information technology systems. An evaluation of the data for marketing purposes does not take place.

6. Duration of storage

The IP addresses of the users are alienated as soon as they are no longer required to achieve the purpose of their collection. This is the case when the information is stored in log files or protocol files by shortening the IP address (anonymisation). It is then no longer possible to identify the calling client. The log files are stored on our web server for seven days.

7. Possibility of objection and removal

In principle, the user has the option to object to the processing of personal data under the conditions of Art. 21 DSGVO. The objection can be made at any time via the contact data under I. and II. The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, the user has no de facto possibility to object.

VI. Use of cookies

1. Description and scope of data processing

We use cookies to make your visit to our website more attractive. Cookies are small text files that are stored on your terminal device and enable us to recognise your browser, among other things. With the help of cookies, we can improve the comfort and quality of the services provided on the respective website. Cookies are also used to analyse and market the use of the website in an anonymous form. Some of the cookies we use are deleted after the end of your browser session, i.e. after you close your browser (so-called “session cookies”). Other cookies remain on your terminal device during their respective validity period (see below) and enable us to recognise your browser on your next visit.

When our website is called up, we inform website visitors by means of an information text about the use of cookies (technically necessary, analysis and marketing) and have technically set up the consent required by data protection law for the setting of cookies for which consent is necessary. With the exception of technically necessary cookies, consent must always be given in advance for cookies to be set on your end device. The user is also referred to this data protection declaration via the cookie banner. For further information on our consent banner, please refer to the section “Data protection settings with Usercentrics Consent Management Platform”. A list of the cookies we use, including their purpose and validity period per category (technically necessary, analysis and marketing) can be found at any time in our cookie banner and our data protection settings.

2. Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 para. 1 lit. f) DSGVO. The setting of technically necessary cookies is carried out in accordance with
§ 25 para. 2 (2) TTDSG.

The legal basis for the processing of personal data using cookies for statistical or marketing purposes or for storing preferences, based on your given consent via the cookie banner or our data protection settings, is Art. 6 para. 1 lit. a) DSGVO. The cookies are set on the basis of your consent pursuant to Section 25 (1) TTDSG.

3. Purpose of the data processing

The purpose of using technically necessary cookies is to enable you to use our websites. Some functions on our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change. The user data collected through technically necessary cookies are not used to create user profiles.

The use of the statistics and marketing cookies is for the purpose of improving the quality of our website and its content on the basis of your present consent. Through the cookies, we learn how the website is used and can thus constantly optimise our offer.
For information on the purpose of cookies for statistical or marketing purposes and on the storage of your preferences, please refer to the information provided under “Website analysis & marketing services” and “Plugins and tools”.

4. Duration of storage, possibility of objection and elimination

Cookies are stored on the user’s terminal device and transmitted from this to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically.

In addition, we offer you the option of changing the settings made via our cookie banner at any time or revoking your consent for the future via the link to the data protection settings (“fingerprint icon at the bottom left of the screen”) on our website. It is also possible to use our offers without optional cookies. However, this may lead to certain restrictions in the functions and user-friendliness of our offers on the website. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

VII. Communication & Events

VII.1 General contact enquiries and e-mail contact

1. Description and scope of data processing

Our website offers contact via a telephone number and e-mail address for our customers, business partners and interested parties. In all cases, the personal data transmitted by the user via these channels is stored for the purpose of contacting the user. The scope of the personal data processed and which personal data is processed in each individual case may vary. This includes in particular the following data:

(1) Your salutation;
(2) Your first and last name;
(3) Your communication data (e-mail address, telephone number);
(4) Your address data (street, postcode, city);
(5) Details of your company;
(6) resulting correspondence (message – suggestions, questions, criticism or requests).

If you provide us with further personal data as part of your contact enquiry, this will be treated as strictly confidential and will only be made available to the employees who are entrusted with processing your enquiry.

Your data or the resulting correspondence will be processed exclusively by us. The data will not be passed on to third parties. The data is used exclusively for the conversation initiated by the user in order to contact you by telephone, post or e-mail regarding your enquiry.

2. Legal basis for data processing

The legal basis for the processing of data transmitted in the course of contacting us is Art. 6 para. 1 lit. a and f DSGVO. If the contact by the user is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 (1) (b) DSGVO.

3. Purpose of the data processing

The processing of personal data within the scope of contacting us or from the input mask serves us solely to process the contact. This also constitutes the necessary legitimate interest in the processing of the data.

4. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For the personal data sent in the context of contacting the user, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified.

5. Possibility of objection, revocation and removal

The user has the possibility at any time to revoke his consent to the processing of personal data or to object to the processing of his data. If the user contacts us by e-mail, he or she can revoke / object to the storage of his or her personal data at any time. In such a case, the conversation cannot be continued.

All personal data stored in the course of contacting us will be deleted in this case.

VII.2 Career / Applications

1. Description, purpose and scope of data processing

If you apply to us, the application data you provide us with (e.g. contact and communication data, application documents, CV, certificates and any records made as part of the application process) will be processed exclusively for the purpose of carrying out the application process, insofar as this is necessary for the decision on an employment relationship. Within the scope of the application process, your application data is only accessible to the person responsible for personnel or the employee responsible for disciplinary matters. Your data will not be passed on to third parties.

2. Legal basis for data processing

Based on your voluntary sending of an application, the legal basis is Art. 6 para. 1 lit. a and b DSGVO in conjunction with. § 26 para. 1 p. 1 BDSG.

3. Duration of storage

We store your data as long as this is necessary to achieve the respective storage purpose,
i.e. until the respective application procedure has been completed. If your application is rejected, the data you have provided will generally be deleted after six months. This does not apply if you h a v e expressly consented in writing to longer storage in accordance with Art. 6 Para. 1 lit. a DSGVO, i . e. if we would like to use your application documents for future applications.

If we were to store job advertisements for which your profile might fit, we would do so for a maximum of 24 months after obtaining your express consent.

4. Possibility of objection and removal

The applicant has the option to revoke his/her consent to the processing of personal data at any time. The revocation can be made at any time via the contact data under I. or II. or by e-mail to jobs@haebmau.de. All personal data stored in the course of your application will be deleted in this case.

VIII. Website Analysis & Marketing Services

We use analysis and marketing services and offers from third-party providers on our website for the evaluation and analysis of your use of our website and for advertising & retargeting. In the process, personal data is often passed on to the third-party providers involved or analysed automatically. The type, scope and purpose of this processing of personal data are listed and explained below:

VIII.1 Use of Google Tag Manager

1. Description and scope of data processing

This website uses the Google Tag Manager, a service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (hereinafter “Google”). This service can be used to manage website tags. The Google Tag Manager only implements tags. No cookies are used and no personal data is collected within the tags. The Google Tag Manager triggers tags, which in turn may collect data. The Google Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.

Each time the Google Tag Manager is called up, a direct connection is established between your browser and a Google server (usually to a Google server in the USA). In the process, information about your visit and your IP address is processed on Google’s server. The temporary storage of the IP address by the system is necessary to enable the delivery of the functions of the Google Tag Manager.
We have concluded the Data Processing Addendum (as defined in Article 28 DSGVO with EU standard contractual clauses) with Google, in which Google undertakes to protect our users’ data and to process it exclusively on our behalf in accordance with the applicable data protection provisions. In addition, Google is certified in accordance with the Data Privacy Framework. You can find proof of this in the list of US companies voluntarily certified under this framework. Further information on data processing by Google can be found in Google’s privacy policy at https://poli- cies.google.com/privacy?hl=en&gl=en/.

2. Legal basis for data processing

The legal basis for the processing of personal data using the Google Tag Manager is Art. 6 (1) lit. f DSGVO in conjunction with. § 25 (2) (2) TTDSG.

3. Possibility of objection and removal

In principle, the user has the option to object to the processing of personal data under the conditions of Art. 21 DSGVO. The objection can be made at any time via the contact details under I. and II. The collection of data for the provision of the website is absolutely necessary for the operation of the website. Consequently, the user has no de facto possibility to object.

VIII.2 Use of Google Analytics

1. Description and scope of data processing

We have integrated functions of the web analytics service Google Analytics 4 (GA4) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on our website using the Google Tag Manager. Google Analytics uses so-called “cookies” or “third party cookies”. These are text files that are stored on your computer or the end device you are using (tablet, smartphone, etc.) and which enable an analysis of your use of our website (see section “Use of cookies”). You can find a list of the cookies used by Google Analytics, including their purpose and validity period, at any time in our cookie banner or our privacy settings. The cookies are set exclusively on the basis of your consent.

The features provided in the website analytics service enable Google to associate data, sessions and interactions across multiple devices with an anonymised user ID and thus analyse the activities of an anonymised user across devices and websites.

The information generated by the cookie about your use of this website (including your IP address) will also be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Due to the activation of IP anonymisation on our website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission in order to exclude a direct personal reference. Outside the European Union or the European Economic Area, IP anonymisation is not set up by Google’s system.

We have concluded the Data Processing Addendum (as defined in Article 28 DSGVO with EU standard contractual clauses) with Google, in which Google undertakes to protect our users’ data and to process it exclusively on our behalf in accordance with the applicable data protection provisions. In addition, Google is certified in accordance with the Data Privacy Framework. You can find proof of this in the list of US companies voluntarily certified under this framework. Further information on data processing by Google can be found in Google’s privacy policy at https://poli- cies.google.com/privacy?hl=en&gl=en/.

More information on how Google Analytics handles user data can be found, for example, in Google’s privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

2. Purpose and legal basis for data processing

The legal basis for the processing of personal data using cookies for statistical and marketing purposes is based on your consent in this regard via the data protection settings or our cookie banner Art. 6 para. 1 lit. a DSGVO. The cookies from Google are set exclusively on the basis of your consent in accordance with Section 25 (1) TTDSG.

The information obtained through the use of Google Analytics is used in particular to better understand the use of our website and to improve its content, functionality and findability. As the operator of the website, we have an interest in analysing your user behaviour in order to improve both our offer and its performance. The aforementioned processing purposes are therefore also in our legitimate interest (Art. 6 para. 1 lit. f DSGVO), should anonymised information be forwarded to Google based on your consent.

3. Duration of storage

Sessions are terminated after 30 minutes of no activity and campaigns are terminated after six months. The time limit for campaigns can be a maximum of 14 months.

4. Possibility of revocation, objection and removal

You can object to the collection, storage and use of information by Google at any time with effect for the future via the following channels:

a) You can object by installing the deactivation add-on provided by Google. You can find more information on this at https://tools.google.com/dlpage/gaoptout?hl=de.
b) Alternatively, you can prevent the storage of cookies set by Google by selecting the appropriate settings on your browser software.
c) You can revoke your consent to the collection of your data by Google Analytics at any time by deactivating the slider in our privacy settings. You can access the data protection settings at any time by clicking on the fingerprint icon at the bottom left of each sub-page. However, we would like to point out that in the event of deactivation or opt-out, you may not be able to use all functions of the website to their full extent.

VIII.3 Use of GoogleAds

1. Description and scope of data processing

We use the online advertising programme “Google Ads” of the provider Google Ireland Limited, Gordon
House, Barrow Street, Dublin 4, Ireland (“Google”), for the purpose of using advertising tools (so- called “Ads”) to draw attention to our offers on third-party websites. We can determine how successful the individual advertising measures are in relation to the data of the advertising campaigns. In this way, we pursue the interest of showing you advertising that is of interest to you, of making our website more interesting for you and of achieving a fair calculation of advertising costs.

These advertisements are delivered by Google via so-called “ad servers”. For this purpose, we use ad server cookies, which can be used to measure certain parameters for measuring success, such as the display of ads or clicks by users. If you access our shop via a Google ad, Google will store cookies on your PC. These cookies are not intended to identify you personally and lose their validity after 30 days. As a rule, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are stored as analysis values. A list of the cookies used by Google, including their purpose and validity period, can be found at any time in our cookie banner or our privacy settings. Cookies are set exclusively on the basis of your consent.

The cookies enable Google to recognise the browser you are using. If a user visits certain pages of an Ads customer’s website and the cookie stored on their computer has not yet expired, Google and the customer can recognise that the user has clicked on the ad and been redirected to this page. A different cookie is assigned to each Google Ads customer. Cookies can therefore not be tracked via the websites of Google Ads customers.

We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. Based on these evaluations, we can see which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising media; in particular, we cannot identify the users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of Ads Conversion, Google receives the information that you have called up the corresponding part of our website or clicked on an ad from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address.

For Information From Google to GoogleAds Convesion: https://ads.google.com/intl/de_de/home/faq/gdpr/

In addition to GoogleAds Conversion, we also use Ads Remarketing. This is a procedure with which we would like to address you again. Through this application, you can be shown our advertisements when you continue to use the internet after visiting our website. This is done by means of cookies stored in your browser, which are used by Google to record and evaluate your usage behaviour when visiting various websites. In this way, Google can determine your previous visit to our website. A combination of the data collected in the context of remarketing with your personal data, which may have been collected by

According to Google’s own statements, no data is stored by Google. In particular, according to Google, pseudonymisation is used for remarketing.

For Google’s information on GoogleAds Remarketing: https://support.google.com/google- ads/answer/9028179?hl=en.

The data collected by Google is made available to us in aggregated statistics. Here, we learn the total number of users who clicked on their ad and were redirected to a page marked with the Google Ads. This information is used by us to create conversion statistics and Custom Audiences and to evaluate these as well. We would like to point out that we do not provide Google with any data for the purpose of carrying out a Custom Audiences process.

2. Purpose and legal basis for data processing

It is important for us to make our website attractive and to increase the interaction with our visitors with the help of this service. We use the advertising and marketing services, in particular the use of Google Ads, for our conversion tracking and remarketing. We use the statistics provided by Google via the GoogleAds service exclusively for performance measurement of our advertisements in order to measure the success of specific marketing measures.

The legal basis for the processing of personal data using cookies for marketing purposes is based on your consent in this regard via the data protection settings or our cookie banner Art. 6 para. 1 lit. a DSGVO. The cookies from Google are set exclusively on the basis of your consent in accordance with Section 25 (1) TTDSG.

3. Duration of storage

We will delete the information provided to us by Google after six months at the latest.

4. Possibility of revocation, objection and removal

You can object to the collection, storage and use of information by Google at any time with effect for the future via the following channels:

c) You can revoke your consent to the collection of your data by Google Ads at any time by deactivating the slider in our privacy settings. You can access the data protection settings at any time by clicking on the fingerprint icon at the bottom left of each sub-page. However, we would like to point out that in the event of deactivation or opt-out, you may not be able to use all the functions of the website to their full extent.

VIII.4 Use of the Facebook Pixel for our Conversion Tracking and Remarketing

1. Description and scope of data processing

We use the online advertising programme “Facebook Business” and, as part of Facebook Busi- ness, the Facebook Pixel. The Facebook Pixel in Facebook Business is an analytics service provided by Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are a resident of the EU, Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; (hereinafter collectively “Facebook”). Facebook has provided corresponding regulations for joint processing within the meaning of Article 26 of the GDPR: https://www.facebook.com/le- gal/terms/page_controller_addendum.

Via the built-in pixel and your visit to our website, a direct connection (call is made via Facebook Connect) is established between your browser and a Facebook server. Facebook collects the following information via the connection: Your browser type, your end device, the website accessed and, for example, the effect of a Facebook ad and stores this in cookies, which are stored on your end device. Facebook makes the fact that this information is processed transparent in its privacy policy. We have no influence on the data and data processing procedures collected by Facebook, nor is the full extent of the data collection, the purposes of the processing and the storage periods known. We use the Facebook Pixel and the information generated in this way for a cost-benefit analysis and to optimise our Facebook ads. Facebook provides anonymised statistical evaluations for this purpose.

When you click on an ad placed by Facebook, a cookie for the Facebook Pixel is stored on your respective end device. You can find more information on cookies at
“Use of cookies”. A list of the cookies used by Facebook, including their purpose and validity period, can be found at any time in our cookie banner or our data protection settings. Cookies are set exclusively on the basis of your consent.

If you visit certain web pages on our website and the cookie has not yet expired, Facebook and we can recognise that you have clicked on one of our ads on Facebook and have been redirected to that page. Each Facebook Business customer receives a different pixel. Therefore, there is no way that cookies can be tracked across Facebook Business customers’ websites. The data collected by Facebook using the pixel is made available to us in aggregated statistics. This tells us the total number of users who clicked on their ad and were redirected to a page with a Facebook pixel. This information is used to create conversion statistics as well as Custom Audiences or Look-Alike Audiences and to evaluate these as well. We would like to point out that we do not provide Facebook with any data for carrying out a Custom Audiences process and do not carry out any list matching.

If you are logged in to Facebook with your profile, Facebook can link the information obtained via the pixel to your profile. Further information on data processing can be found in Facebook’s data protection information at http://www.facebook.com/policy and on the Facebook pixel at https://www.facebook.com/business/learn/facebook-ads-pixel.

2. Purpose and legal basis for data processing

It is important for us to make our website attractive and to increase the interaction with our visitors using the service. We use our advertising and marketing services, in particular the use of the Facebook Pixel, for our conversion tracking and remarketing. With the help of the Facebook Pixel, a cost-benefit analysis of Facebook ads placed and the optimisation of our ad placement is possible. The processing, i.e. the activation of the pixel as well as the setting and evaluation of information stored in cookies, takes place exclusively on the basis of your consent given via our cookie banner or our data protection settings for the use of retargeting or advertising tracking (Art. 6 para. 1 lit. a DSGVO). Google’s cookies are set exclusively on the basis of your consent in accordance with Section 25 (1) of the German Data Protection Act (TTDSG).

3. Possibility of revocation, objection and removal

You can revoke or object to the collection, storage and use of information by the Facebook pixel at any time with effect for the future via the following channels:

a) You can deactivate the storage of cookies through corresponding settings or set your browser so that you are notified as soon as cookies are set. To do this, you must change the necessary settings in the browser menus Preferences or Options. We would like to point out that some areas of our website may then no longer function properly, i.e. only to a limited extent.
b) You can object to the creation of user profiles for registered Facebook users by contacting Facebook directly to exercise this. As a Facebook member, you can edit your Facebook settings at https://www.facebook.com/settings?tab=ads and object to the collection of data using Facebook pixels. In addition, we would like to point out that you can prevent an allocation to your profile by logging out of your respective social media profile before visiting the website and additionally deleting the cookies used by the social media channel.
If you do not have a Facebook account, you can deactivate usage-based advertising from Facebook on the website of the European Interactive Digital Advertising Alliance: http://www.youronlinechoices.com/de/praferenzmanagement/.
c) You can revoke your consent to the collection of your data by Facebook at any time by deactivating the slider in our privacy settings. You can access the data protection settings at any time by clicking on the fingerprint icon at the bottom left of every sub-page. However, we would like to point out that in the event of deactivation or opt-out, you may not be able to use all functions of the website to their full extent.

IX. Plugins & Tools

We use extensions, plug-ins and offers from third-party providers on our website to ensure a uniform presentation of the website and to display social media content. In the process, personal data is often passed on to the third-party providers or transmitted automatically. The type, scope and purpose of this processing of personal data are listed and explained below:

IX.1 Data protection setting with Usercentrics Consent Management Platform

1. Description and scope of data processing

The website uses the services of Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany (hereinafter “Usercentrics”) for the provision of a consent management platform (in short: “CMP”) or a cookie banner, i.e. a system which manages the use of third-party providers, technical measures as well as cookies via a granted or rejected consent.

We, or our service provider trio-group, have concluded the data protection agreement with Usercentrics for commissioned processing in accordance with Art. 28 DSGVO. According to this agreement, Usercentrics undertakes to ensure the necessary protection of your data and to process it in accordance with the applicable data protection provisions exclusively on our behalf and in accordance with our instructions. Further information on Usercentrics can be found on the website: https://usercentrics.com/de/.

Usercentrics processes the following data for the provision and management of the CMP:

(1) Your IP address, which is anonymised when collected by Usercentrics, as well as further information on the end device used,
(2) Date and time of your visit to our website or time of consent,
(3) Information on the browser used and the browser version,
(4) Information about the accessed website (Refferer URL)
(5) Your given consents or individual data protection settings (opt-in and opt-out data, banner language, template version, consent type) incl. a randomly selected anonymous ID (Consent ID).

and uses both the local memory (also called local storage) on your end device and the setting of cookies to store this information locally in your browser. The data is also stored on cloud servers hosted by Usercentrics in the European Union (Frankfurt am Main and Brussels). The retention period is the period of time during which the data processed by the CMP is stored for the purpose of consent management. The consent data (consent given and withdrawal of consent) is kept for three years. Within this period, no new consent is required, unless new systems are introduced or due to legal or regulatory frameworks, it is necessary to obtain new consent. For further information on data processing by Usercentrics, please refer to the Usercentrics privacy policy at https://user- centrics.com/privacy-policy/.

2. Legal basis and purpose of data processing

The purpose of data processing by Usercentrics is to provide and manage the consents given by our website visitors in order to comply with a data protection compliant consent management. The use of Usercentrics serves the purpose of providing evidence of granted and non-granted consent as well as managing the individual data protection settings of our website visitors. The processing is carried out for the purpose of obtaining the website visitor’s consent, providing revocation and objection options, providing evidence of the consent received (time of consent, end device used) and identifying the user for the management of their individual data protection settings.

The use of a consent management platform as well as the management and storage of your consent to the processing of your personal data is based on our legal obligation to provide a data protection- compliant website (Art. 6 para. 1 lit. c DSGVO) ) in conjunction with § 26 TTDSG. § 26 TTDSG. The legal basis for the use of the service provider Usercentrics is also Art. 6 para. 1 lit. f DSGVO. Our legitimate interest lies in the legally secure documentation and verifiability of consent as well as the control of our analysis campaigns on the basis of your consent through the use of specialised processors and the associated technical implementation.

3. Possibility of objection and removal

In principle, the user has the option to object to the processing of personal data under the conditions of Art. 21 DSGVO. The objection can be made at any time via the contact details under I. and II. The processing of the data for the provision of a CMP solution is absolutely necessary for the operation of the website. The user has no right of objection as long as we have a legal obligation to obtain the user’s consent to certain data processing operations.

X. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller or the person responsible:

Right to information

You may request confirmation from the controller as to whether personal data relating to you is being processed by us.
If such processing has taken place, you can request the following information from the controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data which are processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage duration;
(5) the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
(6) the existence of a right of appeal to a supervisory authority;

You have the right to request information on whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards in accordance with Article 46 of the GDPR in connection with the transfer.

To exercise your right to free information, please contact us directly using the contact details in our imprint or contact our data protection officer (see sections I and II).

Right of rectification

You have a right of rectification and/or completion vis-à-vis the controller if the personal data processed concerning you are inaccurate or incomplete. The controller shall carry out the rectification without undue delay.

Right to restrict processing

You can request the restriction of the processing of your personal data under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse the erasure of the personal data and request the restriction of the use of the personal data instead;
(3) the controller no longer needs the personal data for the purposes of processing, but you need them for the assertion, exercise or defence of legal claims, or
(4) if you have objected to the processing pursuant to Art. 21 (1) DSGVO and it has not yet been determined whether the legitimate grounds of the controller outweigh your grounds.
Where the processing of personal data relating to you has been restricted, such data may be processed, with the exception of storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

Right to erasure

a) Obligation to delete

You may request the controller to delete the personal data concerning you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:
(1) The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent on which the processing is based pursuant to Art. 6 (1) lit. a and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Art. 21 (1) DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) DSGVO.
(4) The personal data concerning you has been processed unlawfully.
(5) The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
(6) The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8(1) DSGVO.

b) Information to third parties

If the controller has made the personal data relating to you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers who process the personal data that you, as the data subject, have requested that they erase all links to, or copies or replications of, that personal data.

c) Exceptions

The right to erasure does not exist insofar as the processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for the assertion, exercise or defence of legal claims.

Right to information

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate this rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that
(1) the processing is based on consent pursuant to Art. 6 para. 1 lit. a DSGVO and

(2) the processing is carried out with the aid of automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Article 6(1)(e) or (f) DSGVO.

In addition, you have the right to object at any time to the processing of your personal data for direct marketing purposes; this also applies to profiling insofar as it is associated with such direct marketing.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Right to revoke the declaration of consent under data protection law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

The data protection authority responsible for us is the Bavarian State Office for Data Protection Supervision, home address, Promenade 18, 91522 Ansbach, Germany, postal address: Postfach 1349, 91504 An- sbach, Germany, further information on the Internet at www.lda.bayern.de.

XI. Automated decision making and profiling

As a responsible company, we do not carry out profiling or use automatic decision-making.

XII. Links to other websites

This data protection declaration applies exclusively to the haebmau.de website. The Internet pages on this website may contain links to Internet pages of our brands and products or third parties. Our data protection declaration does not extend to these Internet pages. When you leave the haebmau.de website, we recommend that you carefully read the privacy policy of each and every website that collects personal data.

XIII. Security

We take the necessary security measures to protect your personal data against unlawful or accidental access, deletion, alteration or loss and against unauthorised disclosure. We encrypt your data during transmission via our website and use so-called SSL (Secure Socket Layer) or TLS (Transport Layer Security) connections. We secure our website and our other systems and personal data through appropriate technical and organisational measures, in particular against loss, destruction, unauthorised access, modification or disclosure to third parties.

XIV. Availability and changes

You can view this privacy statement at https://www.haebmau.de/datenschutz. In addition, you can save or print this data protection declaration by using the corresponding functions of your browser.

We reserve the right to change this privacy policy from time to time or to adapt it to legal requirements and therefore ask you to check the current privacy policy each time you visit our website.

Version: October 2023

kontakt@haebmau.de

BüroOffice Berlin
Rosenthaler Str. 52
10178 Berlin
T +49 30 72 62 080

Showroom Berlin
Rosenthaler Str. 51
10178 Berlin

Büro MünchenOffice Munich
Franz-Joseph-Str. 1
80801 MünchenMunich
T +49 89 381 080

Showroom MünchenMunich
Franz-Joseph-Str. 1
80801 MünchenMunich

kontakt@haebmau.de

Büro München
Franz-Joseph-Str. 1
80801 München
T +49 89 381 080

Showroom München
Franz-Joseph-Str. 1
80801 München

Büro MünchenOffice Munich
Franz-Joseph-Str. 1
80801 München MünchenMunich
T +49 89 381 080

Showroom MünchenMunich
Franz-Joseph-Str. 1
80801 MünchenMunich

Kontakt

kontakt@haebmau.de

Büro Berlin

Büro Berlin
Rosenthaler Str. 52
10178 Berlin
T +49 30 72 62 080

Büro München

Büro München
Franz-Joseph-Str. 1
80801 München
T +49 89 381 080

Showroom

Showroom München
Franz-Joseph-Str. 1
80801 München

Showroom Berlin
Rosenthaler Str. 51
10178 Berlin

Contact

kontakt@haebmau.de

Office Berlin

Office Berlin
Rosenthaler Str. 52
10178 Berlin
T +49 30 72 62 080

Office Munich

Office Munich
Franz-Joseph-Str. 1
80801 Munich
T +49 89 381 080

Showroom

Showroom Munich
Franz-Joseph-Str. 1
80801 Munich

Showroom Berlin
Rosenthaler Str. 51
10178 Berlin