Privacy Policy

How we handle your personal data is explained in this privacy policy. It is based on the General Data Protection Regulation (GDPR). Except the third party providers that we name in this document, we do not pass any data to third parties. If you have any questions, please contact us.

Controller

The controller for processing of data is

goodthoughts GmbH
Drakestr. 3
40545 Düsseldorf

General Information

Provision of data

As a rule, it is neither legally nor contractually required to provide personal data in order to use our website. Insofar as the provision of data is necessary for the conclusion of a contract or the user is obliged to provide personal data, we shall inform the user of this circumstance and the consequences of not providing the data in this privacy policy.

Data transfer to third countries

We may use service providers and third parties located in countries outside the European Union and the European Economic Area. The transfer of personal data to such third countries takes place on the basis of an adequacy decision by the European Commission (Art. 45 GDPR) or we have provided appropriate safeguards to ensure data protection (Art. 46 GDPR). Insofar as there is an adequacy decision by the European Commission for the transfer of data to a third country, we refer to this in this privacy policy. Furthermore, users can obtain a copy of the appropriate safeguards from us, insofar as these are not already contained in the privacy policies of the service providers or third-party providers.

Automated decision-making

In the event that we use automated decision-making, including profiling, this privacy policy will inform you of this fact, the logic involved and the scope and intended effects of such processing. Otherwise, there shall be no automated decision-making process.

Processing for other purposes

Data is generally only processed for the purposes for which it was collected. If, in exceptional cases, data is intended to be further processed for other purposes, we will inform you of these other purposes prior to such further processing and provide all other relevant information (Art. 13 (3) GDPR).

Hosting and Content Delivery Networks (CDN)

External hosting

We host the content of our website with the following provider:

Webflow

The provider is Webflow, Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA (hereinafter referred to as Webflow). When you visit our website, Webflow collects various log files including your IP addresses.


Webflow is a tool for creating and hosting websites. Webflow stores cookies or other recognition technologies that are required to display the page, to provide certain website functions and to ensure security (necessary cookies).


Details can be found in Webflow's privacy policy: https://webflow.com/legal/eu-privacy-policy.


The use of Webflow is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.


Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://webflow.com/legal/eu-privacy-policy.

The use of Webflow is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) within the meaning of the TTDSG. Consent can be revoked at any time.


Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://webflow.com/legal/eu-privacy-policy.


The company is certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the DPF undertakes to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participant- detail?contact=true&id=a2zt0000000TT9jAAG&status=Active

Order processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Privacy Policy of Squarespace

Cookies, pixel tags and mobile identifiers

On our website, we use technologies to recognise the used end device. These can be cookies, pixel tags and/or mobile identifiers.

The recognition of an end device can generally be used for different purposes. It may be necessary in order to provide functions of our website, for example to make a shopping cart available. In addition, these technologies can be used to track user behaviour on the site, for example for advertising purposes. We describe the technologies we use and the purpose of their use separately and in detail in this privacy policy.

For a better understanding, we will explain below how cookies, pixel tags and mobile identifiers work in general:

  • Cookies are small text files that contain certain information and are stored on the user's end device. In most cases, the information consists of an identification number that is assigned to an end device (cookie ID).
  • A pixel tag is a transparent graphic file that is integrated into a page and enables a log file analysis.
  • A mobile identifier is a unique number (mobile ID) stored on a mobile device which can be read out by a website.

Cookies may be required for our website to function properly. The legal basis for the use of cookies of this nature is Art. 6 (1) f) GDPR. Our legitimate interest is to provide the functions of our website.

We use cookies that are not required for the operation of our website in order to make our offer more user-friendly or to be able to trace the use of our website. The legal basis here depends on whether user consent must be obtained or whether we can invoke a legitimate interest. The user can revoke given consent, among other things, by means of browser settings at any time.

The user can prevent and object to the processing of data by means of cookies by choosing suitable browser settings. An objection may lead to some functions on the website no longer being available. We will inform you separately about further possibilities for objecting to the processing of personal data by means of cookies in this privacy policy. Where necessary, we provide links which can be used to state an objection. These are labelled “opt-out”.

Establishing contact

In the event contact is established, we process the user's details, date and time for the purpose of processing the enquiry, including any queries.

The legal basis for the data processing is Art. 6 (1) f) GDPR. Our legitimate interest is to answer our user’s enquiries. Additional legal basis is provided by Art. 6(1) b) GDPR, if processing is necessary for the performance of a contract or for the implementation of pre-contractual measures.

The data will be deleted as soon as the enquiry, including any queries, has been answered. We will check at regular intervals, but at least every two years, whether any data accumulated in connection with contacts must be deleted.

Comments

On our website, we give users the opportunity to leave their own comments. If a comment is transmitted to us, we process the user's data. To protect against misuse of the comment function (e.g. through spam or criminal content), we also process the date, time and IP address of the user.

The legal basis for the processing is Art. 6 (1) f) GDPR. Our legitimate interest is to be able to offer the comment function and to protect against misuse.

Job applications

When users apply for a job, we process personal data for the purpose of the application process. In addition to the data transmitted by the user, we also process other data that is collected during the application process (e.g. during a job interview). Should we include data in an applicant pool, this will only be done on the basis of the user's prior consent. In this case, the data will be processed beyond the conclusion of the application procedure so that contact can be established in the event of suitable job offers.

Applicant data will be deleted three months after completion of the application procedure. In the event of inclusion in an applicant pool, the data will be retained for a maximum of two years, unless the consent given is revoked beforehand.

The legal basis for the processing is Art. 6 (1) b) GDPR. If consent is given for inclusion in an applicant pool, the processing is based on Art. 6 (1) a) GDPR. At the end of the application procedure, processing takes place on the basis of Art. 6 (1) f) GDPR. Our legitimate interest consists in the defence of possible claims under Allgemeines Gleichbehandlungsgesetz [German General Equal Treatment Act].

Other third-party services

Google Analytics

We use Google Analytics to analyse the use of our website. Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

To be able to track user activities on the website, a cookie is placed on the end device. We use Google Analytics with the extension anonymize IP. The user's IP address is automatically truncated before being transmitted to servers in the USA. Among other things, the approximate geographical location, end device, screen resolution, browser and visited pages including the length of stay are evaluated.

Insofar as we obtain user consent, data processing is carried out on the legal basis of Art. 6 (1) a) GDPR. Otherwise, the legal basis for the data processing is Art. 6 (1) f) GDPR. Our legitimate interests are optimising our website, improving our offers and online marketing.

The data collected by Google Analytics is automatically deleted after 14 months.

Opt-Out

Privacy Policy of Google Analytics

Google Adsense

We use Google AdSense. Provider: Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

Through Google Adsense we place personalised advertisements. Google uses cookies and tracking pixels to analyse user behaviour and to be able to select suitable advertising. Among other things, the calls to our website and other websites that use Adsense are evaluated and assigned to a user ID. The data is not merged with other user data stored by Google.

Insofar as we obtain the user's consent, the processing is carried out on the legal basis of Art. 6 (1) a) GDPR. Otherwise it is based on Art. 6 (1) f) GDPR. Our legitimate interest lies in the delivery of interest-based advertising.

Users can object to the use of data by Google for personalised advertising at any time by using the following opt-out.

Opt-Out

Privacy Policy of Google AdSense

Google Marketing Platform

We use the Google Marketing Platform for the statistical analysis of marketing measures, the collection of data relevant to advertising and the creation of advertising target groups. Provider: Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

With the Google Marketing Platform we can identify the target groups relevant to us. For this purpose a cookie is set on the user's end device. Among other things, the approximate geographical location, terminal device, screen resolution, browser and visited pages including the length of stay are evaluated.

Insofar as we obtain the user's consent, the processing of data is carried out on the legal basis of Art. 6 (1) a) GDPR. Otherwise it is based on Art. 6 (1) f) GDPR. Our legitimate interest lies in statistical analysis, improvement of our website and online marketing.

The data collected by the Google Marketing Platform is deleted after 12 months.

LinkedIn

We integrate contents and buttons of the social network LinkedIn on our website via a plugin. Provider: LinkedIn Corp., 1000 W. Maude Ave., Sunnyvale, California 94085, USA.

To load content from LinkedIn, it is necessary to transfer the user's IP address to the company in terms of technology. If the user is logged in to LinkedIn, the visit of a page can be attached to the account.

Insofar as we obtain user consent, data processing is carried out on the legal basis of Art. 6 (1) a) GDPR. Otherwise, the legal basis for the data processing is Art. 6 (1) f) GDPR. Our legitimate interest for the integration of LinkedIn content and buttons is making our website user-friendly.

Privacy Policy of LinkedIn

Instagram

We integrate contents and buttons of the social network Instagram on our website via a plugin. Provider: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

To load content from Instagram, it is necessary to transfer the user's IP address to the company in terms of technology. If the user is logged in to Instagram, the visit of a page can be attached to the account.

Insofar as we obtain user consent, data processing is carried out on the legal basis of Art. 6 (1) a) GDPR. Otherwise, the legal basis for the data processing is Art. 6 (1) f) GDPR. Our legitimate interest for the integration of Instagram content and buttons is making our website user-friendly.

Privacy Policy of Instagram

Twitter

We integrate contents and buttons of the social network Twitter on our website via a plugin. Provider: Twitter International Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07, Ireland.

To load content from Twitter, it is necessary to transfer the user's IP address to the company in terms of technology. If the user is logged in to Twitter, the visit of a page can be attached to the account.

Insofar as we obtain user consent, data processing is carried out on the legal basis of Art. 6 (1) a) GDPR. Otherwise, the legal basis for the data processing is Art. 6 (1) f) GDPR. Our legitimate interest for the integration of Twitter content and buttons is making our website user-friendly.

Privacy Policy of Twitter

YouTube

We embed videos from YouTube. Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. We utilise advanced privacy mode so YouTube does not track user behaviour unless the user is watching the video. To be able to provide videos, it is necessary for reasons of technology to transmit the user’s IP address to YouTube.

The legal basis for using YouTube is Art. 6 (1) f) GDPR. Our legitimate interest is to improve the user experience on our website and to display content that is of interest to our users.

You can object to personalised advertising by Google at any time by exercising the following opt-out.

Opt-Out

Privacy Policy of YouTube

Google Fonts

On our website we use fonts from Google Fonts. Provider: Google Ireland Ltd., Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

Fonts are loaded from the Google server. In order to establish a connection, it is technically necessary to transmit the user's IP address.

The legal basis for the processing is Art. 6 (1) f) GDPR. Our legitimate interest is to make our website user-friendly and to improve its speed and availability.

Privacy Policy of Google Fonts

Adobe Fonts

On our website we use fonts from Adobe Fonts. Provider: Adobe Software Systems Ireland Ltd., 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland.

Fonts are loaded from the Adobe server. In order to establish a connection, it is technically necessary to transmit the user's IP address.

The legal basis for the processing is Art. 6 (1) f) GDPR. Our legitimate interest is to make our website user-friendly and to improve its speed and availability.

Privacy Policy of Adobe Fonts

Profiles in social networks

We are present in one or more social networks. In detail, these are: LinkedIn, Instagram or Twitter. When contacting us, we process personal data as described above under “Establishing contact”.

Social network providers process data according to their data protection regulations, which can be accessed here:

If a user is logged in with an account, the activities on our profile in the respective social network may be attached to said user. This can take place across devices and without login as the case may be, for example when using cookies or mobile identifiers. Social network providers use the data collected to create pseudonymised user profiles, which they can use in particular to display personalised advertising.

Rights of the data subject

Where personal data relating to a user is being processed, the user has the following rights:

Right of access: The user has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and a copy of the personal data undergoing processing.

Right to rectification: The user has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to erasure: The user has the right in accordance with the law to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Right to restriction of processing: The user has the right in accordance with the law to obtain from the controller restriction of processing.

Right to data portability: The user has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right in accordance with the law to transmit those data to another controller.

Right to object: The user has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, the user has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to withdrawal: The user has the right to withdraw his or her consent at any time.

Right to lodge a complaint: The user has the right to lodge a complaint with a supervisory authority.

Last Updated: 15/08/2021

work with us.