Privacy Policy

Status: 01 May 2025

With the following Privacy Policy we would like to inform you which types of your personal data (hereinafter also referred to simply as “data”) we process for which purposes and to what extent when providing our website.

Controller

peerevents GmbH
Frankfurter Ring 150
80807 Munich
Germany

Tel.: +49 (0)89 957 248 10
E-mail: mail@peerevents.de

External Data-Protection Officer

DataCo GmbH
Sandstraße 33
80335 Munich
Germany

E-mail: datenschutz@peerevents.de
Tel.: +49 (0)89 95 72 48 10

Applicable Legal Bases

Relevant legal bases under the GDPR

Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data-protection regulations may apply in your or our country of residence or establishment. Where more specific legal bases are relevant in individual cases, we will inform you of these in this Privacy Policy.

Consent (Art. 6 (1) sentence 1 lit. a GDPR) – The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes.
Performance of a contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data-protection rules in Germany

In addition to the GDPR, national regulations on data protection apply in Germany, in particular the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, processing of special categories of personal data, processing for other purposes, and transmission as well as automated individual decision-making including profiling. Data-protection laws of the individual German federal states may also apply.

Security Measures

We take appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

Measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as the access, input, transmission, securing of availability and separation of the data. Furthermore, we have established procedures to ensure the exercise of data-subject rights, the deletion of data and responses to data-threats. We also take the protection of personal data into account when developing or selecting hardware, software and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections via TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services from unauthorised access, we employ TLS/SSL encryption. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encrypt information transferred between the website or app and the user’s browser (or between two servers), protecting the data from unauthorised access. TLS, the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. A website secured by an SSL/TLS certificate is indicated by “HTTPS” in the URL.

Transfer of Personal Data

In the course of processing personal data, data may be transferred to or disclosed to other entities, companies, legally independent organisational units or persons. Recipients may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases we comply with legal requirements and in particular conclude contracts or agreements with the recipients that serve to protect your data.

Data transfers within our organisation: We may transfer personal data to other departments or units within our organisation or grant them access. Such transfer is based on our legitimate business and economic interests or is necessary to fulfil our contractual obligations, or where the data subjects have given consent or a legal permission exists.

General Information on Storage and Deletion of Data

We delete personal data we process in accordance with legal requirements as soon as the consents on which processing is based are revoked or other legal grounds cease to apply. This is the case when the original purpose no longer exists or the data are no longer needed. Exceptions apply where statutory obligations or special interests require longer retention or archiving.

Data that must be retained for commercial or tax reasons, or that are necessary for legal prosecution or to protect the rights of other natural or legal persons, are archived accordingly.

Our Privacy Policy contains additional information on retention and deletion specific to certain processing operations.

If multiple retention or deletion periods are specified for data, the longest period shall always apply.

Where a period does not expressly commence on a specific date and is at least one year long, it begins automatically at the end of the calendar year in which the event triggering the period occurred. For ongoing contractual relationships in which data are stored, the triggering event is the date on which notice of termination becomes effective or the legal relationship otherwise ends.

Data retained no longer for their original purpose but due to legal requirements or other reasons are processed solely for the reasons justifying their retention.

Additional notes on processes, procedures and services – retention & deletion (Germany)

10 years – Books and records, annual financial statements, inventories, management reports, opening balance sheets and the organisational documents necessary for their understanding, accounting vouchers and invoices (§ 147 (3) in conjunction with (1) Nos. 1, 4 and 4a Fiscal Code of Germany (AO); § 14b (1) German VAT Act; § 257 (1) Nos. 1 & 4, (4) Commercial Code (HGB)).
6 years – Other business documents: received commercial or business letters, copies of dispatched commercial or business letters, other documents relevant for taxation (e.g. time sheets, cost accounting sheets, calculation documents, price markings) and wage accounting documents insofar as they are not already accounting vouchers, and till receipts (§ 147 (3) in conjunction with (1) Nos. 2, 3, 5 AO; § 257 (1) Nos. 2 & 3, (4) HGB).
3 years – Data required to consider potential warranty and damage-compensation claims or similar contractual claims and rights, as well as related enquiries, stored for the regular statutory limitation period of three years (§§ 195, 199 German Civil Code (BGB)).

Rights of Data Subjects

Data subjects have various rights under the GDPR, in particular arising from Arts. 15 to 21 GDPR:

Right to object: You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6 (1) lit. e or f GDPR, including profiling based on those provisions. Where personal data are processed for direct-marketing purposes, you have the right to object at any time to such processing, including profiling to the extent that it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw consent at any time.
Right of access: You have the right to obtain confirmation as to whether data concerning you are being processed and to obtain access to those data and further information in accordance with legal requirements.
Right to rectification: You have the right to obtain the completion of your data or the rectification of inaccurate data concerning you in accordance with legal requirements.
Right to erasure and restriction of processing: You have the right to demand that data concerning you be erased without delay or, alternatively, to demand restriction of processing in accordance with legal requirements.
Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller, in accordance with legal requirements.
Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

Provision of the Online Offer and Web Hosting

We process users’ data in order to provide them with our online services. To this end we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the users’ browser or device.

Processed data types: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); meta, communication and process data (e.g. IP addresses, timestamps, identifiers, persons involved); log data (e.g. log-in or data-retrieval logs, access times).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online offer and user friendliness; IT infrastructure (operation and provision of information systems and technical devices such as computers, servers, etc.); security measures.
Retention and deletion: Deletion in accordance with the section “General Information on Storage and Deletion of Data”.
Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Additional notes on processes, procedures and services

Provision of online offer on rented storage space: For our online offer we use storage space, computing capacity and software that we rent or otherwise obtain from a server provider (“web host”); legal basis: legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).
Collection of access data and log files: Access to our online offer is logged as “server log files”. Server log files may include the address and name of the retrieved webpages and files, date and time of retrieval, transferred data volumes, message about successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. Server log files are used for security purposes (e.g. to avoid server overload, especially in the case of abusive attacks such as DDoS attacks) and to ensure server load and stability; legal basis: legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR). **Deletion of data:** Log-file information is stored for a maximum of 30 days and then deleted or anonymised. Data whose further retention is required for evidence purposes are excluded from deletion until the relevant incident has been finally clarified.
Hetzner: Services in the field of provision of IT infrastructure and related services (e.g. storage space and/or computing capacities); service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; legal basis: legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR); website: [https://www.hetzner.com](https://www.hetzner.com); privacy policy: [https://www.hetzner.com/de/rechtliches/datenschutz](https://www.hetzner.com/de/rechtliches/datenschutz); data-processing agreement: [https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/](https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/).

Processing of Applicant Data

You may submit your application to us by e-mail. We process the data you provide solely to assess your professional suitability and to contact you.

Legal basis of processing: The processing is carried out for the purpose of establishing an employment relationship pursuant to Art. 6 (1) lit. b GDPR.
Recipients of application data: Within the company, those departments receive access to your data that require them to fulfil contractual, legal and regulatory obligations and to safeguard legitimate interests.
Storage period: In the event of rejection, deletion takes place six months after notification of the decision. If an employment relationship is established, the application documents are transferred to the personnel file and retained for the duration of the employment relationship.

Blogs and Publication Media

We use blogs or comparable online communication and publication media (“publication media”). Readers’ data are processed only to the extent necessary for the presentation of the publication medium and communication between authors and readers, or for security reasons. For the rest, we refer to the information on processing visitors of our publication medium contained in this Privacy Policy.

Processed data types: Inventory data; contact data; content data; usage data; meta, communication and process data.
Data subjects: Users.
Purposes of processing: Feedback; provision of our online offer and user friendliness.
Retention and deletion: Deletion in accordance with the section “General Information on Storage and Deletion of Data”.
Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Contact and Enquiry Management

When contacting us (e.g. by post, contact form, e-mail, telephone or via social media) and within existing user and business relationships, the information provided by the enquiring persons is processed to the extent necessary to respond to contact requests and any requested measures.

Processed data types: Inventory data; contact data; content data; usage data; meta, communication and process data.
Data subjects: Communication partners.
Purposes of processing: Communication; organizational and administrative procedures; feedback; provision of our online offer and user friendliness.
Retention and deletion: Deletion in accordance with the section “General Information on Storage and Deletion of Data”.
Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR); performance of a contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b GDPR).

Additional notes on processes, procedures and services

Contact form: When contacting us via our contact form, e-mail or other communication channels, we process the personal data transmitted to us to answer and handle the respective request. This usually includes information such as name, contact details and any further information provided that is necessary for proper handling. We use this data solely for the stated purpose of contact and communication; legal bases: performance of a contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Newsletters and Electronic Notifications

We send newsletters, e-mails and other electronic notifications (“newsletter”) only with the consent of the recipients or on a legal basis. If newsletter content is specifically described during registration, this content is decisive for the user’s consent. Usually only an e-mail address is required to register; to personalize the newsletter we may also ask for your name or further information if necessary.

Deletion and restriction of processing: We may store unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests to be able to prove prior consent. Processing of these data is limited to the purpose of potential defence against claims. An individual deletion request is possible at any time if former consent is confirmed simultaneously. If we are obliged to observe objections permanently, we store the e-mail address solely for this purpose in a blocklist.

Subscription registration is logged on the basis of our legitimate interests to prove proper procedure. If we engage a service provider to send e-mails, this is based on our legitimate interests in an efficient and secure dispatch system.

Content: Information about us and our services.
Processed data types: Inventory data; contact data; meta, communication and process data; usage data.
Data subjects: Communication partners.
Purposes of processing: Direct marketing (e.g. via e-mail or post).
Retention and deletion: 3 years (Austria) – contractual claims (§§ 1478, 1480 Austrian Civil Code); 10 years (Switzerland) – contractual claims (Art. 127, 130 Swiss Code of Obligations, unless a shorter 5-year period applies).
Legal bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR); legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Opt-out: You can cancel the newsletter at any time, i.e. withdraw your consent or object to further receipt. A cancellation link can be found at the end of each newsletter, or you can use one of the contact options above (preferably e-mail).

Additional notes on processes, procedures and services

Mailjet: E-mail dispatch and automation services; service provider: Mailjet SAS, 13-13 bis rue de l’Aubrac, 75012 Paris, France; legal basis: legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR); website: https://www.mailjet.de; privacy policy: https://www.mailjet.de/privacy-policy.

Web Analytics, Monitoring and Optimisation

Web analytics (also called “reach measurement”) involves the evaluation of visitor flows to our online offer and may include behaviour, interests or demographic information about visitors (e.g. age or gender) as pseudonymous values. Reach measurement allows us, for example, to recognize when our online offer or its functions or content are most frequently used or invite reuse. We can also see which areas require optimization.

We may also use testing procedures to test and optimize different versions of our online offer or its components.

Unless indicated otherwise below, profiles may be created for these purposes, data stored in a browser or terminal and then read out. Collected information includes visited websites and their elements as well as technical data such as the browser used, computer system and usage times. If users have consented to the collection of their location data, this may also be processed.

IP addresses of users are stored, but we use IP masking (i.e. pseudonymisation by shortening the IP address). Generally, no clear data (such as e-mail addresses or names) are stored in profiles, only pseudonyms.

Notes on legal bases: Where we ask users for their consent to the use of third-party providers, consent is the legal basis. Otherwise, users’ data are processed on the basis of our legitimate interests (i.e. interest in efficient, economical and user-friendly services). Please also refer to the information on cookies in this Privacy Policy.

Processed data types: Usage data; meta, communication and process data.
Data subjects: Users.
Purposes of processing: Reach measurement; profiles with user-related information.
Retention and deletion: Deletion in accordance with the section “General Information on Storage and Deletion of Data”. Cookies may be stored for up to 2 years unless stated otherwise.
Security measures: IP masking.
Legal bases: Consent (Art. 6 (1) sentence 1 lit. a GDPR); legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Social-Media Presences

We maintain online presences within social networks and process user data in this context to communicate with users active there or to offer information about us.

Please note that user data may be processed outside the European Union, which may pose risks (e.g. impeding enforcement of user rights).

User data within social networks are generally processed for market-research and advertising purposes. For example, user profiles can be created based on usage behavior and resulting interests; these profiles may be used to display advertisements inside and outside the networks likely corresponding to user interests. Cookies storing usage behaviour and interests are usually placed on users’ devices. Data may also be stored in the user profiles independently of the devices used (especially if users are members of the respective platforms and logged in).

For detailed information on the respective processing forms and opt-out options, please refer to the privacy policies of the respective network operators.

Regarding access requests and the assertion of data-subject rights, we point out that these can be most effectively asserted with the providers themselves, as only they have access to user data. If you need assistance, you may contact us.

Processed data types: Contact data; content data; usage data.
Data subjects: Users.
Purposes of processing: Communication; feedback; public relations.
Retention and deletion: Deletion in accordance with the section “General Information on Storage and Deletion of Data”.
Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR).

Additional notes on processes, procedures and services

Instagram: Social network enabling sharing of photos and videos, commenting, liking, messaging, following profiles and pages; service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; legal basis: legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR); website: https://www.instagram.com; privacy policy: https://privacycenter.instagram.com/policy/; third-country transfer basis: Data Privacy Framework (DPF).
LinkedIn: Social network – we are joint controllers with LinkedIn Ireland Unlimited Company for the collection (but not further processing) of data of visitors to our LinkedIn profiles for the purpose of creating “Page Insights” (statistics). These data include information about the types of content users view or interact with, or actions they take, as well as information about the devices they use (e.g. IP addresses, operating system, browser type, language settings, cookie data) and data from users’ profiles such as job function, country, industry, seniority, company size and employment status. Privacy information on LinkedIn’s processing of user data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

We have concluded a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum”, https://legal.linkedin.com/pages-joint-controller-addendum ) which specifies, among other things, the security measures LinkedIn must observe and which states that LinkedIn will fulfill data-subject rights (e.g. users can send requests for information or deletion directly to LinkedIn). Users’ rights (especially rights of access, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. Joint controllership is limited to the collection of data and transmission to LinkedIn Ireland Unlimited Company within the EU. Further processing, particularly transfer to LinkedIn Corporation in the USA, is the sole responsibility of LinkedIn Ireland Unlimited Company; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR); website: https://www.linkedin.com; privacy policy: https://www.linkedin.com/legal/privacy-policy; third-country transfer basis: DPF. Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Amendments and Updates

Please review the content of our Privacy Policy regularly. We will adapt the Privacy Policy as soon as changes in the data processing we carry out make this necessary. We will inform you if the changes require your cooperation (e.g. consent) or another individual notification.

If we provide addresses and contact information of companies and organisations in this Privacy Policy, please note that addresses may change over time; please verify the information before contacting them.