Preamble

With the following Privacy Policy, we would like to inform you about the types of your personal data we process, for what purposes, and to what extent. This Privacy Policy applies to all personal data processing carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles.

Last updated: April 17, 2026

Controller

Nivando – IT That Works a business division of Casino King GmbH Scheidertalstr. 9 65326 Aarbergen Germany Email address: [email protected] Imprint: https://www.nivando.com/imprint

Overview of Processing Activities

Types of Data Processed Inventory data. Payment data. Location data. Contact data. Content data. Contract data. Usage data. Meta, communication and procedural data.

Categories of Data Subjects Recipients of services and clients. Prospective customers. Communication partners. Users. Business and contractual partners.

Purposes of Processing Provision of contractual services and fulfillment of contractual obligations. Communication. Reach measurement. Tracking. Office and organizational procedures. Target group formation. Organizational and administrative procedures. Feedback. Marketing. Profiles with user-related information. Provision of our online offering and user experience. Public relations. Business processes and operational procedures.

Relevant Legal Bases

Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.

Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements. These measures include securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology.

General Information on Data Storage and Deletion

We delete personal data in accordance with legal requirements as soon as the underlying consents are revoked or no further legal bases for processing exist.

The following general retention periods apply under German law:
10 years – Books and records, annual financial statements, inventories (§ 147 AO, § 257 HGB).
8 years – Accounting vouchers such as invoices and expense receipts (§ 147 AO, § 257 HGB).
6 years – Other business documents (§ 147 AO, § 257 HGB).
3 years – Data required to consider potential warranty and compensation claims (§§ 195, 199 BGB).

Rights of Data Subjects

Right to object: You have the right to object at any time to the processing of your personal data carried out on the basis of Art. 6(1)(e) or (f) GDPR.
Right to withdraw consent: You have the right to withdraw your consent at any time.
Right of access: You have the right to obtain confirmation as to whether data concerning you is being processed and to access such data.
Right to rectification: You have the right to request the completion or correction of inaccurate data concerning you.
Right to erasure and restriction of processing: You have the right to request that data concerning you be erased immediately, or alternatively to request restriction of processing.
Right to data portability: You have the right to receive data concerning you in a structured, commonly used, and machine-readable format.
Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes the GDPR.

Business Services

We process data of our contractual and business partners in the context of contractual and comparable legal relationships as well as related measures and communication.

Processed data types: Inventory data; Payment data; Contact data; Contract data.
Data subjects: Recipients of services and clients; Prospective customers; Business and contractual partners.
Purposes of processing: Provision of contractual services; Communication; Office and organizational procedures; Business processes and operational procedures.
Legal bases: Performance of a contract (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further notes:

Project and development services: We process the data of our customers and clients to enable them to select, acquire, or commission the chosen services or works, as well as related activities. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR).

Technical services: We process the data of our customers and clients to enable them to select, acquire, or commission the chosen services. Where we obtain access to information of end customers, employees, or other persons, we process this in accordance with legal and contractual requirements. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR).

Use of Cookies

The term “cookies” refers to functions that store and retrieve information on users’ end devices. We use cookies in accordance with legal requirements. Where necessary, we obtain prior consent from users.

Storage duration:
Session cookies: Deleted at the latest when a user leaves the online offering and closes their end device.
Permanent cookies: Remain stored even after closing the end device for up to two years unless otherwise specified.

Processed data types: Meta, communication and procedural data.
Data subjects: Users (e.g., website visitors, users of online services).
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).

Further notes:

Processing of cookie data based on consent: We use a consent management solution to obtain user consent for the use of cookies. Consent declarations are stored to avoid repeated requests and to provide proof of consent. Legal bases: Consent (Art. 6(1)(a) GDPR).

Contact and Inquiry Management

When contacting us (e.g., via contact form or email) and in the context of existing user and business relationships, the information provided by the inquiring persons is processed to respond to contact inquiries and any requested actions.

Processed data types: Inventory data; Contact data; Content data; Usage data; Meta, communication and procedural data.
Data subjects: Communication partners.
Purposes of processing: Communication; Organizational and administrative procedures; Feedback; Provision of our online offering and user experience.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Performance of a contract (Art. 6(1)(b) GDPR).

Further notes:

Contact form: When contacting us via our contact form, email, or other communication channels, we process the personal data transmitted to us to respond to and handle the respective inquiry. We use this data exclusively for the stated purpose of contact and communication. Legal bases: Performance of a contract (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).

Communication via Messenger

We use messenger services for communication purposes. In the case of end-to-end encryption, the content of messages cannot be viewed, not even by the messenger providers themselves.

Legal bases: Consent (Art. 6(1)(a) GDPR); Performance of a contract (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Web Analytics, Monitoring and Optimization

Web analytics serves to evaluate the visitor flows of our online offering. IP addresses of users are stored using an IP masking procedure for user protection.

Processed data types: Usage data; Meta, communication and procedural data.
Data subjects: Users.
Security measures: IP masking (pseudonymization of IP address).
Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further notes:

Google Analytics: We use Google Analytics to measure and analyze the use of our online offering on the basis of a pseudonymous user identification number. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms/; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-out: https://tools.google.com/dlpage/gaoptout.

Google Tag Manager: We use Google Tag Manager to manage website tags centrally. The Google Tag Manager itself does not create user profiles or carry out independent analyses. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF).

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data to communicate with active users or to offer information about us.

Processed data types: Contact data; Content data; Usage data.
Data subjects: Users.
Purposes of processing: Communication; Feedback; Public relations.
Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Further notes:

Instagram: Social network enabling sharing of photos and videos. Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/; Basis for third-country transfers: Data Privacy Framework (DPF).

LinkedIn: Social network. We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection of visitor data used to create Page Insights of our LinkedIn profiles. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF); Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers. These may include graphics, videos, or maps.

Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further notes:

Google Fonts (from Google Server): Retrieval of fonts for technically secure and efficient use. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF).

Google Maps: We integrate the maps of the “Google Maps” service provided by Google. Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6(1)(a) GDPR); Privacy policy: https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF).

Changes and Updates

We ask you to regularly inform yourself about the content of our Privacy Policy. We will adapt the Privacy Policy as soon as changes to the data processing activities we carry out make this necessary.