Privacy policy

1. Introduction

With the following information, we would like to give you, as the ‘data subject’, an overview of how we process your personal data and your rights under data protection laws. It is generally possible to use our website without entering personal data. However, if you wish to use special services offered by our company via our website, it may be necessary to process personal data. If the processing of personal data is necessary and there is no legal basis for such processing, we will generally obtain your consent.

The processing of personal data, such as your name, address or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to ‘ituma GmbH’. With this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use and process.

As the controller, we have implemented numerous technical and organisational measures to ensure the most complete protection possible for the personal data processed via this website. Nevertheless, Internet-based data transmissions can generally have security gaps, so that absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us by alternative means, for example by telephone or post.

2. Legal basis for processing

Art. 6(1)(a) GDPR serves as the legal basis for our company for processing operations in which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of other services or consideration, the processing is based on Art. 6 para. 1 lit. b GDPR. The same applies to processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of enquiries about our products or services.

If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfilment of tax obligations, the processing is based on Art. 6 para. 1 lit. c GDPR.

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor to our premises were injured and their name, age, health insurance details or other vital information had to be passed on to a doctor, hospital or other third party. In this case, the processing would be based on Art. 6(1)(d) GDPR.

Finally, processing operations could be based on Art. 6(1)(f) GDPR. This legal basis applies to processing operations that are not covered by any of the above legal bases if the processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. We are permitted to carry out such processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47, sentence 2 of the GDPR) and we process your personal data for the purpose of direct marketing (Recital 47, sentence 7 of the GDPR).

3. Transfer of data to third parties

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only pass on your personal data to third parties if:

1. you have given your express consent in accordance with Art. 6 (1) (a) GDPR,
2. the transfer is permissible under Art. 6 (1) (f) GDPR to safeguard our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
3. in the event that there is a legal obligation for the transfer pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR, and
4. this is legally permissible and necessary for the performance of contractual relationships with you pursuant to Art. 6 para. 1 sentence 1 lit. b GDPR.

In order to protect your data and, if necessary, enable us to transfer data to third countries (outside the EU/EEA), we have concluded agreements on order processing based on the standard contractual clauses of the European Commission.

4. Technology

4.1 SSL/TLS encryption

This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login details or contact enquiries that you send to us as the operator. You can recognise an encrypted connection by the fact that the address line of the browser contains ‘https://’ instead of ‘http://’ and by the lock symbol in your browser line.

We use this technology to protect your transmitted data.

4.2 Data collection when visiting the website

When you use our website for informational purposes only, i.e. if you do not register or otherwise provide us with information, we only collect data that your browser transmits to our server (in so-called ‘server log files’). Our website collects a range of general data and information each time you or an automated system accesses a page. This general data and information is stored in the server log files. The following may be recorded

1. browser types and versions used,
2. the operating system used by the accessing system,
3. the website from which an accessing system reaches our website (so-called referrer),
4. the sub-websites that are accessed via an accessing system on our website,
5. the date and time of access to the website,
6. an abbreviated Internet Protocol address (anonymised IP address),
7. the Internet service provider of the accessing system.

When using this general data and information, we do not draw any conclusions about your person. Rather, this information is required in order to

1. deliver the content of our website correctly,
2. optimise the content of our website and the advertising for it,
3. ensure the long-term functionality of our IT systems and the technology of our website, and
4. provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.

We therefore evaluate this collected data and information statistically and with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data we process. The anonymous data in the server log files is stored separately from all personal data provided by a data subject.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest follows from the purposes listed above for data collection.

5. Cookies

5.1 General information about cookies

We use cookies on our website. These are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our site.

The cookie stores information that is related to the specific device used. However, this does not mean that we immediately become aware of your identity.

The use of cookies serves, on the one hand, to make the use of our offer more pleasant for you. For example, we use so-called session cookies to recognise that you have already visited individual pages of our website. These are automatically deleted after you leave our site.

In addition, we also use temporary cookies to optimise user-friendliness, which are stored on your device for a specific period of time. If you visit our site again to use our services, it will automatically recognise that you have already been with us and what entries and settings you have made, so that you do not have to enter them again.

We also use cookies to statistically record the use of our website and to evaluate it for the purpose of optimising our offer for you. These cookies enable us to automatically recognise that you have already visited our site when you visit it again. These cookies are automatically deleted after a defined period of time.

5.2 Legal basis for the use of cookies

The data processed by cookies, which is necessary for the proper functioning of the website, is therefore necessary to safeguard our legitimate interests and those of third parties in accordance with Art. 6(1)(f) GDPR.

For all other cookies, you have given your consent in accordance with Art. 6 (1) (a) GDPR via our opt-in cookie banner.

6. Our activities on social networks

We have our own pages on social networks so that we can communicate with you and provide information about our services. When you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing operations triggered by this, which concern personal data, within the meaning of Art. 26 GDPR.

We are not the original provider of these pages, but merely use them within the scope of the options offered to us by the respective providers.

As a precaution, we would therefore like to point out that your data may also be processed outside the European Union or the European Economic Area. Use may therefore pose data protection risks for you, as it may be more difficult to safeguard your rights, e.g. to information, deletion, objection, etc., and processing on social networks is often carried out directly for advertising purposes or to analyse user behaviour by the providers, without us being able to influence this. If usage profiles are created by the provider, cookies are often used or your usage behaviour is directly assigned to your own member profile on social networks (if you are logged in here).

The processing of personal data described above is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest and the legitimate interest of the respective provider in communicating with you in a modern manner and informing you about our services. If you as a user are required to give your consent to data processing by the respective providers, the legal basis is Art. 6 (1) (a) GDPR in conjunction with Art. 7 GDPR.

As we do not have access to the providers’ databases, we would like to point out that it is best to exercise your rights (e.g. to information, correction, deletion, etc.) directly with the respective provider. Further information on the processing of your data in social networks and the possibility of exercising your right of objection or revocation (so-called opt-out) is listed below for each social network provider we use:

6.1 Facebook

(Joint) controller for data processing in Europe:
Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Privacy policy (data policy):
https://www.facebook.com/about/privacy
Opt-out and advertising settings:
https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen
Facebook has joined the EU-U.S. Privacy Shield Agreement:
https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active

7. Web analytics

7.1 Google Analytics 4 (GA4)

On our websites, we use Google Analytics 4 (GA4), a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’).

In this context, pseudonymised usage profiles are created and cookies (see ‘Cookies’) are used. The information generated by the cookie about your use of this website may include:

a temporary recording of the IP address without permanent storage
2. Location data
3. Browser type/version
4. Operating system used
5. Referrer URL (previously visited page)
6. Time of the server request

The pseudonymised data may be transferred by Google to a server in the USA and stored there.

The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage for the purposes of market research and the design of this website in line with user needs. This information may also be transferred to third parties if this is required by law or if third parties process this data on behalf of the website operator.

These processing operations are carried out exclusively with the express consent of the data subject in accordance with Art. 6(1)(a) GDPR.

The default data storage period set by Google is 14 months. Otherwise, personal data is stored for as long as it is necessary to fulfil the purpose of processing. The data is deleted as soon as it is no longer required to fulfil the purpose.

The parent company Google LLC is certified as a US company under the EU-US Data Privacy Framework. This means that an adequacy decision pursuant to Art. 45 GDPR is in place, so that personal data may be transferred without further guarantees or additional measures.

Further information on data protection when using GA4 can be found at:

https://support.google.com/analytics/answer/12017362?hl=de

8. Your rights as a data subject

8.1 Right to confirmation

You have the right to request confirmation from us as to whether personal data concerning you is being processed.

8.2 Right of access Art. 15 GDPR

You have the right to obtain information from us at any time, free of charge, about the personal data stored about you and to receive a copy of this data in accordance with the statutory provisions.

8.3 Right to rectification Art. 16 GDPR

You have the right to request the correction of inaccurate personal data concerning you. Furthermore, you have the right to request the completion of incomplete personal data, taking into account the purposes of the processing.

8.4 Deletion Art. 17 GDPR

You have the right to request that we delete your personal data immediately, provided that one of the reasons specified by law applies and that processing or storage is not necessary.

8.5 Restriction of processing Art. 18 GDPR

You have the right to request that we restrict processing if one of the legal requirements is met.

8.6 Data portability Art. 20 GDPR

You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from us, to whom the personal data has been provided, provided that the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR and the processing is carried out using automated procedures, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Furthermore, when exercising your right to data portability pursuant to Art. 20(1) GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

8.7 Objection under Article 21 of the GDPR

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) (data processing in the public interest) or (f) (data processing based on a balancing of interests) of the GDPR.

This also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In individual cases, we process personal data for direct marketing purposes. You can object to the processing of personal data for such marketing purposes at any time. This also applies to profiling insofar as it is related to such direct marketing. If you object to us processing your data for direct marketing purposes, we will no longer process your personal data for these purposes.

You are free to exercise your right to object in relation to the use of information society services, notwithstanding Directive 2002/58/EC, by means of automated procedures using technical specifications.

8.8 Withdrawal of consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any time with future effect.

8.9 Complaint to a supervisory authority

You have the right to complain to a supervisory authority responsible for data protection about our processing of personal data.

9. Routine storage, deletion and blocking of personal data

We process and store your personal data only for the period necessary to achieve the purpose of storage or as required by the legal provisions to which our company is subject.

If the purpose of storage no longer applies or a prescribed storage period expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

10. Duration of storage of personal data

The criterion for the duration of storage of personal data is the respective statutory retention period. After expiry of this period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfilment or initiation of a contract.

11. Updates and changes to the privacy policy

This privacy policy is currently valid and was last updated in April 2025.

Due to the further development of our website and services, or due to changes in legal or regulatory requirements, it may be necessary to amend this privacy policy.