Privacy Policy
Preamble
With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as “online offering”).
The terms used are not gender-specific.
Status: April 23, 2025
Table of Contents
Preamble
Controller
Overview of Processing
Relevant Legal Bases
Security Measures
Transfer of Personal Data
International Data Transfers
General Information on Data Storage and Deletion
Rights of Data Subjects
Provision of the Online Offering and Web Hosting
Use of Cookies
Contact and Inquiry Management
Plugins and Embedded Functions and Content
Definitions of Terms
Controller
Cavalo Lusitano
Sonja Niedermaier
Hack 11
87637 Seeg
Germany
Email: info@cavalo-lusitano.net
Legal Notice: https://cavalo-lusitano.net/impressum/
Overview of Processing
The following overview summarizes the types of data processed, the purposes of their processing, and refers to the data subjects.
Types of Data Processed:
Inventory data
Location data
Contact data
Content data
Usage data
Meta, communication, and procedural data
Log data
Categories of Data Subjects:
Communication partners
Users
Purposes of Processing:
Provision of contractual services and fulfillment of contractual obligations
Communication
Security measures
Reach measurement
Tracking
Audience targeting
Organizational and administrative procedures
Feedback
Marketing
Provision of our online offering and user-friendliness
Information technology infrastructure
Relevant Legal Bases
Relevant Legal Bases under the GDPR:
Below is an overview of the legal bases of the General Data Protection Regulation (GDPR) on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases are applicable in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6 para. 1 sentence 1 lit. a GDPR): The data subject has given consent to the processing of their personal data for one or more specific purposes.
Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR): Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
National Data Protection Regulations in Germany:
In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Germany. This includes, in particular, the Federal Data Protection Act (BDSG), which contains specific provisions on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, data protection laws of the individual federal states may apply.
Note on the Applicability of the GDPR and the Swiss Data Protection Act (DSG):
These data protection notices serve both to provide information under the Swiss DSG and under the GDPR. Therefore, please note that, for broader applicability and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms used in the Swiss DSG such as “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data,” the terms used in the GDPR such as “processing” of “personal data,” “legitimate interest,” and “special categories of data” are used. However, the legal meaning of the terms is determined according to the Swiss DSG within its scope of application.
Security Measures
We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling both physical and electronic access to the data, as well as the access, input, transmission, availability, and separation of the data itself. In addition, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data security threats. We also take into account the protection of personal data during the development or selection of hardware, software, and procedures, in line with the principles of data protection by design and by default.
Securing Online Connections via TLS/SSL Encryption Technology (HTTPS):
To protect user data transmitted via our online services from unauthorized access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information transmitted between the website or app and the user’s browser (or between two servers), thus protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and in encrypted form.
Transmission of Personal Data
As part of our processing of personal data, it may happen that such data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers tasked with IT services or providers of services and content integrated into a website. In such cases, we comply with the legal requirements and in particular conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your data.
International Data Transfers
Data Processing in Third Countries:
If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA))—whether this occurs through the use of third-party services or through the disclosure or transmission of data to other persons, entities, or companies (which is identifiable by the provider’s postal address or explicitly indicated in the privacy policy)—we always do so in compliance with legal requirements.
For data transfers to the United States, we primarily rely on the Data Privacy Framework (DPF), which was recognized as a secure legal framework by an EU Commission adequacy decision dated July 10, 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the respective providers that meet EU Commission requirements and establish contractual obligations to protect your data.
This dual protection ensures a comprehensive level of data security: The DPF serves as the primary safeguard, while the SCCs provide an additional layer of protection. Should the DPF be altered or suspended, the SCCs act as a reliable fallback to ensure your data remains adequately protected, even in the event of political or legal changes.
For each service provider, we inform you whether they are certified under the DPF and whether SCCs are in place. You can find more information about the DPF and a list of certified companies on the U.S. Department of Commerce website: https://www.dataprivacyframework.gov/ (in English).
For data transfers to other third countries, equivalent safeguards apply—especially the use of SCCs, explicit consent, or transfers required by law. You can find further information about third-country data transfers and applicable adequacy decisions on the EU Commission’s website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en
General Information on Data Storage and Deletion
We delete personal data we process in accordance with legal provisions, once the underlying consent has been revoked or there is no further legal basis for processing—such as when the original purpose for processing ceases to apply or the data is no longer needed. Exceptions to this rule exist when legal obligations or special interests require longer retention or archiving of the data.
This particularly applies to data that must be retained for commercial or tax law reasons or when storage is necessary for legal enforcement or to protect the rights of other natural or legal persons.
Our privacy policy contains further information about data retention and deletion specific to certain processing activities.
Where multiple retention periods or deletion deadlines are indicated for a dataset, the longest period always applies.
If a retention period does not explicitly begin on a specified date and is at least one year in length, it automatically starts at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships involving stored data, the triggering event is the effective date of termination or other conclusion of the legal relationship.
Data retained beyond its originally intended purpose due to legal obligations or other reasons will only be processed for the purposes that justify its continued retention.
Additional Information on Processing, Procedures, and Services:
Retention and Deletion Periods (Under German Law):
10 Years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets, and all related documentation necessary for understanding them (§ 147 para. 1 no. 1 in conjunction with para. 3 AO; § 14b para. 1 UStG; § 257 para. 1 no. 1 in conjunction with para. 4 HGB).
8 Years – Accounting records such as invoices and cost documents (§ 147 para. 1 nos. 4 and 4a in conjunction with para. 3 sentence 1 AO; § 257 para. 1 no. 4 in conjunction with para. 4 HGB).
6 Years – Other business documents: received business letters, copies of sent business letters, and other documents relevant for taxation (e.g., timesheets, cost allocation sheets, calculation documents, pricing records, payroll documents if not already accounting records, and cash register strips) (§ 147 para. 1 nos. 2, 3, 5 in conjunction with para. 3 AO; § 257 para. 1 nos. 2 and 3 in conjunction with para. 4 HGB).
3 Years – Data necessary to consider potential warranty and damage claims or similar contractual claims and to handle related inquiries—based on past business experiences and industry practice—is stored for the standard statutory limitation period of three years (§§ 195, 199 BGB).
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject under the General Data Protection Regulation (GDPR), you are entitled to various rights, particularly those outlined in Articles 15 to 21 GDPR:
Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f) GDPR; this also applies to any profiling based on those provisions. If your personal data is being processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this includes profiling to the extent that it is related to such direct marketing.
Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
Right of access: You have the right to request confirmation as to whether or not your personal data is being processed, and, where that is the case, access to the personal data and further information and a copy of the data as provided by law.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of your personal data or the rectification of inaccurate data.
Right to erasure and restriction of processing: You have the right, in accordance with legal requirements, to request the immediate deletion of your personal data, or alternatively, restriction of the processing of your data.
Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller, in accordance with legal provisions.
Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data violates the GDPR.
Provision of Online Services and Web Hosting
We process users’ data to provide our online services. To do this, we process users’ IP addresses, which are necessary to deliver the content and functions of our online services to the user’s browser or device.
Data types processed: Usage data (e.g., page views, time spent, click paths, usage intensity and frequency, device types and operating systems, interactions with content and features); meta, communication and procedural data (e.g., IP addresses, timestamps, IDs, involved persons); log data (e.g., login logs, data retrieval, access times); content data (e.g., text or image messages and posts including authorship and creation timestamp).
Data subjects: Users (e.g., website visitors, users of online services).
Purposes of processing: Providing our online offer and ensuring user-friendliness; IT infrastructure (operation and provision of information systems and devices such as computers, servers, etc.); security measures; performance of contractual services and fulfillment of contractual obligations.
Data retention and deletion: Deletion follows the information given in the section “General Information on Data Storage and Deletion.”
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Additional notes on processes, procedures, and services:
Provision of online services via rented server space: We use hosting services (i.e., rented server space, computing power, and software) from a third-party provider (“web host”);
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Collection of access data and log files: Access to our online service is logged in “server log files,” which may include the accessed pages/files, date/time of access, transferred data volumes, successful access messages, browser types/versions, user OS, referrer URLs (previous page), IP addresses, and provider information. These log files are used for security purposes (e.g., protection against server overload or DDoS attacks) and to ensure server stability;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR).
Data deletion: Log file data is stored for up to 30 days and then deleted or anonymized. Data needed for evidence purposes will be excluded from deletion until final resolution.
1&1 IONOS: Provider of IT infrastructure services (e.g., hosting and computing resources);
Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://www.ionos.de;
Privacy Policy: https://www.ionos.de/terms-gtc/terms-privacy;
Data Processing Agreement: IONOS AVV Info
WordPress.com: Hosting and CMS service for websites and blogs;
Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland;
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR);
Website: https://wordpress.com;
Privacy Policy: https://automattic.com/de/privacy/;
Data Processing Agreement: DPA Info;
Legal basis for third country transfer: Data Privacy Framework (DPF), Standard Contractual Clauses (provided by the service provider).
Use of Cookies
The term “cookies” refers to functions that store and retrieve information on users’ devices. Cookies can serve various purposes such as functionality, security, user convenience, and analytics. We use cookies in compliance with legal regulations, requesting user consent when required. When consent is not required, we rely on legitimate interests—especially when cookies are necessary to provide explicitly requested services or features, such as saving preferences or ensuring the website’s secure functionality. Users can withdraw consent at any time, and we clearly inform them about the types and purposes of cookies used.
Legal basis for cookie usage: Whether personal data is processed via cookies depends on user consent. If granted, consent forms the legal basis. If not, processing relies on our legitimate interests, as described in this and other sections.
Cookie retention:
Session cookies (temporary): These are deleted after the user leaves the site and closes the browser or app.
Persistent cookies: These remain stored even after the session ends. They can store login status or preferences and be used for analytics. Unless stated otherwise, users can assume cookies are persistent and stored for up to two years.
General notes on revocation and objection (opt-out):
Users can withdraw their consent at any time or object to processing via their browser’s privacy settings.
Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, timestamps, IDs, involved parties).
Data subjects: Users (e.g., website visitors, online service users).
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Consent (Art. 6(1)(a) GDPR).
Further information:
Cookie data processing based on consent:
We use a consent management platform (CMP) to collect, manage, document, and withdraw cookie consents. This platform tracks user consent for cookies and related data processing, identifying users or devices via pseudonymous IDs. Information such as the scope of consent, timestamp, and browser/device details are stored. If not otherwise specified, storage lasts up to two years.
Legal basis: Consent (Art. 6(1)(a) GDPR).
Contact and Inquiry Management
When contacting us (e.g. by mail, contact form, email, phone, or via social media), as well as in the context of existing user and business relationships, the data of the requesting persons will be processed to the extent necessary to respond to the contact requests and any requested actions.
Types of data processed:
Inventory data (e.g. full name, residential address, contact details, customer number, etc.); contact data (e.g. postal and email addresses or phone numbers); content data (e.g. textual or visual messages and contributions, as well as related information such as authorship details or creation timestamps); usage data (e.g. page views and time spent, click paths, intensity and frequency of use, device types and operating systems used, interactions with content and functions); metadata, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
Data subjects: Communication partners.
Purposes of processing: Communication; organizational and administrative procedures; feedback (e.g. collecting feedback via online form); provision of our online offering and user-friendliness.
Storage and deletion: Deletion according to the section “General Information on Data Storage and Deletion”.
Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR).
Further information on processing procedures, methods, and services:
Contact form:
When contacting us via our contact form, by email, or other communication channels, we process the personal data provided to respond to and handle the request. This usually includes data such as name, contact details, and potentially other information necessary for proper handling. We use this data exclusively for the stated purpose of communication.
Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Plugins and Embedded Functions and Content
We integrate function and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). This can include graphics, videos, or maps (collectively referred to as “content”).
Integration always requires that the third-party providers of this content process users’ IP addresses, since they would not be able to send the content to their browser without it. The IP address is thus necessary for displaying this content or functions. We strive to use only content whose providers use the IP address solely to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to analyze information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on users’ devices and may include technical information about browsers and operating systems, referring websites, visit times, as well as further usage details, and may be linked to similar information from other sources.
Legal basis information:
If we ask users for their consent to the use of third-party services, the legal basis for the processing of data is their consent. Otherwise, user data is processed based on our legitimate interests (i.e. interest in efficient, economical, and recipient-friendly services). For further information, see the section on the use of cookies in this privacy policy.
Types of data processed: Usage data (e.g. page views and dwell time, click paths, intensity and frequency of use, device types and operating systems, interactions with content and features); metadata, communication, and procedural data (e.g. IP addresses, timestamps, identification numbers, involved individuals); location data (e.g. geographic location of a device or person).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and user-friendliness; reach measurement (e.g. access statistics, identification of returning visitors); tracking (e.g. interest-/behavior-based profiling, use of cookies); audience targeting; marketing.
Storage and deletion: Deletion according to the section “General Information on Data Storage and Deletion”. Cookies may be stored for up to 2 years on users’ devices unless otherwise specified.
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Further information on processing procedures, methods, and services:
Google Fonts (served from Google servers): Fonts (and icons) are retrieved for the purpose of technically safe, maintenance-free, and efficient use of fonts and symbols, as well as for consistent display and licensing considerations. The user’s IP address is shared with the font provider to deliver the fonts to the user’s browser. Technical data (language settings, screen resolution, operating system, device used) may also be shared. These may be processed on servers in the U.S. by Google Fonts Web API, which logs request details (requested URL, user agent, referrer URL), but does not log or store IP addresses.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
Website: https://fonts.google.com/
Privacy policy: https://policies.google.com/privacy
Third-country transfer: Data Privacy Framework (DPF)
More info: https://developers.google.com/fonts/faq/privacy?hl=en
Google Maps: We embed maps from the “Google Maps” service provided by Google. Data processed may include users’ IP addresses and location data.
Provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
Website: https://mapsplatform.google.com/
Privacy policy: https://policies.google.com/privacy
Third-country transfer: Data Privacy Framework (DPF)
YouTube videos: Embedded video content.
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
Website: https://www.youtube.com
Privacy policy: https://policies.google.com/privacy
Third-country transfer: Data Privacy Framework (DPF)
Opt-out options: Ad personalization settings: https://myadcenter.google.com/personalizationoff