Privacy Policy

1) Introduction and contact details of the controller

1.1 We are pleased that you are visiting our website and thank you for your interest. In the following, we inform you about how we handle your personal data when you use our website. Personal data is any data by which you can be personally identified.

1.2 The controller responsible for data processing on this website within the meaning of the General Data Protection Regulation (GDPR) is CIRO GmbH, Maischer Str. 10, 85386 Eching, Germany, phone: 017623433294, e-mail: markus@ciro.immo. The controller responsible for the processing of personal data is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

2) Data collection when visiting our website

2.1 When you use our website for informational purposes only, i.e. if you do not register or otherwise transmit information to us, we only collect the data that your browser transmits to our server (so-called “server log files”). When you access our website, we collect the following data that is technically necessary for us to display the website to you:

• The website you visited
• Date and time of access
• Amount of data sent in bytes
• Source/reference from which you reached the page
• Browser used
• Operating system used
• IP address used (where applicable: in anonymized form)

Processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website. The data is not passed on or used in any other way. We do, however, reserve the right to subsequently review the server log files should there be concrete indications of unlawful use.

2.2 For security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to us), this website uses SSL or TLS encryption. You can recognize an encrypted connection by the string “https://” and the lock symbol in your browser bar.

3) Hosting & content delivery network

Cloudflare

We use a content delivery network from the following provider: Cloudflare Inc., 101 Townsend St. San Francisco, CA 94107, USA.

This service enables us to deliver large media files such as graphics, page content or scripts faster via a network of regionally distributed servers. Processing is carried out to safeguard our legitimate interest in improving the stability and functionality of our website pursuant to Art. 6(1)(f) GDPR. We have concluded a data processing agreement with the provider that ensures the protection of our visitors' data and prohibits unauthorized disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

4) Cookies

In order to make visiting our website attractive and to enable the use of certain functions, we use cookies, i.e. small text files that are stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called “session cookies”), while others remain on your device for longer and enable us to save page settings (so-called “persistent cookies”). In the latter case, you can find the storage period in the overview of the cookie settings of your web browser.

If individual cookies we use also process personal data, processing is carried out in accordance with Art. 6(1)(b) GDPR either to perform the contract, in accordance with Art. 6(1)(a) GDPR in the case of consent given, or in accordance with Art. 6(1)(f) GDPR to safeguard our legitimate interests in the best possible functionality of the website as well as a customer-friendly and effective design of the visit.

You can set your browser so that you are informed about the setting of cookies and can decide individually whether to accept them, or you can exclude the acceptance of cookies for certain cases or in general.

Please note that the functionality of our website may be limited if cookies are not accepted.

5) Contacting us

5.1 Anthropic Claude

To provide autonomous customer support, we have integrated an artificial intelligence software solution from the following provider on this website: Anthropic Ireland Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland.

Data may also be transmitted to: Anthropic PBC, USA.

Via an API-based integration, visitors can submit enquiries by text input regarding offers, website functionalities, placed orders and the exercise of contractual rights, which are then answered and processed by the provider's language models.

For this purpose, the provider's software may collect personal data from you in order to compare it with your order history, assign the input to a specific order, automatically check your request and then resolve it by autonomously initiating processing operations.

The collection and further processing of personal data is carried out exclusively to handle the specific request. The processing of your inputs for the purpose of training and further developing the provider's AI language models is expressly prohibited.

Data processing is carried out on the basis of our legitimate interest in the effective support of our visitors, in the optimal marketing of our offer and in the automation of customer support to relieve operations pursuant to Art. 6(1)(f) GDPR.

Personal data collected from you will be deleted, subject to conflicting statutory retention periods, when the provider's software determines, in accordance with automated mathematical-statistical procedures, a final clarification of the matter.

We have concluded a data processing agreement with the provider that ensures the protection of your data and prohibits unauthorized disclosure to third parties.

For the transfer of data to the USA, the provider relies on the European Commission's standard contractual clauses, which are intended to ensure compliance with the European level of data protection.

5.2 WhatsApp Business

We offer you the option of contacting us via the messaging service WhatsApp provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For this we use the so-called “Business version” of WhatsApp.

If you contact us via WhatsApp in connection with a specific transaction (for example, a placed order), we store and use the mobile phone number you use with WhatsApp as well as – if provided – your first and last name in accordance with Art. 6(1)(b) GDPR to handle and respond to your request. On the same legal basis, we may ask you via WhatsApp to provide further data (order number, customer number, address or e-mail address) in order to assign your enquiry to a specific transaction.

If you use our WhatsApp contact for general enquiries (e.g. regarding the range of services, availability or our website), we store and use the mobile phone number you use with WhatsApp as well as – if provided – your first and last name in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in the efficient and timely provision of the requested information.

Your data is always only used to respond to your request via WhatsApp. It is not passed on to third parties.

Please note that WhatsApp Business gains access to the address book of the mobile device we use for this purpose and automatically transfers phone numbers stored in the address book to a server of its parent company Meta Platforms Inc. in the USA. To operate our WhatsApp Business account, we use a mobile device whose address book exclusively stores the WhatsApp contact details of those users who have also contacted us via WhatsApp.

This ensures that every person whose WhatsApp contact details are stored in our address book has already consented, upon first use of the app on their device by accepting the WhatsApp terms of use, to the transfer of their WhatsApp phone number from the address books of their chat contacts in accordance with Art. 6(1)(a) GDPR. A transfer of data of users who do not use WhatsApp and/or have not contacted us via WhatsApp is thus excluded.

Please refer to WhatsApp's privacy notices for the purpose and scope of data collection and the further processing and use of the data by WhatsApp, as well as your related rights and settings options for protecting your privacy: https://www.whatsapp.com/legal/?eea=1#privacy-policy

In the context of the processing operations mentioned above, data may be transferred to servers of Meta Platforms Inc. in the USA.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

5.3 When you contact us (e.g. via contact form or e-mail), personal data is processed exclusively for the purpose of handling and responding to your request and only to the extent necessary for this.

The legal basis for processing this data is our legitimate interest in responding to your request pursuant to Art. 6(1)(f) GDPR. If your contact is aimed at concluding a contract, the additional legal basis for processing is Art. 6(1)(b) GDPR. Your data will be deleted when it can be inferred from the circumstances that the matter concerned has been conclusively clarified and provided that there are no statutory retention obligations to the contrary.

5.4 Brevo

For sending transactional e-mails, i.e. event-related messages triggered by a specific user interaction (such as conclusion of a contract, registration or password reset), we use this provider: Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.

On the basis of our legitimate interest in effective and user-friendly e-mail communication, we pass on the data you provide when carrying out such a user action to this provider pursuant to Art. 6(1)(f) GDPR so that it can handle the mailing on our behalf.

We have concluded a data processing agreement with the provider that protects the data of our visitors and prohibits disclosure to third parties.

6) Data processing when opening a customer account

In accordance with Art. 6(1)(b) GDPR, personal data will continue to be collected and processed to the extent necessary in each case if you provide it to us when opening a customer account. You can find out which data is required to open an account from the input mask of the relevant form on our website.

You can delete your customer account at any time by sending a message to the controller's address mentioned above. After deletion of your customer account, your data will be deleted provided that all contracts concluded through it have been fully processed, no statutory retention periods conflict, and we have no legitimate interest in continued storage.

7) Use of customer data for direct advertising

7.1 Subscription to our e-mail newsletter

If you subscribe to our e-mail newsletter, we will regularly send you information about our offers. The only mandatory information for sending the newsletter is your e-mail address. Providing further data is voluntary and is used to be able to address you personally. For sending the newsletter, we use the so-called double opt-in procedure, which ensures that you only receive newsletters once you have expressly confirmed your consent to receiving the newsletter by clicking a verification link sent to the specified e-mail address.

By activating the confirmation link, you give us your consent to use your personal data in accordance with Art. 6(1)(a) GDPR. In doing so, we store the IP address assigned by your internet service provider (ISP) as well as the date and time of registration in order to be able to trace any possible misuse of your e-mail address at a later point in time. The data collected by us when you subscribe to the newsletter is used strictly for the intended purpose.

You can unsubscribe from the newsletter at any time via the link provided for this purpose in the newsletter or by sending a corresponding message to the controller named at the outset. After unsubscribing, your e-mail address will be deleted from our newsletter distribution list without delay, unless you have expressly consented to further use of your data or we reserve the right to use the data beyond this, which is permitted by law and about which we inform you in this declaration.

7.2 Brevo

Our e-mail newsletters and other promotional e-mail communications are sent via this provider: Brevo GmbH, Köpenicker Str. 126, 10179 Berlin, Germany.

On the basis of our legitimate interest in effective and user-friendly e-mail marketing, we pass on the data you provide upon registration to this provider pursuant to Art. 6(1)(f) GDPR so that it can handle the mailing on our behalf.

We reserve the right, exclusively on the basis of your express consent pursuant to Art. 6(1)(a) GDPR, to additionally carry out a statistical performance analysis of mail campaigns using web beacons or tracking pixels in the e-mails sent, which can measure open rates and specific interactions with the newsletter content. In doing so, device information (e.g. time of access, IP address, browser type and operating system) is also collected and evaluated, but not combined with other data sets.

You can revoke your consent to mail tracking at any time with effect for the future.

We have concluded a data processing agreement with the provider that protects the data of our visitors and prohibits disclosure to third parties.

8) Data processing for contract execution

8.1 To process the contract, we work with the following service provider(s), who support us in whole or in part in carrying out concluded contracts. Certain personal data is transmitted to these service providers in accordance with the following information.

8.2 Use of payment service providers (payment services) – Stripe

One or more online payment methods from the following provider are available on this website: Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland.

If you select a payment method from the provider in which you make advance payment (e.g. credit card payment), the payment data you provided during the ordering process (including name, address, bank and payment card information, currency and transaction number) as well as information about the content of your order will be passed on to the provider in accordance with Art. 6(1)(b) GDPR. In this case, your data is passed on exclusively for the purpose of payment processing with the provider and only to the extent necessary for this.

If you select a payment method in which the provider makes advance payment (e.g. purchase on account or in instalments, or direct debit), you will also be asked during the ordering process to provide certain personal data (first and last name, street, house number, postal code, city, date of birth, e-mail address, telephone number, and, where applicable, data on an alternative means of payment).

To safeguard our legitimate interest in determining the solvency of our customers, we forward this data to the provider pursuant to Art. 6(1)(f) GDPR for the purpose of a credit check. On the basis of the personal data you provide and further data (such as shopping cart, invoice amount, order history, payment experiences), the provider checks whether the payment option you have selected can be granted with regard to payment and/or default risks.

The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, among other things but not exclusively, address data.

You can object to this processing of your data at any time by sending a message to us or to the provider. However, the provider may still be entitled to process your personal data insofar as this is necessary for contractual payment processing.

8.3 Anthropic Claude

To provide our services, we use artificial intelligence software from the following provider: Anthropic Ireland Limited, 6th Floor, South Bank House, Barrow Street, Dublin 4, D04 TR29, Ireland.

Information provided by you within the framework of a contractual relationship may be fed into the provider's software in order to organize, analyze, aggregate, modify, evaluate or process it for the provision of our service.

Information may also be transmitted to: Anthropic PBC, USA.

The collection and further processing of this information is carried out strictly for the purpose of fulfilling the contract. Processing for the purpose of training and further developing the provider's AI language models is expressly prohibited.

Insofar as personal data is also the subject of processing, this is carried out on the basis of our legitimate interest in the efficient design of our services and the optimal use of available resources and technologies pursuant to Art. 6(1)(f) GDPR. If the personal data is data of third parties whose processing you have entrusted to us, this processing on our behalf is secured by concluding a data processing agreement with us, which specifies the measures taken to protect this data as well as your control and access rights.

We, for our part, have concluded a data processing agreement with the provider that ensures the protection of personal data processed via the provider and prohibits unauthorized disclosure to third parties.

For the transfer of data to the USA, the provider relies on the European Commission's standard contractual clauses, which are intended to ensure compliance with the European level of data protection.

8.4 Electronic cancellation option for continuing obligations with consumers

Consumers who have entered into contracts for paid continuing obligations (e.g. subscription contracts) on this website have the option of cancelling these via an electronic button in accordance with the applicable notice periods.

Pressing the button leads to a confirmation page on which the consumer can provide further details about the cancellation, identify themselves unambiguously and then declare their cancellation electronically.

The collection of personal data and its transmission to us is carried out in accordance with Art. 6(1)(b) GDPR and only to the extent that it is necessary for the proper handling of the cancellation. Also on the basis of Art. 6(1)(b) GDPR, the personal data provided is used to confirm the receipt of the cancellation declaration and the time of cancellation electronically in text form. A further legal basis for processing is Art. 6(1)(c) GDPR. We are legally obliged to provide an electronic cancellation option for consumer contracts concluded by means of electronic commerce regarding paid continuing obligations.

9) Web analytics services

Amplitude

This website uses the web analytics service of the following provider: Amplitude, Inc., 201 3rd Street, Suite 200, San Francisco, CA 94103, USA.

The service enables a statistical evaluation of the use of new functions and content of the website by serving test variants to certain user groups. In this way, in the interest of improving the attractiveness of our website, it can be traced which variants are preferred by users. For this purpose, the service uses cookies, i.e. small text files that are stored on your device and enable an analysis of your use of a website. The information collected by cookies about your use of the website is generally transmitted to a server of the provider and stored and processed there.

All processing operations described above, in particular the setting of cookies for storing and reading information on the device you use to access the website, are only carried out if you have given us your express consent to do so in accordance with Art. 6(1)(a) GDPR. Without your consent, the service will not be used during your use of the website. You can revoke any consent you have given at any time with effect for the future. To exercise your revocation, please deactivate this service via the “cookie consent tool” provided on the website.

We have concluded a data processing agreement with the provider that ensures the protection of our visitors' data and prohibits unauthorized disclosure to third parties.

For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.

10) Rights of the data subject

10.1 Applicable data protection law grants you the following data subject rights (rights to information and intervention) vis-à-vis us as the controller with regard to the processing of your personal data, whereby reference is made to the legal basis cited for the respective conditions of exercise:

• Right of access pursuant to Art. 15 GDPR;
• Right to rectification pursuant to Art. 16 GDPR;
• Right to erasure pursuant to Art. 17 GDPR;
• Right to restriction of processing pursuant to Art. 18 GDPR;
• Right to notification pursuant to Art. 19 GDPR;
• Right to data portability pursuant to Art. 20 GDPR;
• Right to withdraw consent given pursuant to Art. 7(3) GDPR;
• Right to lodge a complaint pursuant to Art. 77 GDPR.

10.2 Right to object

IF WE PROCESS YOUR PERSONAL DATA WITHIN THE FRAMEWORK OF A BALANCING OF INTERESTS ON THE BASIS OF OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE THE PROCESSING OF THE DATA CONCERNED. HOWEVER, WE RESERVE THE RIGHT TO CONTINUE PROCESSING IF WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR IF THE PROCESSING SERVES TO ASSERT, EXERCISE OR DEFEND LEGAL CLAIMS.

IF YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT ADVERTISING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH ADVERTISING. YOU CAN EXERCISE THE OBJECTION AS DESCRIBED ABOVE.

IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE THE PROCESSING OF THE DATA CONCERNED FOR DIRECT ADVERTISING PURPOSES.

11) Duration of storage of personal data

The duration of storage of personal data is determined by the respective legal basis, the purpose of processing and – where applicable – additionally by the respective statutory retention period (e.g. commercial and tax retention periods).

In the case of processing personal data on the basis of express consent pursuant to Art. 6(1)(a) GDPR, the data concerned is stored until you revoke your consent.

If statutory retention periods exist for data processed within the framework of legal or quasi-legal obligations on the basis of Art. 6(1)(b) GDPR, this data is routinely deleted after the retention periods have expired, provided it is no longer required for the performance or initiation of the contract and/or we have no legitimate interest in continued storage.

In the case of processing personal data on the basis of Art. 6(1)(f) GDPR, this data is stored until you exercise your right to object pursuant to Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

In the case of processing personal data for the purpose of direct advertising on the basis of Art. 6(1)(f) GDPR, this data is stored until you exercise your right to object pursuant to Art. 21(2) GDPR.

Unless otherwise stated in the other information in this declaration regarding specific processing situations, stored personal data is otherwise deleted when it is no longer necessary for the purposes for which it was collected or otherwise processed.