Privacy Policy

Privacy Policy

Preamble
This Privacy Policy explains what types of personal data (“data”) we process, for which purposes, and to what extent. It applies to all processing activities carried out by us, including the provision of our services, our websites, mobile applications, and external online presences such as our social media profiles (collectively referred to as the “Online Offering”). The policy applies to visitors, customers, and business partners alike. All terms used in this document are intended to be gender‑neutral.

Last updated: March 31, 2025

Controller

Winter Real Estate
Jakob Winter
Kirrlohstraße 11
88339 Bad Waldsee
Germany

Authorized representative: Jakob Winter
Email: info@wecurateforyou.com

Overview of processing activities

Types of data processed

  • Master data
  • Payment data
  • Contact details
  • Content data
  • Contract data
  • Usage data
  • Metadata, communication and procedural data
  • Event data (e.g. Facebook)
  • Log data

Categories of data subjects

  • Clients and service recipients
  • Prospective customers
  • Communication partners
  • Users
  • Business and contractual partners
  • Participants

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations
  • Communication
  • Security measures
  • Direct marketing
  • Office and organizational procedures
  • Affiliate tracking
  • Administrative and organizational processes
  • IT security (e.g. firewall)
  • Feedback
  • Surveys and questionnaires
  • Marketing
  • User profiling
  • Provision and optimization of our online offering
  • IT infrastructure
  • Public relations
  • Sales promotion
  • Business processes and operational management

Definitions

Affiliate tracking: Recording and evaluation of links that direct users from partner websites to offers on other sites. Tracking values such as referrer, timestamps, partner IDs, user identifiers and campaign parameters may be stored to determine commissions.

Master data: Core information required to identify and manage contractual partners or user accounts, such as names, addresses, contact details, birth dates and identifiers.

Firewall: A security system that protects networks or devices from unauthorized access.

Content data: Information created or published by users, including text, images, videos, audio files and associated metadata.

Contact data: Information enabling communication, such as phone numbers, postal addresses, email addresses or social media identifiers.

Metadata, communication and procedural data: Information describing the context, structure or transmission of data, including timestamps, communication logs, workflows and audit trails.

Usage data: Information about how users interact with digital services, such as page views, navigation paths, device information, IP addresses and activity timestamps.

Personal data: Any information relating to an identified or identifiable natural person.

Profiles with user‑related information: Automated processing of personal data to analyze or predict personal aspects such as interests, behavior or preferences.

Log data: System‑generated records of events or activities, such as IP addresses, timestamps or error messages.

Controller: The entity responsible for determining the purposes and means of processing personal data.

Processing: Any operation performed on personal data, including collection, storage, analysis, transmission or deletion.

Contract data: Information relating to contractual relationships, such as contract terms, durations, payment conditions or obligations.

Payment data: Information required to process financial transactions, such as bank details, transaction IDs or billing information.

Legal bases

We process personal data based on the following legal grounds under the GDPR:

  • Consent (Art. 6(1)(a) GDPR): When individuals voluntarily agree to the processing of their data for specific purposes.
  • Performance of a contract (Art. 6(1)(b) GDPR): When processing is necessary to fulfill contractual obligations or respond to pre‑contractual requests.
  • Legal obligation (Art. 6(1)(c) GDPR): When processing is required to comply with statutory duties.
  • Legitimate interests (Art. 6(1)(f) GDPR): When processing is necessary to protect our legitimate interests or those of third parties, provided these do not override the rights of the data subject.

In addition, the German Federal Data Protection Act (BDSG) applies, including rules on access rights, deletion, objections and processing of special categories of data.

Security measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, implementation costs, and the nature and scope of processing.

  • Protection of confidentiality, integrity and availability of data
  • Physical and digital access controls
  • Secure data transmission
  • Procedures for exercising data subject rights
  • Data deletion and incident response processes
  • Privacy‑by‑design and privacy‑by‑default principles

TLS/SSL encryption (HTTPS): To protect data transmitted via our online services, we use TLS/SSL encryption. This ensures that information exchanged between users and our website is securely encrypted and protected from unauthorized access.

Data transfers

We may transfer personal data to third parties such as IT service providers or content providers integrated into our website. All transfers are carried out in accordance with legal requirements, and appropriate agreements are in place to ensure data protection.

International data transfers

If data is transferred to countries outside the EU/EEA (“third countries”), this is done in compliance with the GDPR.

For transfers to the United States, we rely primarily on the EU‑US Data Privacy Framework (DPF). Where necessary, we also use Standard Contractual Clauses (SCCs) as an additional safeguard. For transfers to other third countries, equivalent safeguards apply, such as SCCs, explicit consent or legal obligations.

Data storage and deletion

We delete personal data in accordance with legal requirements when consent is withdrawn, the purpose of processing no longer applies, or no other legal basis exists. Certain data must be retained for statutory periods (e.g. tax or commercial law).

General retention periods (Germany):

  • 10 years: Accounting records, annual financial statements, inventories and related documents
  • 8 years: Invoices and booking receipts
  • 6 years: Business correspondence and other relevant documents
  • 3 years: Data required to handle potential warranty or compensation claims

Data retained for legal reasons is processed only for those purposes.

Rights of data subjects

As a data subject, you have the following rights under Articles 15–21 GDPR:

  • Right to object: You may object at any time to the processing of your personal data based on Art. 6(1)(e) or (f) GDPR, including profiling. If your data is processed for direct marketing, you may object at any time to such processing.
  • Right to withdraw consent: You may withdraw previously given consent at any time.
  • Right of access: You may request confirmation as to whether your data is being processed and obtain access to this data and related information.
  • Right to rectification: You may request the correction or completion of inaccurate or incomplete data.
  • Right to erasure and restriction: You may request the deletion of your data or the restriction of processing in accordance with legal requirements.
  • Right to data portability: You may receive your data in a structured, commonly used, machine‑readable format or request its transfer to another controller.
  • Right to lodge a complaint: You may file a complaint with a supervisory authority if you believe that the processing of your personal data violates the GDPR.

Business services

We process the data of our contractual and business partners (“contractual partners”) to fulfill contractual obligations, respond to inquiries and manage administrative and organizational tasks.

  • Provision of agreed services
  • Communication
  • Safeguarding our rights
  • Ensuring operational and IT security
  • Involvement of service providers such as telecommunications, logistics, banks, tax advisors or payment processors

Data is only shared with third parties when necessary for these purposes or required by law.

Types of data processed: Master data, payment data, contact data, contract data.

Legal bases: Contract performance (Art. 6(1)(b) GDPR), legal obligations (Art. 6(1)(c) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Payment procedures

If we process payment data (e.g. bank details, transaction IDs), this is done exclusively for the purpose of handling financial transactions. Depending on the payment method, data may be transmitted to banks, payment service providers or financial institutions. Processing is based on Art. 6(1)(b) GDPR and, where applicable, Art. 6(1)(f) GDPR (secure payment processing).

Provision of the online offering and web hosting

We process user data to provide our online services securely and efficiently. This includes hosting and server infrastructure, log files, security monitoring and ensuring website functionality.

Log data may include: IP addresses, timestamps, URLs accessed, browser types and error messages.

Processing is based on our legitimate interests in providing a secure and reliable online service (Art. 6(1)(f) GDPR).

Use of cookies

We use cookies and similar technologies to enable website functionality, store user preferences, analyze usage patterns and improve user experience. Where required by law, we obtain user consent before setting non‑essential cookies (Art. 6(1)(a) GDPR). Essential cookies are processed based on legitimate interests (Art. 6(1)(f) GDPR). Users can manage cookie settings in their browser.

Blogs and publication media

If we operate blogs or similar publication formats, we process content and usage data to provide these services. Comments or contributions may be publicly visible. Processing is based on our legitimate interests in communication and content provision (Art. 6(1)(f) GDPR).

Contact and inquiry management

When users contact us (e.g. via email, phone or forms), we process the provided data to handle inquiries. This may include contact details, communication content and metadata (timestamps, technical information).

Legal bases: Contract performance or pre‑contractual steps (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR).

Newsletters and electronic notifications

If users subscribe to newsletters, we process their email addresses and related data to send updates and marketing information. We use double‑opt‑in procedures where required. Users may unsubscribe at any time. Processing is based on consent (Art. 6(1)(a) GDPR).

Marketing communication

We may contact users via email, phone or mail for marketing purposes, provided this is legally permitted or based on consent. Users may object to marketing communication at any time.

Surveys and questionnaires

We may conduct surveys to improve our services. Participation is voluntary. Data is processed based on consent or our legitimate interests in service optimization.

Affiliate programs and affiliate links

We participate in affiliate programs that track user interactions with affiliate links. Tracking may involve cookies or identifiers to attribute transactions to specific partners. Processing is based on our legitimate interests in efficient marketing and cooperation with partners (Art. 6(1)(f) GDPR).

Customer reviews and rating procedures

If users submit reviews or testimonials, we may publish them with their consent. Users can request the removal or anonymization of their reviews where legally permissible.

Social media presences

We maintain profiles on social networks to communicate with users and provide information. Data processing on these platforms is subject to the terms and privacy policies of the respective providers. We process data based on our legitimate interests in public relations and communication (Art. 6(1)(f) GDPR).

Plugins and embedded content

Our website may integrate third‑party content such as videos, maps, social media posts, fonts or scripts. These providers may collect user data (e.g. IP addresses, device information) when such content is loaded.

Where required, we obtain consent before loading non‑essential third‑party content. Otherwise, processing is based on our legitimate interests in providing a functional and attractive online offering.

Management, organization and tools

We use tools for internal organization, communication, project management and document handling. These tools may process user data as part of service provision. Processing is based on our legitimate interests in efficient and secure business operations (Art. 6(1)(f) GDPR).

Changes and updates

We may update this Privacy Policy to reflect changes in legal requirements or our processing activities. The current version is always available on our website.

Scroll to Top