Privacy Policy
March 27, 2026
Below we provide information about the processing of personal data when you use:
- our website www.leonandvera.com
- our profiles on social media.
Personal data are all data relating to an identifiable natural person, e.g. their name or IP address.
Controller and data protection officer
Controller
The controller within the meaning of Art. 4(7) of the EU General Data Protection Regulation (GDPR) is:
- Leon & Vera OÜ
- Address: Sepapaja tn 6, 15551 Tallinn, Estonia
- Email: privacy@leonandvera.com
- Legal representative: Jörg Olbing
Data Protection Officer
Our data protection officer can be reached at:
- heyData GmbH
- Address: Schützenstraße 5, 10117 Berlin, Germany
- Web: www.heydata.eu
- Email: datenschutz@heydata.eu
Scope of data processing, purposes and legal bases
We set out the scope of the data processing, the processing purposes and the legal bases in detail in the sections below. In principle, the following legal bases may apply to a data processing operation:
- Art. 6(1)(a) GDPR serves as the legal basis for processing operations for which we obtain consent.
- Art. 6(1)(b) GDPR is the legal basis where the processing of personal data is necessary for the performance of a contract, e.g. when a website visitor purchases a product from us or we provide a service to them. This legal basis also applies to processing that is necessary for pre-contractual measures, e.g. for inquiries about our products or services.
- Art. 6(1)(c) GDPR applies where we use the processing of personal data to comply with a legal obligation, as may be the case under tax law, for example.
- Art. 6(1)(f) GDPR serves as the legal basis where we rely on legitimate interests to process personal data, e.g. for cookies that are necessary for the technical operation of our website.
Data processing outside the EEA
Where we transfer data to service providers or other third parties outside the EEA, adequacy decisions of the European Commission under Art. 45(3) GDPR, where they exist, guarantee the security of the data during the transfer. This is the case for the United Kingdom, Canada and Israel, for example.
For data transfers to service providers in the USA, the legal basis for the transfer is an adequacy decision of the European Commission, provided that the service provider is additionally certified under the EU–US Data Privacy Framework.
In other cases (e.g. where no adequacy decision exists), the legal basis for the data transfer is generally, i.e. unless we state otherwise, standard contractual clauses. These are a set of rules adopted by the European Commission and form part of the contract with the relevant third party. Under Art. 46(2)(b) GDPR they ensure the security of the data transfer. Many providers have given contractual guarantees that go beyond the standard contractual clauses and protect the data beyond them. These include, for example, guarantees regarding the encryption of the data or regarding an obligation of the third party to notify data subjects if law enforcement agencies seek access to the data.
Storage period, your rights and contacting us
Storage period
Unless expressly stated within this Privacy Policy, the data stored by us is deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations preclude deletion. If the data is not deleted because it is required for other and legally permissible purposes, its processing is restricted, i.e. the data is blocked and not processed for other purposes. This applies, for example, to data that we must retain for commercial or tax law reasons.
Rights of data subjects
Data subjects have the following rights vis-à-vis us with regard to the personal data concerning them:
- right of access,
- right to rectification or erasure,
- right to restriction of processing,
- right to object to processing,
- right to data portability,
- right to withdraw, at any time, any consent given.
Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their personal data. Contact details for German data protection supervisory authorities can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html. Data subjects may also contact their local supervisory authority in the EU/EEA.
Obligation to provide data
In the context of a business relationship or any other relationship, customers, prospective customers or third parties are only required to provide us with the personal data that is necessary for the establishment, performance and termination of the business relationship or for the other relationship or that we are legally required to collect. Without such data, we will generally have to refuse to conclude a contract or provide a service, or will no longer be able to perform an existing contract or other relationship. Mandatory data are marked as such.
No automated decision-making in individual cases
In principle, we do not use fully automated decision-making within the meaning of Article 22 GDPR for the establishment and performance of a business relationship or any other relationship. Should we use such procedures in individual cases, we will inform you separately if this is required by law.
Contacting us
When you contact us, e.g. by e-mail or telephone, the data you provide to us (e.g. names and e-mail addresses) is stored by us in order to answer your questions. The legal basis for the processing is our legitimate interest (Art. 6(1)(f) GDPR) in answering inquiries addressed to us. We delete the data arising in this context once the storage is no longer required, or restrict the processing if statutory retention obligations apply.
Note for visitors from Germany
This section applies to visitors from Germany.
Our website stores information on the terminal equipment of website visitors (e.g. cookies) or accesses information that is already stored on the terminal equipment (e.g. IP addresses). The specific information involved is set out in the following sections.
This storage and access takes place on the basis of the following provisions:
- Where this storage or access is strictly necessary so that we can provide a service of our website expressly requested by the website visitor (e.g. to operate a chatbot used by the website visitor or to ensure the IT security of our website), it takes place on the basis of § 25(2) no. 2 of the German Telecommunications-Digital-Services-Data-Protection Act (TDDDG).
- Otherwise, this storage or access takes place on the basis of consent of the website visitor (§ 25(1) TDDDG).
The downstream data processing takes place in accordance with the following sections and on the basis of the provisions of the GDPR.
Data processing on our website
Informational use of the website
When you use the website for informational purposes, i.e. when website visitors do not separately transmit information to us, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. This constitutes our legitimate interest, so that the legal basis is Art. 6(1)(f) GDPR.
This data is:
- IP address
- date and time of the request
- time zone difference from Greenwich Mean Time (GMT)
- content of the request (specific page)
- access status / HTTP status code
- respective amount of data transferred
- website from which the request originates
- browser
- operating system and its interface
- language and version of the browser software.
This data is also stored in log files. It is deleted when storage is no longer required, at the latest after 14 days.
Web hosting and content delivery
Our website is hosted by Vercel and we use the Content Delivery Network of Vercel. The provider is Vercel Inc., 340 S Lemon Ave Unit 4133 Walnut, CA, USA. The provider processes the personal data transmitted via the website, e.g. content, usage, meta/communication or contact data, in the EU. Further information can be found in the provider's privacy policy at https://vercel.com/legal/privacy-policy.
It is our legitimate interest to provide a website and to use sufficient storage and delivery capacities to guarantee optimal data throughput even under heavy load. The legal basis for the described data processing is therefore Art. 6(1)(f) GDPR.
The legal basis for the transfer to a country outside the EEA is an adequacy decision of the European Commission under Art. 45(3) GDPR (EU–US Data Privacy Framework), under which Vercel Inc. is certified.
Payment processors
For payment processing we use payment service providers that are themselves controllers within the meaning of Art. 4 No. 7 GDPR. To the extent they receive data and payment information entered by you in the checkout process, we thereby perform the contract concluded with our customers (Art. 6(1)(b) GDPR).
These payment service providers are:
- Stripe Payments Europe, Ltd., Ireland
Third-party services
One.com
We use One.com for the creation of websites. The provider is One.com Group AB, Carlsgatan 3, 211 20 Malmö, Sweden. The provider processes usage data (e.g. visited web pages, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.
The legal basis for the processing is Art. 6(1)(f) GDPR. We have a legitimate interest in setting up and maintaining a website and in presenting ourselves to the outside world in this way.
The data is deleted when the purpose for which it was collected ceases to apply and no retention obligation precludes deletion. Further information is available in the provider's privacy policy at https://www.one.com/de/ueber-uns/datenschutzerklarung.
Plausible Analytics
We use Plausible Analytics for analytics. The provider is Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia. The provider processes usage data (e.g. visited web pages, interest in content, access times) and meta/communication data (e.g. device information, IP addresses).
The legal basis for the processing is Art. 6(1)(a) GDPR. The processing takes place on the basis of consent. Data subjects may withdraw their consent at any time by contacting us using the contact details provided in this Privacy Policy. The withdrawal does not affect the lawfulness of processing carried out until the withdrawal.
The data is deleted when the purpose for which it was collected ceases to apply and no retention obligation precludes deletion. Further information is available in the provider's privacy policy at https://plausible.io/privacy.
heyData
We have embedded a data protection seal on our website. The provider is heyData GmbH, Schützenstraße 5, 10117 Berlin, Germany. The provider processes meta/communication data (e.g. IP addresses) in the EU.
The legal basis for the processing is Art. 6(1)(f) GDPR. We have a legitimate interest in providing website visitors with confirmation of our data protection compliance. At the same time, the provider has a legitimate interest in ensuring that only customers with existing contracts use their seals, which is why a mere image copy of the certificate is not a viable alternative for confirmation.
The data is masked after collection so that there is no longer any reference to a person. Further information is available in the provider's privacy policy at https://heydata.eu/datenschutzerklaerung.
Data processing on social media platforms
We are represented on social media networks in order to present our organization and our services there. The operators of these networks regularly process data of their users for advertising purposes. Among other things, they create user profiles from the users' online behavior, which are used, for example, to display advertisements on the pages of the networks and elsewhere on the internet that match the users' interests. To this end, the network operators store information about user behavior in cookies on the users' devices. It also cannot be ruled out that the operators combine this information with further data. Further information and notes on how users can object to processing by the page operators can be found in the privacy policies of the respective operators listed below. The operators or their servers may also be located in non-EU countries, so that they process data there. This may give rise to risks for users, e.g. because the enforcement of their rights is made more difficult or because government authorities access the data.
When users of the networks contact us via our profiles, we process the data they provide in order to answer the inquiries. This constitutes our legitimate interest, so that the legal basis is Art. 6(1)(f) GDPR.
We maintain a profile on Facebook. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://www.facebook.com/policy.php. An option to object to the data processing is available via the ad preferences: https://www.facebook.com/settings?tab=ads. On the basis of an agreement, we are jointly responsible with Facebook within the meaning of Art. 26 GDPR for the processing of the data of visitors to our profile. Facebook explains exactly which data is processed at https://www.facebook.com/legal/terms/information_about_page_insights_data. Data subjects can exercise their rights both vis-à-vis us and vis-à-vis Facebook. According to our agreement with Facebook, however, we are obliged to forward inquiries to Facebook. Data subjects therefore receive a faster response if they contact Facebook directly.
We maintain a profile on Instagram. The operator is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://help.instagram.com/519522125107875.
X (formerly Twitter)
We maintain a profile on X. The operator is X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The privacy policy is available here: https://twitter.com/de/privacy. An option to object to the data processing is available via the ad preferences: https://twitter.com/personalization.
We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. An option to object to the data processing is available via the ad preferences: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Questions about this Privacy Policy?
We reserve the right to amend this Privacy Policy with effect for the future. For questions or comments, contact us using the details provided above.