Privacy policy

We take the protection of your personal data extremely seriously. We treat your personal data as confidential and in accordance with statutory data protection regulations as well as this privacy policy. We would like to take this opportunity to inform you about the processing of your personal data in connection with the use of our app, our website and our webshop.

Depending on which products and services you use, different parts of this privacy policy are relevant to you. This privacy policy is therefore structured in such a way that, as a first step, you are given all the information that is relevant to you, regardless of which of our services you use. In a further step, you will learn more about the data processing when using the individual services. If you use our App, you will find further details on the processing of your data under BORA APP. If you visit our website or our webshop, the BORA WEBSITE AND WEBSHOP section of this privacy policy applies. If you are applying for a job at BORA, the points APPLICANT and BORA WEBSITE AND WEBSHOP are decisive. In the COOKIES section, we provide you with an overview of the cookies used. This point applies to the use of our app as well as our website and web shops.

If you have any questions about this privacy policy, please do not hesitate to contact us at any time using the following contact details:

Responsible for the processing are (1) werkhaus GmbH & Co KG (2) BORA - Vertriebs GmbH & Co KG and (3) BORA Retail GmbH (together "BORA"). These companies jointly determine the purposes and means of processing and are therefore joint controllers within the meaning of Art 26 GDPR.

BORA - Vertriebs GmbH & Co KG is the joint point of contact for BORA. Affected persons can contact this joint contact point. The contact details of BORA are: Innstraße 1, 6342 Niederndorf, E-Mail: datenschutz@bora.com, Tel: +435373622500. Notwithstanding this agreement, you can assert your rights against any controller.

3.1. Personal data
Personal data is all data that contains information about the personal or factual circumstances of natural persons, for example name, address, email address, telephone number, date of birth, age, gender, national insurance number, video recordings, photos, etc. Data of legal entities are not subject to the provisions of the GDPR.

3.2. Processing
refers to any operation or set of operations performed upon personal data with or without the assistance of automated processes such as collection, recording, organisation, collation, storage, adaptation or alteration, sorting, retrieval, use, disclosure by supply, dissemination or otherwise making available, linking or matching, restriction, deletion or destruction.

3.3. Controller

The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

3.4. Processor
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

3.5. Recipient
refers to a natural person or legal entity, authority, agency or any other body to whom personal data are disclosed, regardless of whether or not they are a third party.

Your data will only be stored by us for as long as is necessary to achieve the processing purposes stated in this privacy policy or as required by statutory retention obligations or for the enforcement or defence of legal claims. If the data is no longer required for the provision of the app, the website or the web shop or for the fulfilment of our order, it will be deleted, provided that this does not conflict with any contractual or legal obligations on our part.

Important retention periods can be found below:

5.1. Right to information
You have the right to request confirmation as to whether personal data is being processed; if this is the case, you have a right to information about this personal data. The following information is recorded: 

- the purposes of the processing;
- the categories of personal data;
- the recipients or categories of recipients;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- any available information as to the source of the data;
- the existence of automated decision-making, including profiling.

5.2. Right to rectification
You have the right to obtain from the controller the rectification of inaccurate personal data and the completion of incomplete personal data.

5.3. Right to erasure
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:

- The personal data are no longer necessary in relation to the purposes for which they were collected. 
You withdraw your consent on which the processing is based and there is no other legal ground for the processing. You object to the processing (Article 21(1) GDPR) and there are no legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR. The personal data have been unlawfully processed. The personal data have to be erased for compliance with a legal obligation. The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

The right to erasure shall not apply to the extent that processing is necessary:

- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for the performance of a task carried out in the public interest;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.

5.4. Right to restriction of processing
You have the right to obtain restriction of processing where one of the following applies

- the accuracy of the personal data is contested, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the controller no longer needs the personal data, but you require it for the establishment, exercise or defence of legal claims;
- you have objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override your grounds.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

5.5. Right to data portability
You have the right to receive the personal data that you have provided to a controller in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

5.6. You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data which is based on point (e) or (f) of Article 6(1) GDPR; this also includes profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

5.7. Right to withdraw consent
You have the right to withdraw consent based on Article 6(1)(a) or Article 9(2)(a) at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

5.8. Right to lodge a complaint
You have the right to lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, T.: 00431521522569, E.: dsb@gsb.gv.at, if you are of the opinion that the processing violates the applicable data protection law.

Your personal data is protected by means of appropriate organisational and technical measures. These measures involve in particular protection against unauthorised, unlawful or accidental access, loss, processing, use and manipulation.

No automated decision-making, including profiling, is carried out.

The app can also be used without creating a personal profile. In this case, certain functions are only available to a limited extent. When using the app without a profile, only the data that is technically necessary for the operation and provision of the app is processed (e.g. IP address, device information, necessary cookies/session data). No further processing of personal data takes place.

In order to use our app to its full extent, you must create a user account with us. When doing so and when using the app, we process the following personal data:

We regularly use the following IT service providers to operate our website and our web shop, who may also have access to the personal data obtained by us as a result of your use of our website and our web shop in accordance with our instructions in order to be able to provide the services commissioned from us.

We will only transfer your data to other recipients if you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR or, insofar as health data is concerned, in accordance with Art. 9 para. 2 lit. a GDPR, if this is legally permissible and necessary for the fulfilment of a contractual relationship with you in accordance with Art. 6 para. 1 lit. b GDPR is required to fulfil a contractual relationship with you, or if we have a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR, or if the disclosure pursuant to Art. 6 para. 1 lit. f GDPR is necessary to safeguard our legitimate interests and to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.
We do not transfer your data to third countries or international organisations.

3.1. General
The provider of the following services is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland. Google's privacy policy can be found here.

However, some services (such as Google Search or Google Maps) are provided by or transmitted to the following company: Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043-1351, USA Google LLC is based in a third country. Google LLC is entered in the list, so that the data transfer to the USA is compliant with data protection in accordance with Art 45 GDPR. Further information on the certification of Google LLC can be found here.

Some Google services use cookies. An overview of the cookies used, their purpose and storage duration can be found in the cookie section of this privacy policy. For the use of Google services and the setting of the necessary cookies, your consent within the meaning of Art. 6 para. 1 lit a GDPR or § 165 para. 3 TKG is obtained prior to processing. Your consent can be freely revoked at any time.

Prior consent is only not obtained for cookies if the sole purpose is the transmission of a message or, if this is absolutely necessary, so that we can provide you with a service that you have expressly requested.

3.2. Firebase Crashlytics
We use Firebase Crashlytics, a Google service, to continuously improve the stability and performance of our app and to fix unexpected crashes. Crashlytics helps us to detect, analyse and fix problems that may occur while you are using our app.

Firebase Crashlytics collects information about errors in the app and their causes. The primary purpose of collecting data is to analyse and rectify errors in order to optimise the user experience.

The data collected helps us to understand the specific causes of errors and crashes and to make targeted improvements. The data is usually pseudonymised, which means that it cannot be directly assigned to a specific person. Event data is stored for a period of 3 months.

3.3. Firebase Analytics
In order to understand how our users interact with our app and to continuously improve the app, we use Firebase Analytics. This service helps us to gain valuable insights into the use of our app so that we can optimise functions, improve the user experience and provide more relevant content.

Firebase Analytics collects anonymised and pseudonymised usage data. This means that we cannot draw any conclusions about you directly from this data. The collection is used to create aggregated statistics and trends in order to improve the app in general.

The user and event data collected by Firebase Analytics is stored for a period of 14 months. After this period, this data is automatically deleted. However, aggregated reports and statistics derived from this data can be stored for longer.

We use Microsoft Dynamics 365 to organise our business processes efficiently and improve interaction with our customers, partners and employees. This cloud-based system supports us in managing customer relationships (CRM), automating business processes and analysing and optimising internal processes.

Microsoft Dynamics 365 processes both personal and pseudonymised data that is generated as part of our business relationship or internal processes. The processing is carried out to fulfil contractual obligations, to optimise our services and to comply with legal requirements.

The categories of data collected by Microsoft Dynamics 365 include:

- Master data and communication information: Name, customer number, address, e-mail address, telephone number
- Food intolerances: Information on diet, intolerances and allergies
- Technical and appliance-related data: IP address (pseudonymised), browser type, operating system, device information, log data on system usage and error diagnosis.

As far as possible, data is processed pseudonymised. Microsoft Dynamics 365 offers extensive functions for access control, data classification and logging to ensure data security and the protection of personal information.

The data stored in Microsoft Dynamics 365 is only kept for as long as is necessary for the respective purposes or as required by legal retention periods. This is followed by automatic deletion or anonymisation.

Microsoft also processes your data in the USA, among other places. Microsoft is an active participant in the EU-US Data Privacy Framework, which means that the transfer of data to the USA complies with data protection requirements in accordance with Art 45 GDPR

More information on Microsoft's privacy policy can be found at: https://www.microsoft.com/de-de/privacy/privacystatement?tid=139157291.

We use the AP+ software solution from Asseco Solutions AG, Amalienbadstraße 41, 76227 Karlsruhe, Germany, to efficiently manage and document our internal business processes. This application supports us in particular in the areas of order processing, production planning, warehouse management and controlling. The aim is to optimise processes, create transparency and continuously improve the quality of our services.

AP+ processes both personal and pseudonymised data that is generated as part of operational processes. The processing is carried out to fulfil legal, contractual and organisational requirements.

The typical data categories include:

- Master data and communication information: Name, address, language, user ID, relationship to the company, consent status for data protection, device ID of the linked device
- Technical and system data: Access information

As far as possible, data is processed pseudonymised. Access to personal data is restricted on a role basis.

The data stored in AP+ is stored in accordance with statutory retention periods and then deleted or anonymised. Internal deletion concepts regulate the regular review and cleansing of data that is no longer required.

More information on Asseco's data protection regulations can be found at:
Data protection declaration of Asseco Solutions AG

We use the OneWelcome Identity Platform from the Thales Group - OneWelcome, Zuidelijk Halfrond 1, 2801 DD Gouda, Netherlands, to ensure secure and efficient identity and access management (IAM) for our users. This platform supports us in the registration, authentication and management of user identities - especially in the context of customer portals, self-service functions and access control.

OneWelcome processes personal data in the context of identity management. The processing is carried out on the basis of legal obligations, contractual requirements and to safeguard legitimate interests in secure and user-friendly access control.

The data categories include:

- Identity and registration data: First and last name, email address, language, gender, consent status to terms of use and data protection
- Authentication and access data: Passwords (stored in encrypted form and cannot be exported), login times, IP addresses, device information
- System and log data: Event logs (e.g. successful and failed login attempts), changes to user profiles or access rights, usage statistics for system optimisation

OneWelcome processes data in accordance with the requirements of the GDPR. The platform offers functions for pseudonymisation, logging and role-based access control. Data processing takes place in certified data centres within the EU.

Personal data is only stored for as long as is necessary for the respective purposes or as required by statutory retention periods. After these periods have expired, automatic deletion or anonymisation takes place.

For more information on Thales' privacy policy, please visit:
Thales OneWelcome Privacy Notice & DPA

We use Lobster_data to efficiently integrate data flows, automate business processes and network systems. This platform enables us to process and transform structured and unstructured data from various sources and integrate it into existing IT systems.
Lobster_data processes both technical and business-related data that is generated as part of integration and automation processes. Processing is carried out to optimise internal processes, improve data quality and comply with regulatory requirements.

The data categories include:

- Business and transaction data: Customer, supplier and product data, order, invoice and logistics data, data from ERP, CRM or other specialised systems
- Technical metadata and logs: Timestamps of data processing processes, status and error logs, information about data sources and destinations
- User data (when using user interfaces or data apps): User name, roles and authorisations, interactions with the platform (e.g. manual validations, approvals), device information (pseudonymised).

Lobster_data offers functions for role-based access control, logging and optional pseudonymisation. Data processing is carried out in accordance with the requirements of the GDPR and takes place in a local environment.

Processed data is only stored for as long as is necessary for the respective integration or automation purposes. Protocols and logs are regularly deleted or anonymised in accordance with internal deletion concepts or legal requirements.

You can find more information on Thales' privacy policy at:
https://www.lobster-world.com/de/datenschutz/

When you use the website and the web shop, the following personal data is processed by us:

Cookies are text files that are stored on your end device in order to recognise it. Cookies may contain information about the use of our offers and services. Based on the judgement of the ECJ Planet49 GmbH, consent is obtained for cookies even if the cookies are not personal.

Some of the cookies used are only stored until you close our website again (session cookies), whereas certain cookies are stored for longer periods and you can be recognised again (persistent cookies). Some cookies are absolutely necessary for the function of the website (essential cookies), others record visits and the origin of the visitor and measure this data without the cookies being able to establish a link to your person (performance cookies). Certain cookies are used for marketing purposes (marketing cookies).

Insofar as personal data is also processed by individual cookies used by us, the processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR either for the performance of the contract, in accordance with Art. 6 para. 1 lit. a GDPR in the case of consent given or in accordance with Art. 6 para. 1 lit. f GDPR to safeguard our legitimate interests in the best possible functionality of the website and a customer-friendly and effective design of the user experience.

You can select which cookies you want to allow via the cookie declaration when you visit the website for the first time. Your consent is required for marketing cookies. If you wish to withdraw your consent or change your cookie settings, you can make this change directly in your browser.   

To operate our website and our web shop, we regularly use IT service providers who, on our behalf and in accordance with our instructions, may also have access to the personal data obtained by us as a result of your use of our website and our web shop in order to be able to provide the services commissioned from us.

In individual cases, we may therefore transfer your personal data to the following categories of recipients or recipients:

We will only transfer your data to other recipients if you have given your express consent in accordance with Art 6 para 1 lit a GDPR, if this is legally permissible and in accordance with Art. 6 para. 1 lit. b GDPR is required to fulfil a contractual relationship with you, or if we have a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR, or if the transfer pursuant to Art. 6 para. 1 lit. f GDPR is necessary to protect our legitimate interests and to assert, exercise or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data.

United States of America.

The European Commission has issued an adequacy decision for the United States of America. In its decision of 10 July 2023 on C(2023) 4745 final, the European Commission decided that the United States of America offers an adequate level of data protection within the meaning of Art 45 GDPR if our contractual partner is registered on the list of the EU/US data protection framework. Information on the entry of the individual providers in this list can be found in the respective section of this privacy policy.

In the absence of an adequacy decision, we may only transfer data on the basis of appropriate safeguards, such as standard contractual clauses, binding internal data protection regulations, approved codes of conduct, approved certification mechanisms, etc. A transfer may nevertheless be permitted under the conditions of Art 49 GDPR. We will be happy to provide you with a copy of these guarantees for your particular case on request.

4.1. General
The provider of the following services is Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Ireland. Google's privacy policy can be found here.

However, some services (such as Google Search or Google Maps) are provided by or transmitted to the following company: Google LLC, 1600 Amphitheatre Pkwy, Mountain View, California 94043-1351, USA Google LLC is based in a third country. Google LLC is entered in the list, so that the data transfer to the USA is compliant with data protection in accordance with Art 45 GDPR. Further information on the certification of Google LLC can be found here.

Some Google services use cookies. An overview of the cookies used, their purpose and storage duration can be found in the cookie section of this privacy policy. For the use of Google services and the setting of the necessary cookies, your consent within the meaning of Art. 6 para. 1 lit a GDPR or § 165 para. 3 TKG is obtained prior to processing. Your consent can be freely revoked at any time.

Prior consent is only not obtained for cookies if the sole purpose is the transmission of a message or, if this is absolutely necessary, so that we can provide you with a service that you have expressly requested.

4.2. Google Analytics 4
Google Analytics is a service for collecting, collating and analysing data about the behaviour of visitors to websites. Google uses the data and information obtained to analyse the use of our website and our web shop, among other things.

By setting the cookie, Google and we are able to analyse the use of our website and our web shop. This cookie causes your internet browser to transmit data to Google for the purpose of online analysis. As part of this technical process, Google gains knowledge of the data subject, the origin of visitors and clicks in order to compile statistics and determine personal interests.

Google Analytics 4 does not store the IP addresses of visitors to our website and our web shop. However, Analytics provides rough geographical location data by deriving the following metadata from IP addresses: City (and the derived latitude and longitude of the city), continent, country, region, subcontinent (and ID-based counterparts). The IP address data is used exclusively for the derivation of geolocalisation data and is then immediately discarded. They are not logged, are not accessible and are not used for other purposes.

In addition, we have configured Google Analytics 4 in accordance with data protection regulations so that Google Signals data is deactivated and no detailed location and device data is collected. Google Analytics 4 data is not shared with other Google services, such as Google Ads.

User and event data is stored for a period of 3 months if no new activity takes place within this period. If a new activity takes place within this period, the storage period starts again.

Further information on Google Analytics 4 can be found here.

4.3. Google Fonts
We use Google Fonts for our website and our webshop. With Google Fonts, we can use fonts on the website and webshop and do not have to upload them to our own server.

When you visit our website and webshop, the fonts are loaded via a Google server. This external call transmits data to the Google server. In this way, Google also recognises that you or your IP address are visiting our website and our web shop. The Google Fonts API was developed to reduce the use, storage and collection of end user data to what is necessary for the proper provision of fonts.

4.4. Google Maps
We use Google Maps for our website and our web shop to visualise geographical information. When using Google Maps, Google also collects, processes and uses data about the use of the Maps functions by visitors to the website and the web shop.

For more information about Google Maps, please visit Link. 

4.5. Google Ads
We use Google Ads (formerly Google AdWords) as an online marketing measure to advertise our products and services.

Google Ads is used to better analyse user actions. If you click on one of our Google Ads, the "Conversion" cookie from a Google domain is stored on your end device.

We also use Google Ad Remarketing for our website and our web shop.

The most important cookies used in this context are:

4.6. Google Tag Manager
Google Tag Manager is used by us as an organisational tool with which we can manage website tags centrally and via a user interface. For example, tags are used to record your activities on our website and our web shop. The tags mostly come from Google products such as Google Ads or Google Analytics.

Google Tag Manager does not set any cookies or store any data. Rather, it acts as an administrator of the tags implemented in the system. The data is recorded by the tags of the web analysis tools. In this sense, the data is channelled through to the individual tracking tools and is not stored.

We use LinkedIn's Insight tag for our website and webshop. The service provider is the American company LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. The company LinkedIn Ireland Unlimited (Wilton Place, Dublin 2, Ireland) is responsible for data protection aspects in the European Economic Area (EEA), the EU and Switzerland.

By embedding the tracking tool, data can be sent to LinkedIn, stored and processed there. This is a JavaScript code that we have integrated into our website and our web shop. This function helps us to better adapt our advertising offer to your interests and needs.

LinkedIn Corporation is an active participant in the EU-US Data Privacy Framework, which means that the data transfer to the USA is data protection compliant within the meaning of Art 45 GDPR.

You can find out more about LinkedIn Insight Tag at https://www.linkedin.com/help/linkedin/answer/a427660. You can also find out more about the data processed through the use of LinkedIn Insight Tag in the privacy policy at https://www.linkedin.com/legal/privacy-policy.

6.1. Meta Business Tools
For our website and our webshop we use Meta Business Tools, which are operated and provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, ("Meta").

The following processing operations are carried out exclusively on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR.

6.2. Meta Pixel
Meta Pixel is a code that loads a collection of functions with which Meta can track your user actions on our website and our webshop. The Meta Pixel can save your actions on our website and our web shop in one or more cookies. Further information on the Meta Pixel can be found at Link. We also use Custom Audiences. You can find more information on this here.

The pixel collects information such as your IP address and user ID and compares this with the data from your Facebook account.

Meta uses different cookies depending on the interaction and user behaviour. For example, the following cookies are used:

For our online marketing measures, we also use the Microsoft Advertising programme of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. With the help of Microsoft Advertising, we want to draw attention to the high quality of our products and/or services.

We have integrated a conversion tracking tag (i.e. a code snippet) from Microsoft Advertising into our website and our webshop. This is the so-called Universal Event Tracking (UET) tag. If you come to our website or our web shop via a Microsoft advertisement, we can use this tracking tool to learn more about your user behaviour on our website and our web shop.

Microsoft also processes your data in the USA, among other places. Microsoft is an active participant in the EU-US Data Privacy Framework, which means that the data transfer to the USA complies with data protection regulations in accordance with Art 45 GDPR.

More information on Microsoft's data protection regulations can be found at: https://privacy.microsoft.com/de-de/privacystatement?tid=139157291.

We use the Microsoft Bookings planning tool from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, to organise and arrange customer appointments via our website. The connection to the service is only established when you access the online booking function via a button on our website. When booking, personal data such as name and e-mail address are collected.

Microsoft also processes your data in the USA, among other places. Microsoft is an active participant in the EU-US Data Privacy Framework, which means that the data transfer to the USA complies with data protection regulations in accordance with Art 45 GDPR.

More information on Microsoft's data protection regulations can be found at: https://privacy.microsoft.com/de-de/privacystatement?tid=139157291.

We use the conversion tracking technology "Pinterest Tag" from Pinterest Inc, 808 Brannan Street, San Francisco, CA 94103, USA for our website and our web shop. For the European area, the Irish company Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland is responsible for all aspects relevant to data protection.

So-called log data may be stored. If you have a Pinterest account yourself and are logged in, the data collected via our site can be added to your account and used for advertising purposes.

Pinterest processes data from you in the USA, among other places. 

Pinterest uses so-called standard contractual clauses (Art 46 (2) and (3) GDPR) as the basis for data processing for recipients based in third countries or for data transfer to third countries. Through these clauses, Pinterest undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en. 

We use the Webcare tool for consent management on our website and our web shop. The provider is the company DataReporter GmbH, FN 508418 z, Zeileisstraße 6, 4600 Wels, Austria. Webcare records and stores the decision of the respective user of our website and our web shop. Our consent banner ensures that statistical and marketing technologies such as cookies or external tools are only set or started once the user has given their express consent to their use.

You can find Webcare's privacy policy at: https://www.datareporter.eu/.

We use the open source services of jsdelivr.com from the Polish company ProspectOne, Krolewska 65A/1, 30-081, Krakow, Poland, so that we can deliver our website to you quickly and flawlessly on all different devices. This is a content delivery network (CDN). This is a network of regionally distributed servers that are connected via the Internet. This means that content, especially large files, can be delivered quickly and optimally, even during large load peaks.

For more information on data processing by the jsDelivr software service, please refer to the company's privacy policy at https://www.jsdelivr.com/terms/privacy-policy. 

We use the personnel management tool Personio for our website. The service provider is the German company Personio SE & Co KG, Seidlstraße 3, 80335 Munich, Germany.

You can find out more about the data processed through the use of Personio in the privacy policy at https://www.personio.de/datenschutzerklaerung/?tid=139512572. 

We use videos from the video portal Vimeo on our website. The video portal is operated by Vimeo.com, Inc, 330 West 34th Street, 10th Floor, New York, NY 10001. With the help of a plug-in, we can show you interesting video material directly on our website.

If you are logged in to Vimeo as a registered member, more data may be collected, as more cookies may already have been set in your browser. In addition, your actions on our website are linked directly to your Vimeo account. To prevent this, you must log out of Vimeo while "surfing" on our website.

Vimeo also processes your data in the USA, among other places. Vimeo is an active participant in the EU-US Data Privacy Framework, which means that the transfer of data to the USA complies with data protection regulations in accordance with Art 45 GDPR.

More information on Microsoft's privacy policy can be found at: https://vimeo.com/privacy?tid=139511714. 

We use the online marketplace shopify and Shopify Payments as a payment method natively integrated into the Shopify e-commerce software. The service provider is Shopify International Limited, Victoria Buildings, 2. Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

Shopify processes data from you in the USA, among other places.

Shopify uses so-called standard contractual clauses (Art 46 para 2 and 3 GDPR) as the basis for data processing for recipients based in third countries or for data transfer to third countries. Through these clauses, Shopify undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

We use the customer service software Gorgias. The service provider is the company Gorgias Inc, CA, 34 Harriet St, San Francisco USA.

Gorgias processes your data in the USA, among other places.

Gorgias uses so-called standard contractual clauses (Art 46 (2) and (3) GDPR) as the basis for data processing for recipients based in third countries or for data transfer to third countries. Through these clauses, Gorgias undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

We have integrated YouTube videos on our website and our webshop. This allows us to present videos directly on our website and our webshop. The video portal is operated by YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA, which is a subsidiary of Google. When you access a page on our website and our webshop that has a YouTube video embedded, your browser automatically connects to YouTube's servers. Different data is transmitted (depending on the setting). Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all data processing in Europe.

As soon as you visit one of our pages that has a YouTube video embedded, YouTube sets at least one cookie that stores your IP address and our URL. If you are logged into your YouTube account, YouTube can usually assign your interactions on our website or our webshop to your YouTube profile with the help of cookies.
YouTube processes data from you in the USA, among other places. YouTube or Google is an active participant in the EU-US Data Privacy Framework, meaning that the transfer of data to the USA is compliant with data protection regulations in accordance with Art 45 GDPR.

For more information, please refer to the privacy policy at: https://policies.google.com/privacy?hl=en.

Our processor for the newsletter dispatch is Sendinblue GmbH ("Brevo"), Köpenicker Straße 126, 10179 Berlin, Germany. You can find Brevo's privacy policy here. We have concluded an order processing agreement with Brevo.

If you subscribe to our email newsletter, we will regularly send you information about our offers and consulting services, event invitations and other advertising. Your e-mail address is mandatory for receiving the newsletter. The provision of further data is voluntary and is used to address you personally.

We use the double opt-in procedure to register for the newsletter. This means that we only send you an email newsletter if you have expressly confirmed that you consent to receiving the newsletter. We will therefore send you a confirmation email asking you to confirm that you wish to receive the newsletter in future by clicking on a corresponding link.

By activating the confirmation link, you give us your consent to the use of your personal data in accordance with Art. 6 para. 1 lit. a GDPR. When you register for the newsletter, we store your IP address entered by the Internet service provider (ISP) as well as the date and time of registration in order to be able to trace any possible misuse of your e-mail address at a later date.

You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending us a corresponding message. Once you have unsubscribed successfully, your email address is erased from our newsletter distribution list without undue delay, provided that you have not expressly consented to further use of your data or we reserve the right to use data beyond this time, which is legally permitted and about which we inform you in this statement.

If you apply for a job with us via the BORA application portal or form or by other means and send us application documents, we will process the personal data you provide as part of the application process by werkhaus GmbH & Co KG, Rosenheimer Straße 32, 83064 Raubling, Germany.

Your data will only be stored, analysed or processed as part of the application process. They are only accessible to employees of the HR department and the persons responsible for the selection of the BORA Group.

If you have applied for a job at another company of the BORA Group, we will forward your application documents to the respective company for decision-making on the establishment of an employment relationship.

Insofar as we process your data for the decision on the establishment of an employment relationship, the legal basis is Section 26 (1) sentence 1 of the Federal Data Protection Act. In all other cases, the legal basis for the storage of your data is your consent in accordance with Art. 6 para. 1 lit. a) GDPR.

If you have applied for an advertised position, your documents will be irrevocably deleted six months after the end of the application process, unless there is a legitimate interest in deletion.

If you do not apply for an advertised position (unsolicited application), your application and the personal data contained therein will be kept for a maximum period of 12 months in order to be able to contact you regarding any resulting job advertisements.

In the event of a successful application, your data will be stored for the purpose of concluding an employment relationship in compliance with legal requirements.

We process the data you provide to us as part of the application process. This includes:

- First name and surname,
- Name, date and place of birth,
- Nationality
- Contact details (address, tel. no., e-mail address),
- Information on family circumstances (marital status, spouse, children)
- Photograph
- Educational and professional background including qualifications and work references, external training and further education, studies
- Other information to be collected during the selection process
- If your travel expenses are reimbursed, we also need your bank details.

With your consent to inclusion in the applicant pool, your application documents and the personal data contained therein will be stored until revoked. Should a suitable position arise at a later date, we can contact you in this way. You will also be informed about interesting positions in our application newsletter.

With your consent, you give us permission to contact you via WhatsApp. You can revoke your consent at any time by sending an e-mail to jobs@bora.com