Data Protection Declaration
Preamble
With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as "data") we process, for which purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").
The terms used are not gender-specific.
Status: September 25, 2025
Table of Contents
- Preamble
- Controller
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- General Information on Data Storage and Deletion
- Rights of Data Subjects
- Business Services
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Contact and Inquiry Management
- Presence in Social Networks (Social Media)
- Changes and Updates
- Definitions of Terms
Controller
Marina Fonf
Heinrich-Ehrhard-Str. 38
40468 Düsseldorf
Email address: info@vanity-hostess.com
Imprint: https://vanity-hostess.com/impressum/
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.
Types of Data Processed
- Inventory data.
- Payment data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication, and procedural data.
- Log data.
Categories of Data Subjects
- Service recipients and clients.
- Prospective customers.
- Communication partners.
- Users.
- Business and contractual partners.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Communication.
- Security measures.
- Office and organizational procedures.
- Organizational and administrative procedures.
- Feedback.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
- Public relations.
- Business processes and economic procedures.
Relevant Legal Bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations in your or our country of residence or seat may apply. Should more specific legal bases be relevant in individual cases, we will inform you of them in the privacy policy.
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests, fundamental rights, and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the data protection provisions of the GDPR, national regulations apply in Germany. This includes in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions regarding the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling. Furthermore, state data protection laws of the individual federal states may apply.
Security Measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transfer, ensuring availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data threats. We also take into account the protection of personal data when developing or selecting hardware, software, and procedures, in line with the principle of data protection by design and by default.
Securing online connections through TLS/SSL encryption technology (HTTPS): To protect users' data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt information transmitted between the website or app and the user's browser (or between two servers), thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator for users that their data is being transmitted securely and in encrypted form.
General Information on Data Storage and Deletion
We delete personal data we process in accordance with the statutory provisions as soon as the underlying consents are revoked or there are no further legal bases for processing. This applies in cases where the original purpose of processing ceases to apply or the data is no longer required. Exceptions exist if legal obligations or special interests require longer retention or archiving of the data.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the pursuit of legal claims or the protection of the rights of other natural or legal persons, must be archived accordingly.
Our privacy notices contain additional information on retention and deletion of data specifically applicable to certain processing operations.
In the case of multiple retention periods or deletion deadlines for a piece of data, the longest period always applies. Data that is no longer required for its original purpose, but is retained due to statutory requirements or other reasons, will only be processed for the reasons that justify its retention.
Retention and deletion of data: The following general periods apply for retention and archiving under German law:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the working instructions and other organizational documents required to understand them (§ 147(1) No. 1 in conjunction with (3) AO, § 14b(1) UStG, § 257(1) No. 1 in conjunction with (4) HGB).
- 8 years – Accounting records, such as invoices and cost receipts (§ 147(1) No. 4 and 4a in conjunction with (3) Sentence 1 AO, as well as § 257(1) No. 4 in conjunction with (4) HGB).
- 6 years – Other business records: received commercial or business letters, copies of sent commercial or business letters, other documents relevant for taxation, such as timesheets, cost accounting sheets, calculation documents, price labels, but also payroll documents (unless they are accounting records) and cash register receipts (§ 147(1) Nos. 2, 3, 5 in conjunction with (3) AO, § 257(1) Nos. 2 and 3 in conjunction with (4) HGB).
- 3 years – Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experience and customary industry practices, is stored for the duration of the regular statutory limitation period of three years (§§ 195, 199 BGB).
Commencement of the period at the end of the year: If a period does not explicitly begin on a specific date and is at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the effective termination or other conclusion of the legal relationship.
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular those arising from Articles 15 to 21 GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. If personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
- Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to access such data as well as further information and a copy of the data in accordance with legal requirements.
- Right to rectification: You have the right to request the completion of data concerning you or the rectification of inaccurate data concerning you in accordance with legal requirements.
- Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request that data concerning you be erased without undue delay, or alternatively, in accordance with legal requirements, to request restriction of the processing of the data.
- Right to data portability: You have the right to receive the data concerning you which you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request its transmission to another controller.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.
Business Services
We process the data of our contractual and business partners, e.g., customers and prospective customers (collectively referred to as "contractual partners"), within the framework of contractual and comparable legal relationships, as well as associated measures and in relation to communication with the contractual partners (or pre-contractually), for example, to respond to inquiries.
We use this data to fulfill our contractual obligations. This includes, in particular, obligations to provide the agreed services, any updating obligations, and to remedy warranty and other service disruptions. Furthermore, we use the data to safeguard our rights and for administrative tasks associated with these obligations and business organization. In addition, we process the data on the basis of our legitimate interests in proper and efficient business management, as well as in security measures to protect our contractual partners and our business operations from misuse, threats to their data, secrets, information, and rights (e.g., involvement of telecommunications, transport, and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Within the scope of applicable law, we only pass on the data of contractual partners to third parties insofar as this is necessary for the aforementioned purposes or to fulfill legal obligations. Contractual partners are informed about further forms of processing, such as for marketing purposes, within this privacy policy.
Which data is required for the aforementioned purposes will be communicated to the contractual partners before or during data collection, e.g., in online forms, by special labeling (e.g., colors) or symbols (e.g., asterisks), or personally.
We delete the data after the expiry of statutory warranty and comparable obligations, i.e., generally after four years, unless the data is stored in a customer account, e.g., as long as it must be retained for statutory archiving reasons (e.g., usually ten years for tax purposes). Data disclosed to us by the contractual partner within the framework of an order is deleted in accordance with the specifications and generally after the end of the order.
- Types of data processed: Inventory data (e.g., full name, residential address, contact information, customer number, etc.); Payment data (e.g., bank details, invoices, payment history); Contact data (e.g., postal and email addresses or telephone numbers); Contract data (e.g., subject matter of contract, duration, customer category).
- Data subjects: Service recipients and clients; Prospective customers; Business and contractual partners.
- Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organizational procedures; Organizational and administrative procedures; Business processes and economic procedures.
- Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Storage and Deletion".
- Legal bases: Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR); Legal obligation (Art. 6(1)(c) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).
Further notes on processing operations, procedures, and services:
- Agency services: We process the data of our customers within the scope of our contractual services, which may include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes, handling, server administration, data analysis/consulting services, and training services; Legal basis: Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR).
- Event management: We process the data of participants of events, activities, and similar functions offered or organized by us (hereinafter collectively referred to as "participants" and "events") to enable them to take part in the events and to use the services or actions associated with participation. If we process health-related data, religious, political, or other special categories of data in this context, this will be done on the basis of obviousness (e.g., at thematically oriented events), for health care, safety, or with the consent of the data subjects.
The required details are indicated as such within the order, purchase, or comparable contract process and include the information necessary for the provision of services and billing, as well as contact information in order to be able to make any necessary inquiries. Insofar as we gain access to information on end customers, employees, or other persons, we process this in compliance with legal and contractual requirements; Legal basis: Contract performance and pre-contractual requests (Art. 6(1)(b) GDPR).
Further information on processing activities, procedures and services:
- Contact form: When contacting us via our contact form, by e-mail or other communication channels, we process the personal data transmitted to us in order to respond to and handle the respective request. This usually includes information such as name, contact details and, if applicable, further information provided to us and required for proper handling. We use this data exclusively for the specified purpose of contact and communication; Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Presence in Social Networks (Social Media)
We maintain online presences within social networks and, in this context, process user data in order to communicate with the users active there or to provide information about us.
We point out that user data may be processed outside the territory of the European Union. This may entail risks for users, e.g. because enforcing user rights could become more difficult.
Furthermore, user data within social networks is usually processed for market research and advertising purposes. For example, usage profiles can be created based on users' behavior and the resulting interests. These profiles may in turn be used to display advertisements inside and outside the networks that are presumably aligned with users' interests. For this purpose, cookies are usually stored on users' devices, which record their usage behavior and interests. In addition, data may also be stored in the usage profiles regardless of the devices used by the users (particularly if they are members of the respective platforms and are logged in there).
For a detailed description of the respective processing operations and the options to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
Also in the case of access requests and the assertion of data subject rights, we point out that these can be most effectively exercised with the providers. Only the latter have direct access to the users' data and can take appropriate measures and provide information. Should you nevertheless require assistance, you may contact us.
- Types of data processed: Contact data (e.g. postal and e-mail addresses or phone numbers); Content data (e.g. textual or visual messages and posts as well as related information such as authorship details or creation timestamps); Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, types of devices and operating systems used, interactions with content and functions).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing: Communication; Feedback (e.g. collecting feedback via online form); Public relations.
- Storage and deletion: Deletion according to the information provided in the section "General information on data storage and deletion".
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing activities, procedures and services:
- Instagram: Social network, enables sharing of photos and videos, commenting and liking posts, sending messages, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for third country transfers: Data Privacy Framework (DPF).
- Facebook Pages: Profiles within the Facebook social network – The controller is jointly responsible with Meta Platforms Ireland Limited for the collection and transmission of data from visitors to our Facebook page ("Fanpage"). This includes in particular information about user behavior (e.g. viewed or interacted content, actions taken) as well as device information (e.g. IP address, operating system, browser type, language settings, cookie data). Further details can be found in Facebook's Data Policy: https://www.facebook.com/privacy/policy/. Facebook also uses this data to provide us with statistical evaluations via the "Page Insights" service, giving insights into how people interact with our page and its content. The basis for this is an agreement with Facebook ("Information on Page Insights": https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, security measures as well as the exercise of data subject rights. Further information can be found here: https://www.facebook.com/legal/terms/information_about_page_insights_data. Users may therefore direct requests for access or deletion directly to Facebook. Users' rights (in particular the right of access, erasure, objection, complaint to a supervisory authority) remain unaffected. The joint controllership is limited exclusively to the collection of data by Meta Platforms Ireland Limited (EU). Any further processing, including possible transfer to Meta Platforms Inc. in the USA, is the sole responsibility of Meta Platforms Ireland Limited; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for third country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
- LinkedIn: Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors that is used to generate "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with and the actions they take. It also records details about the devices used, such as IP addresses, operating system, browser type, language settings and cookie data, as well as information from user profiles, such as job function, country, industry, seniority, company size and employment status. Privacy information on LinkedIn's processing of user data can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.
We have entered into a special agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum", https://legal.linkedin.com/pages-joint-controller-addendum), which specifies, among other things, the security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e. users can, for example, address access or deletion requests directly to LinkedIn). Users' rights (in particular the right of access, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection and transmission of the data to LinkedIn Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly with regard to the transfer of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Basis for third country transfers: Data Privacy Framework (DPF), Standard Contractual Clauses (https://legal.linkedin.com/dpa). Opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.xing.com/. Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.
Changes and Updates
We kindly ask you to regularly check the content of our privacy policy. We will adapt the privacy policy as soon as changes in the data processing carried out by us make this necessary. We will inform you as soon as changes require an act of cooperation on your part (e.g. consent) or another individual notification.
If we provide addresses and contact details of companies and organizations in this privacy policy, please note that addresses may change over time and verify the details before contacting them.
Definitions of Terms
In this section you will find an overview of the terms used in this privacy policy. To the extent that the terms are defined by law, their legal definitions apply. The following explanations, on the other hand, are intended primarily to aid understanding.
- Inventory data: Inventory data includes essential information required for the identification and administration of contractual partners, user accounts, profiles and similar allocations. This data may include personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), dates of birth and specific identifiers (user IDs). Inventory data forms the basis for any formal interaction between individuals and services, institutions or systems, as it enables unique allocation and communication.
- Content data: Content data includes information generated in the course of creating, editing and publishing all kinds of content. This category of data may include texts, images, videos, audio files and other multimedia content published on various platforms and media. Content data is not limited to the actual content itself, but also includes metadata that provides information about the content, such as tags, descriptions, author information and publication dates.
- Contact data: Contact data are essential details that enable communication with individuals or organizations. They include, among other things, phone numbers, postal addresses and email addresses, as well as communication means such as social media handles and instant messaging identifiers.
- Meta, communication and procedural data: Meta, communication and procedural data are categories that contain information on the manner in which data is processed, transmitted and managed. Metadata, also known as data about data, includes information that describes the context, origin and structure of other data. They may contain details such as file size, creation date, author of a document and version history. Communication data records the exchange of information between users across various channels, such as e-mail traffic, call logs, messages in social networks and chat histories, including the persons involved, timestamps and transmission paths. Procedural data describes the processes and workflows within systems or organizations, including workflow documentation, records of transactions and activities, as well as audit logs used to trace and verify processes.
- Usage data: Usage data refers to information that records how users interact with digital products, services or platforms. This data covers a wide range of details showing how users utilize applications, which functions they prefer, how long they stay on certain pages and which paths they navigate through an application. Usage data may also include frequency of use, timestamps of activities, IP addresses, device information and location data. They are particularly valuable for analyzing user behavior, optimizing user experiences, personalizing content and improving products or services. In addition, usage data plays a crucial role in identifying trends, preferences and possible problem areas within digital offerings.
- Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Log data: Log data is information about events or activities that have been logged in a system or network. This data typically contains details such as timestamps, IP addresses, user actions, error messages and other information about the use or operation of a system. Log data is often used for analyzing system issues, monitoring security, or creating performance reports.
- Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data, be it collection, evaluation, storage, transmission or deletion.
- Contract data: Contract data are specific details relating to the formalization of an agreement between two or more parties. They document the conditions under which services or products are provided, exchanged or sold. This category of data is essential for the management and fulfillment of contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may include the start and end dates of the contract, the nature of the agreed services or products, price agreements, payment terms, termination rights, renewal options and special conditions or clauses. They serve as the legal basis for the relationship between the parties and are crucial for clarifying rights and obligations, enforcing claims and resolving disputes.
- Payment data: Payment data includes all information required to process payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking and any other form of financial transaction. It includes details such as credit card numbers, bank details, payment amounts, transaction data, verification numbers and invoice information. Payment data may also include information on payment status, chargebacks, authorizations and fees.
Created with the free Privacy Policy Generator.de by Dr. Thomas Schwenke