Privacy Policy

1. Contact Information

1.1 Data Controller

The data controller responsible for data processing on this website and the services described herein is:

marbis GmbH
Griesbachstraße 10
76185 Karlsruhe

You can contact our customer service ([email protected]) or our data protection team ([email protected]) at any time. Please note that incoming emails may be read by personnel other than our Data Protection Officer.

1.2 Data Protection Officer

You may also contact our Data Protection Officer directly by postal mail at the above address (e.g., marked "Data Protection Officer") or by email at [email protected].

2. Definitions

• Analytics: Collection, evaluation, and interpretation of data about website visitors' behavior. Typically includes information such as visitor numbers, duration of stay, popular pages, geographical origin of visitors, and other demographic data.
• Conversion Tracking: Collection and evaluation of visitor interaction with content. It measures whether visitors perform actions on a website after viewing specific content or interacting with it in a particular way. Conversion tracking helps us understand the effectiveness of our marketing campaigns.
• Cookies: Information stored on the end device, consisting of a name, a value (ID), the storing domain, and an expiration date. Session cookies (e.g., PHPSESSID) are deleted after the session. Persistent cookies are deleted after a specified expiration date. Cookies can be manually removed.
• Events: Specific actions performed by users on a website, such as logging into a user account, clicking on links, or placing an order.
• JavaScript: Embedded or called programming codes (scripts) on the website, which can set cookies or actively capture information from the end device or about the users' behavior.
• Retargeting / Remarketing: Advertising technique where users who have previously visited a website or accessed specific products or services are recognized and targeted with personalized advertising.
• (Tracking-)Pixel: Tiny graphic that allows user recognition and measures activities like opening an email or visiting a website.
• Web Storage (Local Storage / Session Storage): Information stored on the end device consisting of a name and a value. Information in session storage is deleted after the session. Information in local storage remains stored unless a deletion mechanism is implemented (e.g., storing local storage with a time entry). Information in web storage can also be manually removed.

3. Data processing on our website

3.1 Website Access / Connection Data

Every time you access our website, we collect connection data that your browser automatically transmits to enable your visit. This connection data includes:

• Access status/HTTP status code;
• Accessed pages (date, time, URL, title);
• Information in cookies/web storage;
• IP address;
• Data volume transmitted;
• Referrer URL (previously visited page);
• Time zone difference to Greenwich Mean Time (GMT); and
• Technical information (operating system, browser type, version, language, device type, brand, model, resolution).

The legal basis for processing is Article 6(1)(b) GDPR if the page access is for initiating or executing a contract, otherwise Article 6(1)(f) GDPR. The legitimate interest is to enable website access and ensure the long-term functionality of our systems.

Access to information on the end device is performed according to Section 25(2) TTDSG.

3.2 Access Logs / Authentication and Authorization Data

To ensure the functionality and security of our IT systems, we log website access and store connection data, including the IP address used during login attempts (login IP) and other data necessary for verifying the authenticity of users and data (e.g., authentication tokens).

The legal basis for processing is Article 6(1)(f) GDPR. Our legitimate interest is to effectively prevent and investigate cyber-attacks and fraud attempts.

Authentication, authorization, and connection data are stored in access logs and deleted once they are no longer required to protect our legitimate interests. The retention period for investigating certain types of cyber-attacks or fraud attempts is typically 120 days. After this period, the data is automatically deleted unless required to fulfill a legal obligation or assert, exercise, or defend legal claims.

3.3 Registration / Registration Data

You can create a free user account on our website (registration). During registration, we collect the IP address, email address, and username (registration data). Upon registration, we also assign a user ID and a donation link. Registration is necessary to fully use our internet portal, top up your account, and order servers.

The legal basis is the fulfillment of a contract and the implementation of pre-contractual measures, Article 6(1)(b) GDPR.

3.4 Login, Account Use, Account Balance, and Account Linking / Third-Party, Account, and Payment Data

After registration, you can log into your user account and voluntarily provide certain account data (address, language, and currency). The legal basis for this processing is your consent under Article 6(1)(a) GDPR.

You can also top up your account balance and use it for orders. In this case, we process the registration, account, and payment data you provide to deliver services according to our General Terms and Conditions (GTC) and product-specific contract terms, especially in connection with domains.

The legal basis is the fulfillment of a contract and the implementation of pre-contractual measures, Article 6(1)(b) GDPR.

You can also link your user account with a third-party account (e.g., Facebook, Google, or Twitch account). In this case, the respective third-party provider provides us with certain data (account token, account status (created, updated, validated, expired), email address, and a universally unique identifier (UUID)) from your account.

The legal basis for processing is your consent under Article 6(1)(a) GDPR. You can withdraw your consent at any time with future effect, e.g., by unlinking the account in your user account.

3.5 Linking with tebex.io

We offer various options to individually configure rented servers, including using the monetization platform tebex.io by Tebex Limited, 37 Broadhurst Gardens, London, NW6 3QT, United Kingdom (Tebex). Tebex enables you to use web shops and control panels for managing purchases. If you want to use Tebex, you can click the "Link with Tebex" button in the server settings. By clicking the button, you authorize us to transmit your name and email address once to Tebex, so Tebex can send you a registration link and assign your Tebex account.

The legal basis for processing is your consent under Article 6(1)(a) GDPR.

3.6 MailerCheck

We use MailerCheck, a service provided by MailerCheck Inc., 228 Park Ave S, PMB 54955, New York, to verify the validity of email addresses and identify undeliverable or incorrect email addresses. As part of this verification process, the entered email addresses are transmitted to MailerCheck and checked accordingly. A technical analysis of the addresses is conducted to assess their validity. The following data is processed in particular:

• Email address
• Technical metadata for validation (e.g., address status, domain information)

The processing is based on our legitimate interest in accordance with Article 6(1)(f) GDPR, ensuring the effectiveness of our email campaigns and identifying and removing incorrect, duplicate, or inactive email addresses from our database.

We have signed a data processing agreement (DPA) with MailerCheck. Additionally, we have entered into Standard Contractual Clauses (SCCs) with MailerCheck in accordance with Article 46(2)(c) GDPR (Commission Implementing Decision (EU) 2021/914, Module 2).

For more information about how your data is processed, please refer to MailerCheck’s privacy policy.

4. Use of Tools on Our Website

This website uses various tools that utilize cookies and similar technologies to process personal data. You can adjust your settings to reject all or certain cookies or block scripts and graphics. If you completely block the storage of cookies, the display of graphics, and the execution of scripts, our services may not function or may not function correctly.

4.1 Necessary Tools

Some of the tools we use are necessary to operate our website. The legal basis for processing is Article 6(1)(b) GDPR if the page access is for initiating or executing a contract, otherwise Article 6(1)(f) GDPR. The legitimate interest is to provide basic functions of our website. Access to information on the end device is performed according to Section 25(2) TTDSG.

4.1.1 Cloudflare

We use the content delivery network (CDN) and infrastructure of Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (Cloudflare) to make accessing and operating our website faster and more secure. Cloudflare stores copies of our website on various servers and ensures that website content is delivered from the server that can display our website the fastest. It also detects threats like bots and defends against attacks like distributed denial-of-service (DDoS) attacks. When you visit our website, your browser requests are automatically forwarded to the nearest CDN server. Cloudflare receives your IP address and other connection data (such as the HTTP header with user-agent information). Cloudflare typically stores this information in access logs for up to 30 days. If the IP address triggers a security warning, the data may be stored longer on a case-by-case basis. Our legitimate interest in this data processing is to ensure the security and fast accessibility of our website.

We have entered into a data processing agreement with Cloudflare. Additionally, an adequacy decision by the EU Commission for the USA, the location of Cloudflare, came into effect on July 10, 2023. Cloudflare is certified under the Data Privacy Framework. More information can be found here.

4.1.2 Cookiebot

We use the consent management platform (CMP) Cookiebot CMP by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, to obtain and manage your consents. Cookiebot generates a banner that informs you about data processing on our website and allows you to consent to the processing of personal data by optional tools. This banner appears the first time you visit our website and on subsequent visits if you have disabled cookie storage, deleted cookies, or they have expired. You can access the banner anytime through the website's footer. Cookiebot learns which consents you have given, which is necessary to provide you with the legally required consent management and to comply with our documentation obligations.

We have entered into a data processing agreement with Usercentrics A/S. More information can be found here.

4.1.3 Google Tag Manager

Our website uses the Google Tag Manager, provided for individuals in the European Economic Area by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other individuals by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively Google). The Google Tag Manager is used to manage other tools by embedding so-called website tags. While Google collects information about which tags are embedded in a website, it only processes connection data necessary for establishing a connection (e.g., IP address). Our legitimate interest in this data processing is to be able to use tags on our website easily.

We have entered into a data processing agreement with Google. Additionally, an adequacy decision by the EU Commission for the USA, the location of Google LLC, came into effect on July 10, 2023. Google LLC is certified under the Data Privacy Framework. More information can be found here.

4.1.4 Google reCAPTCHA

We use Google reCAPTCHA. The tool checks whether inputs are genuinely made by a human and prevents automated software from performing abusive activities on the website. To this end, reCAPTCHA uses cookies, information from local storage, JavaScript, and tracking pixels. Specifically, it processes the input behavior (e.g., in answering the reCAPTCHA question) and a snapshot of the browser window. Additionally, Google reCAPTCHA reads cookies from other Google services. Our legitimate interest in processing this data lies in protecting IT security, ensuring the stability of our website, and preventing abuse.

We have entered into a data processing agreement with Google. More information can be found here.

4.1.5 Stripe

We use the services of Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland ("Stripe").
Stripe is an external payment service provider whose services we use to receive and process payments made to us on our behalf. For this purpose, Stripe also uses JavaScript and cookies. We do not store personally identifiable information or financial details such as credit card numbers. Instead, payment data (particularly contact and transaction data such as credit card or bank account details) is forwarded directly to Stripe.

The legal basis for this is Article 6(1)(b) of the GDPR, for fulfilling payments within the framework of a contract with you, and otherwise Article 6(1)(f) of the GDPR, based on our legitimate interest in offering you an additional payment option with Stripe.

We have entered into a data processing agreement with Stripe Payments Europe Ltd. Your personal data may also be transferred by Stripe Payments Europe Ltd. to Stripe Inc., Corporation Trust Center, 1209 Orange Street, Wilmington, New Castle, DE 19801, USA. Stripe Inc. has joined the EU-US Data Privacy Framework, so such transfers are based on the adequacy decision for the U.S. under Article 45 of the GDPR. Additionally, we have entered into Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2) with Stripe Inc. in accordance with Article 46(2)(c) of the GDPR.

For more information, please refer to Stripe's Privacy Policy: https://stripe.com/privacy.

4.1.6 Intercom FinAI Chatbot

We use the FinAI Chatbot provided by Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin 2, Ireland (“Intercom”) to enable automated customer support interactions and to improve response times on our website. The FinAI Chatbot processes personal data that you actively provide during the interaction, such as your name, contact information, and any information included in your messages. In addition, technical connection data (such as IP address, browser type, and timestamps) may be processed to enable the functionality of the chatbot. The legal basis for this data processing is Article 6(1)(f) GDPR. Our legitimate interest lies in providing an efficient and user-friendly support experience and ensuring availability of basic support services. If you provide optional information voluntarily, the legal basis is your consent under Article 6(1)(a) GDPR. Access to information on the end device is based on Section 25(2) TTDSG. Intercom may transfer personal data to servers outside the European Economic Area, including the United States. Intercom is certified under the EU-U.S. Data Privacy Framework, and we have also concluded Standard Contractual Clauses with Intercom in accordance with Article 46(2)(c) GDPR to ensure an adequate level of data protection.

We have entered into a data processing agreement with Intercom R&D Unlimited Company. More information can be found in Intercom’s privacy policy: Terms and Policies | Intercom

4.2 Analytical Tools

With your consent, we use certain analytical tools to enhance the user experience when visiting our website and to undertake interest-based advertising measures. The legal basis for the use of these tools is your consent pursuant to Article 6(1)(a) GDPR. Access to information on the end device is carried out in accordance with Section 25(1) TTDSG.

4.2.1 Google Analytics

Our website uses the web analytics service Google Analytics 4 (Google Analytics). Google Analytics uses cookies, JavaScript, and tracking pixels to store and read information on your end device. The collected information is processed to evaluate your individual use of the website and to improve our online offerings. During the evaluation, Google Analytics calculates predictive values to forecast the likely behavior of website visitors based on structured event data (e.g., predicted revenue, purchase, or churn probability). The data can also be used to determine predictive audiences or conversion goals (e.g., a certain number of registrations, purchases, or video views). The evaluation (insights) is carried out automatically using artificial intelligence and based on specific individually defined criteria. The data collected in this context may be transmitted to and stored on a server of Google LLC in the USA for analysis.

The following data is processed by Google Analytics:

• Accessed pages (date, time, URL, title, duration of stay);
• Certain connection data (e.g., IP address, referrer URL, or technical information);
• Achievement of specific goals (conversions);
• User ID, Google ID (Google Signals), and/or device ID;
• Events (e.g., clicked links to other websites, downloaded files, interaction with videos and forms, scroll activity, or search queries);
• Approximate location (based on truncated IP address).

Additionally, Google Analytics reads cookies from other Google services.

The following privacy settings have been configured for Google Analytics:

• Limiting the storage period to 14 months;
• Disabled audience targeting;
• Disabled data sharing with other Google products and services;
• Disabled cross-device and cross-site tracking (Google Signals);
• Disabled remarketing;
• Disabled collection of granular location and device data;
• Truncation of the IP address before evaluation.

We have entered into a data processing agreement with Google Ireland Limited. Further details are available upon request. More information can be found here.

4.2.2 Microsoft Clarity

Our website uses Microsoft Clarity, an analytics service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland ("Microsoft"). Microsoft Clarity uses cookies and JavaScript to store or retrieve information on your device. The collected information is processed to perform usage analysis and create heatmaps to evaluate and visualize user activities. Additionally, Microsoft Clarity can record and replay sessions and enables A/B testing to assess the impact of different website designs. Microsoft also processes the data to improve its products and services, create user profiles, and for advertising purposes.

This includes the analysis of interactions (e.g., mouse movements, clicks, or scrolls, changes in window size, or (masked) input in form fields), diagnostic, connection, and page data (e.g., document size, attributes, width and height; browser name, operating system, device type, and geographic origin; performance). The analysis and evaluation cover click and scroll activities, navigation on and exit from a page, identification of particularly relevant activities or frequently clicked elements, errors or confusing aspects during page use, as well as filtering and segmentation of visitors based on factors such as location, browser, or session length. Session recordings are anonymized and can also be presented in aggregated form.

The data collected in this context may be transferred by Microsoft Ireland Operations Limited to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, and stored there. As of July 10, 2023, an adequacy decision by the EU Commission for the USA – the location of Microsoft Corp. – has been in effect. Microsoft Corp. is certified under the Data Privacy Framework.

More information can be found here and in Microsoft’s privacy statement.

4.2.3 RudderStack

We use the RudderStack service by RudderStack Inc., 548 Market St, PMB 78620, San Francisco, California 94104-5401, USA, on our website. RudderStack uses cookies, JavaScript, and similar technologies for cross-device and cross-platform tracking and data routing. Identifiers are created from the characteristics of your end device and browser and stored on your end device and RudderStack’s servers. Using this identifier, RudderStack processes usage data about your activity on our website. This includes processing your IP address, connection data, device, operating system, and browser information (including HTTP headers and user-agent), your language and network information, as well as events and interactions on our platforms (including visited pages, clicked buttons, and purchases made). If you log in with your Nitrado account, we link these usage profiles with your user ID, thereby associating the activities with your profile. We use the processed data to create audiences and assign you to an audience. However, we only pass the encrypted (hashed) version of your user ID to RudderStack.

We have entered into a data processing agreement with RudderStack Inc is certified under the Data Privacy Framework. More information can be found here.

4.2.4 Hotjar Ask

We use Hotjar Ask, a feedback and survey service provided by Hotjar Limited, Level 2, St Julian's Business Centre, 3, St Julian's Avenue, St Julian's STJ 1000, Malta (“Hotjar”). Hotjar Ask enables us to deploy feedback widgets to collect targeted user feedback on our website. The surveys cover various aspects, such as customer satisfaction, user feedback on articles, or web design, and help us analyze responses. Hotjar Ask uses cookies, JavaScript, and similar technologies to store and retrieve information on your device. These technologies are employed to display feedback widgets and deploy surveys on our website. The tool collects data such as browser type, screen size, device type, IP address, page views, and interactions with survey widgets. Optionally, you may provide your email address. The collected information is processed to measure user feedback regarding the design, content, and functionality of our website and to enhance user experiences through various types of surveys, such as NPS surveys, article ratings, and exit-intent surveys. Any email address provided is used solely to respond to feedback and is not used for other purposes. The collected data, including voluntarily shared email addresses, is encrypted and stored within Hotjar's dashboards.

We have entered into a Data Processing Agreement with Hotjar to ensure compliant data processing. Additionally, as of July 10, 2023, the EU Commission's adequacy decision for the USA – where Hotjar is headquartered – is in effect. Hotjar is certified under the Data Privacy Framework.

More information can be found here.

4.3 Marketing Tools

With your consent, we use marketing tools to improve the user experience when visiting our website and to undertake interest-based advertising measures. The legal basis for the use of these tools is your consent pursuant to Article 6(1)(a) GDPR. Access to information on the end device is carried out in accordance with Section 25(1) TTDSG.

4.3.1 Google Ads

Our website uses Google Ads. Google Ads uses cookies, JavaScript, pixels, and similar technologies to process identifiers (including cookie, device, platform, or advertising ID), event and usage data (including clicks, page views, or interactions with ads, events, viewed content and ads), connection and technical data (including HTTP headers, user-agent, IP address, and information about the end device, browser, and operating system) for analytics, conversion tracking, retargeting, and remarketing purposes within the Google network (e.g., in Google search or on YouTube). If you use a Google account, Google can also link your web and app browsing history with your Google account and use information from your Google account to personalize ads. In addition, Google uses the data to create usage profiles (behavior, viewed or clicked ads, interests, audience) and recognizes the same users across different websites using identifiers. The data processed in this context may be transmitted by Google Ireland Limited to servers of Google LLC in the USA.

4.3.2 Meta Pixel

Our website uses the Meta Pixel by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta Platforms Ireland Limited uses cookies, JavaScript, pixels, and similar technologies to process identifiers (including cookie, device, platform, or advertising ID), event and usage data (including clicks, page views, or interactions with ads, events, viewed content and ads), connection and technical data (including HTTP headers, user-agent, IP address, and information about the end device, browser, and operating system) for analytics, conversion tracking, retargeting purposes within the Meta network (e.g., on Facebook or Instagram). Remarketing is also performed through Custom Audiences. The data processed in this context may be transmitted by Meta Platforms Ireland Limited to servers of Meta Platforms Inc., 1601 Willow Road Menlo Park, California 94025, in the USA. An adequacy decision by the EU Commission for the USA, the location of Meta Platforms Inc., came into effect on July 10, 2023. Meta Platforms Inc. is certified under the Data Privacy Framework.

For matching, measurement, and analytics services, especially for analyzing the use of our website, matching the user ID, and creating reports on our advertising campaigns, Meta Platforms Ireland Limited acts as a data processor. We have entered into a data processing agreement with Meta Platforms Ireland Limited.

We are jointly responsible with Meta Platforms for the processing of event data for ad targeting (by creating and selecting audiences), delivering commercial and transactional messages, improving ad delivery, and personalizing features and content when using Meta Pixel. Our respective responsibilities are outlined in an agreement on joint responsibility, which can be accessed here.

Additionally, Meta Platforms processes event data to protect and secure Meta Platforms' products, for research and development purposes, and to maintain and improve the integrity of their products.

4.3.3 LinkedIn Insight Tag

Our website uses the LinkedIn Insight Tag by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (LinkedIn). LinkedIn uses cookies, JavaScript, pixels, and similar technologies to process identifiers (including cookie, device, platform, or advertising ID stored on the end device), event and usage data (including clicks, page views, interactions with ads, events, viewed content and ads), connection and technical data (including HTTP headers, user-agent, IP address, information about the end device, browser, and operating system), and any profile data (including demographic information or interests) for analytics, conversion tracking, and retargeting purposes within the LinkedIn network. If you are logged into LinkedIn while visiting our website, LinkedIn can link the collected information with your member account and use it for targeted advertising on LinkedIn.

We have entered into a data processing agreement and standard contractual clauses (Commission Implementing Decision (EU) 2021/914, Module 2) with LinkedIn in accordance with Article 46(2)(c) GDPR. More information can be found here.

4.3.4 Microsoft Advertising

Our website uses Microsoft Advertising by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland (Microsoft). Microsoft uses cookies, JavaScript, pixels, and similar technologies to process identifiers (including cookie, device, platform, or advertising ID stored on the end device), event and usage data (including clicks, page views, interactions with ads, events, viewed content and ads), connection and technical data (including HTTP headers, user-agent, IP address, information about the end device, browser, and operating system), and any profile data (including demographic information or interests) for analytics, conversion tracking, and retargeting purposes. Microsoft also processes the data to improve its own products and services, create usage profiles, and for advertising purposes. The data processed in this context may be transmitted by Microsoft to servers of Microsoft Corp., One Microsoft Way, Redmond, WA 98052-6399 USA, in the USA. An adequacy decision by the EU Commission for the USA, the location of Microsoft Corp., came into effect on July 10, 2023. Microsoft Corp. is certified under the Data Privacy Framework.

More information can be found in the Microsoft Advertising agreement and Microsoft's privacy statement.

4.3.5 Reddit Pixel and Reddit Ads

Our website uses Reddit Pixel and Reddit Ads, services provided by the social network Reddit, offered by Reddit, Inc., 548 Market St. 16093, San Francisco, California 94104, USA (Reddit). Reddit uses cookies, JavaScript, pixels, and similar technologies to process identifiers (including cookie, device, platform, or advertising ID stored on the end device), event and usage data (including viewed content and ads, searches, actions, and events on websites and apps like adding to cart, registrations, or purchases, interactions on Reddit with content like clicks and comments), connection and technical data (including HTTP headers, user-agent, IP address, information about the end device, browser, and operating system), and any profile data (including demographic information, interests, and Reddit communities) to conduct targeted customer engagement using keywords. In addition, we use these services to create, supplement, and optimize our remarketing audiences (audiences). Reddit Pixel and Reddit Ads conduct usage analysis and profiling, tracking and evaluating conversions and leads. Furthermore, information collected on our website is linked with your profile or usage behavior on Reddit. The data processed in this context is also transmitted to the USA. The transfer to the USA is based on your explicit consent. In the case of transfers to third countries, there is generally a risk that an adequate level of data protection comparable to the EU cannot be guaranteed and your data subject rights cannot be fully enforced.

More information can be found here.

4.3.6 RudderStack

We use the RudderStack service by RudderStack Inc., 548 Market St, PMB 78620, San Francisco, California 94104-5401, USA, on our website. RudderStack uses cookies, JavaScript, and similar technologies for cross-device and cross-platform tracking and data routing. Identifiers are created from the characteristics of your end device and browser and stored on your end device and RudderStack’s servers. Using this identifier, RudderStack processes usage data about your activity on our website. This includes processing your IP address, connection data, device, operating system, and browser information (including HTTP headers and user-agent), your language and network information, as well as events and interactions on our platforms (including visited pages, clicked buttons, and purchases made). If you log in with your Nitrado account, we link these usage profiles with your user ID, thereby associating the activities with your profile. We use the processed data to create audiences and assign you to an audience. However, we only pass the encrypted (hashed) version of your user ID to RudderStack.

We use the created profiles to create audiences and assign you to an audience. Additionally, we work with advertising partners to deliver personalized advertising to you. This includes Google Ads in particular (see 4.3.1). The collected data is also used by us to automate our marketing activities and communication with you (Journeys). The data processed in this context may be transmitted by RudderStack to servers in the USA.

We have entered into a data processing agreement with RudderStack Inc is certified under the Data Privacy Framework. More information can be found here.

4.3.7 TikTok Pixel

Our website uses the TikTok Pixel by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (collectively TikTok). TikTok uses cookies, JavaScript, pixels, and similar technologies to process identifiers (including cookie, device, platform, or advertising ID stored on the end device), event and usage data (including clicks, page views, interactions with ads, events, viewed content and ads), connection and technical data (including HTTP headers, user-agent, IP address, information about the end device, browser, and operating system), and any profile data (including demographic information or interests) for analytics, conversion tracking, and retargeting purposes. For this processing of personal data, TikTok and we are partially jointly responsible.

We have entered into an agreement on joint responsibility with TikTok, which can be accessed here (1, 2, 3). More information can be found here.

4.3.8 X Conversion Tracking and X Ads

Our website uses X Conversion Tracking and X Ads, services provided by the social network X, offered for individuals from the European Union, the European Free Trade Association (EFTA), and the United Kingdom by X International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland, and for all other individuals by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA (collectively X). X Conversion Tracking analyzes and evaluates the use of our website (e.g., clicks, page views, views, and interactions with our content). This involves matching and associating your behavior via identifiers with your usage behavior on X. The data collected creates reports on the success of our advertising campaigns and improves ad delivery. X Ads is used to target potential customers and deliver personalized advertising on X, tracking viewed and clicked ads, performing retargeting and remarketing, creating and optimizing user profiles based on interests, and assigning users to audiences. The data processed in this context (including cookie, device, platform, or advertising ID stored on the end device), event and usage data (including clicks, page views, interactions with ads, events, viewed content and ads), connection and technical data (including HTTP headers, user-agent, IP address, information about the end device, browser, and operating system), and any profile data (including demographic information or interests) may be transmitted by X International Unlimited Company to X Corp. in the USA. An adequacy decision by the EU Commission for the USA, the location of X Corp., came into effect on July 10, 2023. X Corp. is certified under the Data Privacy Framework.

We have entered into a data processing agreement and standard contractual clauses (Commission Implementing Decision (EU) 2021/914, Module 2) with X in accordance with Article 46(2)(c) GDPR. More information can be found here.

4.3.9 Snap Ads and Snap Pixel

Our website uses the Snap Ads and Snap Pixel services from the social network Snapchat. These services are provided by Snap Inc., 3000 31st Street, Santa Monica, CA 90405, USA, for users in the United States; by Snap Group Limited Singapore Branch, #16-03/04, 12 Marina Boulevard, Marina Bay Financial Centre Tower 3, Singapore 018982, Singapore, for users in the Asia-Pacific region; and by Snap Group Limited, 50 Cowcross Street, Level 2, London, EC1M 6AL, United Kingdom, (collectively referred to as “Snap”) for all other users.

The Snap Pixel collects information about user activities on our website, such as sign-ups, purchases, page views, or cart actions, and, if available, associates this information with your personal Snapchat account. This is done using JavaScript, cookies, local storage, and through (encrypted) user parameters or metadata such as cookie information, HTML tags, or the IP address. The data collected by Snap Pixel is used by Snap to optimize, create custom audiences, perform lookalike modeling, generate reports, conduct machine learning, and for targeting purposes. Data processed in this context may also be transmitted by Snap Group Limited to Snap Inc.

We have entered into a data processing agreement with Snap. Additionally, on July 10, 2023, an adequacy decision by the EU Commission for the USA—where Snap Inc. is based—came into effect. Snap Inc. is certified under the Data Privacy Framework.

More information can be found here.

5. Newsletter

5.1 Subscribing to the Newsletter

To subscribe to our newsletter, we use the so-called double opt-in procedure. This means that after your subscription, we will send you an email asking you to confirm your email address. Once you confirm your email address, we will store your email address, the time of registration, and the IP address used for registration until you unsubscribe from the newsletter. This storage is to enable us to send you the newsletter and to prove your registration. The legal basis for processing is your consent according to Article 6(1)(a) GDPR and our legitimate interest in proving the registration (Article 6(1)(f) GDPR).

For sending newsletters, we use the MailChimp tool provided by The Rocket Science Group LLC, 675 Ponce De Leon Ave NE Suite 5000, Atlanta, GA 30308, USA. We have entered into a data processing agreement with The Rocket Science Group LLC. Additionally, an adequacy decision by the EU Commission for the USA, where The Rocket Science Group LLC is located, came into effect on July 10, 2023. The Rocket Science Group LLC is certified under the Data Privacy Framework.

5.2 Newsletter Tracking

We use tracking pixels in our newsletters to measure interactions with the newsletter (receipt and opening of the email, clicked links). The data obtained is used in pseudonymous form for statistical evaluations and to optimize our content. The legal basis for processing is your consent according to Article 6(1)(a) GDPR.

6. Surveys

To conduct surveys, we use SurveyMonkey, a service offered by ServiceMonkey Europe UC, 2 Shelbourne Buildings, Second Floor, Shelbourne Road, Dublin 4, Ireland, for individuals in the European Union, the United Kingdom, or Switzerland, and by SurveyMonkey, Inc., One Curiosity Way, San Mateo, CA 94403, USA, for all other individuals (collectively SurveyMonkey). Participation in a survey can be via a dialog box on our platforms or a link sent to you by email.

6.1 Generating Personalized Survey Links

For certain surveys, we create personalized links to associate surveys with users. Your user ID is converted into a complex string (hash value) and attached to the link, which can be assigned to you without SurveyMonkey being able to deduce your user ID from the link. With your consent according to Article 6(1)(a) GDPR, we link the survey response data with other customer data, for example, to recognize patterns based on selected games, server sizes, or booking histories. This way, we can avoid requiring you to provide this information in a survey you wish to participate in. The legal basis for this processing is our legitimate interest according to Article 6(1)(f) GDPR. Our legitimate interest lies in conducting qualified surveys among our (existing) customers.

6.2 Sending Survey Links by Email

To send survey links by email, we process your email address and, for certain surveys, the encrypted user ID. The legal basis for processing is Article 6(1)(a) GDPR, provided you have consented to data processing, and otherwise Article 6(1)(f) GDPR. Our legitimate interest according to Article 6(1)(f) GDPR lies in continuously improving the quality and relevance of our services through your feedback and in strengthening our customer relationships over the long term. You can object to the use of your email address for product recommendations and satisfaction surveys at any time without incurring any costs other than the transmission costs according to the basic rates. We explicitly point this out during registration.

6.3 Participation and Data in Surveys

Participation in surveys is voluntary. SurveyMonkey collects and gathers your responses, which we can use for further analysis. You can withdraw your consent at any time without affecting the lawfulness of the processing carried out up to that point (Article 6(1)(a) and (f) GDPR).

We have entered into a data processing agreement with SurveyMonkey. Additionally, an adequacy decision by the EU Commission for the USA, where SurveyMonkey, Inc. is located, came into effect on July 10, 2023. SurveyMonkey, Inc. is certified under the Data Privacy Framework. More information can be found here.

7. Applications and Careers / Applicant Data

You can apply for open positions with us via email, postal mail, or our career page. To process your application, we collect the applicant and contact data you provide (e.g., first name, last name, email address, and application documents such as cover letter, resume, and certificates). We process this data if and to the extent necessary for the decision on establishing an employment relationship or, after establishing the employment relationship, for its execution or termination or for exercising or fulfilling the rights and obligations of employee representation arising from a law or collective agreement.

The legal basis for processing is Article 6(1)(a) GDPR, provided you have consented to data processing, Article 6(1)(b) GDPR, provided the processing is necessary for fulfilling a contract or for pre-contractual measures, Article 6(1)(c) GDPR, provided the processing is necessary for fulfilling a legal obligation, and otherwise Article 6(1)(f) GDPR. Our legitimate interest lies in reviewing incoming application documents, establishing employment relationships, and potentially asserting, exercising, or defending legal claims. Using the career portal may require storing information and accessing information already stored on your end device. Storage and access are necessary to provide you with the career portal and are based on Section 25(2)(2) TTDSG.

To provide our career portal and manage applications, we use the software Personio provided by Personio GmbH, Rundfunkplatz 4, 80335 Munich (Personio). We have entered into a data processing agreement with Personio. Further details are available upon request. More information can be found here.

If an employment relationship is established, we store your applicant data as long as it is necessary for the employment relationship and legal regulations justify an obligation to retain it. If we reject your application, we store your applicant data for up to 180 days after sending the rejection (to defend against potential legal claims), unless you consent to longer storage.

If you have given us your separate consent, we will store your applicant data to identify interesting positions for you and potentially contact you again.

8. Online Presences in Social Networks

We maintain online presences in social networks to communicate with customers and interested parties and to inform them about our services. The data of users is usually processed by the respective social networks for market research and advertising purposes. For this purpose, cookies and other identifiers are stored on the end devices of the data subjects. In operating our online presences, we may access information provided by the social networks (e.g., statistics). These statistics contain aggregated data and may include demographic information and data on interactions with our online presences (e.g., age, gender, region, subscriptions, likes, shares). Details and links to the data of the social networks, which we can access as operators of the online presences, can be found in the links in the list below. The collection and use of these statistics are partly subject to joint responsibility. Where applicable, the corresponding agreement is listed below.

The legal basis for processing is Article 6(1)(b) GDPR, provided it concerns customers or interested parties, and otherwise Article 6(1)(f) GDPR. Our legitimate interest lies in effective communication with visitors and optimizing our online presence.

Please note that data protection inquiries can most effectively be asserted with the respective provider of the social network. However, you can also contact us. In this case, we will process your request and forward it to the provider of the respective social network.

Below is a list of the social networks where we maintain online presences:

• Discord (United Kingdom: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London, SE1 7TL, United Kingdom; otherwise: Discord Inc., 444 De Haro St Suite 200, San Francisco, California 94107, USA)
  • Privacy Policy
• Facebook (USA and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
• Operation of the Facebook fan page under joint responsibility based on an agreement on the joint processing of personal data (so-called Page Insights Supplement regarding the controller): Page Controller Addendum
• Information about the processed Page Insights data and contact options for data protection inquiries: Information About Page Insights Data
  • Privacy Policy
• GitHub (North America: GitHub Inc., 88 Colin P. Kelly Jr. Street, San Francisco, California 94107, USA; otherwise: GitHub BV, Vijzelstraat 68-72, 1017 HL Amsterdam, Netherlands)
  • Privacy Policy
• Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
  • Privacy Policy
• Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
  • Instagram business account based on an agreement on the joint processing of personal data (so-called Page Insights Supplement regarding the controller): Page Controller Addendum
  • Information about the processed Page Insights data and contact options for data protection inquiries: Information About Page Insights Data
  • Privacy Policy
• LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
  • Operation of the LinkedIn company page under joint responsibility based on an agreement on the joint processing of personal data (so-called Page Insights Joint Controller Addendum): Pages Joint Controller Addendum
  • Information about the processed Page Insights data and contact options for data protection inquiries: Pages Joint Controller Addendum
  • Privacy Policy
• Snapchat (USA: Snap Inc., 3000 31st Street, Santa Monica, California 90405, USA; otherwise: Snap Group Limited, 77 Shaftesbury Avenue, London, W1D 5DU, United Kingdom)
  • Privacy Policy
• Twitch (Twitch Interactive, Inc. 350 Bush Street, San Francisco, California 94107, USA)
  • Privacy Policy
• Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland)
  • Privacy Policy

9 Digital Services Act and Terrorist Content Online Regulation

Nitrado provides all customers and other users of the internet portal with an electronic form for reporting unlawful content. Users can report any content they believe violates applicable laws, these terms and conditions, or general conduct rules. Additionally, Nitrado has established a contact point to receive official orders to remove or block access to terrorist content and ensure their prompt processing. The mandatory information processed in this context is to fulfill our legal obligations under Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a single market for digital services (Digital Services Act) and amending Directive 2000/31/EC, and Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online. The legal basis for processing is Article 6 (1) (c) GDPR. The legal basis for processing voluntary information is Article 6 (1) (c) GDPR, if the processing is necessary to fulfill a legal obligation, Article 6 (1) (a) GDPR, if you have consented to the data processing, and otherwise Article 6 (1) (f) GDPR. Our legitimate interest under Article 6 (1) (f) GDPR is the smooth functioning of the notice and take down process.

10. Recipients of the Data

10.1 Other Companies in the "Nitrado Group"

To fulfill the contract in accordance with Article 6(1)(b) and Article 49(1)(b) GDPR, we use services from companies within the "Nitrado Group":

• Apex Hosting LLC, 7121 W Craig Road, Ste 113 PMB, 1203 Las Vegas, Nevada 89129, United States;
• Marbis / Nitrado USA, Inc., 4600 Kietzke Lane, Reno, Nevada 86502, USA;
• MCProHosting LLC, 5830 East 2nd St., Casper, Wyoming 82609, USA.

The aforementioned companies act as processors on our behalf. Therefore, we have entered into data processing agreements and standard contractual clauses (Commission Implementing Decision (EU) 2021/914, Module 2 and Module 4) with these companies in accordance with Article 46(2)(c) GDPR. Further details are available upon request.

10.2 Payment Service Providers / Identification and Payment Data

When you place an order through our website and select the appropriate option, your identification and payment data (e.g., name, account details, or credit card number) may be transmitted to the respective payment service provider. The privacy notices of the respective providers apply to this ordering process.

The legal basis for processing is Article 6(1)(b) GDPR, provided the use of a payment service provider is necessary for initiating or fulfilling a contract, and otherwise Article 6(1)(f) GDPR. Our legitimate interest lies in making payment transactions as smooth, convenient, and secure as possible.

Depending on the payment method you choose, it may be one of the following companies:

• Global Collect B.V., Neptunusstraat 41-63, 2132 JA Hoofddorp, Netherlands;
• Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden;
• PayPal (Europe) S.à.r.l. et Cie, S.C.A, 22-24 Boulevard Royal L-2449, Luxembourg;
• Paysafe, 2 Gresham Street, London, England, EC2V 7AD, United Kingdom;
• Worldline Group - 1442, River Ouest, 80 Quai Voltaire, 95870 Bezons, France.
• Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Irland

10.3 Domain Registrars and Registries

For domain registrations, we forward the contact and address data required for the respective domain registration to the registrars and registries of the respective domains.

10.4 Other Recipients

In addition to the service providers explicitly mentioned in this privacy policy, we may also share your data with other recipients. These other recipients include agencies, external data protection officers, market research and consulting companies, software providers and IT service providers who maintain our software and systems, and data center operators who host our website and databases. These service providers have been carefully selected and contracted by us. Any processors are contractually bound to follow our instructions, have appropriate technical and organizational measures in place to protect the rights of data subjects, and are regularly monitored by us.

11. Data Transfer to Third Countries

To provide our services, we work with service providers based in third countries. Where applicable, this has been noted. We would like to point out that there is an adequacy decision pursuant to Article 45(3) GDPR for Japan, the United Kingdom, and the USA. Otherwise, there is a risk that authorities in the respective third country (e.g., intelligence services) may access the transmitted data, that data subject rights cannot be enforced, and/or effective legal remedies are not available. When obtaining (explicit) consent through the consent banner, you will also be informed about this.

12. Retention Period

In general, we store personal data only for as long as necessary to fulfill the purposes for which we collected the data. In addition, as a business, we are subject to certain legal retention obligations, e.g., from the Fiscal Code (AO), the Income Tax Act (EStG), or the Commercial Code (HGB). Personal data subject to such retention obligations must be stored by us in accordance with Article 6(1)(c) GDPR even after the original purpose of collection has been fulfilled. The retention period in this case can be up to ten years.

If the personal data is used for initiating or fulfilling a contract or pre-contractual measures, we also retain the data after the contract has been fulfilled or not concluded for as long as necessary to protect our legitimate interests (Article 6(1)(f) GDPR). Our legitimate interest in this case is to be able to fulfill any claims that may arise after the original contract has been completed and to defend against unlawfully asserted claims. The retention period is based on the statutory limitation periods and is generally three years (§ 195 BGB).

13 Your Rights, Including Withdrawal and Objection

If the legal requirements are met, you have the following rights as formulated in the GDPR:

• Right of access by the data subject (Article 15 GDPR);
• Right to rectification (Article 16 GDPR);
• Right to erasure ("right to be forgotten", Article 17 GDPR);
• Right to restriction of processing (Article 18 GDPR);
• Right to data portability (Article 20 GDPR);
• Right to object (Article 21 GDPR).

To exercise your rights, you can contact our above-mentioned contacts at any time. This also applies if you wish to receive copies of safeguards to demonstrate an adequate level of data protection.

Requests to exercise data protection rights and our responses to them are kept for documentation purposes for up to three years and, in individual cases, for longer to assert, exercise, or defend legal claims. The legal basis for processing is Article 6(1)(f) GDPR. Our legitimate interest lies in asserting, exercising, or defending legal claims and fulfilling our accountability obligations.

Finally, you have the right to lodge a complaint with a competent data protection supervisory authority about us. For example, you can exercise this right with:

State Commissioner for Data Protection and Freedom of Information Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart

Contact

Effective: July 2024