Privacy Policy

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to simply as “data”) we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).

Effective Date: May 24, 2025

Controller

femzar GmbH

Lorenzengasse 7

22303 Hamburg

Germany

Authorized Representatives: Samira Mousavi Hesari, Mira Schröder

Email: hallo@femzar.com

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of processing, and the categories of data subjects.

Relevant Legal Bases

Relevant legal bases under the GDPR: The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases apply in individual cases, we will inform you about them in this privacy policy.

• Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

• Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

• Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.

• Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National Data Protection Regulations in Germany: In addition to the GDPR, national data protection laws apply in Germany, particularly the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG includes specific provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, as well as transmission and automated decision-making in individual cases including profiling. Furthermore, state data protection laws of the individual federal states may also apply.

Note on the Applicability of the GDPR and Swiss DPA: This privacy notice serves both to fulfill information requirements under the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). For reasons of broader territorial scope and clarity, the terminology of the GDPR is used. In particular, instead of the terms used in the Swiss DPA such as “processing” of “personal data”, “overriding interest”, and “sensitive personal data”, the GDPR terms “processing” of “personal data”, “legitimate interest”, and “special categories of data” are used. However, the legal meaning of these terms continues to be interpreted according to the Swiss DPA when applicable.

Security Measures

In accordance with legal requirements, and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying probabilities and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transmission, availability, and separation of the data itself. Furthermore, we have established procedures that ensure the exercise of data subject rights, data deletion, and responses to data breaches. We also take data protection into account in the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.

Securing Online Connections Using TLS/SSL Encryption (HTTPS):

To protect user data transmitted through our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information exchanged between the website or app and the user’s browser (or between two servers), protecting the data from unauthorized access. TLS, as the advanced and more secure version of SSL, ensures that all data transfers comply with the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.

Transfer of Personal Data

As part of our processing of personal data, data may be transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, IT service providers or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements that serve to protect your data with the recipients.

Internal Data Transfers Within Our Organization:

We may transfer personal data to other departments or units within our organization or grant them access to the data. If data is shared for administrative purposes, this is based on our legitimate business and economic interests, or it occurs if it is necessary to fulfill our contractual obligations or based on the data subject’s consent or legal permission.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal requirements as soon as the consent on which processing is based is withdrawn, or if there are no other legal grounds for processing. This applies when the original purpose of processing no longer exists or the data is no longer needed. Exceptions apply where statutory obligations or legitimate interests require longer retention or archiving.

In particular, data that must be retained for commercial or tax law reasons or is necessary for legal prosecution or for protecting the rights of other natural or legal persons must be archived accordingly.

Our privacy notices contain additional information on retention and deletion of data that apply to specific processing operations.

Where multiple retention or deletion periods are specified for a particular piece of data, the longest period shall always prevail.

If a retention period does not explicitly begin on a specific date and is at least one year, it will automatically begin at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the triggering event is the termination or other conclusion of the legal relationship.

Data that is no longer needed for the original intended purpose but is retained due to legal requirements or other reasons will be processed solely for the reasons justifying its retention.

Additional Information on Processing Activities, Procedures, and Services:

Data Retention and Deletion – General Periods Under German Law:
• 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balances, and the work instructions and other organizational documents required to understand them

(§ 147(1) no. 1 in conjunction with § 147(3) AO, § 14b(1) UStG, § 257(1) no. 1 in conjunction with § 257(4) HGB).

• 8 years – Accounting vouchers such as invoices and cost records

(§ 147(1) nos. 4 and 4a in conjunction with § 147(3) sentence 1 AO, and § 257(1) no. 4 in conjunction with § 257(4) HGB).

• 6 years – Other business documents, including received or sent commercial correspondence and other documents relevant for taxation, such as hourly wage records, cost sheets, calculation documents, price labels, and payroll records (if not classified as accounting vouchers), as well as cash register receipts

(§ 147(1) nos. 2, 3, 5 in conjunction with § 147(3) AO, § 257(1) nos. 2 and 3 in conjunction with § 257(4) HGB).

• 3 years – Data necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, will be retained for the duration of the standard statutory limitation period of three years

(§§ 195, 199 BGB).

Rights of Data Subjects

Rights under the GDPR:
As a data subject under the General Data Protection Regulation (GDPR), you are entitled to a number of rights, particularly those outlined in Articles 15 to 21 GDPR:

  • Right to object: You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data which is based on Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to such processing, including profiling related to such direct marketing.
  • Right to withdraw consent: If you have given your consent for certain data processing activities, you have the right to withdraw your consent at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and additional information, as well as a copy of the data, in accordance with legal requirements.
  • Right to rectification: You have the right to request the completion or correction of inaccurate personal data concerning you, in accordance with legal requirements.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request the immediate deletion of your personal data, or alternatively, the restriction of its processing.
  • Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, and to transmit those data to another controller, where legally required.
  • Right to lodge a complaint: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority—particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement—if you believe that the processing of your personal data violates the GDPR.

Business Services

We process the data of our contractual and business partners—such as customers and prospects (hereinafter collectively referred to as “contractual partners”)—within the scope of contractual or similar legal relationships, including associated measures and communication (including pre-contractual communication such as responding to inquiries).

This data is used to fulfill our contractual obligations, such as providing the agreed services, addressing warranty issues, and handling service disruptions. It is also used for administrative tasks and business organization, as well as for enforcing our legal rights. Furthermore, we rely on our legitimate interests to ensure secure and efficient business operations, protect against misuse, and safeguard our contractual partners’ and business interests. This may involve sharing data with third parties such as telecommunication or logistics providers, subcontractors, banks, tax or legal advisors, payment service providers, and financial authorities.

We only share data with third parties to the extent necessary for these purposes or to comply with legal obligations. Any additional processing (e.g., for marketing) is described separately in this privacy policy.

The necessary data is disclosed to contractual partners before or during data collection—e.g., through online forms, highlighted markers (such as color or symbols like asterisks), or in-person explanations.

We delete personal data after expiration of statutory warranty and similar obligations, generally after four years, unless the data is stored in a customer account or must be retained for legal reasons (e.g., 10 years for tax purposes). Data disclosed to us under a contract will be deleted in accordance with the contract and legal requirements.

Types of data processed:

  • Master data (e.g., full name, address, contact info, customer ID)
  • Payment data (e.g., bank details, invoices, transaction history)
  • Contact data (e.g., email, phone number)
  • Contractual data (e.g., subject matter, duration, customer category)
  • Usage data (e.g., page views, session durations, click paths, frequency, device types, OS)
  • Meta, communication, and procedural data (e.g., IP address, timestamps, IDs, involved persons)

Categories of data subjects:

  • Recipients of services and clients
  • Interested parties
  • Business and contractual partners

Purposes of processing:

  • Fulfillment of contractual obligations
  • Security measures
  • Communication
  • Office and organizational processes
  • Business operations and economic procedures

Data retention and deletion:

  • As described in the section “General Information on Data Storage and Deletion”

Legal bases:

  • Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR)
  • Legal obligation (Art. 6(1)(c) GDPR)
  • Legitimate interests (Art. 6(1)(f) GDPR)

Business Processes and Procedures

We process personal data from service recipients and clients—including customers, patients, clients, partners, and, in some cases, other third parties—within the context of contractual and pre-contractual relationships. This data processing supports and facilitates business operations such as customer management, sales, payment processing, accounting, and project management.

The data helps us fulfill contractual obligations and optimize business workflows, including managing transactions, improving sales strategies, ensuring internal accounting and finance processes, safeguarding legal claims, and supporting company administration.

Data may be shared with third parties as needed to fulfill these purposes or comply with legal obligations.

Types of data processed:

  • Master data, payment data, contact data
  • Content data (e.g., text or image-based communications and metadata such as authorship)
  • Contract data, usage data (e.g., website visits, duration, device type, operating system)
  • Meta, communication, and procedural data

Data subjects:

  • Recipients of services and clients
  • Interested parties
  • Communication partners
  • Business and contractual partners

Purposes of processing:

  • Fulfillment of contractual obligations
  • Office and organizational processes
  • Business operations and economic procedures

Data retention and deletion:

  • As described in the section “General Information on Data Storage and Deletion”

Legal bases:

  • Contract fulfillment and pre-contractual inquiries (Art. 6(1)(b) GDPR)
  • Legitimate interests (Art. 6(1)(f) GDPR)

Additional Processing: Economic Analyses and Market Research

For business analysis and to recognize market trends and customer preferences, we evaluate data related to business activities, contracts, and inquiries. Affected groups may include contractual partners, prospects, customers, and users of our online services. These analyses support marketing, business development, and market research—such as identifying customer groups with varying characteristics.

If available, we may use user profiles (e.g., service usage data) in our analysis. All analysis is internal and not disclosed externally—unless it is aggregated and anonymized.

We respect users’ privacy by processing the data pseudonymously or anonymously where possible.

Legal basis:

  • Legitimate interests (Art. 6(1)(f) GDPR)

Provision of Online Services and Web Hosting

We process user data in order to provide our online services. For this purpose, we process users’ IP addresses, which are necessary to transmit content and functionalities of our online services to the user’s browser or device.

  • Types of data processed: Usage data (e.g., page views, session duration, click paths, usage frequency and intensity, device types, operating systems, interactions with content and features); meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons); log data (e.g., login logs, access times, data retrieval); content data (e.g., messages or posts including authorship or time of creation).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers); security measures.
  • Retention and deletion: Deletion as described in the section “General Information on Data Storage and Deletion”.
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR).

Additional processing and services:

  • Hosting of online services on rented servers: We use storage space, computing capacity, and software rented from a server provider (a “web host”) to operate our online services;
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Access data and server log files: Access to our online services is logged in server log files. These logs may include the names and addresses of accessed websites or files, timestamps, data volumes transferred, success messages, browser type and version, operating system, referrer URL (previous page), IP address, and requesting provider. Log files are used for security (e.g., to prevent server overload or DDoS attacks) and to ensure server performance and stability;
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
    Retention: Log file data is stored for up to 30 days and then deleted or anonymized unless retention is required for evidence purposes.
  • Email dispatch and hosting: Our web hosting services also include sending, receiving, and storing emails. This involves processing sender and recipient addresses, transmission details (e.g., providers), and email content. These may also be processed for spam detection. Please note that emails are generally not end-to-end encrypted unless such encryption is specifically used. Thus, we cannot assume responsibility for email transmission between the sender and our server;
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Content Delivery Network (CDN): We use a CDN to deliver large media files (e.g., images or scripts) more quickly and securely via regionally distributed servers;
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • ALL-INKL: IT infrastructure services including storage and computing capacities;
    Provider: ALL-INKL.COM – Neue Medien Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany;
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
    Website: https://all-inkl.com/
  • WordPress.com: Hosting and software for operating websites and blogs;
    Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland;
    Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
    Website: https://wordpress.com;
    Data transfer safeguards: Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs)

Use of Cookies

“Cookies” refer to technologies used to store and retrieve information on users’ devices. They serve various purposes, including functionality, security, user convenience, and analytics. We use cookies in accordance with legal requirements. Where required, we obtain users’ consent beforehand. If consent is not necessary, processing is based on our legitimate interests—such as ensuring the functionality and security of our online services.

Users may revoke their consent at any time. We clearly inform users of the scope and purpose of the cookies used.

Legal bases:

  • With consent: Art. 6(1)(a) GDPR
  • Without consent: Legitimate interests per Art. 6(1)(f) GDPR

Storage duration of cookies:

  • Session cookies (temporary): Deleted when the user leaves the site or closes the browser/app.
  • Persistent cookies: Remain stored after the session ends—e.g., to remember login status or display preferred content. Unless stated otherwise, assume cookies are persistent and stored for up to two years.

Withdrawal and opt-out:
Users can revoke consent or object to processing via browser privacy settings.

  • Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons)
  • Data subjects: Users (e.g., website visitors, online service users)

Consent management solution:
We use a consent management tool to obtain, document, manage, and revoke users’ cookie consents. This includes assigning a pseudonymous user ID and storing the time and scope of consent as well as browser, system, and device information. Unless otherwise stated, consent is stored for up to two years;
Legal basis: Consent (Art. 6(1)(a) GDPR)

Contact and Inquiry Management

When you contact us (e.g., via post, contact form, email, phone, or social media) or in the context of business/user relationships, we process the data provided by the inquirer as necessary to respond and fulfill the request.

  • Types of data processed:
    • Master data (e.g., name, address, contact details, customer number)
    • Contact data (e.g., postal and email addresses, phone numbers)
    • Content data (e.g., messages and related info like authorship, timestamp)
    • Usage data (e.g., page views, session duration, click paths, usage frequency, device type, OS, interactions with features)
    • Meta, communication, and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons)
  • Data subjects: Communication partners
  • Purposes of processing: Communication; administrative procedures; user feedback (e.g., feedback forms); provision and usability of our online services
  • Retention and deletion: In accordance with the section “General Information on Data Storage and Deletion”
  • Legal bases: Legitimate interests (Art. 6(1)(f) GDPR); contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR)

Additional information:

  • Contact form: When you contact us via form, email, or other means, we process the personal data you provide (e.g., name, contact info) solely for the purpose of responding to your inquiry;
    Legal bases: Contract performance (Art. 6(1)(b) GDPR); Legitimate interests (Art. 6(1)(f) GDPR)

Plug-ins and Embedded Functions and Content

We integrate function and content elements into our online services that are obtained from the servers of their respective providers (referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (collectively referred to as “content”).

Embedding such content always requires that the third-party providers process users’ IP addresses, as they would otherwise not be able to send the content to users’ browsers. The IP address is therefore necessary for displaying this content or functionality. We strive to use only content where the providers use the IP address solely to deliver the content.

Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. These pixel tags can be used to evaluate visitor traffic on our website. The pseudonymized information may also be stored in cookies on users’ devices and may include technical information such as browser and operating system data, referring websites, visit time, and other data on the use of our online services, and may be linked to such information from other sources.

Legal basis notice: If we request users’ consent to use third-party providers, the legal basis for the processing of data is that consent. Otherwise, users’ data is processed based on our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). Please also see our information on the use of cookies in this privacy policy.

  • Types of data processed: Usage data (e.g., page views, duration of visit, click paths, usage frequency and intensity, device types and operating systems, interaction with content and functions); meta, communication and procedural data (e.g., IP addresses, timestamps, identifiers, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purpose of processing: Provision of our online services and user-friendliness.
  • Storage and deletion: Deletion in accordance with the section “General Information on Data Storage and Deletion”. Cookies may be stored for up to 2 years (unless otherwise stated).
  • Legal bases: Consent (Art. 6(1)(a) GDPR); Legitimate interests (Art. 6(1)(f) GDPR).

Further information on processing, procedures, and services:

  • Google Fonts (from Google servers): Fonts (and icons) are retrieved to enable technically secure, maintenance-free, and efficient use with regard to up-to-date fonts, loading times, consistent presentation, and licensing considerations. The font provider is informed of the user’s IP address to deliver the fonts in the user’s browser. Additionally, technical data (language settings, screen resolution, operating system, device type) is transmitted to ensure compatibility. This data may be processed on servers in the U.S.

When visiting our website, users’ browsers send HTTP requests to the Google Fonts Web API to fetch fonts. These requests include:

  1. The user’s IP address.
  2. The requested URL on Google’s server.
  3. HTTP headers including user-agent (browser/OS version), and referrer URL (site where the font is to be displayed).

Google states:

  • IP addresses are not logged or stored.
  • Only requested URLs, user-agent strings, and referrer URLs are logged for performance and analytics.
  • These logs are tightly controlled and only used to determine font popularity and maintain services.
  • Data is not used to profile end users or target ads.

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR)
Website: https://fonts.google.com/
Privacy Policy: https://policies.google.com/privacy
International transfers: Data Privacy Framework (DPF)
Further info: Google Fonts Privacy FAQ

Changes and Updates

We kindly ask users to regularly review the contents of our privacy policy. We will amend the privacy policy as soon as changes in our data processing practices make it necessary. We will inform you if these changes require your cooperation (e.g., renewed consent) or any other form of individual notification.

Where we provide addresses and contact information of companies and organizations in this privacy policy, please note that such information may change over time. Therefore, we ask you to verify these details before contacting them.