Privacy policy

Responsible party

toern GmbH
Am Sandtorkai 32
20457 Hamburg
Germany

Email: info@re-toern.de

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to briefly as “data”) we process, for what purposes, and to what extent in the context of providing our application and website. This privacy policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, in mobile applications, as well as within external online presences such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).

The terms used are not gender-specific.

Last updated: September 2025

Table of Contents

    1. Responsible Entity
    2. Overview of Processing
    3. Legal Basis
    4. Security Measures
    5. Transfer of Personal Data
    6. International Data Transfers
    7. Data Deletion
    8. Rights of Data Subjects
    9. Use of Cookies
    10. Provision of the Online Offering and Web Hosting
    11. Contact and Inquiry Management
    12. Web Analysis, Monitoring and Optimization
    13. Online Marketing
    14. Social Media Presences
    15. Plugins and Embedded Features and Content
    16. Management, Organization, and Auxiliary Tools

Overview of Processing

The following overview summarizes the types of data processed and the purposes of processing and refers to the affected individuals.

Types of Data Processed

  • Master data (e.g., names, addresses)
  • Content data (e.g., entries in online forms)
  • Contact data (e.g., email addresses, telephone numbers)
  • Meta/communication data (e.g., device information, IP addresses)
  • Usage data (e.g., visited websites, interest in content, access times)
  • Contract data (e.g., contract subject, duration, customer category)

Categories of Affected Persons

  • Prospects
  • Communication partners
  • Customers
  • Users (e.g., website visitors, users of online services)
  • App users

Purposes of Processing

  • Provision of our online offering and user-friendliness
  • Fulfillment of contractual services and obligations
  • Contact inquiries and communication
  • Security measures
  • Reach measurement and web analysis
  • A/B testing and optimization
  • Management and response to inquiries
  • Feedback collection
  • IT infrastructure
  • Marketing and conversion measurement

Legal Basis

The following overview provides the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations in your or our country of residence or location may apply.

Consent (Art. 6(1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.

Contractual performance and pre-contractual inquiries (Art. 6(1)(b) GDPR): Processing is necessary for the performance of a contract to which the data subject is party or for pre-contractual measures at the request of the data subject.

Legitimate interests (Art. 6(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided the interests or fundamental rights and freedoms of the data subject do not override those interests.

National Data Protection Regulations in Germany: In addition to the GDPR, national regulations on data protection in Germany apply, in particular the Federal Data Protection Act (BDSG). The BDSG includes special provisions on the right of access, the right to deletion, the right to object, processing of special categories of personal data, processing for other purposes, and transfers, as well as automated decision-making including profiling. Furthermore, state data protection laws of individual federal states may also apply.

Security Measures

We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the likelihood and severity of risks to individuals’ rights and freedoms, to ensure an appropriate level of security.

Measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical and electronic access, input, transmission, storage, availability, and separation of data. Procedures have been established to ensure the exercise of data subjects’ rights, deletion of data, and responses to data breaches. Data protection is also considered in the development and selection of hardware, software, and procedures, following the principles of privacy by design and privacy by default.

IP Address Truncation: IP addresses processed by us or by service providers are truncated if full IP processing is not required. Typically, the last two digits or segment of the IP address are removed or replaced by placeholders to prevent or significantly hinder identification of the individual.

TLS/SSL Encryption (https): To protect data transmitted via our online services, we use TLS/SSL encryption. Encrypted connections can be recognized by the prefix https:// in the browser address bar.

Transfer of Personal Data

In processing personal data, it may be necessary to transfer data to other entities, companies, legally independent organizations, or persons. Recipients may include IT service providers or providers of services and content embedded in our website. Legal requirements are observed, and appropriate contracts or agreements are concluded with recipients.

International Data Transfers

Data Processing in Third Countries:
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing occurs in the context of using third-party services or the disclosure or transfer of data to other persons, entities, or companies, this is done only in compliance with legal requirements. If the level of data protection in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfers (Art. 49(1) GDPR).

EU-US Trans-Atlantic Data Privacy Framework:
Under the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection for certain companies from the USA as adequate under the adequacy decision dated 10 July 2023. The list of certified companies and further information about the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We provide information in our privacy notices about which service providers we use are certified under the Data Privacy Framework.

Data Deletion

The data we process is deleted in accordance with legal requirements as soon as the consents permitting their processing are revoked or other authorizations no longer apply (e.g., if the purpose of processing the data no longer exists or the data is not required for that purpose).

If the data is not deleted because it is required for other legally permissible purposes, its processing is limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for asserting, exercising, or defending legal claims or for the protection of the rights of another natural or legal person.

Within the scope of our privacy notices, we may provide users with additional information regarding the deletion and retention of data that specifically applies to the respective processing procedures.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, in particular those set out in Articles 15 to 21 GDPR:

Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling insofar as it is related to such direct marketing.

Right to withdraw consent: You have the right to withdraw any consent you have given at any time.

Right of access: You have the right to obtain confirmation as to whether your personal data is being processed and to access such data, as well as to receive further information and a copy of the data in accordance with the statutory provisions.

Right to rectification: You have the right, in accordance with statutory provisions, to request the completion of your personal data or the correction of inaccurate personal data concerning you.

Right to erasure and restriction of processing: You have the right, in accordance with statutory provisions, to request the immediate deletion of your personal data or, alternatively, to request a restriction of processing of your data.

Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transfer to another controller in accordance with statutory provisions.

Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement, if you consider that the processing of your personal data violates the provisions of the GDPR.

Use of Cookies

Cookies are small text files or other storage markers that store information on end devices and read information from those devices. For example, they can store the login status in a user account, the contents of a shopping cart in an e-shop, the visited content, or functions used on an online service. Cookies can also be used for various purposes, such as functionality, security, and convenience of online services, as well as for analyzing visitor traffic.

Cookie management with CookieYes: We use CookieYes as a cookie consent management system to obtain GDPR-compliant consent for the use of cookies. CookieYes allows you to manage your cookie preferences and change them at any time.
Service provider: CookieYes Limited, 2 Castle Street, 3rd Floor, Dublin 2, D02 KP23, Ireland; Website: https://www.cookieyes.com; Privacy Policy: https://www.cookieyes.com/privacy-policy

Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless consent is not legally required. Consent is not required in particular if storing and reading information, including cookies, is strictly necessary to provide users with a telemedia service (i.e., our online service) expressly requested by them. Strictly necessary cookies generally include cookies with functions that serve the display and operability of the online service, load balancing, security, storing user preferences and selections, or similar purposes directly related to providing the main and ancillary functions of the online service requested by users.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

Temporary cookies (also called session cookies): Temporary cookies are deleted at the latest when a user leaves an online service and closes their device (e.g., browser or mobile application).

Permanent cookies: Permanent cookies remain stored even after closing the device. For example, the login status can be saved, or preferred content can be displayed directly when the user revisits a website. If we do not provide users with explicit information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.

General notes on withdrawal and objection (opt-out): Users can revoke their given consents at any time and object to processing in accordance with legal requirements. To do so, users can, for example, restrict the use of cookies in their browser settings (note that this may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be submitted via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Processing of cookie data based on consent: We use a cookie consent management system, through which user consents for the use of cookies, as well as for the processing and providers mentioned within the cookie consent management process, are obtained, managed by users, and can be revoked. The consent declaration is stored so that it does not need to be requested again and to be able to provide proof of consent in accordance with legal requirements. Storage can occur server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to associate the consent with a user or their device. Subject to individual information provided by the providers of cookie management services, the following notes apply: The duration of consent storage can be up to two years. A pseudonymous user identifier is created and stored along with the time of consent, details about the scope of the consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and device used.

Provision of the Online Offer and Web Hosting

We process user data to make our online services available to them. For this purpose, we process the user’s IP address, which is necessary to deliver the content and functions of our online services to the user’s browser or device.

Webflow as Hosting Platform: Our website is hosted on the Webflow platform, a service of Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA. Webflow acts as our processor in accordance with Art. 28 GDPR.

Types of data processed: Usage data (e.g., visited web pages, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers).

Affected persons: Users (e.g., website visitors, users of online services).

Purposes of processing: Provision of our online services and user-friendliness; IT infrastructure; security measures; performance of contractual services and fulfillment of contractual obligations.

Legal basis: Legitimate interests (Art. 6 (1) (f) GDPR).

Data transfer to the USA: Data transfer to the USA is carried out under the EU-U.S. Data Privacy Framework (DPF), which Webflow has joined. Additionally, data processing is based on Standard Contractual Clauses approved by the EU Commission in accordance with Art. 46 (2) (c) GDPR.

Order processing: We have concluded a data processing agreement (DPA) with Webflow, ensuring that the personal data of our website visitors is processed solely according to our instructions and in compliance with the GDPR.

Collection of access data and log files: Access to our online offer is logged in the form of so-called “server log files.” These server log files may include the address and name of the accessed web pages and files, date and time of access, amount of data transferred, status of the access request, browser type and version, the user’s operating system, referrer URL (the previously visited page), and generally the IP addresses and the requesting provider. The server log files may be used both for security purposes (e.g., to prevent server overload, particularly in case of malicious attacks, so-called DDoS attacks) and to ensure server load and stability. Log file information is stored for a maximum of 30 days and then deleted or anonymized.

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, e-mail, phone, or via social media) as well as within the framework of existing user and business relationships, the information provided by the contacting persons is processed to the extent necessary to answer the inquiries and carry out any requested actions.

Use of the Contact Form and Data Processing by Webflow:
If you contact us via the contact form embedded on our website, the information you provide will be stored for the purpose of processing your request. The data you enter in the contact form is transmitted to Webflow and processed there. Webflow acts as our processor in accordance with Art. 28 GDPR. Data transfer to the USA is carried out under the EU-U.S. Data Privacy Framework (DPF), which Webflow has joined. The data submitted via the contact form is used exclusively to process your request and is not shared with third parties without your consent.

Types of data processed: Contact data (e.g., e-mail addresses, telephone numbers); content data (e.g., entries in online forms); usage data (e.g., visited web pages, interest in content, access times); meta, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).

Affected persons: Communication partners.

Purposes of processing: Contact inquiries and communication; management and response to inquiries; feedback; provision of our online services and user-friendliness.

Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).

Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") is used to evaluate the visitor traffic on our online offerings and can include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. Using reach analysis, we can, for example, determine when our online offering or its features and content are most frequently used or invite return visits. It also allows us to identify areas in need of optimization.

In addition to web analysis, we may also use testing procedures to, for example, test and optimize different versions of our online offerings or their components.

IP addresses of users are also stored. However, we use an IP-masking procedure (i.e., pseudonymization by shortening the IP address) to protect users and Google Consent Mode to ensure GDPR-compliant data collection. Generally, no clear personal data of users (such as e-mail addresses or names) is stored during web analysis, A/B testing, and optimization; only pseudonyms are used.

Google Tag Manager:
We use Google Tag Manager to manage various tracking and analytics tools on our website. Google Tag Manager is a tag management solution that allows us to manage website tags via a user-friendly interface. Google Tag Manager itself does not collect personal data. It enables us to activate other services, such as Google Analytics, only if the corresponding consent has been given.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Basis for international data transfer: EU-US Data Privacy Framework (DPF).

Google Analytics 4 with Google Consent Mode:
We use Google Analytics 4 to measure and analyze the use of our online offering. Google Analytics is only activated after your consent and works with Google Consent Mode v2 to ensure GDPR-compliant data collection. Google Consent Mode ensures that Google Analytics processes personal data only if you have consented to the use of analytical cookies. Without your consent, only anonymized, aggregated statistics are recorded. Google Analytics does not log or store individual IP addresses for EU users. Analytics, however, provides coarse geographic location data by deriving metadata from IP addresses: city, continent, country, region. User-related data is automatically deleted after 14 months.
Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://marketingplatform.google.com/intl/de/about/analytics/; Privacy Policy: https://policies.google.com/privacy; Basis for international data transfer: EU-US Data Privacy Framework (DPF); Opt-out option: https://tools.google.com/dlpage/gaoptout?hl=de

Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).

Affected Individuals: Users (e.g., website visitors, users of online services).

Purposes of Processing: Reach measurement; creation of profiles with user-related information; A/B testing; feedback collection; provision of our online offering and user-friendliness.

Legal Basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR); legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).

Online Marketing

We process personal data for the purposes of online marketing, which may include, in particular, the promotion of advertising spaces or the display of advertising and other content based on the potential interests of users, as well as the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called "cookie") or similar methods are used, through which the information relevant for displaying the aforementioned content is stored about the user.

Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).

Affected Individuals: Users (e.g., website visitors, users of online services).

Purposes of Processing: Marketing; creation of profiles with user-related information; conversion measurement.

Legal Basis: Consent (Art. 6 Para. 1 Sentence 1 lit. a GDPR); legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).

Presences on Social Networks (Social Media)

We maintain online presences within social networks and, in this context, process user data to communicate with the users active there or to provide information about us.

We note that in doing so, user data may be processed outside the territory of the European Union. This can pose risks for users, for example because the enforcement of users’ rights may be more difficult.

Types of Data Processed: Contact data (e.g., email addresses, phone numbers); content data (e.g., inputs in online forms); usage data (e.g., visited websites, interest in content, access times); meta-/communication data (e.g., device information, IP addresses).

Affected Individuals: Users (e.g., website visitors, users of online services).

Purposes of Processing: Contact inquiries and communication; feedback; marketing.

Legal Basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).

Services and Service Providers Used:

Instagram: Social network; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy

LinkedIn: Social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy

YouTube: Social network and video platform; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy

Plugins and Embedded Features as well as Content

We integrate functional and content elements into our online offering that are provided by the servers of their respective providers (hereinafter referred to as “third-party providers”). These can include, for example, graphics, videos, or maps (hereinafter collectively referred to as “content”).

Embedding these elements always requires that the third-party providers of this content process the users’ IP addresses, as they could not send the content to the users’ browsers without the IP address. Therefore, the IP address is necessary for the display of these contents or functions.

Types of Data Processed: Usage data (e.g., visited websites, interest in content, access times); meta-, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, consent status).

Affected Individuals: Users (e.g., website visitors, users of online services).

Purposes of Processing: Provision of our online offering and user-friendliness.

Legal Basis: Legitimate interests (Art. 6 Para. 1 Sentence 1 lit. f GDPR).

Services Used and Service Providers:

Google Fonts: Provision of fonts for technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and loading times. The user’s IP address is transmitted to the font provider so that the fonts can be made available in the user’s browser.
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis for International Data Transfer: EU-US Data Privacy Framework (DPF).

YouTube Videos: Video content; Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://www.youtube.com; Privacy Policy: https://policies.google.com/privacy

reCAPTCHA: We integrate the “reCAPTCHA” function to be able to determine whether inputs (e.g., in online forms) are made by humans and not by automated machines (so-called “bots”). The data processed may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, and time spent on websites.
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://www.google.com/recaptcha/; Privacy Policy: https://policies.google.com/privacy

Management, Organization, and Support Tools

We use services, platforms, and software from other providers (hereinafter referred to as "third-party providers") for the purposes of organization, administration, planning, and delivery of our services. When selecting third-party providers and their services, we comply with legal requirements.

In this context, personal data may be processed and stored on the servers of the third-party providers. Various types of data may be affected, which we process in accordance with this privacy policy.

Types of Data Processed: Master data (e.g., names, addresses); Contact data (e.g., email addresses, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times); Meta-/communication data (e.g., device information, IP addresses)

Affected Persons: Communication partners; Users (e.g., website visitors, users of online services)

Purposes of Processing: Office and organizational procedures; Provision of contractual services and customer support

Legal Bases: Consent (Art. 6(1)(a) GDPR); Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)

Webflow: Service Provider: Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA; Website: https://webflow.com; Privacy Policy: https://webflow.com/legal/eu-privacy-policy

Storage Duration and Deletion of Data

Cookie Data: The storage duration of cookies varies depending on their type and purpose. Session cookies are deleted when the browser is closed. Persistent cookies have a storage duration of up to 24 months.

Google Analytics Data: User-related data is automatically deleted after 14 months. Aggregated data is stored indefinitely but does not contain any personal information.

CookieYes Consent Data: Your cookie preferences are stored for up to 12 months to prevent repeated consent requests on each visit.

Contact Form Data: Data from contact inquiries is stored for the duration of the processing of your request and then deleted, unless legal retention obligations apply.

Server Log Files: Stored for a maximum of 30 days and then deleted or anonymized.

Changes and Updates to This Privacy Policy

We ask that you regularly review the contents of our privacy policy. We update this policy whenever changes to our data processing activities make it necessary. We will notify you if such changes require your cooperation (e.g., renewed consent) or any other individual notification.

If we provide addresses and contact information of companies and organizations within this privacy policy, please note that these details may change over time. We recommend verifying the information before getting in touch.

Definitions of Terms

This section provides an overview of the terminology used in this privacy policy. Many of the terms are taken from the law and primarily defined in Article 4 of the GDPR. The legal definitions are binding; the following explanations are provided for clarity and better understanding.

Personal Data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Controller: The term “controller” refers to the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processing: “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and encompasses practically any handling of data — such as collection, evaluation, storage, transmission, or deletion.