Privacy Policy
This privacy statement informs you about the nature, scope, and purpose of processing personal data (hereinafter referred to as “data”) within our online offer and the associated websites, functions, and content, as well as external online presences, such as our profiles on social media (hereinafter collectively referred to as “Online Offer”). Regarding the terms used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Controller
Nahiro Trinidad Sanchez
Münchenerstr. 9
Berlin 10779
Email address: info@nahiro.net
Link to LEGAL NOTICE: https://nahiro.net/en/legal-notice
Types of Data Processed
- Inventory data (e.g., names, addresses).
- Contact data (e.g., email, phone numbers).
- Content data (e.g., text entries, photographs, videos).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).
Categories of Data Subjects
Visitors and users of the Online Offer (hereinafter referred to as “users”).
Purpose of Processing
- Provision of the Online Offer, its functions, and content.
- Responding to contact requests and communication with users.
- Security measures.
- Reach measurement/marketing.
Terminology Used
- “Personal data” refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data.
- “Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Relevant Legal Bases
In accordance with Article 13 of the GDPR, we inform you of the legal bases of our data processing. If the legal basis is not mentioned in the privacy statement, the following applies: The legal basis for obtaining consents is Art. 6(1)(a) and Art. 7 GDPR, the legal basis for processing to perform our services and carry out contractual measures, as well as respond to inquiries, is Art. 6(1)(b) GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6(1)(c) GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6(1)(f) GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6(1)(d) GDPR serves as the legal basis.
Security Measures
In accordance with Art. 32 GDPR, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, protecting the confidentiality, integrity, and availability of data by controlling physical access to data, as well as related access, input, transmission, and availability control. Additionally, we have established procedures to ensure the exercise of data subject rights, data deletion, and response to data threats. Furthermore, we consider the protection of personal data in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and data protection-friendly default settings (Art. 25 GDPR).
Cooperation with Data Processors and Third Parties
If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them, or otherwise grant them access to the data, this will only be done on the basis of legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, is necessary for the performance of the contract according to Art. 6(1)(b) GDPR), you have given your consent, a legal obligation requires it, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).
If we commission third parties to process data on the basis of a so-called “data processing contract,” this is done on the basis of Art. 28 GDPR.
Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or this happens in the context of using third-party services or disclosing or transmitting data to third parties, this will only be done if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or allow the data to be processed in a third country only under the conditions of Art. 44 et seq. GDPR. This means, for example, that the processing is carried out based on specific guarantees, such as the officially recognized determination of a data protection level equivalent to that in the EU (e.g., for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
Rights of Data Subjects
You have the right to request confirmation as to whether data concerning you is being processed and to access this data, as well as to receive further information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to request the completion of the data concerning you or the correction of incorrect data concerning you.
In accordance with Art. 17 GDPR, you have the right to request that data concerning you be deleted immediately, or alternatively, in accordance with Art. 18 GDPR, to request a restriction on the processing of the data.
You have the right to receive the data concerning you and that you have provided to us in accordance with Art. 20 GDPR, and to request its transmission to other controllers.
Furthermore, in accordance with Art. 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
You have the right to revoke any consent given in accordance with Art. 7(3) GDPR, with effect for the future.
Right to Object
You can object at any time to the future processing of data concerning you in accordance with Art. 21 GDPR. The objection can be made particularly against processing for direct marketing purposes.
Cookies and Right to Object to Direct Marketing
Cookies are small files that are stored on users’ computers. Different data can be stored within the cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offer. Temporary cookies, or “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offer and closes their browser. For example, the contents of a shopping cart in an online store or a login status can be stored in a cookie. “Permanent” or “persistent” cookies are those that remain stored even after the browser is closed. For example, the login status can be saved if users visit it after several days. Similarly, the interests of the users can be stored in such a cookie, which is used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers other than the controller who operates the online offer (otherwise, if it is only the controller’s own cookies, they are referred to as “first-party cookies”).
We may use temporary and permanent cookies and provide information on this in our privacy policy.
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
A general objection to the use of cookies used for online marketing purposes can be declared in a variety of services, especially in the case of tracking, via the U.S. site http://www.aboutads.info/choices/ or the EU site youronlinechoices.com. In addition, the storage of cookies can be prevented by disabling them in the browser settings. Please note that if you do this, you may not be able to use all the functions of this online offer.
Data Deletion
The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this privacy policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention obligations. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.
According to legal requirements in Germany, the retention is particularly for 10 years according to §§ 147 Abs. 1 AO, 257 Abs. 1 Nr. 1 and 4, Abs. 4 HGB (books, records, management reports, accounting documents, commercial books, documents relevant to taxation, etc.) and 6 years according to § 257 Abs. 1 Nr. 2 and 3, Abs. 4 HGB (commercial letters).
According to legal requirements in Austria, the retention is particularly for 7 years according to § 132 Abs. 1 BAO (accounting documents, receipts/invoices, accounts, documents, business papers, income and expenditure statements, etc.), for 22 years in connection with real estate, and for 10 years for documents related to electronically supplied services, telecommunications, broadcasting, and television services provided to non-business customers in EU member states and for which the Mini-One-Stop-Shop (MOSS) is used.
Brokerage Services
We process the data of our customers, prospects, and other contractual partners (referred to collectively as “customers”) in accordance with Art. 6(1)(b) GDPR, to provide them with our contractual or pre-contractual services. The data processed, the type, scope, and purpose, and the necessity of its processing are determined by the underlying contractual relationship. This generally includes basic customer data (e.g., name, address, etc.), as well as contact data (e.g., email address, telephone, etc.), contract data (e.g., content of the contract, fees, duration, customer information, etc.), and payment data (e.g., bank details, payment history, etc.).
In the context of our mandate, it may also be necessary for us to process special categories of data according to Art. 9(1) GDPR, in particular, information on the health of a person. For this purpose, and if necessary, we obtain explicit consent from the customers in accordance with Art. 6(1)(a), Art. 7, Art. 9(2)(a) GDPR.
If it is necessary for the execution of the contract or required by law, we disclose or transmit the data of the customers in the context of coverage inquiries, conclusion of contracts, and processing of contracts to providers of the services/products brokered, insurers, reinsurers, pools of brokers, technical service providers, other service providers such as cooperative associations, as well as financial service providers, banks, and investment companies, as well as social security institutions, tax authorities, legal advisors, auditors, insurance ombudsmen, and the Federal Financial Supervisory Authority (BaFin). We may also subcontract processing to subcontractors, such as sub-brokers. We obtain consent from customers when such consent is required for disclosure/transmission (which may be the case, for example, with special categories of data according to Art. 9 GDPR).
The data will be deleted after the expiration of statutory retention obligations and similar requirements, with the necessity of retaining the data being reviewed every three years; otherwise, the statutory retention obligations apply.
In the case of statutory archiving obligations, the deletion takes place after their expiration. Relevant records in the insurance and financial industry in Germany include, in particular, advisory logs for 5 years, brokerage notes for 7 years, and brokerage contracts for 5 years, as well as generally 6 years for commercially relevant documents and 10 years for tax-relevant documents.
Business Analysis and Market Research
To operate our business economically and to recognize market trends, customer and user preferences, we analyze the data available to us on business transactions, contracts, inquiries, etc. We process basic data, communication data, contract data, payment data, usage data, and metadata on the basis of Art. 6(1)(f) GDPR, with the data subjects including contractual partners, interested parties, customers, visitors, and users of our online offer.
The analyses are conducted for the purpose of economic evaluations, marketing, and market research. We may use profiles of registered users with information, for example, on their use of services. The analyses help us to improve the user-friendliness, optimize our offer, and increase business efficiency. The analyses are solely for our use and are not disclosed externally, except in the case of anonymized analyses with aggregated values.
If these analyses or profiles are personal, they will be deleted or anonymized upon cancellation of the user, otherwise after two years from the conclusion of the contract. Economic general analyses and trend determinations are created anonymously whenever possible.
Provision of Our Services According to the Articles of Association and Business
We process the data of our members, supporters, interested parties, customers, or other persons in accordance with Art. 6(1)(b) GDPR, if we offer them contractual services or act in the context of existing business relationships, e.g., with members, or are ourselves recipients of services and benefits. In addition, we process the data of data subjects in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interests, e.g., when it comes to administrative tasks or public relations.
The data processed, the type, scope, and purpose, and the necessity of its processing are determined by the underlying contractual relationship. This generally includes basic data and main data of the persons (e.g., name, address, etc.), as well as contact data (e.g., email address, telephone, etc.), contract data (e.g., services used, content communicated, names of contact persons), and in the case of paid services or products, payment data (e.g., bank details, payment history, etc.).
We delete data that is no longer required for the fulfillment of our statutory and business purposes. This is determined in accordance with the respective tasks and contractual relationships. In the case of business processing, we retain the data as long as it is relevant to the business, as well as in relation to possible warranty or liability obligations. The necessity of retaining data is reviewed every three years; otherwise, the statutory retention obligations apply.
Registration Function
Users can create a user account. During the registration process, users are informed of the mandatory information required and processed on the basis of Art. 6(1)(b) GDPR for the purpose of providing the user account. The processed data includes, in particular, the login information (name, password, and an email address). The data entered during registration is used for the purpose of using the user account and its purposes.
Users may be informed by email about information relevant to their user account, such as technical changes. If users have canceled their user account, their data related to the user account will be deleted, subject to any statutory retention obligations. It is the responsibility of the users to secure their data upon termination of the contract. We are entitled to irreversibly delete all user data stored during the term of the contract.
In the context of using our registration and login functions as well as the use of the user account, we store the IP address and the time of each user action. The storage is based on our legitimate interests as well as the user’s interests in protection against misuse and other unauthorized use. These data are not passed on to third parties unless it is necessary to pursue our claims or there is a legal obligation according to Art. 6(1)(c) GDPR. The IP addresses are anonymized or deleted at the latest after 7 days.
Contact
When contacting us (e.g., via contact form, email, telephone, or social media), the user’s data is processed to handle the contact request and its processing in accordance with Art. 6(1)(b) (within the context of contractual/pre-contractual relationships), Art. 6(1)(f) (other inquiries) GDPR. Users’ data may be stored in a Customer Relationship Management (CRM) system or comparable inquiry organization.
We delete the inquiries if they are no longer necessary. We review the necessity every two years; in addition, the statutory archiving obligations apply.
Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC (“Google”), based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offer in accordance with Art. 6(1)(f) GDPR). Google uses cookies. The information generated by the cookie about the use of the online offer by the users is generally transmitted to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Agreement and thereby offers a guarantee to comply with European data protection law (privacyshield.gov/participant).
Google will use this information on our behalf to evaluate the use of our online offer by the users, to compile reports on the activities within this online offer, and to provide us with other services related to the use of this online offer and the use of the Internet. Pseudonymous usage profiles of the users may be created from the processed data.
We use Google Analytics only with IP anonymization activated. This means that the user’s IP address is truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and truncated there.
The IP address transmitted by the user’s browser is not merged with other data from Google. Users can prevent the storage of cookies by adjusting their browser software accordingly; users can also prevent the collection of the data generated by the cookie and related to their use of the online offer by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
More information on data usage by Google, settings, and opt-out options can be found in Google’s privacy policy https://policies.google.com/privacy and in the settings for the display of ads by Google https://adssettings.google.com/authenticated.
Personal data of the users will be deleted or anonymized after 14 months.
Integration of Third-Party Services and Content
We use content or service offers from third parties within our online offer based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offer in accordance with Art. 6(1)(f) GDPR) to incorporate their content and services, such as videos or fonts (hereinafter collectively referred to as “content”).
This always requires that the providers of this content perceive the IP address of the users, as they would not be able to send the content to their browsers without the IP address. The IP address is, therefore, necessary for the presentation of this content. We strive to use only content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. Through pixel tags, information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring websites, time of visit, and other information about the use of our online offer, and may be linked to such information from other sources.
YouTube
We integrate videos from the “YouTube” platform provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
Google ReCaptcha
We integrate the function for recognizing bots, e.g., for entries in online forms (“ReCaptcha”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
Google Maps
We integrate maps from the “Google Maps” service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, IP addresses and location data of users, which, however, are not collected without their consent (usually performed in the settings of their mobile devices). The data may be processed in the USA. Privacy Policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.