Privacy Policy

With this privacy policy, we would like to inform you in accordance with Art. 13 and 14 of the General Data Protection Regulation (GDPR) and §§ 32 and 33 of the Federal Data Protection Act (BDSG) about how we process personal data on our website and in the context of the Medumio Academy (hereinafter collectively referred to as "online offers"), and inform you about your related rights.

The processing of your personal data by us is carried out in compliance with the GDPR and all other applicable data protection regulations.

I. Name and Contact Details of the Controller

Salutem OHG
Manhonienweg 22 F
12437 Berlin
Germany

Phone: +49 030 62932585
Email: mail@medumio.de

Data Protection Contact
Mathias Hakendahl
datenschutz@medumio.de

II. Definitions

This privacy policy uses the terminology of the GDPR. The terms used, such as "recipient," "visitor," or "user," are chosen for clarity and should be understood as gender-neutral.

III. Specific Processing Activities: Categories of Processed Data, Scope, Purpose, and Legal Basis of Data Processing

Below, we inform you in detail about the specific processing activities, the data processed in each case, the scope and purpose of the respective data processing, as well as the respective legal basis.
First, we address the specific processing activities within the scope of both online offers, followed by the individual processing activities that apply to our website and our Medumio Academy.

1. Data Processing in the Context of Both Online Offers

1.1. Hosting and Content Delivery Network

1.1.1. Hosting

Purpose: Hosting of online offers.

Legal basis: Contract fulfillment with our potential and existing customers and in the interest of secure, fast, and efficient provision of our online offers by a professional service provider.

Personal data: This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated through a website.

Recipient: netcup GmbH.
Further information about our service provider's privacy policy can be found here: https://www.netcup.de/kontakt/datenschutzerklaerung.php.

1.1.2. Content Delivery Network

Purpose: We use a Content Delivery Network ("CDN"), a service provider that optimizes the transmission of content over the Internet.

Legal basis: The use of the CDN is for the purpose of fulfilling contracts with our potential and existing customers and in the interest of secure, fast, and efficient provision of our online offers by a professional provider.

Personal data: This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses, and other data generated through a website.

Recipient: netcup GmbH.
Further information on the data protection provisions of our service provider can be found here: https://www.netcup.de/kontakt/datenschutzerklaerung.php.

1.2. Functionality, Security, and Presentation of Our Online Offers and Consent Request

Purpose: Presentation of an appealing and complete website.
When you visit our website, it is technically necessary for data to be transmitted from your internet browser to our web server and stored in log files, known as server log files.

Legal basis: Our legitimate interest in maintaining a confidential, available, and integral website.

Personal data: IP address and usage data.

Recipient: Google Fonts service provided by Google LLC and operated in Europe by Google Ireland Ltd.
No data transmission, including to Google, occurs in the context of our website.
Further information can be found here: https://developers.google.com/fonts/faq?tid=311124635

1.3. Cookies and Similar Technologies

Purpose: We process your browsing data for the purposes stated in the Cookie Policy.

Legal basis: For technically necessary cookies and technologies, the legal basis is the legitimate interest of the website operator in providing the website and its functions in a technically error-free, secure, and visually appealing manner.
For technically unnecessary first-party and third-party cookies, the legal basis is your consent.

You can revoke any given consent at any time via our website function "Cookie Settings" or by email to datenschutz@medumio.de with effect for the future.

Recipient: To provide our cookie banner, we use the Cookiebot service from Usercentrics A/S.
Your data may be shared with third-party providers.
For more information, please read our Cookie Policy.

1.4. Data Processing in the Context of Registration / Creation and Provision of a Customer Account

Purpose: You can register on our online offers by providing your personal data for our Medumio Academy, newsletters, and events.

Legal basis: Fulfillment of a contract.

Personal data: Your email address and, if applicable, your username and your first and last name.

Recipient: Unless legally required, the data will not be shared with third parties.

1.4.1. Registration and Sending of Our Newsletter

Purpose: Personal data is processed when you register for our newsletter, receive it, and unsubscribe from it, after you decide to register, provide us with the corresponding data, and subscribe through the double opt-in procedure.

Legal basis: Your consent.
You can revoke any given consent at any time with effect for the future via the designated link in the newsletter or by email to datenschutz@medumio.de.
Additionally, our legitimate interest in conducting the verification process as part of the double opt-in procedure.
In some rare cases, the processing of your personal data may also be based on our legitimate interest in advertising our products.

Personal data: Email address.
When registering for the newsletter, we store the IP address and the date and time of registration.

Recipient: The aforementioned personal data is also stored by our mailing service provider ActiveCampaign, LLC.
Further information about data protection at ActiveCampaign is available at: https://www.activecampaign.com/legal/privacy-policy

1.5. Data Processing in the Context of Contact Requests

Purpose: If you wish to contact us, you can direct your inquiry directly to us via the "Contact" button by email.
When you click on the email addresses listed under the "Contact" button (e.g., mail@medumio.de), your email program opens.

Legal basis: Your consent, and if the contact is aimed at initiating, concluding, or fulfilling a contract, the legal basis for processing is the fulfillment of the contract.

Personal data: Email address and, if applicable, any other personal data provided by you.

Recipient: HotJar Ltd.
Further information about our service provider's privacy policy can be found here: https://www.hotjar.com/legal/policies/privacy/

1.6. Data Processing in the Context of Initiating and/or Executing a Contractual Relationship

1.6.1. Processing of Customer and Contract Data

Purpose: For establishing, structuring content, or modifying the legal relationship (inventory data) and insofar as this is necessary to enable the use of the service or for billing purposes.

Legal basis: For the fulfillment of a contract and to fulfill a legal obligation.
This includes, in particular, data processing through the use of our Medumio Academy, unless another described processing purpose (and the corresponding legal basis) applies and is relevant.
You are neither contractually nor legally obligated to provide the corresponding data.
However, without providing the data, you may not be able to conclude a contract with us regarding the use of our services or other offers.

Personal data: Contact data, identification data, customer database, and all additional information required for contract conclusion.

Recipient: Unless legally required, the data will not be shared with third parties.

1.6.2. Customer Management

Purpose: Initiation and processing of contracts, or fulfillment of contractual services.
Furthermore, we use the contact data to inform our customers about relevant changes to our services.

Legal basis: For the fulfillment of contracts, fulfillment of legal obligations, and to protect our legitimate interests.

Personal data: Contact data, identification data, inventory data, communication data, contract data, location data, and payment data.

Recipient: To manage our customer data, we use a Customer Relationship Management System.
A transfer of this data to third parties does not generally occur, unless it is necessary to enforce our legal claims.
If you require further information in this regard, please contact us at datenschutz@medumio.de

1.6.3. Subscriptions for Paid Services of Our Online Offers

Purpose: The subscriptions to paid services.
Payment for the services provided is processed through our service provider Digistore24.
We would like to point out that we do not store or process any payment data, except for the confirmation or negative information of the payment.
The entered data is only processed and stored by the payment service providers.
This means that neither Digistore24 nor Medumio receives account or credit card-related information.

Legal basis: The processing is based on the existing or concluded contract with you regarding the purchase of our paid services.

Personal data: Registration data and purchase date.

Recipient: Digistore24 GmbH.
For payment transactions, the terms and conditions and privacy notices of the respective payment service providers, which are available within Digistore24, apply.
Further information about our service provider's privacy policy can be found here: https://www.digistore24.com/page/privacy/4/en

1.7. Security, Monitoring, and Error Resolution

Purpose: To monitor the functionality of our online offers and to detect and resolve errors.

Legal basis: Fulfillment of the contract and our legitimate interest in a confidential, available, and integral data processing.

Personal data: In individual cases, IP address.

Recipient: netcup GmbH.
Further information about our service provider's privacy policy can be found here: https://www.netcup.de/kontakt/datenschutzerklaerung.php.

1.8. Google Tag Manager and Conversion Linker

Purpose: Through the Tag Manager, we can install and manage code segments from various tools that we use on our website easily, quickly, and centrally.
The "Conversion Linker" tag supports the measurement of click data to effectively track conversions.

Legal basis: Your consent.
You can revoke any given consent at any time with effect for the future via the "Cookie Settings" function on our website or by email to datenschutz@medumio.de.
Any processing that has already taken place up to the time of revocation remains unaffected.

Personal data: Including your IP address

Recipients: Google Tag Manager, a tag management system of Google LLC, which is operated in Europe by Google Ireland Ltd.
As part of our tag management system, we also use Conversion Linker, a tag tool of Google LLC which is operated in Europe by Google Ireland Ltd.
Further information about Google's privacy and data processing is available at: https://policies.google.com/privacy?hl=en.

1.9. Data Processing for Statistical Evaluation, Analysis, and Further Development of Our Online Services

Purpose: Statistical evaluation, analysis, and further development.

Legal basis: Your consent.
You can revoke any given consent at any time with effect for the future via the "Cookie Settings" function on our website or by email to datenschutz@medumio.de.
Any processing that has already taken place up to the time of revocation remains unaffected.

Personal data: Including IP address, location, usage data.

Recipients: Google LLC, operated in Europe by Google Ireland Ltd.
Further information about data protection at Google is available at: https://policies.google.com/privacy?hl=en.
Also VG Wort – Further information about data protection at VG WORT is available at: https://www.vgwort.de/datenschutz.html?tid=331691061443.

1.10. Google Ads

Purpose: We use Google Ads on our online services for advertising and optimization purposes.
Through this service, advertisers can place advertisements in Google's advertising networks that are primarily oriented towards search results from Google services and aligned with website content.

Legal basis: Your consent.
You can revoke any given consent at any time with effect for the future via our Cookie Settings on our online services or by email to datenschutz@medumio.de.
The lawfulness of processing based on your consent until revocation remains unaffected.

Personal data: Including IP address, date and time of access, and usage data.

Recipients: Google LLC, which is operated in Europe by Google Ireland Ltd.
Further information about our service provider's privacy policies can be found here: Google Ads Policies.

1.11. Promotion of Social Media Presence on Our Online Services

Purpose: Promotion of social media presence.
Integration occurs through a text link or linked graphic of the network.
The use of these links prevents the automatic establishment of a connection to the respective social network server when a website with a social media advertisement is accessed.
Only by clicking on the corresponding link is the user redirected to the social network's service.
Once the user has been redirected, the social network collects information about the user.

Legal basis: The legal basis for integrating the links on our website is our legitimate interest in promoting and ensuring the visibility of our social media presences.

Personal data: Including IP address, date, time, and visited page.
If users want to prevent the collected information from being directly associated with their user account, they must log out of their account before clicking on the graphic link provided on our website.
Additionally, there is the possibility to configure the respective user account accordingly.

Recipients: Including:

• Facebook – Social network of Meta Platforms Inc., operated in Europe by Meta Platforms Ireland Limited
• Instagram – Social network of Meta Platforms Inc., operated in Europe by Meta Platforms Ireland Limited
• Youtube – Social video platform of YouTube LLC, which is a subsidiary of Google LLC and operated in Europe by Google Ireland Limited
• LinkedIn – Social network of LinkedIn Corporation Inc., which is operated in Europe by LinkedIn Ireland Unlimited Company
• Google Maps – Online map service of Google LLC, which is operated in Europe by Google Ireland Limited

1.12. VIMEO

Purpose: Video Streaming.
As soon as you start a Vimeo video on this website, a connection to Vimeo's servers is established.
This informs the Vimeo server which of our pages you have visited.
If you are logged into your Vimeo account, you allow Vimeo to directly associate your browsing behavior with your personal profile.
You can prevent this by logging out of your Vimeo account.

Legal basis: Your consent.
You can revoke any given consent at any time with effect for the future via the "Cookie Settings" function on our website or by email to datenschutz@medumio.de.
The lawfulness of any processing carried out up to the time of revocation remains unaffected.

Personal data: Visited pages, IP address, and usage data.

Recipients: Our website incorporates videos from Vimeo LLC for the graphical presentation of our online services.
Further information about data protection at Vimeo is available at: https://vimeo.com/privacy.

IV. Data Processing in the Context of Your Application and Hiring Process

When you apply to us (e.g., via email or contact form), we process your information and the documents you submit, including the personal data contained therein, for the purpose of processing your application.
The data processed includes at minimum the mandatory information of first and last name, address, email address, and telephone number if applicable, voluntary information about place and date of birth, nationality, and your application photo, as well as other information provided by you and/or documents submitted by you.

If and to the extent that you apply to us via email or contact form, the legal basis for processing is our legitimate interest pursuant to Art. 6(1)(f) GDPR.
We have a legitimate interest in the complete processing of your application.
Since you are applying to us, we assume that there are no conflicting interests on your part regarding the processing.
If we have your consent, the legal basis for processing is this consent, Art. 6(1)(a) GDPR or, if applicable, Art. 9(2)(a) GDPR.
If an employment relationship is established, personal applicant data will be processed for the purpose of establishing and implementing the employment relationship on the basis of § 26(1) and (3) BDSG.
For applications that do not lead to a contractual relationship, we also have a legitimate interest pursuant to Art. 6(1)(f) GDPR in retaining the application documents for a limited period (see Section 7 of this Privacy Policy) to enforce our legal claims or defend against lawsuits.

V. Legitimate Interests

Unless otherwise specified in this Privacy Policy and where we rely on legitimate interests as per Art. 6(1)(f) GDPR for the processing of your personal data, such interests include protection against misuse, detection and correction of errors, assertion or defense of legal claims, and handling incoming inquiries.

VI. Additional Recipients and Data Transfer

Beyond the cases mentioned in this Privacy Policy, your personal data will only be shared in the following cases without your express prior consent:

• To provide and continuously improve our services, we use some third-party services that have been carefully selected and are in compliance with GDPR provisions.
• Tools to enable the use of Academy, Media Library, and Event Booking services (legitimate interest pursuant to Art. 6(1)(f) GDPR).
• Tools to support the user's use of the Academy (contract fulfillment pursuant to Art. 6(1)(b) GDPR).
• If necessary for investigating illegal use of our services or for legal prosecution, personal data will be shared with law enforcement authorities and, if applicable, affected third parties.

This only occurs if there are concrete indications of unlawful or abusive behavior.
Data may also be shared if this serves to enforce terms of use or other agreements.
Furthermore, we are legally obligated to provide information to certain public authorities upon request.
These are law enforcement authorities, authorities that prosecute administrative offenses subject to fines, and tax authorities.

The sharing of this data is based on our legitimate interest in combating abuse, prosecuting criminal offenses, and securing, asserting, and enforcing claims, unless your rights and interests in protecting your personal data prevail, Art. 6(1)(f) GDPR, or due to a legal obligation under Art. 6(1)(c) GDPR.

We also share personal data with auditors, accounting service providers, lawyers, banks, tax advisors, and similar entities to the extent necessary for providing our services (Art. 6(1)(b) GDPR) or the proper operation of our company, including the enforcement or defense of legal claims and court proceedings (Art. 6(1)(f) GDPR) or if we are obligated to do so (Art. 6(1)(c) GDPR).

VII. International Data Transfers

Data transfers to countries outside the European Union or European Economic Area occur. Information we collect from you may be processed in the United States or other third countries. Some third countries currently do not have an adequacy decision from the European Union under Article 45 of the GDPR, meaning your data may not receive the same level of protection as under the GDPR.

International data transfers typically occur based on legally prescribed contractual or other regulations designed to ensure adequate protection of your data, which you can review upon request. We rely on the provisions set out in Article 49 GDPR or, where applicable, safeguards pursuant to Article 46 GDPR. We and our processors implement appropriate security measures to protect the privacy and security of your personal data. Therefore, we process your personal data only in accordance with the practices described in this Privacy Policy.

As of July 10, 2023, the European Commission has adopted an adequacy decision for EU-US data transfers under Art. 45 GDPR. However, American companies must first obtain (self-)certification under the Trans-Atlantic Privacy Framework ("EU-US-DPF") and be listed with the US Department of Commerce to qualify under this adequacy decision. Since we and our processors continue implementing appropriate security measures to protect your privacy and personal data security, our data transfers to third countries and non-certified US companies remain based on legally prescribed contractual or other regulations designed to ensure adequate data protection, which you can review upon request. We rely on safeguards pursuant to Art. 46 GDPR or, where applicable, provisions of Art. 49 GDPR.

Note: For more information about this, please contact us at datenschutz@medumio.de.

The following service providers we use are certified by the US Department of Commerce:

• Meta Platforms, Inc.
• Google LLC
• ActiveCampaign LLC

VIII. Storage Duration

We retain your personal data only as long as necessary to achieve the processing purpose. If you have consented to processing, we store your data until you withdraw consent; if we need the data to perform a contract, only as long as the contractual relationship exists; if we use the data based on legitimate interest, only as long as your interest in deletion or anonymization does not prevail.

Storage may extend beyond these periods if required by European or national legislation in EU regulations, laws, or other provisions binding the controller. In such cases, data will be deleted when the storage or retention period prescribed by these standards expires.

We retain application documents throughout the hiring process and for two months after sending rejection if (i) the application does not result in employment, (ii) no further storage has been agreed upon, and (iii) no claims against us have been filed within the exclusion period of § 15 Para. 4 AGG. If claims are filed within this exclusion period, the retention period extends at least by the 3-month period of § 61b Para. 1 Labor Court Act. If no lawsuit is filed within this period, we destroy the application documents; otherwise, we retain them until a court decision becomes final. For successful applications, we retain the documents, if applicable, throughout the employment relationship and the labor law limitation period in the employee's personnel file. In employment-related legal disputes, we retain documents until a court decision becomes final.

IX. Your Rights as a Data Subject

When processing your personal data, the GDPR grants you the following rights. You can exercise the rights described in sections IX.1.- IX.7. at any time by emailing datenschutz@medumio.de. The right to lodge a complaint explained in section IX.8. must be asserted with the respective competent supervisory authority.

Please note: When exercising your rights under Articles 15 to 22 of the GDPR, the personal data you provide will be processed to handle your request and maintain proof thereof. This processing is based on Art. 6 Para. 1 lit. c GDPR in conjunction with Art. 15 to 22 GDPR and § 34 Para. 2 BDSG.

Right of Access: You have the right to request confirmation whether personal data concerning you is being processed.

Right to Rectification: You have the right to request immediate correction of inaccurate personal data concerning you and completion of incomplete data.

Right to Erasure: You have the right to request immediate deletion of personal data concerning you, provided Art. 17 GDPR requirements are met and no legal provision justifies further processing.

Right to Restriction of Processing: You have the right to request restriction of processing if one of the conditions in Art. 18 GDPR is met.

Right to Data Portability: In certain cases detailed in Art. 20 GDPR, you have the right to receive personal data concerning you in a structured, commonly used, and machine-readable format or request its transfer to a third party. Direct transfer to another controller will only occur where technically feasible.

Right to Object under Art. 21 GDPR: You have the right to object at any time to processing of personal data concerning you based on Article 6 Para. 1 S. 1 lit. e (public interest task) or lit. f (legitimate interest) GDPR, including profiling based on these provisions.

Upon objection, we will no longer process the affected personal data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves to establish, exercise, or defend legal claims (objection under Art. 21 Para. 1 GDPR in conjunction with § 36 BDSG).

If your personal data is processed for direct marketing, you may object at any time to such processing, including related profiling. Upon objection, your personal data will no longer be used for direct marketing (objection under Art. 21 Para. 2 GDPR).

Withdrawal of Consent: You have the right to withdraw consent to personal data processing at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

Please note: When exercising rights under Art. 15 to 22 GDPR, transmitted personal data will be processed to handle your request and maintain proof thereof. This processing fulfills legal obligations under Art. 6 Para. 1 lit. c) GDPR in conjunction with § 34 Para. 2 BDSG or Art. 12 GDPR and/or pursues legitimate interests in evidence-based defense against claims under Art. 6 Para. 1 lit. f) or Art. 9 Para. 2 lit. f) GDPR.

Right to Lodge a Complaint with a Supervisory Authority: Under Art. 77 GDPR, you may lodge a complaint with a supervisory authority, particularly in your habitual residence, workplace, or alleged infringement location if you believe personal data processing violates the GDPR or other provisions.

Our responsible supervisory authority is:
Berlin Commissioner for Data Protection and Freedom of Information
Address: Alt-Moabit 59-61 10555 Berlin

Phone: +49 (0) 30 13889-0
Fax: +49 (0) 30 2155050
Email: mailbox@datenschutz-berlin.de

X. Necessity or Obligation to Provide Data

Unless explicitly stated during collection, providing data is neither necessary nor obligatory. Such obligations may arise from legal requirements or contractual regulations. Generally, failing to provide required personal data prevents contract conclusion and/or service provision. Our employees provide case-specific clarification about whether personal data provision is legally or contractually required, necessary for contract conclusion, whether an obligation exists to provide data, and the consequences of non-provision.

XI. Automated Decisions

We do not use automated decision-making mechanisms - including profiling - that have legal effects or similarly significant impacts on data subjects.

XII. Data Security

We implement organizational, contractual, and technical security measures according to current technological standards to ensure compliance with data protection laws and protect processed data against accidental or intentional manipulation, loss, destruction, or unauthorized access. Security measures include encrypted data transmission between your browser and our server.

XIII. Status of this Privacy Policy & Changes

We reserve the right to modify this privacy policy at any time with future effect.

Status: April 2024