
Privacy

(Automated translation: This privacy policy has been translated from German into English using artificial intelligence. The translation may contain inaccuracies. The authoritative original text in German is available at https://sinnwerkstatt.com/datenschutz/)

We take the protection of your personal data very seriously and treat your data confidentially and in accordance with applicable data protection regulations. This notice informs you about the processing of your data, your rights, and how you can contact us.

Data controller

The data controller responsible for data processing on this website is:

sinnwerkstatt Medienagentur GmbH
Glogauer Str. 21
10999 Berlin
Commercial Register: Berlin-Charlottenburg, HRB 134255 B
Managing Director: Ian Delù
Phone: +49 (0)30 5770 4477 0
Email: kontakt@sinnwerkstatt.com

Further details can be found in our legal notice at https://sinnwerkstatt.com/en/legal-notice/

Scope

These privacy notices apply to:

  • Website https://sinnwerkstatt.com
  • Website https://ki-koala.de
  • LinkedIn https://www.linkedin.com/company/sinnwerkstatt-medienagentur-gmbh/
  • LinkedIn https://www.linkedin.com/showcase/ki-koala/
  • Instagram https://www.instagram.com/sinnwerkstatt/
  • Facebook https://www.facebook.com/sinnwerkstatt/

Data processing when visiting our website

When you visit our website, your browser automatically sends information to our web server. This information is temporarily stored in a server log file. The following data is collected without any action on your part and stored until it is automatically deleted:

  • IP address of your device
  • Operating system of your device
  • Browser type and version
  • Date and time of access
  • Volume of data transferred
  • Referrer URL (the page you visited before ours)
  • Hostname of the accessing computer
  • Pages and sub-pages visited on our website

Purpose of processing

Analysis of system security and server stability to ensure the confidentiality and integrity of processed personal data, and to defend against misuse such as DDoS attacks.

Legal basis

For visitors to our website, the legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR in the secure and functional provision of our website and the protection of the integrity, confidentiality, and availability of data processed on this website. For customers or registered users, the legal basis additionally includes the fulfilment of our contractual obligations pursuant to Art. 6(1)(b) GDPR.

Recipients of collected data

We use storage space, computing power, and software from server service providers (web hosts) to operate our website.

Retention period

Log file information is stored server-side for 7 days. Data that must be retained for evidentiary purposes is exempt from deletion until the relevant incident has been fully resolved.

Enquiries by email or phone

If you contact us by email or phone, your enquiry, including all resulting personal data (name, enquiry content), will be stored and processed by us for the purpose of handling your request. We will not share this data without your consent.

This processing is based on Art. 6(1)(b) GDPR where your enquiry is related to the fulfilment of a contract or is necessary for pre-contractual measures. In all other cases, processing is based on our legitimate interest in effectively handling enquiries directed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) where this has been obtained.

The data you send us via contact enquiries will remain with us until you request deletion, withdraw your consent, or the purpose for data storage no longer applies (e.g. after your enquiry has been fully processed). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

Cookies and similar technologies

Cookies are small text files stored on your device that hold certain information. Our website does not use cookies.

Disclosure of your data to third parties

Your personal data will only be disclosed to third parties where this is necessary for the fulfilment of a contract, for compliance with legal obligations, or where you have consented to the disclosure. Recipients may include, for example:

  • IT service providers who operate our systems
  • Payment service providers in the event of orders

Where we transfer data to service providers, we have entered into appropriate data processing agreements to ensure the security of your personal data.

Transfer to third countries

Should we transfer personal data to recipients outside the European Union or the European Economic Area, we ensure that this is carried out in accordance with applicable data protection laws – for example, through the use of standard contractual clauses or on the basis of an adequacy decision by the European Commission.

Website hosting

To provide this website, we use an external service provider (host) for the provision of IT infrastructure and related services, such as storage space.

Data processed

Access to our website is logged via server log files; see above under "Data processing when visiting our website". This personal data is stored on our host's servers. Server log files may also be stored by us.

Purpose of processing

Server log files may be used for security purposes, e.g. to prevent server overload (in particular in the event of abusive attacks, so-called DDoS attacks), and to ensure server stability and availability.

Legal bases

The use of a host is based on the fulfilment of contractual obligations towards our potential and existing customers (Art. 6(1)(b) GDPR) and in the interest of providing our online services securely, quickly, and efficiently through a professional provider (Art. 6(1)(f) GDPR).

Deletion of data

Log file information is stored for a maximum of 7 days and then deleted or anonymised. Data whose further retention is required for evidentiary purposes is exempt from deletion until the relevant incident has been fully resolved.

Service provider

Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany;
Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz

Our host will only process your data to the extent necessary to fulfil its service obligations and will follow our instructions regarding such data. To ensure data protection-compliant processing, we have entered into a Data Processing Agreement (DPA) with our host.
Data Processing Agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/

Email hosting

Our web hosting services also include the sending, receiving, and storage of emails. In this context, the email addresses of senders and recipients, as well as other transmission data such as the service providers involved, are processed. The content of the emails themselves may also be processed. This data is also used to detect potential spam messages.

Please note that emails are generally transmitted unencrypted over the internet. While encryption is often applied during transmission, data remains unprotected on the sending and receiving servers without end-to-end encryption. We therefore cannot accept responsibility for the security of the email transmission path between sender and receiving server.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in the secure, fast, and efficient provision of our email hosting by a professional provider.

SSL/TLS encryption

For security reasons and to protect the transmission of confidential content – such as orders or enquiries that you send to us as the site operator – this site uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address bar of the browser changes from "http://" to "https://" and by the padlock icon in your browser bar.

When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Retention period

We store personal data only for as long as is necessary for the purposes for which it was collected, or as required by statutory retention obligations. Once the purpose of data processing no longer applies or the statutory retention period has expired, the data is routinely deleted.

Matomo analytics (cookieless)

Purpose of processing: We use the analytics tool Matomo on our website to analyse user behaviour in anonymised form and to continuously improve our website. Matomo is operated without the use of cookies, meaning no data is stored on your device. Data is processed locally on our server and is not passed on to third parties.

Data processed: Matomo operates cookieless and collects exclusively anonymised data. The following information is gathered:

  • Anonymised IP address (truncated so that no conclusions can be drawn about the individual)
  • Information about the device used (browser type, operating system, screen resolution)
  • Referrer URL (the website previously visited)
  • Pages visited and time spent on them
  • Timestamp of the server request

This data is used exclusively for statistical analysis and to improve our website.

Legal basis: The processing of data is based on our legitimate interest in the statistical analysis of user behaviour for the optimisation of our website pursuant to Art. 6(1)(f) GDPR.

Service provider: Matomo is open-source software operated locally on our server. No data is transmitted to external service providers or third parties. Further information about Matomo software can be found on the official Matomo website.

Sending marketing newsletters via Brevo

If you sign up for our newsletter, we use your email address to send you regular information about our offers, products, or services. Newsletters are sent via the service provider Brevo (formerly Sendinblue), a service of Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

The data you provide when signing up (e.g. email address, name) is stored on Brevo's servers within the EU. Brevo processes this data on our behalf for the purpose of sending the newsletter and for statistical analysis. This may include recording whether the newsletter was opened and which links were clicked. We use this information to optimise our content.

The processing of your data is based on your explicit consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future – for example, via the unsubscribe link in the newsletter or by contacting us at the details provided in our legal notice.

Further information on data protection at Brevo: https://www.brevo.com/de/datenschutz-uebersicht/

Legal basis: Consent, Art. 6(1)(a) GDPR
Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin
Imprint: https://www.brevo.com/de/legal/impressum/
Privacy policy: https://www.brevo.com/de/legal/privacypolicy/

LinkedIn

To operate our LinkedIn company page, we use the technical platform and services of LinkedIn Ireland Unlimited Company (hereinafter "LinkedIn"). As part of our company page on LinkedIn, we also use so-called Page Insights – a function provided by LinkedIn that supplies us with anonymised statistics about visitors and interactions on our company page.

Joint controllership for page insights

The collection of personal data in connection with Page Insights is carried out under joint controllership between LinkedIn and us as the operator of the LinkedIn company page pursuant to Art. 26 GDPR. LinkedIn provides the platform and the Page Insights and is responsible for the processing of data. We use the anonymised statistics to analyse the reach of our content and to improve our communications.

Data processed by LinkedIn

LinkedIn collects and processes the following data:

  • LinkedIn member data: Information provided by registered LinkedIn users, such as profile information (e.g. industry, position, location).
  • Interaction data: Data about interactions with our page, such as clicks, likes, comments, and shared content.
  • Device and connection data: Information about devices, IP addresses, and cookies.

This data is processed by LinkedIn on the basis of LinkedIn's User Agreement and Privacy Policy: LinkedIn Privacy Policy.

Purpose of processing

The purpose of our company page is to provide up-to-date information and to support interaction with our users. Page Insights data is processed for the following purposes:

  • Analysis of the reach and interactions with our LinkedIn company page
  • Improvement of our content and communications on LinkedIn
  • Optimisation of our marketing and targeting

Legal bases

The operation of our LinkedIn page and Page Insights is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing timely and supportive information and interaction opportunities for and with our users, optimising our corporate communications, and tailoring our LinkedIn page to user needs.

Joint controllership agreement (Controller Addendum)

We have entered into a joint controllership agreement (also referred to as a Controller Addendum, Joint Controllership Agreement, or Controller-to-Controller Agreement) with LinkedIn. The joint controllership agreement (Page Insights Supplement) can be found here: LinkedIn Page Insights Supplement.

LinkedIn agrees to assume responsibility under the GDPR for providing Page Insights and to comply with all applicable GDPR obligations in relation to the processing of Page Insights data (including, but not limited to, Articles 12–22 and 32–34 of the GDPR). This means that LinkedIn will, among other things, ensure that members are informed about the data processed and will support members' rights of access and erasure.

Service provider

LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland;
Website: https://www.linkedin.com
Privacy policy: https://de.linkedin.com/legal/privacy-policy?
Cookie policy: https://de.linkedin.com/legal/cookie-policy?
Basis for third-country transfer: Provider self-certification under the Data Privacy Framework (DPF): https://www.dataprivacyframework.gov/list

To exercise your rights in connection with data processing by LinkedIn, you may also contact LinkedIn directly via their Privacy Portal.

Instagram

To operate our Instagram business account, we use the technical platform and services of Meta Platforms Ireland Ltd. (hereinafter "Meta"). As part of our business account on Meta, we also use so-called Instagram Insights – a function provided by Meta that supplies us with anonymised statistics about visitors and interactions on our business account.

Joint controllership for Instagram insights

The collection of personal data in connection with Instagram Insights is carried out under joint controllership between Meta and us as the operator of the Instagram business account pursuant to Art. 26 GDPR. Meta provides the technical platform and processes data to provide analytics and insights (so-called "Instagram Insights"). We use the anonymised statistics to analyse the reach of our content and to improve our communications.

Data processed by Meta

Meta processes users' personal data in accordance with Instagram's Data Policy. The data processed may include, among other things:

  • Profile data: Name, username, profile picture, location.
  • Interaction data: Likes, comments, messages, clicks on content.
  • Device and connection data: Information about devices used, IP address, and cookies.

Purpose of processing

The purpose of our business account is to provide up-to-date information and to support interaction with our users. Instagram Insights data is processed for the following purposes:

  • Analysis of the reach and effectiveness of our content
  • Optimisation of our content and marketing strategy
  • Improvement of our communication with the target audience

Legal bases

The processing of your personal data by Meta is based on Meta's terms of use and privacy policies. Our processing via the Instagram business account and Instagram Insights is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing timely and supportive information and interaction opportunities for and with our users, optimising our corporate communications, and tailoring our page to user needs.

Joint controllership agreement (Controller Addendum)

We have entered into a joint controllership agreement with Meta. The joint controllership agreement between us and Meta can be viewed here: Meta Page Insights Supplement.

Meta agrees to assume responsibility under the GDPR for providing Page Insights and to comply with all applicable GDPR obligations in relation to the processing of Page Insights data (including, but not limited to, Articles 12–22 and 32–34 of the GDPR). This means that Meta will, among other things, ensure that members are informed about the data processed and will support members' rights of access and erasure.

Service provider

Instagram is a service of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Website: https://www.instagram.com/
Privacy policy: https://privacycenter.instagram.com/policy/ and Cookie Policy
Basis for third-country transfer: Provider self-certification under the Data Privacy Framework (DPF):
https://www.dataprivacyframework.gov/list and https://www.facebook.com/privacy/policies/data_privacy_framework

Facebook

To operate our Facebook business page, we use the technical platform and services of Meta Platforms Ireland Ltd. (hereinafter "Meta").

Joint controllership for page insights

As part of our business page on Meta, we also use so-called Page Insights. The collection of personal data in connection with Page Insights is carried out under joint controllership between Meta and us as the operator of the Facebook business page pursuant to Art. 26 GDPR. Meta provides the technical platform and processes data to provide analytics and insights (so-called "Page Insights"). We use the anonymised statistics to analyse the reach of our content and to improve our communications.

Data processed by Meta

Meta processes users' personal data in accordance with Facebook's Data Policy. The data processed may include, among other things:

  • Profile data: Name, username, profile picture, location.
  • Interaction data: Likes, comments, messages, clicks on content.
  • Device and connection data: Information about devices used, IP address, and cookies.

Purpose of processing

The purpose of our business page is to provide up-to-date information and to support interaction with our users. Page Insights data is processed for the following purposes:

  • Analysis of the reach and effectiveness of our content
  • Optimisation of our content and marketing strategy
  • Improvement of our communication with the target audience

Legal bases

The processing of your personal data by Meta is based on Meta's terms of use and privacy policies. Our processing via the Facebook business page and Page Insights is based on our legitimate interest (Art. 6(1)(f) GDPR) in providing timely and supportive information and interaction opportunities for and with our users, optimising our corporate communications, and tailoring our page to user needs.

Joint controllership agreement (Controller Addendum)

We have entered into a joint controllership agreement with Meta. The joint controllership agreement between us and Meta can be viewed here: Meta Page Insights Supplement.

Meta agrees to assume responsibility under the GDPR for providing Page Insights and to comply with all applicable GDPR obligations in relation to the processing of Page Insights data (including, but not limited to, Articles 12–22 and 32–34 of the GDPR). This means that Meta will, among other things, ensure that members are informed about the data processed and will support members' rights of access and erasure.

Service provider

Facebook is a service of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;
Website: https://www.facebook.com and Imprint
Privacy policy: https://www.facebook.com/privacy/policy and Cookie Policy
Basis for third-country transfer: Provider self-certification under the Data Privacy Framework (DPF):
https://www.dataprivacyframework.gov/list and https://www.facebook.com/privacy/policies/data_privacy_framework

Use of our Nextcloud

We operate a self-hosted Nextcloud instance to provide our customers with secure access to data and documents.

Data processed

When accessing our Nextcloud, the following access data is automatically stored in the server logs:

  • IP address of the requesting device
  • Date and time of access
  • File accessed and volume of data transferred
  • Browser and operating system used

Purpose of processing

Personal data is processed to enable you to access our Nextcloud and to provide you with relevant files there. Technical log data also serves to ensure the secure and proper operation of the platform.

Retention period

Data stored in server logs (including IP addresses) is retained for a maximum of seven days and then automatically deleted, unless security-relevant events (e.g. unusual access or attacks) have been identified that necessitate longer retention.

Legal basis

The processing of the above data is based on Art. 6(1)(f) GDPR. Our legitimate interest is to ensure the functionality, security, and integrity of our Nextcloud.

Recipients of data

Server logs and the data they contain are processed exclusively internally and are not shared with third parties, except where we are legally obliged to do so (e.g. for the investigation of security incidents).

Applicant data

We offer you the opportunity to apply to us (e.g. by email or by post). Below we inform you about the scope, purpose, and use of your personal data collected in the course of the application process. We assure you that the collection, processing, and use of your data will be carried out in accordance with applicable data protection law and all other statutory provisions, and that your data will be treated with strict confidentiality.

Scope and purpose of data collection

When you submit an application to us, we process the personal data associated with it (e.g. contact and communication data, application documents, notes made during interviews, etc.) to the extent necessary for deciding whether to establish an employment relationship. The legal basis for this is Section 26 of the German Federal Data Protection Act (BDSG) (initiation of an employment relationship), Art. 6(1)(b) GDPR (general pre-contractual measures), and – where you have given your consent – Art. 6(1)(a) GDPR. Consent may be withdrawn at any time. Your personal data will only be shared within our company with persons involved in processing your application.

If the application is successful, the data you have submitted will be stored in our data processing systems on the basis of Section 26 BDSG and Art. 6(1)(b) GDPR for the purposes of conducting the employment relationship.

Retention period

If we are unable to offer you a position, you decline an offer, or withdraw your application, we reserve the right to retain the data you have submitted on the basis of our legitimate interests (Art. 6(1)(f) GDPR) for up to 6 months from the end of the application process (rejection or withdrawal). The data will then be deleted and physical application documents destroyed. Retention serves in particular as evidence in the event of a legal dispute. If it becomes apparent that the data will be required after the 6-month period (e.g. due to an impending or pending legal dispute), deletion will not take place until the purpose for further retention ceases to apply.

Longer retention may also take place if you have given your consent (Art. 6(1)(a) GDPR) or if statutory retention obligations prevent deletion.

Inclusion in the applicant pool

If we are unable to make you a job offer, there may be the possibility of including you in our applicant pool. If included, all documents and information from your application will be transferred so that we can contact you should suitable vacancies arise.

Inclusion in this pool takes place exclusively on the basis of your explicit consent (Art. 6(1)(a) GDPR). Giving consent is voluntary and is not related to the current application process. You may withdraw your consent at any time. In such a case, the data will be irrevocably deleted from the applicant pool, unless statutory retention obligations exist.

Data in this pool will be irrevocably deleted at the latest two years after consent was given.

Rights of data subjects

Under the GDPR, you have the following rights:

  • Right of access: You have the right to request confirmation as to whether we process personal data about you, and to receive information about such data.
  • Right to rectification: You have the right to have inaccurate or incomplete personal data corrected.
  • Right to erasure: You may request the deletion of your personal data stored by us where it is no longer necessary.
  • Right to restriction of processing: You have the right to restrict the processing of your personal data under certain conditions.
  • Right to data portability: You have the right to receive your data in a structured, commonly used and machine-readable format and to transmit this data to another controller.

Right to object

You have the right to object to the processing of your personal data where it is based on Art. 6(1)(f) GDPR (legitimate interest).

Right to withdraw consent: Where the processing of your data is based on your consent, you may withdraw that consent at any time with effect for the future. A simple informal email to us is sufficient for this purpose. The lawfulness of processing carried out prior to withdrawal remains unaffected.

Right to lodge a complaint with a supervisory authority

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. This may be, for example, the data protection authority in your federal state. Contact details for the competent supervisory authority can be found here.

Automated decision-making and profiling

No automated decision-making, including profiling, takes place on our website.

Changes to this privacy notice

We reserve the right to update this privacy notice as necessary to reflect changes in data processing or legal requirements. The current version is always available on our website.

Berlin, March 13th 2026

This privacy notice was created with the assistance of a template provided by the law firm Gumbrecht.
