Legal Information

Privacy Policy

Preamble

With the following Privacy Policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) we process, the purposes for which we do so, and the scope of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as the “Online Offer”).

The terms used are not gender-specific.

Updated: April 18, 2026

02

Person in charge

Maryna Herz
Bruckmannring 19, 85764 Oberschleißheim, Germany

Email: contact@herz-psychology.com

Phone: +49 176 32500867

Imprint: https://herz-psychology.com/en/imprint-en/

03

Overview of Processing Methods

The following overview summarizes the types of data processed and the purposes of such processing, and identifies the data subjects.

Types of data processed

  • Inventory data
  • Payment data
  • Contact information
  • Content data
  • Contract data
  • Usage data
  • Meta, communication, and process data
  • Log data

Categories of data subjects

  • Service recipients and clients
  • Prospective customers
  • Communication partners
  • Users
  • Business and contractual partners

Purposes of data processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Office and organizational procedures
  • Organizational and administrative procedures
  • Firewall
  • Feedback
  • Provision of our online services and user-friendliness
  • IT infrastructure
  • Public relations
  • Business processes and operational procedures

04

Relevant Legal Basis

Relevant Legal Bases under the GDPR: The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your country of residence or our country of residence. If more specific legal bases apply in individual cases, we will inform you of these in the Privacy Policy.

  • Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of personal data concerning him or her for a specific purpose or for several specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
  • Legal obligation (Art. 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations apply in Germany. These include, in particular, the Act on the Protection against the Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). The BDSG contains, in particular, special provisions regarding the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transfer of data, as well as automated decision-making in individual cases, including profiling. Furthermore, state data protection laws of the individual federal states may apply.

Note on the applicability of the GDPR and the Swiss Data Protection Act (DSG): This privacy notice serves to provide information in accordance with both the Swiss Data Protection Act (DSG) and the General Data Protection Regulation (GDPR). For this reason, please note that the terms used in the GDPR are employed here due to its broader geographical scope and greater clarity. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “sensitive personal data” used in the Swiss Data Protection Act (DSG), the terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” used in the GDPR are employed. However, the legal meaning of these terms continues to be determined in accordance with the Swiss Data Protection Act (DSG) within the scope of its applicability.

05

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, and disclosure of the data, ensuring its availability, and maintaining its separation. Furthermore, we have established procedures to ensure that data subjects’ rights are upheld, that data is deleted, and that appropriate responses are made in the event of a data breach. Furthermore, we take the protection of personal data into account from the very beginning of the development and selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Securing online connections using TLS/SSL encryption technology (HTTPS): To protect user data transmitted via our online services from unauthorized access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user’s browser, thereby protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

06

Transfer of Personal Data

In the course of our processing of personal data, it may happen that such data is transferred to or disclosed to other agencies, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers entrusted with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.

07

General Information on Data Storage and Deletion

We delete the personal data we process in accordance with legal requirements as soon as the underlying consents are revoked or there is no longer any legal basis for processing. This applies to cases where the original purpose of processing no longer applies or the data is no longer needed. Exceptions to this rule apply if legal obligations or specific interests require the data to be retained or archived for a longer period.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal proceedings or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy policy contains additional information on the retention and deletion of data that applies specifically to certain processing operations.

If there are multiple specifications regarding the retention period or deletion deadlines for a particular piece of data, the longest period shall always apply. We process data that is no longer retained for its originally intended purpose, but rather due to legal requirements or other reasons, exclusively for the purposes that justify its retention.

Data Retention and Deletion: The following general time limits apply to data retention and archiving under German law:

  • 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, as well as the work instructions and other organizational documents necessary for their understanding (Section 147(1)(1) in conjunction with (3) of the German Fiscal Code (AO), § 14b (1) UStG, § 257 (1) No. 1 in conjunction with (4) HGB).
  • 8 years – accounting documents, such as invoices and expense receipts (Section 147(1)(4) and (4a) in conjunction with (3), first sentence, AO, and Section 257(1)(4) in conjunction with (4) HGB).
  • 6 years – Other business documents: received commercial or business letters, copies of sent commercial or business letters, other documents to the extent they are relevant for taxation, e.g., hourly wage slips, payroll sheets, cost calculation documents, price tags, as well as payroll records, provided they are not already accounting documents, and cash register receipts (Section 147(1)(2), (3), and (5) in conjunction with (3) of the German Fiscal Code (AO), Section 257(1)(2) and (3) in conjunction with (4) of the German Commercial Code (HGB)).
  • 3 years – Data necessary to address potential warranty and damage claims or similar contractual claims and rights, as well as to process related inquiries, based on past business experience and standard industry practices, is stored for the duration of the regular statutory limitation period of three years (Sections 195, 199 BGB).

Start of the period at the end of the year: If a period does not expressly begin on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the event triggering the period is the date on which the termination or other ending of the legal relationship takes effect.

08

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which are set forth in particular in Articles 15 through 21 of the GDPR:

  • Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this also applies to profiling to the extent that it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw your consent at any time.
  • Right of access: You have the right to request confirmation as to whether data concerning you is being processed, as well as access to such data, further information, and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request that data concerning you be completed or that inaccurate data concerning you be corrected.
  • Right to erasure and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be erased without delay, or alternatively, in accordance with legal requirements, to request a restriction on the processing of the data.
  • Right to data portability: You have the right to receive the data concerning you that you have provided to us in a structured, commonly used, and machine-readable format in accordance with legal requirements, or to request that it be transmitted to another controller.

Complaint to a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place where the alleged infringement occurred, if you believe that the processing of your personal data violates the provisions of the GDPR.

 

09

Business Services

We process the personal data of our contractual and business partners—such as customers, clients, prospective customers, suppliers, and other partners (collectively, “contractual partners”)—for the purpose of establishing, executing, and fulfilling contractual relationships and similar legal relationships. This also includes pre-contractual measures taken upon request, as well as communication related to the respective contractual relationship.

The processing is carried out, in particular, to fulfill our primary and ancillary contractual obligations. This includes the provision of the agreed-upon services, any obligations to provide updates and information, the handling of warranty claims and other service disruptions, the processing of revocations, terminations of continuing obligations, rescissions, refunds, as well as the processing of other contract-related statements and inquiries. This covers both one-time contracts and ongoing contractual relationships.

In particular, we process master data such as name, address, and, where applicable, company name; contact information such as email address and phone number; contract and service data such as the subject matter of the contract, contract term, order or transaction number; usage and service data; payment and billing data; as well as communication content and history. Where necessary, we also process data that is disclosed or transmitted to us in connection with the execution of an order.

In addition, we process the data to protect our rights and to comply with legal obligations. This includes, in particular, retention requirements under commercial and tax law, documentation requirements, and, where applicable, obligations to provide evidence and accountability. Processing also takes place based on our legitimate interests in proper business management, internal administration, risk management, and IT security, as well as in protecting our business operations and our contractual partners from misuse and threats to data, trade secrets, and other legal interests. This may also include the involvement of external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax and legal advisors, or other vicarious agents, to the extent that this is necessary for the performance of the contract or to fulfill legal obligations.

Personal data is disclosed to third parties only to the extent necessary for the performance of a contract, the implementation of pre-contractual measures, the protection of legitimate interests, or the fulfillment of legal obligations. We provide separate information regarding any additional processing, particularly for marketing purposes, within this Privacy Policy.

We inform our contractual partners of the specific data required in each individual case during the data collection process, for example by clearly marking online forms or through personal contact.

Data is deleted as soon as it is no longer necessary for the aforementioned purposes and there are no legal retention requirements that prevent its deletion. Legal retention periods, particularly under commercial and tax law, may require longer storage. We delete data transmitted in connection with a specific order upon completion of the order and the expiration of any retention periods, provided there are no further legal or contractual obligations to retain the data.

The legal basis for processing is Article 6(1)(b) of the GDPR for the implementation of pre-contractual measures and the fulfillment of the respective contractual relationship, as well as Article 6(1)(c) of the GDPR for the fulfillment of legal obligations. To the extent that processing is based on legitimate interests, it is carried out on the basis of Article 6(1)(f) of the GDPR.

  • Types of data processed: Inventory data; payment data; contact information; contract data.
  • Data subjects: Service recipients and clients; prospective clients; business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; communication; administrative and organizational procedures; business processes and management procedures.
  • Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) of the GDPR); Legal obligation (Art. 6(1)(c) of the GDPR); Legitimate interests (Art. 6(1)(f) of the GDPR).

10

Provision of the online service and web hosting

We process users’ data in order to provide them with our online services. To this end, we process the user’s IP address, which is necessary to deliver the content and features of our online services to the user’s browser or device.

  • Types of data processed: Usage data; metadata, communication data, and procedural data; log data; content data.
  • Data subjects: Users.
  • Purposes of processing: Provision of our online services and user-friendliness; IT infrastructure; security measures; performance of contractual obligations; firewall.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).

Additional information on processing procedures, methods, and services:

  • Hosting of the Online Service on Leased Server Space: To host our online service, we use server space, computing capacity, and software that we lease or otherwise obtain from a server provider (also known as a “web host”). Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • Collection of access data and log files: Access to our online services is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, a notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized.
  • Email Sending and Hosting: The web hosting services we use also include the sending, receiving, and storage of emails. For these purposes, we process the addresses of the recipients and senders, as well as other information regarding the sending of emails and the content of the respective emails. Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
  • 1&1 IONOS: Services in the field of providing IT infrastructure and related services; Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.ionos.de; Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy. Data Processing Agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/vereinbarung-zur-auftragsverarbeitung-avv-mit-ionos-abschliessen/.
  • Wordfence: Firewall, security, and error detection features; Service provider: Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.wordfence.com; Privacy Policy: https://www.wordfence.com/privacy-policy/; Basis for transfers to third countries: Standard Contractual Clauses (https://www.wordfence.com/standard-contractual-clauses/). Further information: https://www.wordfence.com/help/general-data-protection-regulation/.

11

Use of Cookies

The term “cookies” refers to functions that store and retrieve information on users’ devices. Cookies may also be used for various purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. To this end, we obtain users’ consent in advance when necessary. If consent is not required, we rely on our legitimate interests. Consent may be revoked at any time. We provide clear information regarding the scope of our use and which cookies are employed.

Storage duration: With regard to storage duration, the following types of cookies are distinguished:

  • Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest when a user leaves a website and closes their device.
  • Persistent cookies: Persistent cookies remain stored even after the device is closed. This allows, for example, the user’s login status to be saved and preferred content to be displayed immediately when the user visits the website again.

Cookie settings/opt-out option:

  • Types of data processed: Metadata, communication data, and operational data.
  • Data subjects: Users.
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR). Consent (Art. 6(1)(a) of the GDPR).

Additional information:

  • Processing of cookie data based on consent: We use a consent management solution to obtain users’ consent to the use of cookies. Legal basis: Consent (Art. 6(1)(a) GDPR).
  • Complianz: Storage and management of consents; Service provider: Processing on servers and/or computers under our own data protection responsibility; Website: https://complianz.io/; Privacy Policy: https://complianz.io/legal/.

12

Blogs and Publication Media

We use blogs or similar online communication and publication platforms (hereinafter referred to as “publication platforms”). Readers’ data is processed for the purposes of the publication platform only to the extent necessary for its operation and for communication between authors and readers, or for security reasons.

  • Types of data processed: Personal information; contact information; content data; usage data; metadata, communication data, and procedural data.
  • Data subjects: Users.
  • Purposes of processing: Feedback; provision of our online services and user-friendliness; security measures; organizational and administrative procedures.
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information:

  • Comments and posts: When users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).
  • Loading WordPress Emojis and Smilies: Our WordPress blog uses graphic emojis that are retrieved from external servers. The server providers collect users’ IP addresses. Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses.

13

Contact and Inquiry Management

When you contact us (e.g., by mail, contact form, email, phone, or social media), as well as in the context of existing user and business relationships, we process the information provided by the individuals making the inquiry to the extent necessary to respond to their inquiries and take any requested actions.

  • Types of data processed: Contact data; content data; metadata, communication data, and procedural data.
  • Data subjects: Communication partners.
  • Purposes of processing: Communication; organizational and administrative procedures; feedback; provision of our online services and user-friendliness.
  • Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Contract performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).

Additional information:

  • Contact Form: When you contact us via our contact form, by email, or through other communication channels, we process the personal data you provide to us in order to respond to and handle your inquiry. Legal basis: Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

14

Social media presence

We maintain online presences on social media platforms and, in this context, process user data to communicate with users active on those platforms or to provide information about us.

Please note that user data may be processed outside the European Union in this context. This may pose risks to users, as it could, for example, make it more difficult to enforce user rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on users’ behavior and the resulting interests.

For a detailed description of the respective forms of processing and the options for objection (opt-out), please refer to the privacy policies and information provided by the operators of the respective networks.

  • Types of data processed: Contact information; content data; usage data.
  • Data subjects: Users.
  • Purposes of processing: Communication; feedback; public relations.
  • Legal basis: Legitimate interests (Art. 6(1)(f) of the GDPR).

Additional information:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://privacycenter.instagram.com/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles within the Facebook social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/privacy/policy/. Basis for transfers to third countries: Data Privacy Framework (DPF), Standard Contractual Clauses.

15

Changes and Updates

We ask that you review the content of our Privacy Policy on a regular basis. We will update the Privacy Policy as soon as changes to our data processing activities make it necessary to do so. We will notify you as soon as the changes require action on your part (e.g., consent) or any other individual notification.

If we provide addresses and contact information for companies and organizations in this Privacy Policy, please note that these addresses may change over time, and we ask that you verify the information before contacting them.

The supervisory authority responsible for us is: Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.

16

Definitions

This section provides an overview of the terms used in this Privacy Policy. Where these terms are defined by law, their legal definitions apply. The explanations below are intended primarily to aid understanding.

  • Master Data: Master data includes essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments.
  • Firewall: A firewall is a security system that protects a computer network or a single computer from unauthorized network access.
  • Content data: Content data includes information generated during the creation, editing, and publication of all types of content.
  • Contact data: Contact data consists of essential information that enables communication with individuals or organizations.
  • Meta, communication, and process data: Meta, communication, and process data are categories that contain information about how data is processed, transmitted, and managed.
  • Usage Data: Usage data refers to information that tracks how users interact with digital products, services, or platforms.
  • Personal Data: “Personal data” means any information relating to an identified or identifiable natural person.
  • Log Data: Log data is information about events or activities that have been logged in a system or network.
  • Controller: The “controller” is the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means.
  • Contract data: Contract data refers to specific information relating to the formalization of an agreement between two or more parties.
  • Payment data: Payment data includes all information required to process payment transactions.