logo

Privacy Policy

Status: July 2025

1. General information about the processing of personal data

1.1. The protection of your personal data is of particular importance to us. Below, we wish to provide you with detailed information about which personal data is processed when you use our websites and services.

1.2. The controller according to Art. 4 No. 7 of the General Data Protection Regulation (“GDPR”) is:

Flightright GmbH
Revaler Straße 28
10245 Berlin
E-mail: service@flightright.de

(hereinafter “Flightright”). Further details can be found in our legal notice.

1.3. You can reach our Data Protection Officer at datenschutz@flightright.de or by post at our address, adding “Data Protection Officer” to the recipient field.

1.4. We only process personal data in compliance with the relevant data protection regulations. This means that data will only be processed if a legal permission applies, in particular when the data processing is necessary to provide our contractual services and online services, is required by law, consent has been given, or where it is based on our legitimate interests.

1.5. The legal basis for consent is Art. 6(1)(a), Art. 7 GDPR and Section 25(1) TDDDG; the legal basis for processing for the performance of our services and the execution of contractual measures is Art. 6(1)(b) GDPR; the legal basis for processing to fulfil our legal obligations is Art. 6(1)(c) GDPR; and the legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR and Section 25(2) TDDDG.

2. Data processing when visiting our websites

2.1. When you visit our websites purely for informational purposes, meaning that you do not make an enquiry, log in, or otherwise provide us with personal information, we process the data that your browser transmits to our server and which is technically necessary to display our websites to you and to ensure stability and security (collectively referred to as “visit data”):

  • IP address

  • Date and time of the request

  • Duration of the website visit

  • Time zone difference to Greenwich Mean Time (GMT)

  • Content of the request (specific page)

  • Access status/HTTP status code

  • Amount of data transferred in each case

  • Website from which the request comes

  • Websites you visit on our site

  • Internet service provider

  • Browser type

  • Server log files

  • Operating system and its interface

  • Language and version of browser software

2.2. The legal basis is our legitimate interest in displaying the requested websites (Art. 6(1)(f) GDPR and Section 25(2) TDDDG).

2.3. From individual visit data, we create anonymous usage profiles that allow us to continuously improve our online offering.

2.4. Google Tag Manager

We use the service called Google Tag Manager by Google. “Google” is a corporate group consisting of Google Ireland Ltd. (provider of the service), Gordon House, Barrow Street, Dublin 4, Ireland, as well as Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and other affiliated companies of Google LLC. The Google Tag Manager enables us to centrally manage and control marketing and analytics tags.

During a transitional phase, we work with two different versions of the Google Tag Manager in parallel.

Client Side Tracking Version:
We have concluded a data processing agreement with Google. The Google Tag Manager is an auxiliary service and processes personal data itself only for technically necessary purposes. The Google Tag Manager ensures the loading of other components, which may in turn collect data. The Google Tag Manager does not access this data. More information on the Google Tag Manager can be found in Google’s Privacy Policy . Please note that US authorities, such as intelligence services, may have access to personal data due to US laws like the Cloud Act, to data that is inevitably exchanged with Google when this service is integrated because of the Internet Protocol (TCP).

Server Side Tracking Version:
We use the Google Tag Manager server-side and collect the data ourselves first. This is stored on our own Lynx server and transmitted in purely anonymised form to Google or other third parties. No direct data connection between you and Google is established. No cookies or other techniques that access information on your end device are used.

We work here with an IT service provider within the framework of data processing in order to share user information with advertising services in compliance with data protection requirements and efficiently. The servers and services provided by the service provider enable secure processing and encrypted transmission of user data without personal data being stored. This allows us to make our advertising measures targeted and effective while ensuring privacy is protected at all times.

The legal basis for the use of the server-side Google Tag Manager is our legitimate interest under Art. 6(1)(f) GDPR and Section 25(2) TDDDG in the systematic management of tags and thus maintaining the speed of our website, as the scripts of the tags do not have to be manually integrated into our website’s source code. Your interests have been considered accordingly due to the local storage of the data on our own servers.

2.5. Google Analytics 4

During a transitional phase, we work with two different versions of the Google Analytics 4 service in parallel.

Client Side Tracking Version:
If you have given your consent, Google Analytics 4 is used on this website, a web analytics service of Google LLC. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Type and purpose of processing
Google Analytics uses cookies that enable an analysis of your use of our websites. The information generated by the cookies about your use of this website is generally transmitted to a Google server in the USA and stored there.

We use Google Signals. This allows additional information about users who have activated personalised advertising (interests and demographic data) to be collected in Google Analytics, and ads can be delivered to these users in cross-device remarketing campaigns.

In Google Analytics 4, IP anonymisation is enabled by default. Due to IP anonymisation, your IP address will be shortened by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by your browser in the context of Google Analytics will, according to Google, not be merged with other Google data.

During your website visit, your user behaviour is recorded in the form of “events”. Events can include:

  • Page views

  • First visit to the website

  • Start of session

  • Pages visited

  • Your “click path”, interaction with the website

  • Scrolls (whenever a user scrolls to the end of the page (90%))

  • Clicks on external links

  • Internal searches

  • Interaction with videos

  • File downloads

  • Viewed / clicked ads

  • Language settings

  • Your approximate location (region)

  • Date and time of the visit

  • Your IP address (in shortened form)

  • Technical information about your browser and the devices you use (e.g., language setting, screen resolution)

  • Your internet service provider

  • The referrer URL (which website/advertisement brought you to this website)

Purpose of processing
On behalf of the operator of this website, Google will use this information to evaluate your pseudonymous use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns.

Recipients
Recipients of the data are/can be:

  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor under Art. 28 GDPR)

  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

  • Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Third country transfer
For the USA, the European Commission adopted its adequacy decision on 10 July 2023. Google LLC is certified under the EU-US Privacy Framework. As Google servers are distributed worldwide and a transfer to third countries (e.g., Singapore) cannot be completely excluded, we have also concluded the EU Standard Contractual Clauses with the provider.

Retention period
The data we send and that is linked with cookies will be automatically deleted after 14 months. The maximum lifespan of Google Analytics cookies is 2 years. Data whose retention period has expired is automatically deleted once a month.

Legal basis
The legal basis for this data processing is your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG.

Withdrawal
You can withdraw your consent at any time with effect for the future by scrolling to the cookie declaration following this privacy policy and withdrawing or adjusting your consent there. The lawfulness of the processing carried out on the basis of the consent until the withdrawal remains unaffected.

You can also prevent the storage of cookies from the outset by selecting the appropriate settings in your browser software. However, if you configure your browser to reject all cookies, this may lead to functional limitations on this and other websites. In addition, you can prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google and the processing of this data by Google by:

  • Not giving your consent to the setting of the cookie, or

  • Downloading and installing the browser add-on to disable Google Analytics, available here .

Further information on the terms of use of Google Analytics and on data protection at Google can be found at https://marketingplatform.google.com/about/analytics/terms/en/ and at https://policies.google.com/?hl=en .

Server Side Tracking Version:
On our website, we use the Google Analytics 4 service from Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns (so-called reach measurement).

However, to protect your personal data, we have implemented protective measures so that no personal data is transmitted to Google. This is ensured by interposing our own server (server-side tracking), as the data is anonymised using the SHA-256 method before being forwarded to Google, so Google cannot draw any conclusions about the identity of the visitor. No direct data connection between you and Google is established. No cookies or other techniques that access information on your device are used.

2.6. Google Firestore

On our website, we use Firestore, a real-time database from Google, for storing user data and click parameters on the lead form page. Firestore offers comprehensive security and privacy features to ensure that the stored data is GDPR-compliant. In particular, Firestore is only used after your personal data has been hashed by our own Lynx server. Your data is therefore stored exclusively in a secure and encrypted form. This information is used to improve the user experience and for marketing and sales activities.

3. Data processing through the use of cookies (tracking)

3.1. Cookies and cookie function groups

In addition to the data mentioned above, cookies are stored on your device when you use our websites. Cookies are small text files stored on your hard drive, assigned to your browser, and used to provide certain information to us. They help make our web offering more user-friendly and effective.

We distinguish between the following functional groups of cookies:

3.1.1. Technical cookies (“Necessary cookies”)
These cookies are necessary for us to display the website to you and to provide essential basic functions, such as site navigation or the chat function, as well as to ensure data protection standards.

The following data is stored and transmitted in these cookies:

  • Language settings

  • Page settings

  • Other state information

The purpose of using technically necessary cookies is to make the use of websites easier for users. We also use cookies to identify you for subsequent visits. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change.

Legal basis: Art. 6(1)(f) GDPR / Section 25(2) TDDDG.

3.1.2. Cookies for user preferences
These cookies are used to recognise you and your settings when you return to the website (e.g., preferred language).

Legal basis: Art. 6(1)(a) GDPR.

3.1.3. Cookies for performance and statistics
These cookies are used to analyse the use of the website and user behaviour. This helps us understand how our website is used and where errors have occurred, so that we can make it more user-friendly or tailor information and services to our users.

Legal basis: Art. 6(1)(a) GDPR.

StackAdapt
We use tracking technologies from StackAdapt, an advertising technology provider, based on your consent under Art. 6(1)(a) GDPR. StackAdapt uses pixels embedded on our site that collect data on your interactions to generate personalised ads and measure campaign effectiveness. Data collected may include your IP address, browser and device type, visited pages, and interactions with ads. For more information about StackAdapt’s privacy practices and the options available to you for controlling your data, please visit StackAdapt’s privacy policy at https://www.stackadapt.com/privacy-policy .

Data is stored for up to 180 days on servers located in Germany. You have the right to object to processing for marketing purposes at any time via the “Change consent” link.

Google Display & Video 360 (DV360)
Our website uses DV360 for programmatic advertising and demand-side platform services from Google, based on your consent under Art. 6(1)(a) GDPR. DV360 uses cookies and identifiers to collect behaviour data on our and other websites, including visited pages, viewed content, clicked ads, and technical info like IP address and browser details. Data is used to serve personalised ads and is processed according to Google’s privacy policy . Data is stored for 30 days.

You can object to personalised advertising via your Google account or the “Change consent” link.

3.1.4. Marketing cookies
Legal basis: Art. 6(1)(a) GDPR.

3.2. Cookie management

3.2.1. Cookie Consent Tool (Cookiebot)
We use Cookiebot (Cybot A/S, Denmark) to let you control cookies. It displays cookies grouped by function, explains their purposes, and shows their retention periods.

3.2.2. Settings via Cookiebot
When you first visit our site, Cookiebot appears as a pop-up. You can enable cookie groups by ticking boxes. Technical cookies are enabled by default.

3.2.3. Withdrawal / opt-out options
You can withdraw consent via Cookiebot or directly disable cookies with providers or via your browser settings.

More details are available in our Cookie Declaration .

4. Data processing when contacting us

When you contact us by e-mail, telephone, or a contact form, we process the data you provide (e.g., e-mail address, name, phone number, message) to respond to your request.

Legal basis: Art. 6(1)(b) GDPR.

5. Data processing for contract execution

5.1. Air passenger rights

5.1.1. If you instruct us to enforce your air passenger compensation claim, we process your contact, communication, contract, and flight data (e.g., flight number, date, time) to provide our contractual services. These data are required for contract conclusion. Without them, a contract is not possible. Data may be passed to service providers bound by our instructions (e.g., hosting, communications) who support us technically.

Payment data is only collected when a payout to you is to be made.

5.1.2. As stated in our Terms & Conditions, we may instruct contract lawyers to enforce claims in court if our out-of-court efforts fail (“assignment process”), or you may authorise them directly (“power of attorney process”). In both cases, all relevant case data will be shared with the legal representatives, and we will exchange updates to keep you informed and enable case handling (e.g., payment of compensation).

5.1.3. Legal basis: Art. 6(1)(b) GDPR. Data is deleted once no longer needed or restricted if statutory retention applies.

5.2. Other legal areas

5.2.1. If you instruct us to assess and enforce claims in other legal areas, we process your contact, communication, contract, and case data as per our Terms of Use and may pass them to partner law firms. Without them, an initial assessment is not possible. Data may also be shared with service providers (e.g., hosting, communications, data breach information providers) bound by our instructions.

5.2.2. Legal basis: Art. 6(1)(b) GDPR. Data is deleted once no longer needed or restricted if statutory retention applies.

6. Data processing for job applications

You can apply for open positions with us by e-mail or via our careers portal. The purpose of data collection is to select applicants for potential employment. To process your application, we collect the data you provide (usually: first and last name; e-mail address; application documents such as certificates and CV; earliest possible start date; channel through which you learned about the vacancy; optionally phone number, salary expectations, Xing or LinkedIn profile). Please note that confidentiality cannot be guaranteed when sending applications by unencrypted e-mail. You can also apply for our positions by post.

Legal basis: Art. 6(1)(b) and Art. 88(1) GDPR in conjunction with Section 26(1) BDSG.

We store your personal data upon receipt of your application. If we accept your application and an employment relationship ensues, we will store your application data as long as necessary for the employment relationship and as far as statutory regulations require retention. If we reject your application, we will store your application data for up to three months after rejection, unless you give us consent for a longer retention period. If you have separately consented, we will keep your data in our applicant pool for a further twelve months after the end of the application process to identify other potential positions and contact you again if necessary. After the period expires, the data will be deleted. You can withdraw this consent at any time by sending an e-mail to gdpr-requests@allright.de .

7. Data processing with single sign-on services

You can register on our website using a Google account via an existing single sign-on (SSO) account. Such accounts allow you to log in to various services and platforms with one account. Flightright enables the use of Google’s SSO service.

The SSO service is operated by Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA.

The purpose and scope of data collection, further processing and use of data by Google, as well as your rights and privacy settings, can be found in Google’s privacy notices . For registration and use of Google’s services, the Google privacy and terms of use apply, available at https://policies.google.com/privacy?hl=en .

8. Data processing in connection with social networks

We are also present on social networks of other companies, such as Facebook or Twitter, and have integrated certain features from these networks into our online services. Both can only be used if you are registered and logged in to the respective social network. Please note that the usage and privacy terms of the respective network apply, which we cannot influence.

8.1. Name and address of the responsible operators

Responsible for our corporate profiles under the GDPR, in addition to Flightright GmbH:

Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland)
Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland)
LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland)
Twitter (Twitter International Company, One Cumberland Place, Dublin 2 D02 AX07, Ireland)
Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany)
TikTok (musical.ly Inc., 10351 Santa Monica Blvd #310, Los Angeles, CA 90025, USA)

You use these platforms and their features at your own risk, especially interactive features such as commenting, sharing, or rating. Your data may be processed outside the EU. Necessary contractual safeguards for data protection are in place.

8.2. Purpose and legal basis

We maintain these pages to communicate with visitors and inform them about our offers. We also collect statistical data to improve and optimise content and make our offering more attractive. This statistical data (e.g., total page views, activity, user-provided data, interactions) is prepared by the networks and provided to us; we have no control over its generation.

Your personal data may also be processed for market research and advertising purposes, both by the social networks and by Flightright GmbH, creating usage profiles that allow targeted advertising. Cookies are generally stored on your device for this purpose, and data may be stored in your usage profile even without direct device collection, especially if you are logged in to the network.

Processing by Flightright GmbH is based on our legitimate interest in effective information and communication under Art. 6(1)(f) GDPR and Section 25(2) TDDDG. If you are asked for consent, the legal basis is Art. 6(1)(a), Art. 7 GDPR and Section 25(1) TDDDG.

8.3. Your rights / right to object

If you are a member of a social network and do not want the network to collect data about you via our profile and link it to your membership data, you must log out before visiting our page, delete cookies from your device, and restart your browser. After logging in again, the network can recognise you once more.

Details of data processing and opt-out options can be found in the linked privacy policies of each platform.

You have the rights to access, rectify, delete, restrict processing, object, data portability, and to lodge a complaint with a supervisory authority. As Flightright GmbH does not have full access to your personal data, you should contact the social networks directly to exercise your rights. We will assist you if needed at datenschutz@flightright.de .

8.4. Copyright and image rights notice

If you publish images, text, plans, videos, music, etc., on our profile, you may be transferring all usage rights to the network, which can have legal consequences if you are not the author or rights holder.

9. Advertising and newsletters

If you have given your consent to receive advertising (newsletter, e-mail, postal, etc.), we will inform you via the agreed medium about our current offers, using your provided data. You can withdraw consent at any time.

9.1. MailJet

We use the Mailjet e-mail service provided by Sinch AB, Stockholm, Sweden, to send e-mails to user groups. Only e-mail addresses required for sending are processed and temporarily stored; deletion occurs within 30 days of the last sending. Mailjet’s privacy policy: https://sinch.com/legal/terms-and-conditions/other-sinch-terms-conditions/data-protection-agreement/ . Legal basis: Art. 6(1)(f) GDPR / Section 25(2) TDDDG.

We have concluded a data processing agreement with Mailjet under Art. 28(3) GDPR. Mailjet may use pseudonymised recipient data to optimise services but does not contact recipients directly or pass data to third parties.

9.2. Brevo

We use Brevo (Sendinblue GmbH, Berlin) to send newsletters. Recipient addresses and other relevant data are stored on Brevo servers. Brevo uses this information to send and evaluate newsletters on our behalf. Data may also be used by Brevo to optimise services or analyse recipient origins but not for independent marketing or sharing with third parties. Privacy policy: https://www.brevo.com/de/legal/privacypolicy/

Statistical analysis includes detecting whether newsletters are opened, when, and which links are clicked. Technically, this data can be linked to individual recipients, but we and Brevo do not aim to monitor individuals; the analysis serves to adapt content to reader interests.

10. Other data processing

10.1. Amazon Cloudfront

This website uses the Content Delivery Network (CDN) Cloudfront, a service provided by Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210. The Cloudfront CDN provides duplicates of data from a website on various AWS servers worldwide. This results in faster loading times, higher reliability, and improved protection against data loss.

Images and videos embedded on this website are loaded from the Cloudfront CDN when the page is accessed. Through this retrieval, information about your use of our website (such as your IP address) is transmitted to Amazon servers outside the EU and stored there. This happens as soon as you enter our website. Use of Amazon Web Services and the Amazon CDN Cloudfront is in the interest of higher website reliability, increased protection against data loss, and better loading speeds. This constitutes a legitimate interest under Art. 6(1)(f) GDPR / Section 25(2) TDDDG.

More about Amazon Web Services‘ data protection measures: https://aws.amazon.com/compliance/germany-data-protection/
Amazon Web Services privacy policy: https://aws.amazon.com/privacy/

10.2. Web Fonts from Adobe Fonts

This site uses web fonts provided by Adobe Fonts for a uniform display of fonts. When a page is accessed, your browser loads the necessary web fonts into its cache to display texts and fonts correctly.

For this purpose, the browser you use must connect to Adobe Fonts‘ servers. Adobe Fonts thereby becomes aware that your IP address has been used to access our website. Use of Adobe Fonts is in the interest of a uniform and attractive presentation of our online offerings and constitutes a legitimate interest under Art. 6(1)(f) GDPR / Section 25(2) TDDDG.

If your browser does not support web fonts, a default font from your computer will be used.
More information on Adobe Fonts: https://fonts.adobe.com
Adobe Fonts privacy policy: https://www.adobe.com/privacy/policies/adobe-fonts.html

10.3. Trustpilot

We use Trustpilot, a customer feedback and review service by Trustpilot, Inc., 245 5th Avenue, 4th floor, New York, NY 10016, USA. Trustpilot provides a form for submitting feedback on our website and for leaving reviews of your user experience and our product quality. All entries are voluntary, and results are published under a freely chosen pseudonym on https://www.trustpilot.com/ . Product reviews may also be published on our website and in Google search results.

More information on data protection at Trustpilot: https://legal.trustpilot.com/end-user-privacy-terms

10.4. Amplitude

This website uses the testing and web analytics service Amplitude. The program allows analysis of user behaviour based on user segmentation. By evaluating log file data, we can determine how individual user segments visit the site, which landing pages are accessed, and how click-through rates can be increased.

For analysis, as described above, cookies/local storage in the browser are used, linked to a pseudonymised ID. Your IP address is fully anonymised and not stored. The information generated is transmitted to an Amplitude server in Germany and stored in aggregated, pseudonymised form. The IP address transmitted by your browser is not merged with other Amplitude data.

Use of Amplitude serves to evaluate website usage and to compile reports on site activity so we can regularly improve our offering. Legal basis for storing the cookie: consent (Art. 6(1)(a) GDPR). Further evaluation of collected data is based on Art. 6(1)(f) GDPR / Section 25(2) TDDDG.

You can prevent the storage of cookies/local storage through your browser settings; however, this may result in some website functions being unavailable.

11. Your rights

11.1. You have the following rights regarding your personal data:
Right of access (Art. 15 GDPR)
Right to rectification and erasure (Art. 16 and 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to object to processing (Art. 21 GDPR)
Right to data portability (Art. 20 GDPR)

11.2. You also have the right to lodge a complaint with a supervisory authority about our processing of your data.

11.3. You may withdraw any consent given under data protection law at any time with effect for the future. The same applies to consent for marketing communications. Please contact datenschutz@flightright.de . Withdrawal may mean we can no longer provide certain services to you.

11.4. Where we process your personal data based on a legitimate interest (Art. 6(1)(f) GDPR), you can object to the processing. Please state the reasons why we should not process your data as we have done. If your objection is justified, we will review the situation and either stop or adjust the data processing, or present our compelling legitimate grounds for continuing.

12. Disclosure of data to third parties and third-country transfers

12.1. We only disclose your data to third parties if this is required for contractual purposes (Art. 6(1)(b) GDPR), to fulfil a legal obligation (Art. 6(1)(c) GDPR), or is justified by legitimate interests (Art. 6(1)(f) GDPR / Section 25(2) TDDDG).

12.2. Where we use subcontractors to provide our services, we take appropriate legal, technical, and organisational measures to protect personal data.

12.3. If third-party providers mentioned in this privacy policy are located in a third country, it should be assumed that data transfer to those countries takes place. We process data in a third country only if it is necessary for fulfilling our (pre-)contractual obligations (Art. 6(1)(b) GDPR), based on your consent (Art. 6(1)(a) GDPR / Section 25(1) TDDDG), due to a legal obligation (Art. 6(1)(c) GDPR), or on our legitimate interests (Art. 6(1)(f) GDPR / Section 25(2) TDDDG). The same applies to processing by third parties on our behalf.

We prefer to process your data within the EU/EEA. However, if we use service providers outside this area and in countries without adequate data protection, there is a risk (especially in the USA) that authorities could access your data without effective legal remedies being available.

13. Data deletion

13.1. Data stored by us will be deleted once it is no longer required for its purpose and no legal retention requirements apply. If deletion is not possible because the data is needed for other legally permissible purposes, processing will be restricted instead.

13.2. Retention follows legal requirements: six years under Section 257(1) HGB (commercial books, inventories, business correspondence, accounting records) and ten years under Section 147(1) AO (books, records, management reports, accounting records, business correspondence, tax-relevant documents).

14. Final provisions

14.1. We use technical and organisational security measures to protect your data, especially against accidental or intentional manipulation, loss, destruction, or unauthorised access. Security measures are continuously improved in line with technological progress.

14.2. We may update this privacy policy due to technical progress or changes in our services. If changes do not affect the use of existing data, the new privacy policy applies from the date of publication on our website. Changes affecting the use of already collected data will only occur if reasonable for you. In such cases, we will notify you in advance by e-mail, on our websites, in our application, or in another form. You have the right to object within four weeks of receiving the notification. If you object, we reserve the right to terminate the contractual relationship. If you do not object within this period, the amended privacy policy will be deemed accepted. We will inform you about your right to object and the significance of the objection period in the notification.