Privacy Policy
As of: January 6, 2025

Table of Contents

1. Controller

2. Overview of Processing Activities

3. Relevant Legal Bases

4. Security Measures

5. Transfer of Personal Data

6. International Data Transfers

7. General Information on Data Retention and Deletion

8. Rights of Data Subjects

9. Provision of the Online Offer and Web Hosting

10. Use of Cookies

11. Presence on Social Networks (Social Media)

12. Changes and Updates

Controller

Jordi Breu
Beethovenstraße 7
84453 Mühldorf am Inn
Germany

Email Address: jordi[at]breu.design

Legal Notice: thebookoffmx.com/legal-notice

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes of processing, and references the affected individuals.

Types of Data Processed

• Contact details

• Content data

• Usage data

• Metadata, communication, and procedural data

• Log data

Categories of Data Subjects

• Users

Purposes of Processing

• Communication

• Security measures

• Feedback

• Provision of our online offer and user-friendliness

• Information technology infrastructure

• Public relations

Relevant Legal Bases

Relevant Legal Bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that national data protection regulations of your or our place of residence or business may also apply in addition to the provisions of the GDPR. Should other, more specific legal bases apply in individual cases, we will notify you in this privacy policy.

• Consent (Art. 6(1)(1)(a) GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.

• Legitimate Interests (Art. 6(1)(1)(f) GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.

National Data Protection Regulations in Germany: In addition to the data protection provisions of the GDPR, national data protection regulations in Germany apply, including the Federal Data Protection Act (BDSG). The BDSG includes specific provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and automated decision-making in individual cases, including profiling. State-level data protection laws of individual federal states may also apply.

Reference to GDPR and Swiss DSG: These privacy notices serve to provide information under both the Swiss DSG and the GDPR. For broader applicability and comprehensibility, GDPR terminology is used. However, under the Swiss DSG, terms retain their legal definitions (e.g., "processing" of "personal data," "overriding interest," "special categories of personal data").

Security Measures

We implement technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, nature, scope, circumstances, and purposes of processing, as well as varying likelihoods and severity of risks to natural persons’ rights and freedoms.

Measures include ensuring data confidentiality, integrity, and availability by controlling physical and electronic access to data, as well as data entry, disclosure, and availability. We also implement procedures for exercising data subject rights, data deletion, and responses to data security threats. Furthermore, we ensure data protection by design and by default when developing or selecting hardware, software, and procedures.

Securing Online Connections with TLS/SSL Encryption Technology (HTTPS): To protect user data transmitted through our online services, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission online. These technologies encrypt information exchanged between the website or app and the user’s browser (or between two servers), protecting it from unauthorized access. TLS, the enhanced and more secure version of SSL, ensures that all data transfers comply with the highest security standards. Websites secured with an SSL/TLS certificate are identified by HTTPS in the URL, signaling that data transmission is encrypted and secure.

Transfer of Personal Data

In processing personal data, we may transfer or disclose it to other entities, companies, legally independent organizational units, or individuals. Recipients may include IT service providers or providers of embedded services and content. In such cases, we adhere to legal requirements and conclude appropriate contracts or agreements to protect your data.

International Data Transfers

Processing Data in Third Countries: Where data is processed in a third country (outside the EU or EEA) or where processing involves third-party services or data disclosures to others, this occurs only in compliance with legal requirements. Transfers rely on adequacy decisions (Art. 45 GDPR) or other safeguards, such as standard contractual clauses (Art. 46(2)(c) GDPR), express consent, or contractual/legal requirements (Art. 49(1) GDPR).

For additional information, consult the EU Commission: EU International Data Transfers.
Details on certified US entities under the Data Privacy Framework are available at: Data Privacy Framework.

General Information on Data Retention and Deletion
We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or there are no further legal grounds for processing. This includes cases where the original purpose of processing ceases to apply or the data is no longer needed. Exceptions to this rule exist if legal obligations or specific interests require a longer retention or archiving period for the data.

In particular, data that must be retained for commercial or tax purposes, or whose storage is necessary for legal prosecution or to protect the rights of other natural or legal persons, will be archived accordingly.

Our privacy notices include additional information on the retention and deletion of data specifically applicable to certain processing activities.

In cases where multiple retention periods or deletion deadlines are specified for data, the longest period always applies.

If a period does not explicitly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the triggering event occurred. In the case of ongoing contractual relationships under which data is stored, the triggering event is the date on which the termination becomes effective or any other ending of the legal relationship.

Data that is no longer retained for its originally intended purpose but due to legal requirements or other reasons will only be processed for the reasons justifying its retention.

Further Notes on Processing Activities, Procedures, and Services:

• Retention and Deletion of Data: The following general periods apply for retention and archiving under German law:

  • 10 Years: Retention period for books and records, annual financial statements, inventories, management reports, opening balances, and the instructions and other organizational documents required for their understanding, accounting records, and invoices (§ 147(3) in conjunction with § 147(1) No. 1, 4, and 4a AO, § 14b(1) UStG, § 257(1) No. 1 and 4, and § 257(4) HGB).

  • 6 Years: Other business records, including received and sent commercial or business letters, and other documents relevant for taxation purposes (e.g., timesheets, operational accounting sheets, calculation documents, price labels, and payroll records unless they are accounting records or cash register receipts) (§ 147(3) in conjunction with § 147(1) No. 2, 3, and 5 AO, § 257(1) No. 2 and 3, and § 257(4) HGB).

  • 3 Years: Data necessary to consider potential warranty and damage claims or similar contractual claims and rights, as well as related inquiries based on prior business experiences and common industry practices, are retained for the duration of the standard statutory limitation period of three years (§§ 195, 199 BGB).

Rights of Data Subjects
Under the GDPR, you, as a data subject, have various rights arising, in particular, from Articles 15 to 21 GDPR:

• Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data carried out based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. If your personal data is processed for direct marketing purposes, you also have the right to object to the processing for such marketing at any time, including profiling related to direct marketing.

• Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.

• Right of Access: You have the right to request confirmation of whether your data is being processed and to obtain information about this data and further information and a copy of the data in accordance with legal requirements.

• Right to Rectification: You have the right, under legal provisions, to request the completion of your data or the correction of your inaccurate data.

• Right to Erasure and Restriction of Processing: You have the right, under legal provisions, to request the immediate deletion of your data or, alternatively, to request a restriction of processing in accordance with legal provisions.

• Right to Data Portability: You have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller, in accordance with legal provisions.

• Right to Lodge a Complaint: Without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, particularly in the member state of your habitual residence, workplace, or the location of the alleged infringement if you believe that the processing of your personal data violates the GDPR.

Provision of the Online Offer and Web Hosting
We process users' data to provide our online services. For this purpose, we process users' IP addresses, which are necessary to transmit the content and functionalities of our online services to the users’ browsers or devices.

Processed Data Types:

• Usage data: E.g., page views, session duration, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions.

• Metadata, communication, and procedural data: E.g., IP addresses, timestamps, identification numbers, involved persons.

• Log data: E.g., log files regarding logins, data retrieval, or access times.

• Content data: E.g., textual or visual messages and contributions and related information such as authorship or creation timestamps.

Data Subjects: Users, e.g., website visitors or users of online services.

Purposes of Processing:

• Provision of our online offer and user-friendliness.

• IT infrastructure (operation and provision of IT systems and devices such as computers and servers).

• Security measures.

Retention and Deletion: Data is deleted following the provisions outlined in the section "General Information on Data Retention and Deletion."

Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).

For further details on processing activities, procedures, and services, the translation continues faithfully to the original German content.

Provision of Online Offer on Rented Storage Space:
To provide our online offer, we use storage space, computing capacity, and software that we rent or otherwise procure from an appropriate server provider (also referred to as a "web host"); Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).

Collection of Access Data and Log Files:
Access to our online offer is logged in the form of "server log files." These log files may include the address and name of the accessed websites and files, the date and time of access, transmitted data volumes, messages regarding successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used for security purposes (e.g., to prevent server overloads, particularly in the event of misuse attacks such as DDoS attacks) and to ensure server stability and performance; Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).
Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that must be retained for evidence purposes is excluded from deletion until the respective incident is fully resolved.

Email Transmission and Hosting:
Our web hosting services also encompass the sending, receiving, and storage of emails. To this end, the addresses of recipients and senders, as well as additional information regarding email transmission (e.g., participating providers), and the content of the respective emails are processed. The aforementioned data may also be processed to detect SPAM. Please note that emails sent via the internet are generally not encrypted. While emails are typically encrypted during transport, they are not encrypted on the servers from which they are sent or received unless end-to-end encryption is used. Therefore, we cannot take responsibility for the transmission path of emails between the sender and our server.
Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).

ALL-INKL:
Services in the field of IT infrastructure provisioning and related services (e.g., storage space and/or computing capacity);
Service Provider: ALL-INKL.COM - Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68, 02742 Friedersdorf, Germany;
Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR);
Website: https://all-inkl.com/;
Privacy Policy: https://all-inkl.com/datenschutzinformationen/;
Data Processing Agreement: Provided by the service provider.

Framer

The provider of this service is Framer B.V., Rozengracht 207B, 1016 LZ Amsterdam, Netherlands (hereinafter referred to as "Framer"). When you visit our website, Framer collects various log files, including parts of your IP address.

Framer is a tool for creating and hosting websites. Framer stores cookies or other recognition technologies that are necessary for the display of the website, the provision of certain website features, and ensuring security ("necessary cookies"). For details, please refer to Framer's Privacy Policy: https://www.framer.com/legal/privacy-statement/.

The use of Framer is based on Article 6(1)(f) GDPR. We have a legitimate interest in the most reliable presentation of our website possible. If corresponding consent has been requested, processing is carried out exclusively on the basis of Article 6(1)(a) GDPR and Section 25(1) TTDSG, insofar as the consent includes the storage of cookies or access to information on the user's end device (e.g., device fingerprinting) as defined by the TTDSG. Consent can be revoked at any time.

Data transfers to the Netherlands are based on the standard contractual clauses of the European Commission. For further details, please refer to Framer's Privacy Policy: https://www.framer.com/legal/privacy-statement/.

Use of Cookies
The term "cookies" refers to functions that store and retrieve information on user devices. Cookies may be used for different purposes, such as ensuring the functionality, security, and user comfort of online offers, or for creating analyses of visitor flows. We use cookies in accordance with legal regulations. When necessary, we obtain users' prior consent. If consent is not required, we rely on our legitimate interests. This applies when the storage and retrieval of information are essential to provide explicitly requested content and functionalities. Examples include storing settings and ensuring the functionality and security of our online offer. Users can withdraw their consent at any time. We provide clear information about the scope and type of cookies used.

Notes on Legal Bases for Data Protection: Whether we process personal data using cookies depends on user consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests as explained in this section and in the context of respective services and procedures.

Storage Duration:
Regarding storage duration, the following types of cookies are distinguished:

• Temporary Cookies (also: Session Cookies): These cookies are deleted no later than when a user leaves the online offer and closes their device (e.g., browser or mobile application).

• Permanent Cookies: These cookies remain stored even after the device is closed. For instance, login statuses can be saved, and preferred content can be displayed immediately when a user revisits a website. Similarly, user data collected via cookies may be used for reach measurement. If we do not explicitly provide information about the type and storage duration of cookies (e.g., when obtaining consent), users should assume they are permanent cookies stored for up to two years.

General Notes on Revocation and Objection (Opt-Out):
Users can revoke their consent at any time and object to the processing as per legal requirements, including through their browser's privacy settings.

Cookie Settings/Objection Option:
https://www.thebookoffmx.com/legal-notice

Processed Data Types:
Metadata, communication, and procedural data (e.g., IP addresses, timestamps, identification numbers, involved persons).

Data Subjects: Users (e.g., website visitors, users of online services).

Legal Bases: Legitimate Interests (Art. 6(1)(1)(f) GDPR); Consent (Art. 6(1)(1)(a) GDPR).

Further Notes on Processing Activities, Procedures, and Services:

Processing of Cookie Data Based on Consent:
We use a consent management solution to obtain users' consent for the use of cookies or the procedures and providers specified in the consent management solution. This process involves obtaining, recording, managing, and withdrawing consent, particularly regarding cookies and similar technologies used to store, retrieve, and process information on users' devices. As part of this process, users can manage and withdraw their consent. Consent declarations are stored to avoid repeated queries and to provide proof of consent as required by law. Storage occurs server-side and/or in a cookie (known as an opt-in cookie) or via similar technologies to associate the consent with a specific user or device. Where no specific details are provided about consent management service providers, the following general notes apply: Consent storage duration is up to two years. A pseudonymous user identifier is created and stored along with the time of consent, information about the scope of consent (e.g., relevant cookie categories and/or service providers), as well as information about the browser, system, and device used; Legal Basis: Consent (Art. 6(1)(1)(a) GDPR).

We point out that user data may be processed outside the European Union. This may pose risks to users because enforcing their rights could become more difficult.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles may be created based on user behavior and their inferred interests. These profiles might then be used to display advertisements within and outside the networks that are presumably aligned with users' interests. As a result, cookies are typically stored on users' devices to record their usage behavior and interests. Additionally, such usage profiles may contain data that is independent of the devices used by users (especially when they are members of the respective platforms and logged in).

For a detailed overview of the specific processing forms and opt-out options, we refer to the privacy policies and information provided by the respective network operators.

In the case of access requests or exercising data subject rights, we advise that such requests are most effectively addressed directly to the providers. Only they have access to user data and can take appropriate actions or provide information. If you still require assistance, you may contact us.

Processed Data Types:

• Contact Data: E.g., postal and email addresses

• Usage Data: E.g., page views, time spent, click paths, usage intensity and frequency, types of devices used, operating systems, interactions with content and functions.

Data Subjects:

Users (e.g., website visitors, users of online services).

Purposes of Processing:

• Communication

• Feedback (e.g., collecting feedback via online forms)

• Public relations

Retention and Deletion:

Data is deleted in accordance with the details outlined in the section "General Information on Data Retention and Deletion."

Legal Bases:

Legitimate Interests (Art. 6(1)(1)(f) GDPR).

Further Notes on Processing Activities, Procedures, and Services:

Instagram:

Social network that enables sharing photos and videos, commenting on and favoriting posts, sending messages, and following profiles and pages.

• Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

• Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).

• Website: https://www.instagram.com.

• Privacy Policy: https://privacycenter.instagram.com/policy/.

• Basis for Third-Country Transfers: Data Privacy Framework (DPF).

Facebook Pages:

Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for collecting (but not further processing) data from visitors to our Facebook Page ("Fanpage"). Such data includes information about the types of content users view or interact with, actions they take (see "Things you and others do and provide" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/), as well as device information (e.g., IP addresses, operating systems, browser types, language settings, cookie data; see "Device Information" in Facebook's Data Policy: https://www.facebook.com/privacy/policy/).

As explained in Facebook's Data Policy under "How do we use this information?" Facebook collects and uses information to provide analytics services, called "Page Insights," to page operators to give them insights into how people interact with their pages and associated content. We have entered into a specific agreement with Facebook ("Page Insights Controller Addendum," https://www.facebook.com/legal/terms/page_controller_addendum), which defines Facebook's security obligations and its agreement to fulfill data subject rights (e.g., users can send access or deletion requests directly to Facebook).

Users' rights (e.g., access, deletion, objection, and complaints to the supervisory authority) are not restricted by agreements with Facebook. Further information is available in the "Page Insights Information" (https://www.facebook.com/legal/terms/information_about_page_insights_data). Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. Further data processing is the sole responsibility of Meta Platforms Ireland Limited, particularly regarding data transfer to the parent company Meta Platforms, Inc. in the United States.

• Service Provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland.

• Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).

• Website: https://www.facebook.com.

• Privacy Policy: https://www.facebook.com/privacy/policy/.

• Basis for Third-Country Transfers: Data Privacy Framework (DPF).

LinkedIn:

Social network – We are jointly responsible with LinkedIn Ireland Unlimited Company for collecting (but not further processing) data from visitors, used to generate "Page Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content users view or interact with, actions they take, as well as device details (e.g., IP addresses, operating systems, browser types, language settings, cookie data), and user profile information (e.g., job roles, countries, industries, hierarchy levels, company size, and employment status).

LinkedIn's data protection information about user data processing can be found in LinkedIn's Privacy Policy: https://www.linkedin.com/legal/privacy-policy.

We have a specific agreement with LinkedIn Ireland ("Page Insights Joint Controller Addendum," https://legal.linkedin.com/pages-joint-controller-addendum), which defines LinkedIn's security obligations and its agreement to fulfill data subject rights (e.g., users can send access or deletion requests directly to LinkedIn). Users' rights (e.g., access, deletion, objection, and complaints to the supervisory authority) are not restricted by agreements with LinkedIn. Joint responsibility is limited to the collection and transmission of data to LinkedIn Ireland Unlimited Company, a company based in the EU. Further data processing is the sole responsibility of LinkedIn Ireland Unlimited Company, particularly regarding data transfer to the parent company LinkedIn Corporation in the United States.

• Service Provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

• Legal Basis: Legitimate Interests (Art. 6(1)(1)(f) GDPR).

• Website: https://www.linkedin.com.

• Privacy Policy: https://www.linkedin.com/legal/privacy-policy.

• Basis for Third-Country Transfers: Data Privacy Framework (DPF).

• Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

Changes and Updates
We encourage you to regularly review the content of our privacy policy. We will update the privacy policy as soon as changes in our data processing activities make this necessary. We will inform you if such changes require your cooperation (e.g., consent) or other individual notifications.

If we provide addresses and contact information for companies and organizations in this privacy policy, please note that these addresses may change over time. We ask you to verify the information before contacting these entities.