Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as "Online Offer").

The terms used are not gender-specific.

Last updated: March 16, 2025

Table of Contents

  • Preamble

  • Data Controller

  • Overview of Data Processing

  • Legal Bases for Processing

  • Security Measures

  • General Information on Data Storage and Deletion

  • Business Services

  • Provision of the Online Offer and Web Hosting

  • Contact and Inquiry Management

  • Newsletters and Electronic Notifications

  • Presence on Social Networks (Social Media)

  • Plug-ins and Embedded Features and Content

Data Controller

Sabine Zoltnere Photography
 Immanuelkirchstr. 36
10405 Berlin, Germany

Email: hello@studiosoftberlin.com
Impressum: https://www.studiosoftberlin.com/impressum

Overview of Data Processing

The following overview summarizes the types of data we process, the purposes of their processing, and the affected data subjects.

Types of Processed Data

  • Master data (e.g., names, addresses)

  • Payment data

  • Location data

  • Contact details

  • Content data

  • Contract data

  • Usage data

  • Metadata, communication, and procedural data

  • Log data

Categories of Affected Persons

  • Customers and clients

  • Interested parties

  • Communication partners

  • Users

  • Business and contract partners

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations

  • Communication

  • Direct marketing

  • Audience measurement

  • Office and organizational procedures

  • Conversion tracking

  • Organizational and administrative procedures

  • Server monitoring and error detection

  • Feedback collection

  • Providing our online services and user experience improvements

  • IT infrastructure management

  • Public relations

  • Business processes and economic procedures

Legal Bases for Processing

Relevant Legal Bases under the GDPR

Below is an overview of the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the GDPR, national data protection regulations may apply in your or our country of residence or business location. If specific legal bases apply in individual cases, we will inform you of them in this privacy policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.

  • Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to carry out pre-contractual measures at the data subject’s request.

  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary to comply with a legal obligation to which the data controller is subject.

  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, provided that such interests do not override the fundamental rights and freedoms of the data subject requiring the protection of personal data.

National Data Protection Regulations in Germany

In addition to the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission of data, as well as automated decision-making in individual cases, including profiling. Furthermore, data protection laws of individual German federal states may apply.

Notice on the Applicability of GDPR and Swiss FADP

This privacy notice serves to provide information in accordance with both the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For clarity and broader applicability, we use the terminology of the GDPR. Specifically, instead of the terms used in the Swiss FADP, such as "processing" of "personal data," "overriding interest," and "particularly sensitive personal data," we use the corresponding GDPR terms: "processing" of "personal data," "legitimate interest," and "special categories of data." However, within the scope of the Swiss FADP, the legal meaning of these terms remains determined by Swiss law.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, context, and purpose of processing, as well as varying likelihoods and severity of risks to the rights and freedoms of natural persons.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as managing data access, entry, transmission, availability, and separation. Additionally, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to data breaches. We also take data protection into account in the development and selection of hardware, software, and processes, in accordance with the principle of privacy by design and default.

General Information on Data Storage and Deletion

We delete personal data in accordance with legal requirements as soon as the underlying consent is revoked or there are no longer any legal bases for processing. This applies when the original processing purpose no longer exists or the data is no longer needed.

Exceptions to this rule apply if:

  • Legal obligations require the retention of data for a longer period.

  • Specific interests justify longer storage or archiving, such as legal claims or the protection of the rights of third parties.

Retention and Deletion of Data

Certain data must be archived in accordance with commercial or tax laws or for legal enforcement and protection purposes. Our privacy policy contains additional information on data retention and deletion specific to certain processing activities.

If multiple retention periods apply to the same data, the longest period is always binding.

  • If a retention period does not begin on a specific date and lasts at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred.

  • In the case of ongoing contractual relationships, the triggering event is the termination or expiration of the legal agreement.

If data is no longer required for its original purpose but must be stored for legal reasons, it will only be processed for those specific purposes.

Retention and Archiving Periods Under German Law

The following general retention periods apply under German law:

  • 10 years – Retention of books, records, annual financial statements, inventories, management reports, opening balance sheets, and other organizational documents required for understanding them.
    (§ 147 (1) No. 1 in conjunction with (3) AO, § 14b (1) UStG, § 257 (1) No. 1 in conjunction with (4) HGB)

  • 8 years – Retention of accounting documents, such as invoices and cost receipts.
    (§ 147 (1) No. 4 and 4a in conjunction with (3) sentence 1 AO, § 257 (1) No. 4 in conjunction with (4) HGB)

  • 6 years – Retention of other business documents, including received and sent business letters, tax-relevant documents, payroll records (unless considered accounting records), and cash register receipts.
    (§ 147 (1) No. 2, 3, 5 in conjunction with (3) AO, § 257 (1) No. 2 and 3 in conjunction with (4) HGB)

  • 3 years – Data required for the handling of potential warranty or compensation claims, or other contractual claims, will be stored for the statutory limitation period of three years.
    (§§ 195, 199 BGB)

Business Services

We process data from our contractual and business partners, such as customers and interested parties (collectively referred to as "contractual partners"), in the context of contractual and similar legal relationships, as well as related measures and communication with contractual partners (including pre-contractual interactions), such as responding to inquiries.

We use this data to fulfill our contractual obligations. This includes, in particular, the obligation to provide agreed services, fulfill any update obligations, and address warranty claims or other service-related issues. Additionally, we process the data to protect our rights and for administrative tasks associated with these obligations, as well as corporate organization. Furthermore, we process data based on our legitimate interest in ensuring proper and economically efficient business operations and implementing security measures to protect our contractual partners and our business from misuse, threats to their data, confidentiality, information, and rights (e.g., involving telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or financial authorities).

In compliance with applicable laws, we only disclose data from contractual partners to third parties when necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners will be informed of any further data processing, such as for marketing purposes, within this privacy policy.

We inform contractual partners about the data required for these purposes before or during data collection, for example, in online forms, through special markings (e.g., colors) or symbols (e.g., asterisks), or in person.

We delete the data after the expiration of statutory warranty and comparable obligations, typically after four years, unless the data is stored in a customer account or must be retained for legal reasons (e.g., for tax purposes, generally ten years). Data disclosed to us as part of an assignment by the contractual partner is deleted in accordance with legal requirements and typically at the end of the assignment.

Processed Data Categories:

  • Basic Data: Full name, residential address, contact details, customer number, etc.

  • Payment Data: Bank details, invoices, payment history.

  • Contact Data: Postal and email addresses, telephone numbers.

  • Contract Data: Contract details, duration, customer category.

Affected Individuals:

  • Service recipients and clients.

  • Interested parties.

  • Business and contractual partners.

Purposes of Processing:

  • Provision of contractual services and fulfillment of contractual obligations.

  • Communication.

  • Office and organizational procedures.

  • Business and economic processes.

Retention and Deletion:

  • Data is deleted as specified under "General Information on Data Storage and Deletion."

Legal Basis:

  • Contract fulfillment and pre-contractual inquiries (Article 6(1)(b) GDPR).

  • Legal obligations (Article 6(1)(c) GDPR).

  • Legitimate interests (Article 6(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

Agency Services:

We process customer data as part of our contractual services, which may include conceptual and strategic consulting, campaign planning, software and design development, maintenance, campaign execution, process handling, server administration, data analysis, consulting, and training services.

Legal Basis: Contract fulfillment and pre-contractual inquiries (Article 6(1)(b) GDPR).

Event Management:

We process the data of participants in events, activities, and similar engagements (collectively referred to as "participants" and "events") to enable their participation and provide related services.

If we process health-related, religious, political, or other sensitive data categories in this context, this is done either as part of the public nature of the event (e.g., topic-specific events), for health and safety reasons, or with the participant’s explicit consent.

Required information is marked accordingly in orders, registrations, or similar agreements and includes details necessary for service delivery, billing, and communication. If we gain access to data concerning end customers, employees, or other individuals, we process it in accordance with legal and contractual regulations.

Legal Basis: Contract fulfillment and pre-contractual inquiries (Article 6(1)(b) GDPR).

Online Services and Web Hosting

We process users’ data to provide our online services. This includes processing the user's IP address, which is necessary to deliver online content and functionalities to their browser or device.

Processed Data Categories:

  • Usage Data: Page visits, time spent on pages, click paths, usage frequency and intensity, device types, operating systems, interactions with content and features.

  • Meta, Communication & Procedural Data: IP addresses, timestamps, identification numbers, involved individuals.

  • Log Data: Login records, data retrieval logs, access times.

  • Content Data: Text or image messages, posts, and related information (e.g., author details, creation timestamps).

Affected Individuals: Users (e.g., website visitors, online service users).

Purposes of Processing:

  • Provision of online services and user experience.

  • IT infrastructure (operation and maintenance of IT systems and devices).

  • Audience measurement (e.g., visitor statistics, identifying returning users).

  • Conversion tracking (measuring marketing effectiveness).

  • Server monitoring and error detection.

Retention and Deletion: As specified under "General Information on Data Storage and Deletion."

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).

Additional Notes on Processing, Procedures, and Services:

  • Hosting Online Services on Rented Storage Space: We utilize third-party server space, computing power, and software for hosting our online services.
    Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).

  • Email Sending and Hosting: Our web hosting services include sending, receiving, and storing emails. Email addresses, sender and recipient details, transmission data, and email content are processed for these purposes. This data may also be processed to detect spam.
    Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).

  • Squarespace: We use Squarespace’s software-as-a-service for website creation and hosting.
    Service Provider: Squarespace Ireland Ltd., Dublin, Ireland.
    Legal Basis: Legitimate interests (Article 6(1)(f) GDPR).
    Privacy Policy: Squarespace Privacy Policy.

Contact and Inquiry Management

When individuals contact us (e.g., by mail, contact form, email, phone, or social media) and in the context of existing business relationships, we process their information to respond to inquiries and handle any related measures.

Processed Data Categories:

  • Basic Data: Name, address, contact details, customer number.

  • Contact Data: Email addresses, phone numbers.

  • Content Data: Messages, posts, associated information (e.g., author details, timestamps).

  • Usage Data: Page visits, time spent on pages, click paths, frequency, device types, interactions with content.

  • Meta, Communication & Procedural Data: IP addresses, timestamps, identification numbers.

Affected Individuals: Communication partners.

Purposes of Processing:

  • Communication.

  • Organizational and administrative processes.

  • Feedback collection.

  • Providing online services and enhancing user experience.

Retention and Deletion: As specified under "General Information on Data Storage and Deletion."

Legal Basis:

  • Legitimate interests (Article 6(1)(f) GDPR).

  • Contract fulfillment and pre-contractual inquiries (Article 6(1)(b) GDPR).

Newsletter and Electronic Notifications

We send newsletters, emails, and other electronic notifications (collectively referred to as "newsletters") only with recipient consent or based on legal grounds.

Data Processing for Newsletters:

  • Basic Data: Name, address, contact details, customer number.

  • Contact Data: Email addresses, phone numbers.

  • Meta & Communication Data: IP addresses, timestamps, identification numbers.

  • Usage Data: Page visits, reading behavior, device types.

Legal Basis: Consent (Article 6(1)(a) GDPR).

Opt-Out: You can unsubscribe from our newsletter at any time via the unsubscribe link at the bottom of each newsletter or by contacting us.

Presences in Social Networks (Social Media)
 We maintain online presences within social networks and process user data in this context to communicate with active users or provide information about us.
Please note that user data may be processed outside the European Union. This may result in risks for users, such as difficulties in enforcing user rights.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage behavior and resulting user interests may be used to create user profiles. These profiles may then be used to display advertisements within and outside of networks, which are presumed to align with the users' interests. Therefore, cookies are typically stored on users' devices to track their behavior and interests. Additionally, data can be stored in user profiles regardless of the devices they use (particularly if they are members of the respective platforms and logged in).
For a detailed representation of the respective processing activities and opt-out options, we refer to the privacy policies and information of the platform operators.
Even in the case of requests for information and the assertion of rights by data subjects, we point out that these can be most effectively asserted with the providers. Only the providers have access to user data and can take direct measures and provide information. If you still need assistance, you can contact us.

  • Processed data types: Contact data (e.g., postal and email addresses or phone numbers); Content data (e.g., textual or visual messages and posts, including associated information such as authorship or creation time); Usage data (e.g., page views, time spent, click paths, frequency and intensity of use, device types and operating systems used, interactions with content and functions).

  • Affected individuals: Users (e.g., website visitors, online service users).

  • Purposes of processing: Communication; feedback (e.g., collecting feedback via online forms); public relations.

  • Storage and deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion".

  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing processes, procedures, and services:

  • Instagram: Social network allowing sharing of photos and videos, commenting and favoriting posts, sending messages, and subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).

Plugins and Embedded Functions as well as Content
 We integrate functional and content elements into our online offering that are sourced from the servers of their respective providers (hereafter referred to as "third-party providers"). These may include graphics, videos, or maps (hereafter referred to as "content").
Integration always requires that the third-party providers of this content process users' IP addresses, as they would not be able to send the content to their browsers without the IP address. The IP address is necessary for the presentation of this content or functions. We strive to only use content where the respective providers apply the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can evaluate information such as visitor traffic on this website. The pseudonymous information may also be stored in cookies on users' devices and contain technical details about the browser and operating system, referring websites, visit times, and additional information about the use of our online offerings, which may also be linked with information from other sources.
Notes on legal bases: If we request users' consent for the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, cost-effective, and user-friendly services). In this context, we would also like to draw your attention to the information regarding the use of cookies in this privacy policy.

  • Processed data types: Usage data (e.g., page views and time spent, click paths, frequency and intensity of use, device types and operating systems used, interactions with content and functions); Meta, communication, and process data (e.g., IP addresses, time stamps, identification numbers, involved persons); Location data (information about the geographical position of a device or person).

  • Affected individuals: Users (e.g., website visitors, users of online services).

  • Purposes of processing: Provision of our online offering and user-friendliness.

  • Storage and deletion: Deletion according to the information in the section "General Information on Data Storage and Deletion". Storage of cookies for up to 2 years (unless otherwise specified, cookies and similar storage methods can be stored on users' devices for a period of up to two years).

  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further notes on processing processes, procedures, and services:

  • Google Fonts (from Google server): Fonts (and symbols) are sourced to ensure a technically secure, maintenance-free, and efficient use of fonts and symbols regarding updates and load times, uniform display, and consideration of possible licensing restrictions. The provider of the fonts is informed of the user's IP address so that the fonts can be provided in the user's browser. Additionally, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for providing the fonts depending on the devices and technical environment. This data may be processed on the font provider's server in the USA. When visiting our online offering, users' browsers send HTTP requests to the Google Fonts Web API. The Google Fonts Web API provides users with the cascading style sheets (CSS) of Google Fonts and the fonts specified in the CSS.

  • Google Maps: We integrate the maps from the service "Google Maps" provided by Google. Processed data may include IP addresses and location data of users. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Privacy policy: https://policies.google.com/privacy.

Created with the free privacy generator by Dr. Thomas Schwenke.