This privacy policy informs users of this website, in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Digital Services Act (DDG), about the type, scope, and purpose of the collection and processing of personal data by the website operator: zigzag GmbH Kronprinzstrasse 11 70173 Stuttgart The protection of our users’ personal data is a matter of great importance to us. We treat our users’ data confidentially and in accordance with the applicable data protection laws and this privacy policy. However, data transmission over the internet (e.g., communication via email) may be subject to security vulnerabilities. Complete protection of data from access by third parties is technically not possible.

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is: zigzag GmbH Kronprinzstrasse 11 70173 Stuttgart Email: datenschutz@zigzag.is Phone: +49 711 50454712 Web: www.zigzag.is

The Data Protection Officer of zigzag GmbH is: Sandra Hangst Kronprinzstrasse 11 70173 Stuttgart Email: datenschutz@zigzag.is Phone: +49 711 50454712 Web: www.zigzag.is

We collect and process the personal data of our users only to the extent necessary to provide a functional website and our content and services, and only where such processing is permitted by law or the users have given their consent. Personal data refers to all information that can be used to identify users or that can be linked to them - for example, their name, email address, or telephone number.

Where we obtain the consent of users for the processing of personal data, the legal basis is Article 6(1)(a) of the EU General Data Protection Regulation (GDPR). If the processing of personal data is necessary for the performance of a contract to which the users are party, or for the implementation of pre-contractual measures, the legal basis is Article 6(1)(b) GDPR. Where the processing of personal data is required to comply with a legal obligation to which our company is subject, the legal basis is Article 6(1)(c) GDPR. If the processing is necessary to protect the vital interests of the users or another natural person, it is based on Article 6(1)(d) GDPR. Where processing is necessary for the purposes of the legitimate interests pursued by our company or a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the users, the legal basis is Article 6(1)(f) GDPR.

The personal data of users will be deleted or blocked as soon as the purpose for storing the data no longer applies. Data may also be stored if this is required by European or national legislators in EU regulations, laws, or other legal provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by such legal provisions expires, unless further storage of the data is necessary for the performance of a contract or the implementation of pre-contractual measures.

Each time our website is accessed, our system automatically collects data and information from the users’ computer systems. The following data are collected in this process:
 (1) Information about the browser type and version used (2) The user’s operating system (3) The user’s IP address (4) Date and time of access These data are also stored in the log files of our system. The user’s IP addresses or other data that would allow the data to be linked to a user are not affected by this. Only anonymized IP addresses of visitors to the website are stored. At the web server level, this is ensured by storing an IP address such as 123.123.123.XXX in the log file instead of the actual IP address 123.123.123.123, where XXX is a random value between 1 and 254. Identification of an individual user is no longer possible. These data are also not stored together with other personal data of the user.

The legal basis for the temporary storage of data is Article 6(1)(f) GDPR.

The temporary storage of the anonymized IP address by the system is necessary to enable the delivery of the website to the users’ end devices. The IP address must be stored for the duration of the session. This purpose also represents our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR.

The data will be deleted as soon as they are no longer necessary for achieving the purpose for which they were collected. In the case of data collected for providing the website, this is when the respective session ends; otherwise, the data will be deleted no later than after 2 months.

The collection of data for the provision of the website and its storage in log files is absolutely necessary for the secure and stable operation of the website. For this reason, users have no possibility to object.

Our websites use Google Analytics, a web analytics service provided by Google Inc. ("Google"). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"), a subsidiary of Google LLC (USA). Google uses so-called "cookies," i.e., text files that are stored on users’ devices and enable an analysis of their use of the website. The information generated by the cookie about the use of this website may include the following data:
 - Browser type/version, - Operating system used, - Referrer URL (the previously visited page), - Hostname of the accessing computer (IP address), - Time of the server request.
 This information is usually transmitted to a Google server in the USA and stored there. However, we use Google Analytics with the extension “_anonymizeIp()”. This means that the IP address is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. This ensures that a personal identification based on the IP address is not possible.
 Google processes this information on our behalf to evaluate the use of the website by users, to compile reports on website activities, and to provide other services related to website and internet usage. Google may also transfer this information to third parties if required by law or if third parties process this data on behalf of Google. Google will not associate the transmitted IP address with any other data held by Google.
 The legal basis for the use of Google Analytics is the explicit consent of the user in accordance with Article 6(1)(a) GDPR and § 25(1) TDDDG.
 We have entered into a data processing agreement (Data Processing Agreement) with Google. Data transfers to the United States are based on the Standard Contractual Clauses approved by the European Commission pursuant to Article 46(2)(c) GDPR. The data collected through Google Analytics is automatically deleted after statistical evaluation - at the latest after 14 months.
 Users can prevent the storage of cookies by adjusting the settings in their browser software accordingly. However, we would like to point out that in this case, not all functions of this website may be fully available. Furthermore, users can prevent the collection of data generated by the cookie and related to their use of the website (including their IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en Alternatively to the browser add-on, especially for browsers on mobile devices, users can also prevent  the collection of data by Google Analytics by setting an opt-out cookie in their browser. This cookie prevents future data collection when visiting this website. The opt-out cookie is only valid in this browser and only for our website. It will be stored on the user’s device. If users delete the cookies in their browser, they will need to set the opt-out cookie again.
 By using this website, users consent to the processing of data collected about them by Google in the manner and for the purposes described above.
 Further information about Google Analytics and Google's privacy policy can be found at the following link: https://support.google.com/analytics/answer/6004245?hl=en

To best protect the data transmitted by users, this website uses SSL encryption. Encrypted connections can be recognized by the prefix “https://” in the browser’s address bar. Unencrypted pages are indicated by “http://”. All data transmitted by users to this website - for example, through inquiries or logins - cannot be read by third parties thanks to SSL encryption.

If users' personal data is processed, they are a data subject within the meaning of the GDPR. These persons have the following rights in particular vis-à-vis the controller:

Data subjects have the right to request confirmation from the data controller as to whether personal data concerning them is being processed. If personal data is being processed, data subjects have the right to obtain information from the data controller regarding the following: (1) The purposes for which the personal data are being processed; (2) The categories of personal data being processed; (3) The recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed; (4) The intended duration of storage of the personal data or, if specific details are not available, the criteria used to determine the storage period; (5) the existence of the right to rectification or erasure of their personal data, the right to restriction of processing by the controller, or the right to object to such processing; (6) The existence of a right to lodge a complaint with a supervisory authority; (7) All available information about the origin of the data if the personal data was not collected directly from the data subject; (8) The existence of automated decision-making, including profiling pursuant to Articles 22(1) and (4) GDPR, and - at least in those cases - meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject. Furthermore, data subjects have the right to request information about whether their personal data is transferred to a third country or to an international organization. In this context, they may request to be informed about the appropriate safeguards pursuant to Article 46 GDPR in connection with the transfer.

Data subjects have the right to request the controller to correct any inaccurate personal data concerning them. Taking into account the purposes of the processing, they also have the right to request the completion of incomplete personal data - including by means of a supplementary statement. The controller is obligated to carry out the correction or completion without undue delay.

Data subjects have the right to request the restriction of the processing of their personal data under the following conditions: (1) If they contest the accuracy of their personal data, which enables the controller to verify the accuracy of the personal data; (2) If the processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of its use; (3) If the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; (4) If the data subject has objected to processing pursuant to Article 21(1) GDPR and it is not yet established whether the legitimate grounds of the controller override those of the data subject. Where processing of the data subject's personal data has been restricted, such data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. If processing is restricted in accordance with the above conditions, the data subject shall be informed by the controller before the restriction is lifted.

a) Obligation to Delete Data subjects have the right to request that the controller delete their personal data without undue delay. The controller is obligated to delete these data immediately if one of the following grounds applies: (1) The personal data of the data subject is no longer necessary for the purposes for which it was collected or otherwise processed. (2) The data subject withdraws consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and there is no other legal basis for the processing. (3) The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR. (4) The personal data of data subjects have been processed unlawfully. (5) The deletion of the data is necessary to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject. (6) The personal data of the data subject has been collected in relation to the offer of information society services pursuant to Article 8(1) GDPR. b) Information to Third Parties If the controller has made the personal data of data subjects public and is obliged to erase them pursuant to Art. 17(1) GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers that data subjects have requested the erasure of all links to these personal data or of copies or replications of these data. c) Exceptions The right to erasure does not apply insofar as the processing is necessary (1) For exercising the right of freedom of expression and information; (2) For compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) For reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) GDPR; (4) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) GDPR, insofar as the right referred to in section (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; (5) For the establishment, exercise, or defense of legal claims.

If data subjects have exercised their right to rectification, erasure, or restriction of processing towards the controller, the controller is obligated to communicate this rectification, erasure, or restriction of processing to all recipients to whom the personal data has been disclosed, unless this proves impossible or involves a disproportionate effort. Data subjects also have the right to be informed by the controller about these recipients.

Data subjects have the right to receive the personal data they have provided to the controller in a structured, commonly used, and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data were provided, provided that (1) The processing is based on consent pursuant to Art. 6(1)(a) or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR, and (2) The processing is carried out by automated means. Furthermore, data subjects have the right to request that their personal data be transmitted directly from one controller to another controller, insofar as this is technically feasible. In doing so, the rights and freedoms of others must not be adversely affected. The right to data portability does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Data subjects have the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on Article 6(1)(e) or (f) GDPR; this also applies to profiling based on these provisions. The controller shall no longer process the personal data of the data subject unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or the processing serves the establishment, exercise, or defense of legal claims. Where personal data are processed for direct marketing purposes, data subjects have the right to object at any time to the processing of their personal data for such marketing; this also applies to profiling insofar as it is related to such direct marketing. If data subjects object to processing for direct marketing purposes, their personal data shall no longer be processed for these purposes. Furthermore, data subjects have the right to exercise their objection right in connection with the use of information society services by automated means using technical specifications, regardless of Directive 2002/58/EC.

Data subjects have the right to withdraw their consent to the processing of their personal data at any time. The legality of processing carried out based on the consent until the withdrawal remains unaffected.

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of their habitual residence, place of work, or place of the alleged infringement, if they believe that the processing of their personal data violates the GDPR. The supervisory authority with which the complaint has been lodged shall inform the data subject about the status and outcome of the complaint, including the possibility of judicial remedy under Article 78 GDPR.

We reserve the right to modify our data protection measures. In such cases, we will also update our privacy policy to comply with legal requirements. Therefore, attention should be drawn to the current version of the privacy policy at all times.