Privacy Policy

Privacy Policy

Introduction

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications as well as within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offering”).

The terms used are not gender-specific.

Status: 28.04.2026

Table of Contents

Controller

FARBWERKE HERKULA® SA/AG
Bernard Sproten
Friedensstraße 21
4780 Sankt Vith

Email address:

info@herkula.com

Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects concerned.

Types of data processed
  • Master data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta/communication data.
  • Applicant data.
  • Event data (Facebook).
Categories of data subjects
  • Customers.
  • Employees.
  • Prospects.
  • Communication partners.
  • Users.
  • Applicants.
  • Participants in competitions and sweepstakes.
  • Members.
  • Business and contractual partners.
Purposes of processing
  • Provision of contractual services and customer service.
  • Contact requests and communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion measurement.
  • Target group formation.
  • Affiliate tracking.
  • Administration and response to inquiries.
  • Application procedures.
  • Execution of sweepstakes and competitions.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Target group formation.
  • Provision of our online offering and user-friendliness.
  • Information technology infrastructure.
Legal Bases

The following provides an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or registered office. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of personal data concerning them for one or more specific purposes.
  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In addition to the data protection provisions of the GDPR, national regulations on data protection in Germany apply. This includes in particular the Federal Data Protection Act (BDSG). The BDSG contains specific provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and the transfer as well as automated decision-making in individual cases including profiling. It also regulates data processing for purposes of employment relationships (§ 26 BDSG), in particular with regard to the establishment, execution or termination of employment relationships and the consent of employees. Furthermore, data protection laws of the individual federal states may apply.

Security Measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access, input, transfer, availability assurance and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data and responses to data risks. In addition, we take into account the protection of personal data already during the development or selection of hardware, software and procedures in accordance with the principle of data protection by design and by default.

SSL encryption (https): To protect your data transmitted via our online offering, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transfer of Personal Data

As part of our processing of personal data, it may happen that the data is transferred to or disclosed to other bodies, companies, legally independent organizational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and conclude appropriate contracts or agreements that serve to protect your data with the recipients of your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of services of third parties or the disclosure or transfer of data to other persons, bodies or companies, this is only done in accordance with the legal requirements.

Subject to explicit consent or contractually or legally required transfer, we only process or have the data processed in third countries with a recognized level of data protection, contractual obligation through so-called standard contractual clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of Data

The data processed by us will be deleted in accordance with the legal requirements as soon as their permitted consents are revoked or other permissions cease to apply (e.g., if the purpose of processing this data no longer applies or it is no longer required for the purpose). If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise or defense of legal claims or to protect the rights of another natural or legal person.

Within the scope of our privacy information, we may provide users with further information on the deletion and retention of data that applies specifically to the respective processing processes.

Use of Cookies

Cookies are small text files or other storage notes that store information on end devices and read information from end devices. For example, to store the login status in a user account, a shopping cart content in an e-shop, the accessed content or used functions of an online offering. Cookies can also be used for different purposes, e.g. for purposes of functionality, security and convenience of online offerings as well as the creation of analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless this is not legally required. Consent is not required in particular if the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service expressly requested by them (i.e. our online offering). The revocable consent is clearly communicated to users and contains information on the respective use of cookies.

Notes on legal bases under data protection law: The legal basis on which we process users’ personal data using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g. in the commercial operation of our online offering and its improvement) or, if this is done in the context of the fulfillment of our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also: session cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be stored or preferred content displayed directly when the user revisits a website. Likewise, the data of users collected using cookies can be used for reach measurement. If we do not provide users with explicit information on the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage duration can be up to two years.

General information on revocation and objection (opt-out): Users can revoke their consent at any time and also object to processing in accordance with the legal requirements in Art. 21 GDPR. Users can also declare their objection via the settings of their browser, e.g. by deactivating the use of cookies (although this may also restrict the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Further notes on processing procedures:

  • Processing of cookie data based on consent: We use a cookie consent management procedure in which users’ consents to the use of cookies, or the processing and providers mentioned within the cookie consent management procedure, can be obtained, managed and revoked. The consent declaration is stored so that its query does not have to be repeated and so that the consent can be proven in accordance with the legal obligation. Storage can take place server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to be able to assign the consent to a user or their device. Unless individual information is provided about the providers of cookie management services, the following applies: The storage duration of consent can be up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.

Performance of Tasks According to Statutes or Rules of Procedure

We process the data of our members, supporters, interested parties, business partners or other persons (collectively “data subjects”) if we have a membership or other business relationship with them and perform our tasks as well as are recipients of services and benefits. Otherwise, we process the data of data subjects on the basis of our legitimate interests, e.g. when it concerns administrative tasks or public relations work.

The data processed, the type, scope, purpose and necessity of their processing are determined by the underlying membership or contractual relationship, from which the necessity of any data details also arises (otherwise we point out required data).

We delete data that is no longer required to fulfill our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. We retain the data for as long as it may be relevant for business processing as well as with regard to any warranty or liability obligations based on our legitimate interest in their regulation. The necessity of retaining the data is regularly reviewed; otherwise the statutory retention obligations apply.

  • Types of data processed: Master data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. email, telephone numbers); contract data (e.g. subject matter of the contract, duration, customer category).
  • Data subjects: Users (e.g. website visitors, users of online services); members; business and contractual partners.
  • Purposes of processing: Provision of contractual services and customer service; contact requests and communication; administration and response to inquiries.
  • Legal bases: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Business Services

We process data of our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) within the scope of contractual and comparable legal relationships as well as related measures and within the context of communication with the contractual partners (or pre-contractually), e.g. in order to respond to inquiries.

We process this data in order to fulfill our contractual obligations. These include, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of warranty and other service disruptions. In addition, we process the data to safeguard our rights and for the purposes of administrative tasks associated with these obligations as well as for company organization.

We also process the data on the basis of our legitimate interests in proper and efficient business management as well as security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities).

Within the scope of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations.

  • Types of data processed: Master data; payment data; contact data; contract data; usage data; meta/communication data.
  • Data subjects: Customers; interested parties; business and contractual partners.
  • Purposes of processing: Provision of contractual services and customer service; security measures; communication; administration.
  • Legal bases: Contract performance; legal obligation; legitimate interests.

Provision of the Online Offering and Web Hosting

In order to provide our online offering securely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offering can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services as well as security services and technical maintenance services.

The data processed in the context of providing the hosting service may include all information relating to users of our online offering that is generated during use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offerings to browsers, and all entries made within our online offering or from websites.

  • Types of data processed: Content data (e.g. entries in online forms); usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; information technology infrastructure.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further notes on processing procedures:

  • Collection of access data and log files: We (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the accessed web pages and files, date and time of access, amounts of data transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes (e.g. to prevent server overload, especially in the case of abusive attacks, so-called DDoS attacks) and to ensure the utilization and stability of the servers; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified.

Blogs and Publication Media

We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). The data of readers is processed for the purposes of the publication medium only to the extent necessary for its presentation and communication between authors and readers or for security reasons. Otherwise, we refer to the information on the processing of visitors to our publication medium within the scope of this privacy policy.

  • Types of data processed: Master data; contact data; content data; usage data; meta/communication data.
  • Data subjects: Users.
  • Purposes of processing: Provision of services; feedback; user-friendliness; security; communication.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Further notes on processing procedures:

  • Comments and contributions: When users leave comments or other contributions, their IP addresses may be stored on the basis of our legitimate interests. This is done for our security in case someone leaves illegal content (insults, prohibited political propaganda, etc.). In this case, we may be liable ourselves and are therefore interested in the identity of the author. Furthermore, we reserve the right to process user information for the purpose of spam detection. The personal information provided in comments and contributions is stored by us permanently until users object; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).

Contact and Inquiry Management

When contacting us (e.g. via contact form, email, telephone or via social media) as well as within the framework of existing user and business relationships, the information provided by the requesting persons is processed insofar as this is necessary to respond to the contact requests and any requested measures.

The response to contact requests and the management of contact and inquiry data within the framework of contractual or pre-contractual relationships is carried out for the fulfillment of our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of legitimate interests in responding to inquiries and maintaining user or business relationships.

  • Types of data processed: Contact data; content data; usage data; meta/communication data.
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; customer service; administration; feedback; user-friendliness.
  • Legal bases: Contract performance; legitimate interests.

Further notes on processing procedures:

  • Contact form: When users contact us via our contact form, email or other communication channels, we process the data provided to us in this context to handle the request; Legal bases: Contract performance and legitimate interests.

Communication via Messenger

We use messenger services for communication purposes and therefore ask you to note the following information regarding the functionality, encryption, use of communication metadata and your options to object.

You can also contact us via alternative channels, such as telephone or email.

In the case of end-to-end encryption of content, the communication content is encrypted. This means that the content of the messages cannot be viewed, not even by the messenger providers themselves.

However, messenger providers may process metadata such as the fact and time of communication, device information and possibly location data.

Notes on legal bases: If we ask for consent before communication via messenger, the legal basis is consent. Otherwise, communication is based on legitimate interests.

Revocation, objection and deletion: You can revoke your consent at any time or object to communication. Messages are deleted in accordance with our deletion policies.

  • Types of data processed: Contact data; usage data; meta/communication data.
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; direct marketing.
  • Legal bases: Consent; legitimate interests.

Push Notifications

We use push notifications to inform users about updates, offers and other relevant information. For this purpose, we process the data necessary for sending notifications, such as device identifiers and consent data.

  • Types of data processed: Usage data; meta/communication data.
  • Data subjects: Users.
  • Purposes of processing: Communication; marketing.
  • Legal bases: Consent.

Video Conferences, Online Meetings, Webinars and Screen Sharing

We use platforms and applications from other providers to conduct video and audio conferences, webinars and other types of video and audio meetings. When selecting providers and their services, we comply with the legal requirements.

  • Types of data processed: Usage data; meta/communication data; content data.
  • Data subjects: Communication partners; users.
  • Purposes of processing: Communication; collaboration.
  • Legal bases: Consent; contract performance; legitimate interests.

Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The required information is specified in the job description or otherwise communicated.

Applicants may submit their applications via email or via a contact form.

  • Types of data processed: Applicant data; contact data; content data.
  • Data subjects: Applicants.
  • Purposes of processing: Application procedures.
  • Legal bases: Contract initiation; consent; legitimate interests.

Cloud Services

We use software services accessible via the Internet and running on their providers’ servers (so-called “cloud services”) for the storage and management of content.

  • Types of data processed: Content data; usage data; meta/communication data.
  • Data subjects: Users; communication partners.
  • Purposes of processing: Provision of services; information technology infrastructure.
  • Legal bases: Legitimate interests; consent.

Newsletter and Electronic Notifications

We send newsletters, emails and other electronic notifications only with the consent of the recipients or on the basis of a legal permission.

  • Types of data processed: Contact data; usage data.
  • Data subjects: Users.
  • Purposes of processing: Direct marketing.
  • Legal bases: Consent; legitimate interests.

Promotional Communication via Email, Post, Fax or Telephone

We process personal data for the purposes of promotional communication, which may take place via various channels such as email, telephone, post or fax.

  • Types of data processed: Contact data.
  • Data subjects: Users; customers.
  • Purposes of processing: Direct marketing.
  • Legal bases: Consent; legitimate interests.

Sweepstakes and Competitions

We process personal data of participants in competitions and sweepstakes only in compliance with the relevant legal requirements.

  • Types of data processed: Master data; contact data; content data.
  • Data subjects: Participants.
  • Purposes of processing: Execution of competitions.
  • Legal bases: Contract performance; consent.

Web Analysis, Monitoring and Optimization

Web analysis (also referred to as “reach measurement”) is used to evaluate the visitor flows of our online offering and may include behavior, interests or demographic information about visitors.

  • Types of data processed: Usage data; meta/communication data.
  • Data subjects: Users.
  • Purposes of processing: Reach measurement; optimization.
  • Legal bases: Consent; legitimate interests.

Online Marketing

We process personal data for the purposes of online marketing.

  • Types of data processed: Usage data; meta/communication data.
  • Data subjects: Users.
  • Purposes of processing: Marketing; profiling; reach measurement.
  • Legal bases: Consent; legitimate interests.

Affiliate Programs and Affiliate Links

We include affiliate links or other references to offers and services of third-party providers on our online offering.

  • Types of data processed: Usage data.
  • Data subjects: Users.
  • Purposes of processing: Affiliate tracking.
  • Legal bases: Legitimate interests.

Customer Reviews and Rating Procedures

We participate in review and rating procedures to evaluate, optimize and promote our services.

  • Types of data processed: Content data; usage data.
  • Data subjects: Users.
  • Purposes of processing: Feedback; marketing.
  • Legal bases: Consent; legitimate interests.

Social Media Presence

We maintain online presences within social networks to communicate with users active there and to inform them about our services.

  • Types of data processed: Contact data; usage data.
  • Data subjects: Users.
  • Purposes of processing: Communication; marketing.
  • Legal bases: Legitimate interests.

Plugins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers.

  • Types of data processed: Usage data; meta/communication data.
  • Data subjects: Users.
  • Purposes of processing: Provision of services; marketing.
  • Legal bases: Legitimate interests; consent.

Amendment and Update of the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, in particular arising from Articles 15 to 21 GDPR.

  • Right to information
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Definitions

This section provides you with an overview of the terms used in this privacy policy.