Privacy Policy

We take the protection of the data of users of our website and/or mobile app very seriously and are committed to safeguarding the information that users provide to us in connection with their use of our website and/or mobile app (collectively referred to as "digital assets"). Furthermore, we are committed to protecting and using your data in accordance with applicable laws.

This privacy policy explains our practices regarding the collection, use, and disclosure of your data through the use of our digital assets (the "services") when you access the services via your devices.

Please read this privacy policy carefully and ensure that you fully understand our practices regarding your data before using our services. If you have read and fully understood this policy and do not agree with our approach, you must discontinue the use of our digital assets and services. By using our services, you acknowledge the terms of this privacy policy. Your continued use of the services constitutes your acceptance of this privacy policy and any amendments thereto.

Below, we provide you with information in accordance with the legal requirements of data protection laws (particularly the BDSG n.F. and the European General Data Protection Regulation, "GDPR") regarding the type, scope, and purpose of the processing of personal data by our company. This privacy policy also applies to our websites and social media profiles. For definitions of terms such as "personal data" or "processing," we refer to Article 4 of the GDPR.


Name and Contact Details of the Controller

Our controller (hereinafter referred to as "Controller") as defined by Article 4(7) of the GDPR is:

Philipp Rommeiss
Hochfeldstraße 5
86159 Augsburg
Email: info@tontau.com


Types of Data, Purposes of Processing, and Categories of Data Subjects

Below, we inform you about the type, scope, and purpose of the collection, processing, and use of personal data.

1. Types of Data We Process

  • Usage Data (access times, visited websites, etc.)
  • Basic Data (name, address, etc.)
  • Contact Data (phone number, email, fax, etc.)
  • Payment Data (bank details, account information, payment history, etc.)
  • Contract Data (contract subject, duration, etc.)
  • Communication Data (IP address, etc.)

2. Purposes of Processing According to Art. 13(1)(c) GDPR

  • Execution of contracts
  • Evidence and documentation purposes
  • Technical and economic optimization of the website
  • Facilitating easy access to the website
  • Fulfillment of contractual obligations
  • Compliance with legal retention obligations
  • Optimization and statistical analysis of our services
  • Supporting the commercial use of the website
  • Economic operation of advertising and the website
  • Marketing, sales, and advertising
  • Compilation of statistics
  • Prevention of spam and misuse
  • Customer service and customer relationship management
  • Handling contact requests
  • Providing websites with functions and content
  • Ensuring uninterrupted and secure operation of our website

3. Categories of Data Subjects According to Art. 13(1)(e) GDPR

  • Visitors/users of the website
  • Customers
  • Suppliers

The affected individuals are collectively referred to as "users."

Legal Basis for Processing Personal Data

Below, we inform you about the legal bases for processing personal data:

  • If we have obtained your consent for processing personal data, the legal basis is Art. 6(1)(a) GDPR.
  • If processing is necessary for the performance of a contract or for pre-contractual measures requested by you, the legal basis is Art. 6(1)(b) GDPR.
  • If processing is necessary for compliance with a legal obligation (e.g., legal retention obligations), the legal basis is Art. 6(1)(c) GDPR.
  • If processing is necessary to protect vital interests of the data subject or another natural person, the legal basis is Art. 6(1)(d) GDPR.
  • If processing is necessary for legitimate interests pursued by us or a third party, and your interests or fundamental rights and freedoms do not override these, the legal basis is Art. 6(1)(f) GDPR.

 

Disclosure of Personal Data to Third Parties and Processors

We do not share your data with third parties without your explicit consent. If data is shared, it is based on the legal foundations mentioned above—for example, sharing data with online payment providers to fulfill contracts, due to court orders, or legal obligations such as law enforcement, risk prevention, or protecting intellectual property rights.

Additionally, we use data processors (external service providers, e.g., for website hosting and database management) to process your data. If data is transferred to processors as part of a processing agreement, this is always done in accordance with Art. 28 GDPR. We carefully select our processors, regularly review them, and ensure that we retain control over the data and the right to issue instructions. Furthermore, processors must implement appropriate technical and organizational measures and comply with data protection laws under BDSG n.F. and GDPR.

Data Transfers to Third Countries

With the introduction of the General Data Protection Regulation (GDPR), a standardized data protection framework was established within Europe. Your data is primarily processed by companies that fall under GDPR regulations.

If, however, data is processed by third-party services outside the European Union (EU) or the European Economic Area (EEA), they must meet the special requirements of Art. 44 et seq. GDPR. This means processing must occur under specific safeguards, such as:

  • An official EU Commission decision recognizing an adequate data protection level in the third country, or
  • Compliance with officially recognized contractual obligations, such as the Standard Contractual Clauses (SCCs).

If, due to the invalidity of the "Privacy Shield" agreement, we request your explicit consent for data transfer to the USA under Art. 49(1)(a) GDPR, we must inform you about potential risks. These include the possibility of undisclosed access to your data by US authorities and its use for surveillance purposes, potentially without legal recourse for EU citizens.

 

Deletion of Data and Retention Period

Unless otherwise specified in this privacy policy, your personal data will be deleted or blocked as soon as you withdraw your consent for processing, or the purpose for storing the data no longer applies, or the data is no longer needed for its purpose. However, if retention is required for proof purposes or due to legal retention obligations, the data will be retained.

Examples include the commercial-law retention obligation for business correspondence under § 257(1) HGB (6 years) and the tax-law retention obligation for records under § 147(1) AO (10 years). Once the required retention period expires, your data will be blocked or deleted, unless storage is still necessary for contract conclusion or contract fulfillment.

Existence of Automated Decision-Making

We do not use automated decision-making or profiling.

Provision of Our Website and Creation of Log Files

  1. If you only use our website for informational purposes (i.e., no registration or other information submission), we collect only the personal data that your browser transmits to our server. When you view our website, we collect the following data:
  • IP address
  • Internet service provider of the user
  • Date and time of access
  • Browser type
  • Language and browser version
  • Content of the retrieval
  • Time zone
  • Access status/HTTP status code
  • Amount of data
  • Websites from which the request originates
  • Operating system

This data is not stored together with other personal data you provide.

This data serves the purpose of delivering our website to you in a user-friendly, functional, and secure manner, including features and content, as well as for optimization and statistical evaluation.

  2. The legal basis for this processing is our legitimate interest in processing data as stated above, according to Art. 6(1) S.1 lit. f) GDPR.

  3. For security reasons, we store this data in server log files for a retention period of one year. After this period, the data will be automatically deleted, unless retention is necessary for evidence purposes in cases of attacks on the server infrastructure or other legal violations.

Cookies

  1. Use of Cookies

We use cookies when you visit our website. Cookies are small text files stored by your internet browser on your device. When you revisit our website, these cookies provide information to automatically recognize you. This includes "user IDs," where user details are stored via pseudonymized profiles.

Upon visiting our website, you will be informed via a notice about our privacy policy and cookie usage, including how you can opt out or prevent their storage. You can adjust your preferences anytime via the cookie banner under "Settings".

Types of Cookies:

  • Essential Cookies: Necessary for website operation, enabling features such as logins, shopping carts, and saving user preferences (e.g., language settings).
  • Session Cookies: Recognize repeated visits by the same user, allowing for functions like login status detection. They are deleted when you close your browser or log out.
  • Persistent Cookies: Remain stored even after closing the browser. Used for login storage, audience measurement, and marketing purposes. These are automatically deleted after a set period, varying per cookie. You can delete them anytime in your browser settings.
  • Third-Party Cookies: These come from advertisers or external services. You can configure your browser to reject third-party cookies or all cookies, but this may affect website functionality. See third-party providers' privacy policies for more details.
  2. Data Categories: User data, cookies, user ID (including visited pages, device information, access times, and IP addresses).

  3. Purpose of Processing: Optimizing the technical and economic performance of our web services, ensuring an easier and more secure website experience.

  4. Legal Basis:

    • If processing is based on your consent (opt-in), the legal basis is Art. 6(1) S. 1 lit. a) GDPR.
    • If cookies are used for website functionality and business efficiency, our legitimate interest under Art. 6(1) S. 1 lit. f) GDPR applies.
    • For cookies used to facilitate transactions (e.g., orders), the legal basis is Art. 6(1) S. 1 lit. b) GDPR.
  5. Storage Duration & Deletion:

    • Data is deleted once it is no longer needed for its original purpose.
    • For website functionality, data is deleted when the session ends.
    • Cookies are stored on your device and can be managed or deleted via your browser settings.
    • Disabling cookies may limit some website features.

How to Delete Cookies in Your Browser:

 

6. Objection and "Opt-Out":

You can generally prevent cookies from being stored on your hard drive, regardless of consent or legal permission, by selecting "Do not accept cookies" in your browser settings. However, this may result in functional restrictions on our services. You can opt out of the use of third-party cookies for advertising purposes via the following websites: the American website https://optout.aboutads.info or the European website http://www.youronlinechoices.com/de/praferenzmanagement/.

Contract Processing:

We process inventory data (e.g., company name, title/academic degree, names and addresses, and user contact details such as email), contract data (e.g., services used, names of contact persons), and payment data (e.g., bank details, payment history) for the purpose of fulfilling our contractual obligations (identifying the contract partner, establishing, structuring, and executing the contract, and verifying the plausibility of the data) and for service-related purposes (e.g., customer service contact) in accordance with Art. 6 Para. 1 Sentence 1 lit. b) GDPR. The fields marked as mandatory in online forms are required for contract conclusion.

 

Disclosure of Data to Third Parties

In principle, these data are not shared with third parties unless it is necessary for asserting our claims (e.g., transferring data to a lawyer for debt collection) or for fulfilling the contract (e.g., providing data to a payment service provider), or if there is a legal obligation to do so in accordance with Art. 6 Para. 1 Sentence 1 lit. c) GDPR.

Processing for Marketing and Technical Information

We may also process the data you provide to inform you about other interesting products from our portfolio or to send you emails with technical information.

Data Deletion

Data will be deleted as soon as they are no longer required for the purpose for which they were collected. For inventory and contract data, this is the case when the data are no longer necessary for executing the contract and no claims can be asserted from the contract because the limitation period has expired (warranty: two years / general limitation period: three years).

We are legally obligated by commercial and tax regulations to retain your address, payment, and order data for a period of ten years. However, after three years from contract termination, we restrict processing, meaning that your data will only be used to comply with legal obligations. Information stored in a user account remains until the account is deleted.

 

Online Payment Providers

  1. The billing for payments via "PayPal" is processed by PayPal (Europe) S.àr.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, Web: paypal.de, https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Billing for payments via "Sofort.com" is processed by Klarna GmbH, Theresienhöhe 12, 80339 Munich, https://www.klarna.com/sofort/datenschutz/.

These are referred to as "Online Billers" below.

The Online Billers collect, store, and process your usage and billing data to determine and bill for the services you have used. The data entered into the Online Billers will only be processed and stored by them. If the Online Billers are unable to collect or can only partially collect the usage fees, or if the Online Billers refrain from doing so due to a complaint from you, the usage data will be forwarded to the controller, and, if necessary, a block will be implemented by the controller. The same applies if, for example, a credit card company reverses a transaction from you to the detriment of the controller.

2. Legal Basis

The legal basis for this processing is Art. 6 Para. 1 lit. b) GDPR, as the processing is necessary for the fulfillment of a contract by the controller. Additionally, external Online Billers are used based on Art. 6 Para. 1 lit. f) GDPR for the legitimate interests of the controller, to provide you with secure, simple, and diverse payment options.

3. Regarding Retention Period, Right to Withdrawal, Access, and Data Subject Rights

We refer to the above privacy statements of the Online Billers regarding the retention period, the right to withdrawal, access, and data subject rights.

 

Google AdWords with Conversion Tracking

  1. We use the service "Google Ads with Conversion Tracking" (service provider: Google Ireland Limited, Registration No.: 368047, Gordon House, Barrow Street, Dublin 4, Ireland) to attract attention to our website through advertisements on third-party websites.

  2. Data Categories and Description of Data Processing: Usage Data/Communication Data. When you click on one of our Google ads, a cookie is stored in your browser, which is valid for approximately 30 days. If you later visit our website, we and Google can analyze, based on the cookie, whether you visited our website and which page you visited. Google generates a statistic based on this. The data is also transferred to the USA and analyzed there. If you are logged into a Google account, the data may be associated with your account through AdWords. If you do not wish this, you must log out before visiting our website.

  3. Purpose of Data Processing: This conversion tracking is used for the purpose of analysis/success measurement, optimization, and the economic operation of our advertising and website.

  4. Legal Bases: If you have given consent for the processing of your personal data through "Google Ads with Conversion Tracking" ("Opt-in"), then Art. 6 Para. 1 Sentence 1 lit. a) GDPR is the legal basis. Otherwise, the legal basis for processing your data is our legitimate interest in the analysis, optimization, and efficient economic operation of our advertising and website in accordance with Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

  5. Data Transfer/Recipient Category: Google Ireland.

  6. Retention Period: Up to 540 days.

  7. Objection and Removal Options ("Opt-Out"): You can object to or prevent the installation of cookies by Google in several ways:

  • You can prevent cookies in your browser by setting "Do not accept cookies," which also includes third-party cookies.
  • You can disable conversion tracking directly with Google via the link https://adssettings.google.com, but this setting will only remain active until you delete your cookies.
  • You can deactivate personalized ads from third-party advertisers participating in the "About Ads" self-regulation initiative via the link https://optout.aboutads.info for US sites or for EU sites via http://www.youronlinechoices.com/de/praferenzmanagement/. This setting will remain until you delete all your cookies.
  • You can permanently disable cookies through a browser plug-in for Chrome, Firefox, or Internet Explorer via the link https://support.google.com/ads/answer/7395996. This deactivation may result in not being able to fully utilize all functions of our website.
  8. For more information, please refer to Google's privacy policy at https://policies.google.com/privacy?hl=de&gl=de and https://services.google.com/sitestats/de.html.

 

Google Analytics Remarketing / "Similar Audiences"

  1. We use the service "Google Analytics Remarketing / 'Similar Audiences'" (service provider: Google Ireland Limited, Registration No.: 368047, Gordon House, Barrow Street, Dublin 4, Ireland) to attract attention to our website through advertisements on third-party websites and other internet services. Google and we share joint responsibility for data processing according to Art. 26 GDPR. We have agreed with Google that we assume primary responsibility for the data processing under the GDPR and will fulfill all obligations regarding the processing of data (including Art. 12, 13 GDPR, Art. 15 to 22 GDPR, and Art. 32 to 34 GDPR).

  2. Data Categories and Description of Data Processing: Usage Data/Communication Data. With the Remarketing or "Similar Audiences" feature in Ads, we can reach you if you have already visited our website, showing you a relevant ad message. With Remarketing, we can bring back our previous visitors to our website by means of a click. When you later visit other websites or online services, we and Google can analyze, based on the cookie, whether you had previously visited our website, and show you our ads there. Google generates statistics based on this. The full extent of the data processing is unknown to us. The data is also transferred to the USA and analyzed there. According to Google, the data collected by Remarketing is not combined with any personal data stored by Google, but is processed pseudonymously.

  3. Purpose of Data Processing: This Remarketing is used for the purpose of analysis, optimization, and the economic operation of our advertising and website.

  4. Legal Basis: If you have given consent for the processing of your personal data through "Google Ads Remarketing / 'Similar Audiences'" ("Opt-in"), then Art. 6 Para. 1 Sentence 1 lit. a) GDPR is the legal basis. Otherwise, the legal basis for processing your data is our legitimate interest in the analysis, optimization, and efficient economic operation of our advertising and website in accordance with Art. 6 Para. 1 Sentence 1 lit. f) GDPR.

  5. Data Transfer/Recipient Category: Google Ireland.

  6. Retention Period: If you visit certain pages on our website, a cookie will be stored in your browser, valid for 30 days.

  7. Objection and Removal Options ("Opt-Out"): You can object to or prevent the installation of cookies by Google in various ways:

  • You can prevent cookies in your browser by setting "Do not accept cookies," which includes third-party cookies.
  • You can directly disable personalized ads with Google via the link https://adssettings.google.com, but this setting will only remain active until you delete your cookies.
  • You can disable personalized ads from third-party advertisers participating in the "About Ads" self-regulation initiative via the link https://optout.aboutads.info for US sites or for EU sites at http://www.youronlinechoices.com/de/praferenzmanagement/, but this setting will remain until you delete all your cookies.
  • You can permanently disable cookies with a browser plug-in for Chrome, Firefox, or Internet Explorer via the link https://support.google.com/ads/answer/7395996. This deactivation may result in you not being able to fully use all functions of our website.
  8. For more information, please refer to Google's privacy policy at https://policies.google.com/privacy?hl=de&gl=de.

 

YouTube Videos

  1. We have embedded YouTube videos from youtube.com on our website using the embedded function, so they can be accessed directly on our website. YouTube is owned by Google Ireland Limited, Registration No.: 368047, Gordon House, Barrow Street, Dublin 4, Ireland.

  2. Data Category and Description of Data Processing: Usage Data (e.g., visited webpage, content, and access times). We have embedded the videos in the so-called "extended privacy mode," which does not collect usage behavior via cookies for personalizing the video playback. Instead, video recommendations are based on the currently played video. Videos played in the extended privacy mode in an embedded player do not affect the videos recommended to you on YouTube. By starting a video (clicking on the video), you consent to YouTube tracking the information that you have accessed the respective subpage or video on our website and using this data for advertising purposes.

  3. Purpose of Data Processing: Providing a user-friendly offering, optimization, and improvement of our content.

  4. Legal Basis: If you have given consent for the processing of your personal data through "etracker" by a third-party provider ("Opt-in"), then Art. 6 Para. 1 Sentence 1 lit. a) GDPR is the legal basis. The legal basis is also our legitimate interest in the data processing for the purposes mentioned above in accordance with Art. 6 Para. 1 Sentence 1 lit. f) GDPR. For services provided in connection with a contract, the tracking and analysis of user behavior is carried out under Art. 6 Para. 1 Sentence 1 lit. b) GDPR to offer optimized services for the fulfillment of the contractual purpose based on the resulting information.

  5. Data Transfer/Recipient Category: Third-party providers in the USA. The data collected is transferred to the USA and stored there, even without a Google account. If you are logged into your Google account, Google may associate this data with your account. If you do not wish this, you must log out of your Google account. Google creates user profiles from such data and uses this data for advertising, market research, or optimization of its websites.

  6. Retention Period: Cookies for up to 2 years or until the cookies are deleted by you as a user.

  7. Objection: You have the right to object to Google creating user profiles. Please contact Google directly via the privacy policy below. You can make an Opt-Out objection regarding advertising cookies here in your Google account: https://adssettings.google.com/authenticated.

  8. Further information on the use of Google cookies and advertising technologies, retention periods, anonymization, location data, functionality, and your rights can be found in YouTube's terms of service at https://www.youtube.com/t/terms and Google’s advertising privacy policy at https://policies.google.com/technologies/ads. General privacy policy of Google: https://policies.google.com/privacy.

 

Presence on Social Media

  1. We maintain profiles and fan pages on social media platforms. When you use or visit our profile on the respective network, the privacy notices and terms of use of that network apply.

  2. Data Categories and Description of Data Processing: Usage data, contact data, content data, and membership data. Additionally, user data within social networks is typically processed for market research and advertising purposes. For example, usage behavior and derived user interests can be used to create user profiles. These profiles can then be used to place targeted advertisements both within and outside the networks that are presumed to match the user's interests. For these purposes, cookies are generally stored on users' devices, which store their usage behavior and interests. User profiles may also store data independent of the devices used by the users (especially if the users are members of the respective platforms and are logged in). For a detailed description of the specific forms of processing and the options to object (Opt-Out), we refer to the privacy policies and terms provided by the operators of the respective networks. In the event of inquiries or exercising of data subject rights, we would like to inform you that these are most effectively addressed to the providers. Only the providers have access to user data and can take appropriate actions and provide information. Should you still need assistance, you can contact us.

  3. Purpose of Processing: Communication with users connected and registered on social networks; information and advertising about our products, offers, and services; external representation and image maintenance; evaluation and analysis of the users and content of our social media presence.

  4. Legal Basis: The legal basis for processing personal data is our legitimate interest as outlined in the purposes above in accordance with Art. 6 Para. 1 Sentence 1 lit. f) GDPR. If you have given consent to us or the social network provider for processing your personal data, the legal basis is Art. 6 Para. 1 Sentence 1 lit. a) in conjunction with Art. 7 GDPR.

  5. Data Transfer/Recipient Category: Social network provider.

  6. The privacy notices, access options, and objection options (Opt-Out) of the respective networks/service providers can be found here:

 

Rights of the Data Subject

  1. Right to Object or Withdraw Consent to the Processing of Your Data: If the processing is based on your consent under Art. 6 Para. 1 Sentence 1 lit. a), Art. 7 GDPR, you have the right to withdraw your consent at any time. The legality of the processing that was carried out based on your consent until the withdrawal remains unaffected. If we base the processing of your personal data on a legitimate interest in accordance with Art. 6 Para. 1 Sentence 1 lit. f) GDPR, you can object to the processing. This is the case if the processing is not necessary for the fulfillment of a contract with you, which we explain in the subsequent description of the functions. When exercising such an objection, we ask that you provide the reasons why we should not process your personal data as we have done. In case of a justified objection, we will review the situation and either stop or adjust the data processing or demonstrate to you our compelling legitimate grounds on which we continue the processing. You may object to the processing of your personal data for advertising and data analysis purposes at any time. The right to object can be exercised free of charge. You can inform us of your advertising objection at the following contact details:

    Philipp Rommeiss
    Hochfeldstraße 5
    86159 Augsburg
    Email: info@tontau.com

  2. Right to Access: You have the right to access your personal data stored with us under Art. 15 GDPR. This includes, in particular, information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage duration, and the origin of your data, if not directly collected from you.

  3. Right to Rectification: You have the right to have inaccurate data rectified or your data completed under Art. 16 GDPR.

  4. Right to Erasure: You have the right to have your personal data stored with us erased under Art. 17 GDPR, unless there are statutory or contractual retention periods or other legal obligations or rights to further storage.

  5. Right to Restriction of Processing: You have the right to request a restriction of the processing of your personal data if one of the conditions in Art. 18 Para. 1 lit. a) to d) GDPR is met:

    • If you contest the accuracy of your personal data for a period that allows the controller to verify the accuracy of the data;
    • If the processing is unlawful and you oppose the erasure of the personal data and request instead the restriction of its use;
    • If the controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims;
    • If you have objected to the processing under Art. 21 Para. 1 GDPR and it is not yet clear whether the legitimate grounds of the controller override your interests.
  6. Right to Data Portability: You have the right to data portability under Art. 20 GDPR, which means you can receive the personal data stored about you in a structured, commonly used, and machine-readable format or request its transfer to another controller.

  7. Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. Generally, you can contact the supervisory authority in the member state of your residence, place of work, or the place of the alleged infringement.


Data Security

To protect all personal data transmitted to us and ensure compliance with data protection regulations by us as well as our external service providers, we have implemented appropriate technical and organizational security measures. Among other things, all data transmitted between your browser and our server is encrypted via a secure SSL connection.

Last updated: 27.02.2023