Privacy Information

Our privacy information is structured as follows:

Contents

1. General Information
   1. Controller
   2. Data Protection Officer
   3. Disclosure of Data to Third Parties
   4. Storage Period
   5. Your Rights
2. Additional Information on Data Processing on Our Website
   1. Data Processing Strictly Necessary for Providing the Website
      1. Accessing Our Web Pages and Server Log Files
      2. Consent Management Tool
      3. Cookies Necessary for Website Functionality
   2. Additional Data Processing on the Website Based on Consent
      1. Google Services
      2. Meta Pixel
      3. TikTok Pixel
   3. Data Processing When Contacting Us, Placing an Order, or Using Website Features
      1. Contacting Us
      2. Registration and Login
      3. Orders
      4. Payment Processing
      5. Marketing Measures
   4. Categories of Recipients of Personal Data of Website Visitors and Third-Country Transfers
      1. Categories of Recipients
      2. Third-Country Transfers
3. Additional Information on Data Processing on Our Social Media Company Pages
   1. General Information on Company Pages, Legal Basis

For reasons of readability, gender‑specific language is omitted. All terms apply equally to all genders.

A. General Information

1. Controller

The controller responsible for processing personal data is:

Cumdente GmbH
Paul-Ehrlich-Straße 11
72076 Tübingen
Phone: 07071 - 975 57 21
Fax: 7071 - 975 57 22
Email: info@cumdente.de

2. Data Protection Officer

You can reach our Data Protection Officer at:

Cumdente GmbH
Dr. med. dent. Esther Hahn
Paul-Ehrlich-Straße 11
72076 Tübingen
Phone: 07071 - 975 57 21
Fax: 7071 - 975 57 22
Email: datenschutz@cumdente.de

3. Disclosure of Data to Third Parties

Your personal data is only disclosed to third parties if permitted under data protection law, particularly if you have consented to the disclosure (Art. 6(1)(1)(a) GDPR) or if the disclosure is necessary for contract fulfilment (Art. 6(1)(1)(b) GDPR).

The relevant recipients and recipient categories are listed in the respective supplementary sections.

4. Storage Period

Personal data processed by us is stored only as long as necessary for the respective purpose—especially processing inquiries and orders, and maintaining user accounts. Afterwards, the data is deleted.

Further storage is possible if you have consented (Art. 6(1)(1)(a) GDPR) or if we are legally required to store the data (e.g., ten years for tax‑relevant documents or six years for business correspondence under German law) according to Art. 6(1)(1)(c) GDPR.

5. Your Rights

5.1 Deactivating and Deleting Cookies

Cookies may be stored on your device when you visit our website. You may disable the storage of cookies in your browser settings. You may also delete already‑stored cookies at any time. However, this may result in limited website functionality.

5.2 Right of Withdrawal

Some data processing activities described in this privacy information are based on your consent. You may withdraw your consent at any time with effect for the future. You can withdraw consent relating to website services via the Consent Management Tool (“CMT”). You may also re‑consent to individual processing operations at any time. You can open the CMT at any time via the “Cookie Settings” link in the footer. In all other cases, you may withdraw consent by contacting us using the details provided above.

5.3 Right to Object

You may object at any time to the processing of personal data for direct marketing purposes; you may also object at any time—for reasons arising from your particular situation—to processing based on Art. 6(1)(e) or (f) GDPR. Only transmission costs at basic rates apply.

5.4 Right of Access, Rectification, Erasure, Restriction, and Data Portability

You have the right, under Arts. 15–20 GDPR, to obtain free information about your stored data, to have incorrect data corrected, and to request erasure, restriction, or portability of your data. In some cases, legal retention obligations may prevent full erasure.

5.5 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with a supervisory authority—particularly in your country of residence, workplace, or the place of a suspected infringement—if you believe that processing your personal data violates data protection law.

B. Additional Information on Data Processing on Our Website

In addition to our General Information (see section A), this section explains how personal data is collected on our website, for which purposes it is processed, and on which legal basis.

I. Data Processing Strictly Necessary for Providing the Website

Some data processing is strictly necessary to provide our services without technical or functional limitations and in accordance with legal requirements. Such processing occurs even if you have rejected any additional processing via the Consent Management Tool (“CMT”).

1. Accessing Our Web Pages and Server Log Files

To load content from our web pages and display it correctly on your device, your browser automatically sends data requests to our servers. Each request includes, among other data: (dynamic) IP address, browser type and version, operating system and version, accessed domain, previously visited page, as well as date and time of access. These requests are automatically stored in so‑called “server log files”.

This processing is necessary to ensure the website can be accessed and displayed properly. Log files also help identify cyberattacks and ensure the availability of the website (Art. 6(1)(1)(b) GDPR).

2. Consent Management Tool

We use a Consent Management Tool (“CMT”) to obtain and document your consent for the use of various services.

When you access our website, you can provide consent for individual processing operations via the CMT. These consents are stored.

To do this, the CMT stores cookies (small text files) on your device. These include the following cookies:

Open cookie information

On subsequent visits, the CMT can recognize which processing operations you have consented to or rejected. This prevents you from having to make the same choices each time you visit. Storage of the listed cookies is strictly necessary (§ 25(2)(2) TTDSG).

You may open the CMT at any time via the “Cookie Settings” link in the website footer to revoke previously granted consent.

3. Cookies Necessary for Website Functionality

When you visit our website, cookies may be stored on your device:

Open cookie information

The storage of these cookies is strictly necessary for the operation of our website (§ 25(2)(2) TTDSG).

II. Additional Data Processing on the Website Based on Consent

We have integrated the following services into our website for various purposes. These services process data only if you provide consent via the CMT. You may revoke your consent at any time via the CMT. See also section A.I.5.2.

1. Google Services

Our website integrates services provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (“Google”).

1.1 General Information About Google Services, Legal Basis

To provide the services, Google accesses information stored on your device. Google may also store information and cookies on your device. Details can be found in the respective service descriptions below. The legal basis for accessing and storing information is your consent (§ 25(1)(1) TTDSG).

Google uses this information to provide and continuously improve its services. The legal basis for processing personal data for these purposes is your consent (Art. 6(1)(1)(a) GDPR).

It cannot be ruled out that data processed by Google may be transferred to servers located in a third country, especially the United States, to the parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, California, USA. To secure these transfers, we have entered into EU Standard Contractual Clauses with Google. According to Google, they ensure compliance with data protection obligations. Nevertheless, transfers to the U.S. involve specific risks. Therefore, Google services are only enabled after your explicit consent. See section IV.2 for more details.

If you are logged into your Google account, Google may associate processed information with your account, depending on your settings. See more at: https://www.google.de/policies/privacy/partners. We do not receive any information on these aggregated data.

Further information on Google’s processing activities:

• https://policies.google.com/privacy (“Google Privacy Policy”)
• https://www.google.com/intl/de/policies/privacy/partners (“How Google uses data from sites or apps that use our services”)
• http://www.google.com/policies/technologies/ads (“Data use for advertising purposes”)

1.2 Google Tag Manager

We use Google Tag Manager on our website to load additional services. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool for managing website tags. Through Google Tag Manager, tracking and statistics tools as well as other technologies can be integrated into our website. Google Tag Manager itself does not create user profiles, does not store cookies, and does not perform independent analyses. It serves exclusively for the management and delivery of the tools integrated through it.

Due to this technical implementation, Google gains knowledge when a webpage is accessed that the website was called up with the IP address of your device. Additionally, Google can track which functions and tools are loaded via GTM.

The legal basis for its use is your consent according to Art. 6 Para. 1 lit. a GDPR as well as §25 TTDSG.

You have the option to deactivate the service and thus prevent data transfer to the provider by disabling JavaScript through your browser settings. However, we would like to point out that in this case you may not be able to use all functions of the website.

Further information about data processing by GTM can be found at:

https://support.google.com/tagmanager/answer/6102821?hl=de

1.3 Google Analytics 4

This website uses Google Analytics 4, a web analytics service from Google Ireland Limited.

Google Analytics enables us to analyze website visitor behaviour. Data processed includes:

• pages visited
• time spent on pages
• click paths
• approximate location data
• technical information on browser and device
• IP address (truncated)

Data may be transferred to servers operated by Google LLC in the USA. Transfers are based on the EU Standard Contractual Clauses.

The processing is carried out exclusively on the basis of your consent according to Art. 6 Para. 1 lit. a GDPR as well as §25 TTDSG. You can withdraw your consent at any time via the cookie settings.

The service performs a cross-website analysis of your browsing behavior. For this purpose, the service stores cookies, i.e., small text files, on your device: These are the following cookies: 

Open cookie information

On our behalf, Google processes the collected data to provide us with pseudonymous profiles of individual visitors and general statistics about the use of our website. We use this information to improve our offering and make it more interesting for you as a user.

IP anonymization has been activated on this website, so that your IP address is shortened by Google Analytics before storage. According to Google, only in exceptional cases is the full IP address transmitted to a Google LLC server in the USA and shortened there. According to Google, the shortened IP address transmitted by your browser within the framework of Google Analytics is not merged with other Google data.

Under the following link, you can download and install a plug-in for cross-website deactivation of Google Analytics for the browser you use: https://tools.google.com/dlpage/gaoptout?hl=en.

Further information about data processing by Google Analytics can be found at: https://support.google.com/analytics/answer/6004245?hl=en.

1.4 Google Ads, Google Ads Remarketing, Google Ads Conversion Tracking

Our website integrates the services Google Ads, Google Ads Remarketing, and Google Ads Conversion Tracking to draw attention to our offerings in Google search results as well as on third-party websites.

We want to display only attractive advertisements for you. For this purpose, Google analyzes in particular device information, your location, and your browsing behavior on our website. For this purpose, the service stores cookies, i.e., small text files, on your device:

These are the following cookies: 

Open cookie information

This website uses the online advertising program Google Ads and, within the framework of Google Ads, conversion tracking.

When you reach our website via a Google advertisement, a cookie is stored on your device by Google Ads. These cookies serve to analyze and statistically evaluate the effectiveness of our advertising campaigns.

In particular, the following data may be processed:

• page views
• conversion events
• device information
• IP address

The processing is carried out exclusively on the basis of your consent according to Art. 6 Para. 1 lit. a GDPR as well as §25 TTDSG.

You can activate or deactivate personalized advertising from Google via the advertising settings under this link: https://adssettings.google.com/anonymous?sig=ACi0TCjoT_RnPbIUe8IGa85dyA_5J4bol6TV5SM7jVOJycoeZaGP6BA8RWwSWmRUP0XRoURUu0XBV15kNZzQKE4cntIuJx15vg&hl=de

These settings are saved in your Google account (if you are logged in) or in the browser (if you are not logged in). Alternatively, you have the option to install a plug-in for your browser under this link to deactivate personalized advertising: https://support.google.com/ads/answer/7395996?hl=en.

Further information about the functionality and data processing by Google Ads can be found at:

• https://ads.google.com
• https://ads.google.com/intl/de_de/home/faq/gdpr
• https://policies.google.com/technologies/ads

2. Meta Pixel (Facebook /Instagram)

This website uses Meta Pixel, provided by Meta Platforms Ireland Ltd., Dublin, Ireland.

Meta Pixel enables us to track user behaviour after being redirected to our website via a Facebook or Instagram advertisement.

This helps us:

• measure the effectiveness of advertising
• build target audiences (remarketing)
• optimize ads

Data may be transferred to Meta Platforms Inc. in the USA.

The processing is carried out exclusively on the basis of your consent according to Art. 6 Para. 1 lit. a GDPR as well as §25 TTDSG.

When accessing our web pages, a 1x1 pixel image file is automatically loaded from the provider's servers. Through the respective data request to load the image file, the following information is disclosed to the provider: (dynamic) IP address, browser type and version, operating system and version, accessed domain, previously visited website, as well as date and time of access. The legal basis for accessing stored information on your device by the service is your consent (§ 25 Para. 1 S. 1 TTDSG).

It cannot be excluded that data collected by the service may also be transmitted to and stored on a server of the provider in a third country – particularly in the USA. To secure third-country transfers, we have agreed on EU Standard Contractual Clauses with the provider. According to its own statements, the provider ensures compliance with data protection agreements. Nevertheless, the transmission of personal data to the USA involves special risks for affected persons. The integration of and data processing by the service therefore only takes place after your explicit consent. More detailed information about third-country transfers can be found in Section IV.2.

Users logged into Facebook can adjust their advertising settings at: https://www.facebook.com/ads/preferences.

Further information about data processing by the service can be found at: 

• https://www.facebook.com/policy.php
• https://m.facebook.com/policies/cookies

3. TikTok Pixel

This website uses TikTok Pixel, provided by TikTok Technology Limited, Dublin, Ireland.

TikTok Pixel allows us to analyze user behaviour after being redirected to our site via a TikTok advertisement.

Data processed may include:

• IP address
• device information
• browser information
• usage behaviour
• pages visited
• conversion events

The data may be transmitted to TikTok servers outside the European Union, particularly to the USA. Furthermore, it cannot be excluded that data may also be transmitted to TikTok's parent company, ByteDance Ltd. based in China.

In these countries, there is no level of data protection comparable to that of the European Union. In particular, it cannot be excluded that government authorities may access the data. 

The transmission is based on your consent according to Art. 6 Para. 1 lit. a GDPR and Art. 49 Para. 1 lit. a GDPR as well as §25 TTDSG.

Further information about data processing by the service can be found at: 

https://www.tiktok.com/legal/page/eea/privacy-policy/enIII. 
 

III. Data Processing When Contacting Us, Placing an Order, or Using Features on the Website

Below you can read which data is processed when you contact us or use functionalities on the website.

1. Contacting Us

We collect personal data that you enter into a contact form or provide to us when contacting us. Fields marked as “required” collect the data necessary for carrying out the desired action. You may provide additional data voluntarily.

The processing is based on Art. 6(1)(1)(b) GDPR if necessary to process your request. In all other cases, processing is based on our legitimate interest in effectively handling incoming inquiries (Art. 6(1)(1)(f) GDPR).

2. Registration and Login

You may create a customer account on our website. During registration, we collect data marked as “required”, which is necessary for establishing the user relationship (Art. 6(1)(1)(b) GDPR). You may provide additional data voluntarily (Art. 6(1)(1)(a) GDPR). You may delete your user account at any time.

To technically allow access to password-protected areas, it is strictly necessary that the following cookies are stored on your device (§ 25(2)(2) TTDSG):

Open cookie information

3. Orders

You may place orders with us. During the ordering process, we collect data marked as “required”, which is necessary for processing the order (Art. 6(1)(1)(b) GDPR). You may provide additional data voluntarily (Art. 6(1)(1)(a) GDPR).

For more convenient shopping, you may also register or log in — see section D.2.

To technically enable the shopping cart function and the order process, it is strictly necessary that the following cookies are stored on your device (§ 25(2)(2) TTDSG):

Open cookie information

4. Payment Processing

Below you can read which payment methods are available and which personal data is processed in each case.

4.1 PayPal

Payments may be processed using PayPal. The provider is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L‑2449 Luxembourg (“PayPal”).

Payment via PayPal is only possible if you have a PayPal account. When selecting PayPal as the payment option, you will be redirected to the PayPal website. In doing so, data is transmitted to PayPal; in particular, PayPal receives information about your purchase. This transmission is necessary to provide the chosen payment method (Art. 6(1)(1)(b) GDPR).

We have no influence on further data processing performed by PayPal. This is governed solely by the agreements between you and PayPal. PayPal alone is responsible for how it handles and protects the data it collects. More information on PayPal’s data processing can be found at: https://www.paypal.com/de/webapps/mpp/ua/privacy-full .

4.2 Other Payment Methods

If you choose credit card or direct debit and this is necessary for processing the payment, we will transmit the required data to the chosen payment service provider (Art. 6(1)(1)(b) GDPR).

5. Marketing Measures

We have a legitimate interest in using your data for direct marketing purposes under Art. 6(1)(1)(f) GDPR.

If you have consented (Art. 6(1)(1)(a) GDPR), we will also use your data to send you an email newsletter and personalized advertising.

You can revoke your consent to receiving newsletters at any time using the unsubscribe link in each newsletter or by contacting us using the details provided above. You may also object to the processing of your personal data for marketing purposes for the future, in writing, by fax, by email, or by telephone. Only transmission costs at basic rates apply. The lawfulness of processing already carried out remains unaffected.

IV. Categories of Recipients of Personal Data of Website Visitors and Third-Country Transfers

1. Categories of Recipients of Personal Data

Categories of non-instructed recipients: providers of analytics services and payment service providers.

Categories of instructed service providers contractually obligated to follow data protection requirements and prohibited from using the data for other purposes: providers responsible for website maintenance and hosting.

2. Third-Country Transfers

Our website integrates services from providers based in the United States or with ties to the U.S as well as those based in China or with connections to China. If you consent to data processing by such a provider, it cannot be ruled out that U.S. /chinese  authorities may access your data without restriction. No effective legal remedies exist against this.

• Service:

  Google Tag Manager, Google Analytics, Google Ads

  Provider:

  Google Ireland Limited, Ireland

  Parent Company:

  Google LLC, USA

• Service:

  Meta Pixel

  Provider:

  Meta Platforms Ireland, Ireland

  Parent Company:

  Meta Platforms Inc., USA

• Service:
  TikTok Pixel
  Provider:
  TikTok Technology Limited, Dublin, Irland
  
   Parent Company:
  ByteDance Ltd., China

It cannot be ruled out that these companies, their respective parent companies, and/or U.S./ Chinese authorities may access personal data processed through these services.

As a legal basis for transferring personal data to the U.S.or China, Standard Contractual Clauses (“SCC”) are generally concluded under Art. 46(2)(c) GDPR. However, an SCC-based transfer is only permissible if the clauses can be effectively complied with. This would require that unrestricted access by U.S./ Chinese authorities could be excluded — which is currently not the case.

Although we conclude SCCs with these companies, we only use the services based on your explicit, informed consent (Art. 49(1)(1)(a) GDPR). We explicitly warn of the risks associated with such transfers:

Due to the powers of U.S./ Chinese intelligence agencies and the current U.S./ Chinese legal framework, U.S./ Chinese government surveillance is considered disproportionate by EU standards. In particular, Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) places no meaningful limits on surveillance of non-U.S. persons. Further, Presidential Policy Directive 28 (PPD‑28) provides no effective legal remedies. Additionally, under the U.S. Cloud Act, U.S. authorities may require U.S. companies to hand over data stored anywhere, including servers located within the EU.

Since there is no level of data protection in these third countries comparable to that of the European Union, the transmission is carried out expressly only on the basis of your consent according to Art. 6 Para. 1 lit. a GDPR and Art. 49 Para. 1 lit. a GDPR as well as §25 TTDSG.

C. Additional Information on Data Processing on Our Social Media Company Pages

We operate a so‑called “company page” on the following social media platforms:

Facebook:

Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Instagram:

Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

YouTube:

Google Ireland Limited, Google Building Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland

In addition to our general information (see section A), we explain here how data is processed when visiting one of our company pages.

1. General Information on Company Pages, Legal Basis

As the owner of an online presence on a social media platform, we process personal data when you contact us directly via private message or via public comment functions. The data collected depends on the information you provide and the contact details you share or make visible. Processing is based on Art. 6(1)(1)(b) GDPR where necessary to fulfil your request. In all other cases, processing is based on our legitimate interest in effectively handling incoming inquiries (Art. 6(1)(1)(f) GDPR).

When you visit a company page, the platform operator (“provider”) collects information enabling it to recognise users and analyse their behaviour. Using this data, the provider can create user profiles. If you are logged in to your account while visiting a company page, the provider may associate this visit with your account.

We only receive anonymised statistical insights from the provider regarding the usage of our company page. These allow us to better tailor our content. We therefore have a legitimate interest in collecting and processing this information. We also have a legitimate interest in using as many communication channels as possible to reach interested users personally. The legal basis for processing associated with operating a company page is Art. 6(1)(1)(f) GDPR.

We do not ourselves share personal data collected via our company pages with third parties. However, we cannot influence or exclude that the providers may share collected data with third parties — especially their partner companies, which may be located outside the EU. In many non‑EU countries, there is currently no level of data protection equivalent to EU standards.

You may exercise your rights as a data subject (see A.I.5) both with us and with the respective platform provider. However, we note that the provider is generally better positioned to fulfil requests, as it has exclusive access to user data and can take the corresponding measures directly.