We place particular importance on protecting your data. Therefore, when processing your personal data (e.g. master data), we comply with the applicable data protection regulations, especially the GDPR and the Austrian Data Protection Act (DSG). Below you will find detailed information about the data processing activities we carry out: Contents

1. Controller – 1 –
2. Rights of data subjects / Right to object and withdraw / Right to lodge a complaint – 1 –
3. Information about the processing of your personal data – 2 – 3.1. Website visit – 2 – 3.2. Electronic contact requests via the website – 3 – 3.3. Cookies / Web analytics service – 3 – 3.4. Use of Google services – 4 – 3.5. User account – 5 – 3.6. Customer management, accounting, logistics, and bookkeeping – 6 – 3.7. Customer support and marketing for own purposes – 7 – 3.8. Payment systems – 8 – 3.9. Applicant management – 11 – 3.10. Social media – 11 – 3.11. Website shop system: WooCommerce – 14 – 3.12. Images and learning content – 15 –
4. Information on data transfers to third countries or international organizations – 16 –
5. Change management – 16 –

1. Controller Bogner Academy GmbH Peter-Behrens-Platz 10 4020 Linz Phone: +43 677 6436 5253 Email: support@bogneracademy.com

No phone support Please note that we do not offer telephone customer support. Inquiries are processed exclusively in writing via email at support@bogneracademy.com. This is for documentation and quality assurance purposes. As we are not legally required to do so, we have not appointed or registered a data protection officer with the data protection authority.

2. Rights of Data Subjects / Right to Object and Withdraw / Right to Lodge a Complaint 2.1. You have the following rights with regard to your personal data:

• Right of access (Art. 15 GDPR),
• Right to rectification (Art. 16 GDPR),
• Right to restriction of processing (Art. 18 GDPR),
• Right to data portability (Art. 20 GDPR),
• Right to object to processing (Art. 21 GDPR).

If the processing of your personal data is based on a balancing of interests (Art. 6 para. 1 lit. f GDPR: legitimate interests), you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data. When exercising your right to object, we kindly ask you to explain your reasons why you believe we should not process your personal data as we do. We will examine the situation and either cease or adapt the data processing, or demonstrate our compelling legitimate grounds and continue processing. We will also continue processing your data if it is required for the establishment, exercise, or defense of legal claims. You may object to the processing of your personal data for direct marketing and data analysis purposes at any time. In this case, we will stop the data processing.

• Right to withdraw consent (Art. 7 para. 3 GDPR). If you have given us consent to process your personal data, you may withdraw that consent at any time. The withdrawal does not affect the lawfulness of data processing carried out before the withdrawal.

To exercise any of the above rights, please contact us personally, by telephone, or in writing: Bogner Academy GmbH Peter-Behrens-Platz 10 4020 Linz Phone: +43 677 6436 5253 Phone: Email: support@bogneracademy.com Please note that we can only provide information if you are able to identify yourself. 2.2. If you believe that the processing of your data violates applicable data protection law or that your data protection rights have been infringed, you also have the right to lodge a complaint with the supervisory authority in the Member State of your residence, workplace, or the place of the alleged infringement. If you wish to file your complaint with the supervisory authority in Austria, please direct it to: Austrian Data Protection Authority Barichgasse 40–42 1030 Vienna

3. Information about the Processing of Your Personal Data 3.1. Website Visit

• Purpose: If you use our website purely for informational purposes (i.e. without registering or otherwise transmitting information), personal data will be collected that your browser transmits to our server. This is technically necessary to display our website to you and to ensure the website’s stability and security.
• Data subjects: Website visitors
• Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR), § 165 para. 3 TKG 2021
• Legitimate interests: Provision of a stable, secure, and user-friendly information society service (website, online shop, appointment scheduling) to inform about our company, to promote our business and our services and products
• The following data is processed: IP address, date and time of the request, time zone difference to GMT, content of the request (specific page), access status / HTTP status code, amount of data transferred in each case, requesting

Website, browser, operating system and interface, language and version of browser software

• Retention period: As long as you use our website.
• Recipients / Categories of recipients: Processors

3.2. Electronic Contact Inquiries via the Website

• Purpose: Processing contact inquiries via email or the website contact form.
• Data subjects: Website visitors who use the contact form
• Legal basis: Performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), § 165 para. 3 TKG 2021
• Legitimate interests: Provision of a stable and user-friendly information society service (website, online shop, appointment scheduling) for receiving and responding to inquiries
• The following data is processed: Master data, content data of the inquiry
• Retention period: Until the inquiry is answered. If legal retention obligations apply, processing will be restricted until that time.
• Recipients / Categories of recipients: Processors

3.3. Cookies / Web Analytics Service

• Purpose: Improving service offerings, web presence, and direct marketing
• Data subjects: Website visitors
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), § 165 para. 3 TKG 2021
• Legitimate interests: Improvement of our own services, technical stability, plausibility check of billing resulting from the use of cookies and web analytics services
• The following data is processed: IP address
• Retention period: See cookie banner
• Recipients / Categories of recipients: Analytics service provider / Contractor

3.4. Use of Google Services This website uses various services of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”). For data processing concerning residents of the European Union, the European Economic Area, and Switzerland, the responsible entity is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Below, we explain in detail which services are used on this website. Further information about Google services and the privacy policy can be found at: https://policies.google.com/privacy?hl=en Information about transfers to countries outside the EU / EEA: When using Google services, Google—as an active participant in the EU-U.S. Data Privacy Framework—also processes your data in the United States. Companies that have successfully completed the Data Privacy Framework program are considered to have an adequate level of data protection under the provisions of the EU-U.S. and Swiss-U.S. Data Privacy Frameworks. The Data Privacy Framework ensures secure data transfers of EU citizens’ data to the U.S. Further information about the EU-U.S. Data Privacy Framework can be found at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en 3.4.1 Google Tag Manager This website uses Google Tag Manager, a tool for technically integrating and managing applications on the website.

• Purpose: Capturing interactions on the website and forwarding them to connected services; managing and modifying web analysis tools without programming knowledge
• Data subjects: Website visitors
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR)
• The following data is processed: IP address
• Retention period: During the website session
• Transfers to countries outside the EU / EEA: possibly USA (see details in section 3.4)

3.4.2 Google Fonts This website uses external fonts known as “Google Fonts.” These web fonts are integrated by a server call, typically to a Google server in Ireland.

• Purpose: Cross-platform, uniform presentation of our web content
• Data subjects: Website visitors
• Legal basis: Legitimate interest (Art. 6 para. 1 lit. f GDPR)

• Legitimate interests: Improvement of own services, technical stability, consistent presentation, fast website loading times
• Data processed: IP address
• Retention period: During the website session
• Transfers to countries outside the EU / EEA: possibly USA (details in section 3.4)

3.4.3 Google Analytics This website uses cookies from Google to analyze the use of the website.

• Purpose: Improving service offerings, website presence, and direct marketing. We use behavioral analysis to optimize both our online offerings and our advertising.
• Data subjects: Website visitors who have given their consent
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), explicit consent (Art. 49 para. 1 lit. a GDPR)
• Data processed: IP address, number of sessions and accesses, click behavior, duration of website visit, approximate location (country, city)
• Retention period: See cookie banner
• Recipients / Categories of recipients: Processors
• Transfers to countries outside the EU / EEA: possibly USA (details in section 3.4)

3.5. User Account To use the app and the web platform, a user account must be created. For this, users must register with an email address and password and subsequently receive a profile account.

• Purpose: Creation and management of the registered user profile
• Data subjects: Individuals who create a user account
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims; security measures, particularly protection against unauthorized access to user accounts
• Data processed: Salutation, title, first name, last name, address data, email address, date of birth, payment preferences, and for purchases, additional contract data, duration of access rights to specific digital products […]
• Retention period: Data may be stored until the end of the seventh year after the last contact with the customer, unless longer contractual or legal retention obligations apply
• Recipients / Categories of recipients: Processors

You can delete your user account at any time. In the navigation area of the customer account, the function “Delete user account” is available. After confirming the email sent to you, the user account will be deleted. 3.6. Customer Management, Accounting, Logistics and Bookkeeping

• Purpose: Processing of personal data in the context of all business relationships with customers and suppliers in the course of business activities, including systematic documentation of all transactions relating to income and expenses
• Data subjects: Customers, suppliers, employees
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), compliance with a legal obligation (Art. 6 para. 1 lit. c GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims; evaluation of customer relationships (especially duration of business relationship, number of complaints)
• Data processed: Master data, VAT ID number
• Retention period: Until the termination of the business relationship or until the expiry of the warranty, guarantee, limitation, and statutory retention periods applicable to the customer (especially under the Austrian Federal Fiscal Code – BAO); beyond that, until the conclusion of any legal disputes in which the data is required as evidence
• Recipients / Categories of recipients: Tax authorities, courts and regulatory bodies, suppliers, debt collection agencies, banks involved in payments to the data subject or third parties, legal representatives, auditors, payroll accountants

Providing your personal data is necessary for the performance of a contract or for the implementation of pre-contractual measures. Without this data, we cannot conclude a contract with you. 3.7. Customer Support and Marketing for Own Purposes

• Purpose: Processing of own or acquired customer and prospect data for business development regarding our own products or services, as well as for conducting marketing activities and newsletter distribution; customer relationship management
• Data subjects: Suppliers, customers
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), compliance with a legal obligation (Art. 6 para. 1 lit. c GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims; evaluation of open rates and campaign success statistics to optimize customer communication; commercial interest in customer and supplier retention
• Data processed for newsletter dispatch via our website: Master data
• Retention period: Data may be retained until the end of the third year after the last contact with the client, unless longer contractual or legal retention periods apply
• Recipients / Categories of recipients: Analytics service provider / contractor

3.7.1. Customer Referrals (“Referral Partnerships”) As part of our “Referral Partnerships,” we offer existing customers the opportunity to refer new customers to our products. Typically, we provide registered users with vouchers or discount codes that they can forward to new customers. If a new customer places an order, the referral partner also receives corresponding benefits. We process personal data to ensure smooth handling, transparent cooperation, and to measure the success of these activities.

• Purpose: Processing customer data related to the issuance and use of vouchers, discount codes, and rebates as part of marketing activities
• Data subjects: Existing customer, new customer
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), compliance with a legal obligation (Art. 6 para. 1 lit. c GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims; implementation of promotional activities within the referral partner program (e.g. voucher validity periods)
• Data processed: Email address of the referral partner, date and voucher code including validity period, master data of the new user, order data, accounting of referral benefits
• Retention period: Data may be retained until the end of one year after the last contact with the client, unless longer contractual or legal retention periods apply
• Recipients / Categories of recipients: Analytics service provider / contractor

3.8. Payment Systems 3.8.1. PayPal PayPal is an online payment service for which you need a personal PayPal account. The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

• Purpose: Processing online payments
• Data subjects: Users who order paid content and select this payment service provider
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), § 165 para. 3 TKG 2021
• Legitimate interests: Integration and provision of various payment systems; displaying and forwarding requests to payment providers; analyzing failed transactions to improve processes; defense, exercise, and enforcement of legal claims
• Data processed: PayPal ID, master data, contract data, IP address, device data necessary for the setup and technical processing of the payment, especially IP address, date and time of request, time zone difference to GMT, content of the request (specific page), access status / HTTP status code, amount of data transferred in each case, referring website, browser, operating system and interface, language and version of the browser software
• Retention period: Until the completion of the payment process, including the time required for processing a refund. Certain billing data will be stored for the statutory retention period of seven years
• Recipients / Categories of recipients: Online payment service provider and the sub-payment service provider selected by the user, processors

Further information about this online payment service provider can be found here: https://www.paypal.com/de/legalhub/paypal/privacy-full 3.8.2. Stripe Payments Stripe is an online payment service that requires you to have a personal Stripe account. The European operating company of Stripe is Stripe Payments Europe (Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland).

• Purpose: Processing online payments
• Data subjects: Users who order paid content and select this payment service provider
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), § 165 para. 3 TKG 2021
• Legitimate interests: Integration and provision of various payment systems; displaying and forwarding requests to payment providers; analysis of failed transactions to improve processes; defense, exercise, and enforcement of legal claims
• Data processed: First and last name, address, email address, contract data, device data required for setup and technical processing of the payment, in particular IP address, date and time of request, time zone difference to GMT, content of the request (specific page), access status / HTTP status code, amount of data transferred in each case, referring website, browser, operating system and interface, language and version of the browser software
• Retention period: Until completion of the payment process, including time required for processing a refund. Certain billing data is stored for the statutory retention period of seven years
• Recipients / Categories of recipients: Online payment service provider and sub-payment service provider selected by the user, processors

Further information about this online payment service provider can be found here: https://stripe.com/en-de/privacy 3.8.3. Coinbase Coinbase is an online payment service that requires you to have a personal Coinbase account. The European operating companies of Coinbase are Coinbase Ireland Limited (70 Sir John Rogerson’s Quay, Dublin 2, 662881, Ireland), Coinbase Europe Limited (70 Sir John Rogerson’s Quay, Dublin 2, 662881, Ireland), and Coinbase Germany GmbH (Kurfürstendamm 12, 10719 Berlin, Germany).

• Purpose: Processing online payments
• Data subjects: Users who order paid content and select this payment service provider
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), § 165 para. 3 TKG 2021
• Legitimate interests: Integration and provision of various payment systems; displaying and forwarding requests to payment providers; analysis of failed transactions to improve processes; defense, exercise, and enforcement of legal claims
• Data processed: Transaction data, contract data, master data, device data required for setup and technical processing of the payment, in particular IP address, date and time of request, time zone difference to GMT, content of the request (specific page), access status / HTTP status code, amount of data transferred in each case, referring website, browser, operating system and interface, language and version of the browser software
• Retention period: Until completion of the payment process, including time required for processing a refund. Certain billing data is stored for the statutory retention period of seven years
• Recipients / Categories of recipients: Online payment service provider, processors

Further information about this online payment service provider can be found here: https://www.coinbase.com/de/legal/privacy 3.9. Applicant Management

• Purpose: Use and retention of personal data provided by applicants, when such data has been submitted by the individual
• Data subjects: Applicants, interested parties
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), explicit consent (Art. 9 para. 2 lit. a GDPR), as well as for the establishment, exercise, or defense of legal claims (Art. 9 para. 2 lit. f GDPR), and legitimate interest (Art. 6 para. 1 lit. f GDPR; Art. 10 GDPR in conjunction with § 4 para. 3 Z 2 DSG)

• Legitimate interests: Defense, exercise, and enforcement of legal claims; documentation of the selection process, including evaluations and interview notes
• Data processed: Master data, CV, voluntarily submitted data
• Retention period: Applicant data will be deleted without delay after the position has been filled or after the expiration of the claim period under the Equal Treatment Act (7 months), unless consent for data retention has been given. Unsolicited applications will be retained for future reference as appropriate, and only until withdrawal by the data subject
• Recipients / Categories of recipients: Applicant data is not shared

3.10. Social Media

• Purpose: In addition to our website, we also operate presences on social networks, specifically YouTube, Instagram, LinkedIn, and X (formerly Twitter), to increase the visibility of our company and for marketing purposes. When you visit one of our online profiles, personal data may be transmitted to the operator of the respective social network. If you are logged in to the network, the operator may also associate your profile with ours
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), explicit consent (Art. 49 para. 1 lit. a GDPR)
• Data subjects: Visitors to our social media profiles
• Data processed: Date and time of actions performed, user ID (for logged-in users only), location data (country/city), language setting, age/gender group (for logged-in users, based on profile data), previously visited website, identification of hardware (computer/mobile device)
• Retention period: If a person contacts us via social media, the message is treated like an electronic inquiry via the website (see section 3.2). The data will be stored until the inquiry is answered. If legal retention obligations exist, processing will be restricted accordingly
• Recipients / Categories of recipients: Operators of the visited social media platforms

3.10.1 YouTube (Google LLC) YouTube is part of the Google LLC group. The controller for the processing of personal data in connection with YouTube usage is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

• Transfer to the following data protection third countries: USA: Companies that have successfully completed the Data Privacy Framework Program are considered to have an adequate level of protection under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks. It is legally permissible to transfer information to these companies under the framework. Details on data collection and processing by the respective provider can be found at: https://www.youtube.com/static?gl=DE&template=terms&hl=de and https://policies.google.com/privacy Google LLC, the parent company of the YouTube platform, has committed to complying with the requirements of the EU-U.S. and Swiss-U.S. Data Privacy Frameworks by certifying under the Data Privacy Framework Program. Information about participation can be found by searching “Google LLC” at: https://www.dataprivacyframework.gov/s/participant-search

3.10.2 Facebook, Instagram (Meta Inc.) Facebook and Instagram are part of Meta Inc. These services are operated by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, which is the controller for the processing of personal data through Facebook and Instagram. Details on data collection and processing by the respective platform can be found at: Facebook: https://de-de.facebook.com/about/privacy/ (general privacy policy) and https://www.facebook.com/legal/terms/page_controller_addendum# (specific data collection for page insights) Instagram: https://help.instagram.com/155833707900388

• Transfer to the following data protection third countries: USA: Companies that have successfully completed the Data Privacy Framework Program are considered to have an adequate level of protection under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks. It is legally permissible to transfer information to these companies under the framework.

Meta Platforms Inc., the parent company of Facebook and Instagram, has committed to complying with the requirements of the EU-U.S. and Swiss-U.S. Data Privacy Frameworks by certifying under the Data Privacy Framework Program. Information on participation can be found by searching “Meta Platforms, Inc.” at: https://www.dataprivacyframework.gov/s/participant-search 3.10.3. LinkedIn (Microsoft Corporation) LinkedIn is part of the Microsoft Corporation group. The controller responsible for processing personal data in connection with the use of LinkedIn services is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

• Transfer to the following data protection third countries: USA: For companies that have not completed the Data Privacy Framework Program, no adequate level of protection can be guaranteed under legal requirements Details on data collection and processing by the respective provider can be found here: LinkedIn: https://www.linkedin.com/legal/privacy-policy LinkedIn relies on the European Commission’s Standard Contractual Clauses (SCCs) for international data transfers. Details are available here: https://www.linkedin.com/help/linkedin/answer/a1343190

3.10.4. X (formerly Twitter) X is operated by X Corp. The controller responsible for the service in the European region is Twitter International Unlimited Company, Fenian Street, D02 F663 Dublin, Ireland.

• Transfer to the following data protection third countries: USA: For companies that have not completed the Data Privacy Framework Program, no adequate level of protection can be guaranteed under legal requirements Details on data collection and processing by the respective provider can be found here: https://twitter.com/de/privacy X relies on the European Commission’s Standard Contractual Clauses (SCCs) for international data transfers. Details are available here: https://gdpr.x.com/en/controller-to-controller-transfers.html

3.10.5. TikTok (Bytedance Ltd.) TikTok is operated by Bytedance Ltd. and its European branch, TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland. The controller for data processing in connection with TikTok use is TikTok Technology Limited.

• Transfer to the following data protection third countries: TikTok may transfer personal data to countries outside the EU, particularly China and the USA. Transfers are based on the European Commission’s Standard Contractual Clauses pursuant to Art. 46 GDPR. More information can be found in the TikTok privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/en
• Purpose: Content display, brand communication, user interaction, marketing
• Data subjects: Visitors to our TikTok presence
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), explicit consent (Art. 49 para. 1 lit. a GDPR)
• Data processed: Username, profile picture, date and time of interactions, content data (e.g. comments), device data, location data if applicable
• Retention period: Unless otherwise specified, TikTok’s internal retention periods apply. If a person contacts us, the rules under section 3.2 apply
• Recipients / Categories of recipients: TikTok or Bytedance Ltd.

3.10.6. Threads (Meta Platforms Ireland Limited) Threads is a service of Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, and part of the Meta group (Facebook, Instagram).

• Transfer to the following data protection third countries: USA: Meta Platforms Inc., the parent company, is certified under the EU-U.S. Data Privacy Framework. Details on certification: https://www.dataprivacyframework.gov/s/participant-search
• Purpose: Brand communication, reach analysis, social media marketing
• Data subjects: Visitors to our Threads presence

• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), explicit consent (Art. 49 para. 1 lit. a GDPR)
• Data processed: Username, location data, content data (e.g. comments), device data, interest profiles
• Retention period: Unless otherwise specified, Meta’s internal retention periods apply. If a person contacts us, the rules outlined in section 3.2 apply
• Recipients / Categories of recipients: Meta Platforms Ireland Limited

3.11. Website Shop System: WooCommerce The integration of the webshop on this website is done using the WooCommerce plugin for WordPress, an open-source solution provided by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA.

• Purpose: Provision of our products and services, processing and handling of orders, delivery of important messages and information regarding your account or your purchase
• Data subjects: Website visitors
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims; optimization of our website
• Data processed: Master data, voluntarily submitted data
• Retention period: We retain your personal data only as long as necessary to fulfill the purposes for which it was collected. When your data is no longer needed, it will be securely deleted or anonymized
• Recipients / Categories of recipients: Shipping service providers
• Transfer to data protection third countries: Yes, USA. Companies that have successfully completed the Data Privacy Framework Program are considered to offer an adequate level of protection under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks. It is legally permissible to transfer information to such companies under the framework.

Automattic Inc., the parent company of the WooCommerce platform, has committed to complying with the requirements of the EU-U.S. and Swiss-U.S. Data Privacy Frameworks by certifying under the Data Privacy Framework Program. Information on participation can be found by searching “Automattic, Inc.” at: https://www.dataprivacyframework.gov/s/participant-search Further information on WooCommerce’s privacy policy can be found at: https://automattic.com/privacy/ 3.12. Images and Learning Content 3.12.1. Vimeo The controller for Vimeo is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.

• Purpose: Preparation and presentation of course content in the members’ area
• Data subjects: Users who use Vimeo
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims
• Data processed: Usage data, content data
• Retention period: We retain your personal data only as long as necessary to fulfill the purposes for which it was collected. When your data is no longer needed, it will be securely deleted or anonymized Further information on Vimeo’s privacy policy can be found here: https://vimeo.com/privacy

3.12.2. LearnDash The controller for LearnDash is LearnDash, 2531 Jackson Avenue, Ann Arbor, MI 48103, USA.

• Purpose: Preparation and presentation of course content in the members’ area
• Data subjects: Users who use LearnDash
• Legal basis: Consent (Art. 6 para. 1 lit. a GDPR), legitimate interest (Art. 6 para. 1 lit. f GDPR), performance of a contract or pre-contractual measures (Art. 6 para. 1 lit. b GDPR)
• Legitimate interests: Defense, exercise, and enforcement of legal claims
• Data processed: Usage data
• Retention period: We retain your personal data only as long as necessary to fulfill the purposes for which it was collected. When your data is no longer needed, it will be securely deleted or anonymized Further information on LearnDash’s privacy policy can be found here: https://www.learndash.com/privacy-policy/

3.12.3. YouTube (Google LLC) YouTube videos are embedded in LearnDash for the presentation of video content. When an embedded YouTube video is started, a connection to YouTube’s servers is established. YouTube is then informed which page you are visiting. Additionally, when a video is played, cookies are used to collect information about user behavior – unless cookies are blocked in your browser. For more information, see section 3.10.1 and YouTube’s privacy policy: https://policies.google.com/privacy?hl=de&gl=de 4.Information on Data Transfers to Third Countries or International Organizations The data we process is not transferred to recipients in third countries or to international organizations. 5.Change Management This privacy policy is available in its current version on our website. If you have questions about a previous version, please contact the entity listed in section 1.