# Privacy policy of cepharum GmbH

Version: September 14th 2020

# 1. Terms

# 1.1. Services and visitors

cepharum GmbH (hereinafter referred to as cepharum) offers web-based services (e.g. websites and online stores) on the Internet, which can be used without authentication. Any user becomes a visitor in the sense of this privacy policy on the very first access to those services.

# 1.2. Extended services and customers

In addition, cepharum offers extended services on the basis of contractual agreements. These include

  • extended access to previously mentioned services of cepharum after prior authentication,
  • the production, support and distribution of multimedia - both through the aforementioned cepharum services and in cepharum branches,
  • the admissions-free communication consulting for companies and
  • the provision and/or support of resources on the Internet (hosting).

A person using at least one of these offers against payment or free of charge is considered a customer of cepharum, which then sets up a customer account and manages it to support the contractual relationship. A customer account includes both data that is only managed internally and data that can be viewed directly by the customer via the aforementioned extended access options.

# 1.3. Users

In these terms, visitors and customers are commonly referred to as users as soon as explanations commonly apply to both roles.

# 1.4. Servers of cepharum

cepharum rents servers operated in the EU from companies located in Germany in order to operate its own offers and services for its customers. In the context of this declaration, these servers are commonly referred to as cepharum's servers.

# 1.5. Data

In this statement, the term data is exclusively used by proxy for personal data in the sense of §4 (1) GDPR.

# 2. Subject

The subject of this declaration is the collection, processing and use of data by cepharum when using the services offered by cepharum. Furthermore, this declaration extends to data that a user actively provides in the course of this use.

This includes

  • traffic data documenting the use and resulting processes within cepharum's offer and in the interaction with third parties,
  • data, which is stored by cepharum's customers on cepharum's servers for the operation of offers of the respective customer, and
  • other data that customers manage and store on cepharum's servers when making use of cepharum's offers for which a fee is charged.

This declaration expressly does not concern data collected, stored and/or otherwise processed by cepharum's customers with their own offers and their functions. Here, the data protection declarations of the respective customers apply.

# 3. Responsible body, contact address

The responsible party by means of data protection law is cepharum. If you have any questions about the use of the data or if you wish to make use of the legal remedies described herein, please send an e-mail to:


As an option, sent postal inquiries to:

cepharum GmbH
Postfach 74 01 43
13091 Berlin

The supervisory authority is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstraße 219
10969 Berlin

# 4. User rights

With regard to their personal data, users have the right to request:

  • information about what kind of personal data is collected and how it is processed,
  • correction and completion,
  • removal,
  • restriction of processing,
  • data portability and
  • opposition.

The use of the data is governed by the applicable legal provisions, in particular the German Federal Data Protection Act (BDSG), the German Telemedia Act (TMG) and the General Data Protection Regulation (GDPR).

The aforementioned rights of users may be partially restricted by statutory provisions in the Telecommunications Act (TKG) and by provisions in the Principles for the Proper Keeping and Retention of Books, Records and Documents in Electronic Form and for Data Access (GoBD).

# 6. Data collection

# 6.1. Traffic data

cepharum logs the use of its own offers and the offers of its customers by collecting traffic data in the sense of §3 No. 30 TKG.

Traffic data is primarily generated by

  • retrieval of web pages and related files, which are offered via servers of cepharum,
  • authenticated access to e-mail boxes, calendars, contacts, databases and file systems by cepharum customers,
  • sending and receiving e-mails via cepharum servers,
  • transmission of e-mails between servers of cepharum and servers of external recipients or senders of e-mails.

Traffic data - in general or based on the type of access - includes

  • the IP address of the remote station from which the access is made or to which outgoing access is made,
  • the IP address and, if applicable, the name of the server that is being accessed or from which that remote station is being accessed,
  • the time of access,
  • user names during authentication processes,
  • identity of the page or file being accessed (e.g. for web pages),
  • sender and recipient for e-mails,
  • status codes of the transmission and
  • the amount of transmitted data.

# 6.2. Communication

cepharum is obligated by legal provisions to archive communication contents, which are transmitted to or from cepharum by electronic and non-electronic means, on a long-term basis. This expressly includes contents of e-mails.

# 6.3. Customer data

When commissioning the provision of services or ordering distributed goods, the customer is asked to provide personal information. Of these, only those details that are required for the respective contractual relationship are provided as mandatory details.

# 6.4. Usage data

When using web-based services of cepharum, information about the user is collected partially anonymously and summarized in pseudonymized profiles. The collected data includes the shortened (thus partially anonymized) IP address, the browser used, selected features of the browser, the operating system and the graphic resolution of the user, the website accessed and from which website the user was redirected to this website. Through the use of cookies, recurring users are recognized and their pseudonymized profiles are linked.

The collection of this usage data can be completely prevented by settings in the browser ("Do Not Track" option).

# 6.5. Cookies

Cookies are files that are stored on the computer of a user when using web-based services of cepharum and that are transferred to the servers of cepharum on subsequent accesses to those services. They are necessary to enable extended functionalities in web-based services. Therefore, a waiver of cookies may lead to functional limitations of the offered services.

Cookies can be stored for a short time until the browser is closed or for a long time until a future expiration date, depending on the purpose.

cepharum sets one or more cookies

  • for short-term storage for the extended functionality of own offers such as authenticated access to protected content or the shopping cart in online stores,
  • for long-term storage of up to 13 months for the surveys described above under "Usage data",
  • for long-term storage of up to 12 months upon confirmation of a new user to accept this privacy policy as the basis of the used offer of cepharum, in order to prevent a renewed display of that notice.

The storage of cookies on the user's hard disk can be prevented by activating browser settings such as "do not accept cookies" or similar. Further information on this can be found in the instructions of the respective browser. The user can delete all cookies set at any time via browser functions, regardless of the storage desired by cepharum.

cepharum guarantees that, in addition to cookies, no hidden alternative technologies (such as ETags) are used in order to ensure the possibilities achievable with cookies even without the user's consent to the storage of cookies.

# 7. Data processing and use

cepharum uses the collected data for the purposes described below. Any change or extension requires the immediate consent of the user.

# 7.1. Inventory data

The data in the customer account concerning the person and address of the user, as well as data records assigned to the account concerning transactions (such as orders, deliveries, invoices) within a contractual relationship are used for its establishment, administration and billing.

# 7.2. Traffic data

The collection of traffic data serves

  • the fulfillment of legal requirements within the framework of the TKG,
  • the monitoring of the operability of the respective offerings and analyzing impairments of the same,
  • the internal processing of customer complaints. Any disclosure to or inspection by a complaining customer is limited to data of that customer.

# 7.3. User data

The data provided by users when using services is stored on cepharum's servers and copied and archived as part of backups of all data inventories. Any further use of this data does not take place.

# 7.4. Communication content

The data contained in the communication with cepharum is stored internally and only offered for inspection to authorized institutions within the regulations of the GoBD.

This data can only be deleted in accordance with the GoBD.

# 8. Data transmission to third parties

cepharum may transmit data to third parties only if

  • the user has agreed to the transmission or
  • the transmission is necessary for the implementation or billing of the services used. This applies in particular if goods or services of an independent partner company are used through the service or if a vicarious agent requires this data for the provision of an agreed service. Such vicarious agents are, unless the customer is expressly informed otherwise, only authorized to use the data to the extent that this is necessary for the partial service transferred.
  • law enforcement authorities or courts in accordance with applicable laws request information for the purpose of law enforcement.

# 8.1. Integration of external offers

cepharum uses fonts in its own web-based services which, for licensing reasons, are only available through direct retrieval from third-party providers. This makes it technically possible for these providers, as licensors, to log user access to cepharum's web-based services.

cepharum has no influence on whether and in what form and to what extent this collection is carried out by the licensors and whether and to what extent it is possible for them to reconstruct a possibly initially missing personal reference in the collected data. cepharum hereby informs users of its services that in this case cepharum does not pass on data to third parties, but the user's browser is instructed to retrieve the fonts and cepharum is not involved in this retrieval. It is up to the user's browser or the user himself to ignore these instructions for the protection of his data by settings in the browser.

The following services of their respective providers are used:

  • TypeKit of Adobe Systems Inc., see https://typekit.com
  • WebFonts of Monotype Imaging Inc., see https://fonts.com
  • WebFonts of Google Inc., see https://fonts.google.com

In order to avoid comparable possibilities of logging user behavior on its web-based offers by third parties, cepharum refrains from using so-called Content Delivery Networks (CDN) and the direct integration of functions of social media platforms, external analysis tools and map services.

# 9. Data deletion

As far as the user's data is no longer required for the purposes mentioned above, including billing, and also no longer has to be retained due to legal regulations, it will be deleted. It should be noted that whenever data is deleted, it is initially only blocked and then only finally deleted with a time delay in order to prevent accidental deletion or intentional damage. For technical reasons, data is duplicated in data backup files and service mirroring. For technical reasons, such copies are only deleted after a maximum delay of 30 days.

# 10. Data security

cepharum treats the user's data with care and intends to protect it as best as possible against unauthorized access, loss, misuse or destruction. For this purpose, various measures corresponding to the current technical state of the art are taken. Passwords for user and customer accounts are always stored in an irreversibly coded form.

cepharum uses encrypted connections for the transmission of data between the computer of users and the servers of cepharum. This makes it more difficult to directly eavesdrop transmitted data, but cannot guarantee absolute security, e.g. against the reading of encrypted data and its long-term decryption.

The user acknowledges that cepharum operates publicly accessible server systems on the internet for the provision of available services and is technically capable of viewing all data of the user stored there (web pages, e-mails, logbooks, databases). Furthermore, the user acknowledges that unauthorized access to this data by third parties cannot be completely ruled out, even with additional encryption according to the current state of the art.

In case of unforeseen unauthorized access, loss or misuse of data, resulting in risks to the user, cepharum is obligated to immediately notify the user as well as the competent supervisory authority about the nature and consequences of the violation and the measures taken.

# 11. Liability

cepharum is not liable for any damages,

  • caused to the customer or his data stored on cepharum's servers due to improper handling by the customer. This includes

    • the use of insufficiently secure and protected access information, which is managed by the customer itself,
    • the offers set up by a customer on cepharum's servers and their functions (e.g. customer's web services) and
    • third-party applications set up by cepharum on behalf of a customer.
  • caused by unauthorized or improper access to data of a user on the transmission path between the user's computer and cepharum's servers.

# 12. Disclaimer towards third parties

This data protection declaration does not concern the protection of data related to third parties which customers collect and process in the course of providing their own services. In such cases, the customer is obligated to publish a separate data protection declaration for its offers. The customer shall expressly indemnify cepharum from any liability or damage claims of third parties arising from the use of the customer's offers in return.

# 13. Changes to this privacy policy

cepharum reserves the right to adapt this privacy statement to upcoming forms of data use or upcoming requirements for this statement.