IMPRINT
Information according to § 5 DDG
SU SKIN GmbH
Owner: Susann Herdegen
Wilhelmstr. 9
53111 Bonn
Germany
Contact
Tel.: +49 163 5021 328
E-Mail: info@subeauty.de
Website: www.subeauty.de
Legal form
Limited liability company
Authorized Managing Director: Susann Herdegen
Register court: District Court / Commercial Register Bonn
Registration number: HRB 28531
Tax number: 205/5745/2614
VAT identification number according to § 27a of the Sales Tax Act: DE348479328
Responsible for the content according to § 55 para. 2 RStV
SU SKIN GmbH
Susann Herdegen
Wilhelmstr. 9
53111 Bonn
Germany
Copyright
The content and works on these pages created by the site operators are subject to German copyright law. Duplication, processing, distribution and any type of exploitation outside the limits of copyright law require the written consent of the respective author or creator. Downloads and copies of this page are only permitted for private, non-commercial use.
Alternative dispute resolution according to Art. 14 para. 1 ODR-VO and § 36 VSBG
The European Commission provides a platform for online dispute resolution (ODR), which you can find at https://ec.europa.eu/consumers/.
We are neither obliged nor willing to participate in a dispute resolution procedure before a consumer arbitration board.
DATA PROTECTION
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
Status: August 22, 2024
Table of Contents
Preamble
Controller
Overview of Processing
Relevant Legal Bases
Security Measures
Transfer of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Business Services
Business Processes and Procedures
Providers and Services Used in the Course of Business Activities
Payment Procedures
Provision of the Online Offer and Web Hosting
Use of Cookies
Special Notes on Applications (Apps)
Obtaining Applications via App Stores
Registration, Login, and User Account
Community Functions
Single Sign-On Login
Blogs and Publication Media
Contact and Inquiry Management
Communication via Messenger
Push Notifications
Video Conferences, Online Meetings, Webinars, and Screen Sharing
Cloud Services
Newsletters and Electronic Notifications
Promotional Communication via Email, Mail, Fax, or Phone
Surveys and Questionnaires
Web Analysis, Monitoring, and Optimization
Online Marketing
Customer Reviews and Evaluation Procedures
Social Network Presences (Social Media)
Plugins and Embedded Functions and Content
Management, Organization, and Support Tools
Application Procedures
Changes and Updates
Definition of Terms
Controller
SU SKIN GmbH
Susann Herdegen
Wilhelmstr. 9
53111 Bonn
Germany
Email Address: info@subeauty.de
Phone: 0163 5021 328
Legal Notice: https://www.subeauty.de/impressum-datenschutz
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.
Types of Data Processed
- Inventory data
- Payment data
- Location data
- Contact data
- Content data
- Contract data
- Usage data
- Meta, communication, and procedural data
- Applicant data
- Image and/or video recordings
- Audio recordings
- Contact information (Facebook)
- Event data (Facebook)
- Log data
- Creditworthiness data
Categories of Data Subjects
- Service recipients and clients
- Interested parties
- Communication partners
- Users
- Applicants
- Members
- Business and contractual partners
- Education and course participants
- Participants
- Depicted persons
- Customers
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations
- Communication
- Security measures
- Direct marketing
- Reach measurement
- Tracking
- Office and organizational procedures
- Conversion measurement
- Target group formation
- Organizational and administrative procedures
- Application procedure
- Feedback
- Surveys and questionnaires
- Marketing
- Profiles with user-related information
- Registration procedures
- Provision of our online offer and user-friendliness
- Assessment of creditworthiness
- IT infrastructure
- Financial and payment management
- Public relations
- Sales promotion
- Business processes and economic procedures
Relevant Legal Bases
Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations in your or our country of residence or business location may apply in addition to the GDPR. If more specific legal bases are applicable in individual cases, we will inform you of them in the privacy policy.
- Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual measures at the request of the data subject.
- Legal obligation (Art. 6(1)(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
- Application procedure as a pre-contractual or contractual relationship (Art. 6(1)(1)(b) GDPR) – If special categories of personal data (e.g., health data, such as disability status or ethnic origin) are requested from applicants during the application process so that the controller or the data subject can exercise rights arising from labor law and social security law, their processing takes place under Art. 9(2)(b) GDPR, or in case of protection of vital interests, under Art. 9(2)(c) GDPR, or for purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, health or social care, or the management of health or social care systems under Art. 9(2)(h) GDPR. If special categories of data are voluntarily provided, their processing is based on Art. 9(2)(a) GDPR.
National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG), which contains specific regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of individual federal states may apply.
Note on the applicability of the GDPR and Swiss DPA: These data protection notices serve both for information under the Swiss DPA and the GDPR. Therefore, please note that the terms of the GDPR are used due to broader geographic application and comprehensibility. In particular, instead of the terms used in the Swiss DPA such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. The legal meaning of the terms under Swiss law remains unaffected.
Security Measures
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the systems holding the data and electronic access to the data itself, as well as by controlling its input, disclosure, availability, and separation. We also have procedures in place to ensure data subject rights, data deletion, and responses to data compromise. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures according to the principles of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS encryption (still commonly referred to as SSL). Transport Layer Security (TLS) is the successor of Secure Sockets Layer (SSL); all SSL versions are obsolete, and current connections rely on TLS. The protocol encrypts the information exchanged between the website or app and the user's browser (or between two servers) and protects it against eavesdropping and tampering while in transit. It secures the transport path only; the data is decrypted again at the server that receives it. When a website is secured by a TLS certificate, the browser displays HTTPS in the address bar, indicating to users that the connection is encrypted and that the server has presented a certificate the browser accepted.
Transfer of Personal Data
In the context of our processing of personal data, it may happen that data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. These recipients may include IT service providers or providers of services and content embedded in a website. In such cases, we observe legal requirements and conclude appropriate contracts or agreements to protect your data.
Data Transfer Within the Organization:
Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate business and economic interests or is necessary for the fulfillment of our contractual obligations, or if consent or legal authorization is given.
International Data Transfers
Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or processing takes place in the context of using third-party services or disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with legal requirements. If the data protection level in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only occur if the data protection level is otherwise guaranteed, in particular through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or if the transfer is necessary for contractual or legal reasons (Art. 49(1) GDPR). We inform you of the basis of the third-country transfer for each relevant third-party provider, giving priority to adequacy decisions. Information on third-country transfers and adequacy decisions can be found on the EU Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
EU-US Trans-Atlantic Data Privacy Framework:
Under the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain US companies as secure by adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the US Department of Commerce’s website: https://www.dataprivacyframework.gov/ (in English). We inform you in our data protection notices which of our service providers are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal requirements as soon as the underlying consent is revoked or no other legal grounds for the processing exist. This applies in cases where the original purpose of the processing no longer exists or the data is no longer needed. Exceptions exist if legal obligations or specific interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or data necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy notices include additional information on the retention and deletion of data that apply specifically to certain processing procedures.
If there are multiple statements on retention duration or deletion periods for certain data, the longest period always applies.
If a period does not explicitly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the period begins...
Information According to Art. 13 GDPR
Responsible Entity / Contact Details of the Controller
[Insert your company name and address here]
Email: [Insert your email]
Phone: [Insert your phone number]
Data Categories / Personal Data Processed
We process the following categories of personal data:
- Inventory data (e.g., name, address)
- Contact data (e.g., email address, phone number)
- Content data (e.g., text entries, photos, videos)
- Usage data (e.g., websites visited, interest in content, access times)
- Meta/communication data (e.g., device information, IP addresses)
Categories of Data Subjects
We process data of the following persons:
- Customers and prospects
- Participants of events or training courses
- Users of online offers
- Business partners and service providers
- Newsletter subscribers
- Job applicants
Purposes of Processing
We process the data for the following purposes:
- Provision of contractual services
- Customer care and support
- Answering contact inquiries and communication
- Security measures
- Reach measurement/marketing
- Organization of events and webinars
- Job application process
Legal Basis of Processing
We process personal data based on the following legal grounds according to the GDPR:
- Art. 6(1)(a) GDPR – Consent
- Art. 6(1)(b) GDPR – Contractual performance or pre-contractual measures
- Art. 6(1)(c) GDPR – Legal obligation
- Art. 6(1)(f) GDPR – Legitimate interests (e.g., optimization of our offer)
Disclosure to Third Parties
Data is only disclosed to third parties if:
- It is necessary for the fulfillment of a contract
- It is based on your consent
- There is a legal obligation to do so
- It is based on our legitimate interest (e.g., use of service providers)
Transfer to Third Countries
A transfer to third countries (outside the EU/EEA) only occurs if:
- It is necessary for the fulfillment of our contractual obligations
- You have given your consent
- It is required by law
- Adequate safeguards exist (e.g., standard contractual clauses)
Duration of Storage
We store personal data only as long as necessary for the respective purpose or until the legal retention obligations have expired.
Your Rights
You have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
Obligation to Provide Data
There is no general obligation to provide personal data. However, certain data is necessary for the performance of the contract or use of the services.
Automated Decision-Making / Profiling
Automated decision-making or profiling does not take place.
Special Notes on Data Processing in the Context of Our Services
1. Educational and Training Services (Online Courses, Coaching, etc.)
We process participant data (e.g., registration data, usage behavior in learning platforms) to carry out and improve our educational services.
2. Coaching and Consulting
Personal data from coaching sessions (e.g., notes, and session recordings made with consent) is processed confidentially and stored only with explicit consent.
3. E-Commerce and Online Shops
In the context of orders, we process personal data such as address and payment data to fulfill the contract.
4. Events and Webinars
When registering for events, we process your data (name, contact data) for the organization and execution. This may also include the use of video conferencing systems (e.g., Zoom).
5. Marketing and Newsletter
We use your data for marketing purposes only with your consent or under the conditions of legitimate interest (e.g., existing customer advertising). You can unsubscribe at any time.
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
Status: August 22, 2024
Table of Contents
Preamble
Controller
Overview of Processing
Relevant Legal Bases
Security Measures
Transfer of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Business Services
Business Processes and Procedures
Providers and Services Used in the Course of Business Activities
Payment Procedures
Provision of the Online Offer and Web Hosting
Use of Cookies
Special Notes on Applications (Apps)
Obtaining Applications via App Stores
Registration, Login, and User Account
Community Functions
Single Sign-On Login
Blogs and Publication Media
Contact and Inquiry Management
Communication via Messenger
Push Notifications
Video Conferences, Online Meetings, Webinars, and Screen Sharing
Cloud Services
Newsletters and Electronic Notifications
Promotional Communication via Email, Mail, Fax, or Phone
Surveys and Questionnaires
Web Analysis, Monitoring, and Optimization
Online Marketing
Customer Reviews and Evaluation Procedures
Social Network Presences (Social Media)
Plugins and Embedded Functions and Content
Management, Organization, and Support Tools
Application Procedures
Changes and Updates
Definition of Terms
Controller
SU SKIN GmbH
Susann Herdegen
Wilhelmstr. 9
53111 Bonn
Germany
Email Address: info@subeauty.de
Phone: 0163 5021 328
Legal Notice: https://www.subeauty.de/impressum-datenschutz
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.
Types of Data Processed
-
Inventory data
-
Payment data
-
Location data
-
Contact data
-
Content data
-
Contract data
-
Usage data
-
Meta, communication, and procedural data
-
Applicant data
-
Image and/or video recordings
-
Audio recordings
-
Contact information (Facebook)
-
Event data (Facebook)
-
Log data
-
Creditworthiness data
Categories of Data Subjects
-
Service recipients and clients
-
Interested parties
-
Communication partners
-
Users
-
Applicants
-
Members
-
Business and contractual partners
-
Education and course participants
-
Participants
-
Depicted persons
-
Customers
Purposes of Processing
-
Provision of contractual services and fulfillment of contractual obligations
-
Communication
-
Security measures
-
Direct marketing
-
Reach measurement
-
Tracking
-
Office and organizational procedures
-
Conversion measurement
-
Target group formation
-
Organizational and administrative procedures
-
Application procedure
-
Feedback
-
Surveys and questionnaires
-
Marketing
-
Profiles with user-related information
-
Registration procedures
-
Provision of our online offer and user-friendliness
-
Assessment of creditworthiness
-
IT infrastructure
-
Financial and payment management
-
Public relations
-
Sales promotion
-
Business processes and economic procedures
Relevant Legal Bases
Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations in your or our country of residence or business location may apply in addition to the GDPR. If more specific legal bases are applicable in individual cases, we will inform you of them in the privacy policy.
-
Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
-
Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual measures at the request of the data subject.
-
Legal obligation (Art. 6(1)(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
-
Legitimate interests (Art. 6(1)(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
-
Application procedure as a pre-contractual or contractual relationship (Art. 6(1)(1)(b) GDPR) – If special categories of personal data (e.g., health data, such as disability status or ethnic origin) are requested from applicants during the application process so that the controller or the data subject can exercise rights arising from labor law and social security law, their processing takes place under Art. 9(2)(b) GDPR, or in case of protection of vital interests, under Art. 9(2)(c) GDPR, or for purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, health or social care, or the management of health or social care systems under Art. 9(2)(h) GDPR. If special categories of data are voluntarily provided, their processing is based on Art. 9(2)(a) GDPR.
National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG), which contains specific regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of individual federal states may apply.
Note on the applicability of the GDPR and Swiss DPA: These data protection notices serve both for information under the Swiss DPA and the GDPR. Therefore, please note that the terms of the GDPR are used due to broader geographic application and comprehensibility. In particular, instead of the terms used in the Swiss DPA such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. The legal meaning of the terms under Swiss law remains unaffected.
Security Measures
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, disclosure, availability, and separation of the data. We also have procedures in place to ensure data subject rights, data deletion, and responses to data compromise. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures according to the principles of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the foundations of secure data transmission on the Internet. These technologies encrypt the information exchanged between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, serving as an indicator to users that their data is securely and encryptedly transmitted.
Transfer of Personal Data
In the context of our processing of personal data, it may happen that data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. These recipients may include IT service providers or providers of services and content embedded in a website. In such cases, we observe legal requirements and conclude appropriate contracts or agreements to protect your data.
Data Transfer Within the Organization:
Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate business and economic interests or is necessary for the fulfillment of our contractual obligations, or if consent or legal authorization is given.
International Data Transfers
Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or processing takes place in the context of using third-party services or disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with legal requirements. If the data protection level in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only occur if the data protection level is otherwise guaranteed, in particular through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or if the transfer is necessary for contractual or legal reasons (Art. 49(1) GDPR). We inform you of the basis of the third-country transfer for each relevant third-party provider, giving priority to adequacy decisions. Information on third-country transfers and adequacy decisions can be found on the EU Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
EU-US Trans-Atlantic Data Privacy Framework:
Under the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain US companies as secure by adequacy decision dated 10.07.2023. The list of certified companies and further information on the DPF can be found on the US Department of Commerce’s website: https://www.dataprivacyframework.gov/ (in English). We inform you in our data protection notices which of our service providers are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal requirements as soon as the underlying consent is revoked or no other legal grounds for the processing exist. This applies in cases where the original purpose of the processing no longer exists or the data is no longer needed. Exceptions exist if legal obligations or specific interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or data necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy notices include additional information on the retention and deletion of data that apply specifically to certain processing procedures.
If there are multiple statements on retention duration or deletion periods for certain data, the longest period always applies.
If a period does not explicitly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the period begins...
Information According to Art. 13 GDPR
Responsible Entity / Contact Details of the Controller
[Insert your company name and address here]
Email: [Insert your email]
Phone: [Insert your phone number]
Data Categories / Personal Data Processed
We process the following categories of personal data:
-
Inventory data (e.g., name, address)
-
Contact data (e.g., email address, phone number)
-
Content data (e.g., text entries, photos, videos)
-
Usage data (e.g., websites visited, interest in content, access times)
-
Meta/communication data (e.g., device information, IP addresses)
Categories of Data Subjects
We process data of the following persons:
-
Customers and prospects
-
Participants of events or training courses
-
Users of online offers
-
Business partners and service providers
-
Newsletter subscribers
-
Job applicants
Purposes of Processing
We process the data for the following purposes:
-
Provision of contractual services
-
Customer care and support
-
Answering contact inquiries and communication
-
Security measures
-
Reach measurement/marketing
-
Organization of events and webinars
-
Job application process
Legal Basis of Processing
We process personal data based on the following legal grounds according to the GDPR:
-
Art. 6(1)(a) GDPR – Consent
-
Art. 6(1)(b) GDPR – Contractual performance or pre-contractual measures
-
Art. 6(1)(c) GDPR – Legal obligation
-
Art. 6(1)(f) GDPR – Legitimate interests (e.g., optimization of our offer)
Disclosure to Third Parties
Data is only disclosed to third parties if:
-
It is necessary for the fulfillment of a contract
-
It is based on your consent
-
There is a legal obligation to do so
-
It is based on our legitimate interest (e.g., use of service providers)
Transfer to Third Countries
A transfer to third countries (outside the EU/EEA) only occurs if:
-
It is necessary for the fulfillment of our contractual obligations
-
You have given your consent
-
It is required by law
-
Adequate safeguards exist (e.g., standard contractual clauses)
Duration of Storage
We store personal data only as long as necessary for the respective purpose or until the legal retention obligations have expired.
Your Rights
You have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
- Right to withdraw consent (Art. 7(3) GDPR)
Obligation to Provide Data
There is no general obligation to provide personal data. However, certain data is necessary for the performance of the contract or use of the services.
Automated Decision-Making / Profiling
Automated decision-making or profiling does not take place.
Special Notes on Data Processing in the Context of Our Services
1. Educational and Training Services (Online Courses, Coaching, etc.)
We process participant data (e.g., registration data, usage behavior in learning platforms) to carry out and improve our educational services.
2. Coaching and Consulting
Personal data from coaching sessions (e.g., notes, session recordings with consent) are processed confidentially and stored only with explicit consent.
3. E-Commerce and Online Shops
In the context of orders, we process personal data such as address and payment data to fulfill the contract.
4. Events and Webinars
When registering for events, we process your data (name, contact data) for the organization and execution. This may also include the use of video conferencing systems (e.g., Zoom).
5. Marketing and Newsletter
We use your data for marketing purposes only with your consent or under the conditions of legitimate interest (e.g., existing customer advertising). You can unsubscribe at any time.
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").
The terms used are not gender-specific.
Status: August 22, 2024
Table of Contents
Preamble
Controller
Overview of Processing
Relevant Legal Bases
Security Measures
Transfer of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Business Services
Business Processes and Procedures
Providers and Services Used in the Course of Business Activities
Payment Procedures
Provision of the Online Offer and Web Hosting
Use of Cookies
Special Notes on Applications (Apps)
Obtaining Applications via App Stores
Registration, Login, and User Account
Community Functions
Single Sign-On Login
Blogs and Publication Media
Contact and Inquiry Management
Communication via Messenger
Push Notifications
Video Conferences, Online Meetings, Webinars, and Screen Sharing
Cloud Services
Newsletters and Electronic Notifications
Promotional Communication via Email, Mail, Fax, or Phone
Surveys and Questionnaires
Web Analysis, Monitoring, and Optimization
Online Marketing
Customer Reviews and Evaluation Procedures
Social Network Presences (Social Media)
Plugins and Embedded Functions and Content
Management, Organization, and Support Tools
Application Procedures
Changes and Updates
Definition of Terms
Controller
SU SKIN GmbH
Susann Herdegen
Wilhelmstr. 9
53111 Bonn
Germany
Email Address: info@subeauty.de
Phone: 0163 5021 328
Legal Notice: https://www.subeauty.de/impressum-datenschutz
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.
Types of Data Processed
- Inventory data
- Payment data
- Location data
- Contact data
- Content data
- Contract data
- Usage data
- Meta, communication, and procedural data
- Applicant data
- Image and/or video recordings
- Audio recordings
- Contact information (Facebook)
- Event data (Facebook)
- Log data
- Creditworthiness data
Categories of Data Subjects
- Service recipients and clients
- Interested parties
- Communication partners
- Users
- Applicants
- Members
- Business and contractual partners
- Education and course participants
- Participants
- Depicted persons
- Customers
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations
- Communication
- Security measures
- Direct marketing
- Reach measurement
- Tracking
- Office and organizational procedures
- Conversion measurement
- Target group formation
- Organizational and administrative procedures
- Application procedure
- Feedback
- Surveys and questionnaires
- Marketing
- Profiles with user-related information
- Registration procedures
- Provision of our online offer and user-friendliness
- Assessment of creditworthiness
- IT infrastructure
- Financial and payment management
- Public relations
- Sales promotion
- Business processes and economic procedures
Relevant Legal Bases
Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations in your or our country of residence or business location may apply in addition to the GDPR. If more specific legal bases are applicable in individual cases, we will inform you of them in the privacy policy.
- Consent (Art. 6(1)(1)(a) GDPR) – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual inquiries (Art. 6(1)(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take pre-contractual measures at the request of the data subject.
- Legal obligation (Art. 6(1)(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
- Application procedure as a pre-contractual or contractual relationship (Art. 6(1)(1)(b) GDPR) – If special categories of personal data (e.g., health data, such as disability status or ethnic origin) are requested from applicants during the application process so that the controller or the data subject can exercise rights arising from labor law and social security law, their processing takes place under Art. 9(2)(b) GDPR, or in case of protection of vital interests, under Art. 9(2)(c) GDPR, or for purposes of preventive or occupational medicine, assessment of working capacity, medical diagnosis, health or social care, or the management of health or social care systems under Art. 9(2)(h) GDPR. If special categories of data are voluntarily provided, their processing is based on Art. 9(2)(a) GDPR.
National Data Protection Regulations in Germany: In addition to the GDPR, national data protection regulations apply in Germany. These include, in particular, the Federal Data Protection Act (BDSG), which contains specific regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases including profiling. Furthermore, state data protection laws of individual federal states may apply.
Note on the applicability of the GDPR and Swiss DPA: These data protection notices serve to provide information under both the Swiss DPA and the GDPR. Please note, therefore, that the terms of the GDPR are used because of their broader geographic application and for comprehensibility. In particular, instead of the terms used in the Swiss DPA such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the GDPR terms “processing” of “personal data” as well as “legitimate interest” and “special categories of data” are used. The legal meaning of the terms under Swiss law remains unaffected.
Security Measures
We take appropriate technical and organizational measures to ensure a level of security appropriate to the risk in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the access, input, disclosure, availability, and separation of the data. We also have procedures in place to ensure data subject rights, data deletion, and responses to data compromise. Furthermore, we consider the protection of personal data during the development or selection of hardware, software, and procedures according to the principles of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the foundations of secure data transmission on the Internet. These technologies encrypt the information exchanged between the website or app and the user’s browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure successor of SSL, ensures that all data transmissions comply with the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, which signals to users that their data is transmitted securely and in encrypted form.
Transfer of Personal Data
In the context of our processing of personal data, it may happen that data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or persons. These recipients may include IT service providers or providers of services and content embedded in a website. In such cases, we observe legal requirements and conclude appropriate contracts or agreements to protect your data.
Data Transfer Within the Organization:
Data transfer within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to it. If the data transfer is for administrative purposes, it is based on our legitimate business and economic interests or is necessary for the fulfillment of our contractual obligations, or if consent or legal authorization is given.
International Data Transfers
Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU) and the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies, this is done only in accordance with legal requirements. If the data protection level in the third country is recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only occur if the data protection level is otherwise guaranteed, in particular through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or if the transfer is necessary for contractual or legal reasons (Art. 49(1) GDPR). We inform you of the basis of the third-country transfer for each relevant third-party provider, giving priority to adequacy decisions. Information on third-country transfers and adequacy decisions can be found on the EU Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de
EU-US Trans-Atlantic Data Privacy Framework:
Under the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain US companies as secure by adequacy decision dated 10.07.2023. The list of certified companies and further information on the DPF can be found on the US Department of Commerce’s website: https://www.dataprivacyframework.gov/ (in English). We inform you in our data protection notices which of our service providers are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal requirements as soon as the underlying consent is revoked or no other legal grounds for the processing exist. This applies in cases where the original purpose of the processing no longer exists or the data is no longer needed. Exceptions exist if legal obligations or specific interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons or data necessary for legal prosecution or the protection of the rights of other natural or legal persons must be archived accordingly.
Our privacy notices include additional information on the retention and deletion of data that applies specifically to certain processing procedures.
If there are multiple statements on retention duration or deletion periods for certain data, the longest period always applies.
If a period does not explicitly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the period begins...