‍1. data protection at a glance
‍

General notes and mandatory information
‍

We, the SIS Social Impact School GmbHWe take the protection of your personal data very seriously. This privacy policy informs you about the type, scope and purpose of the processing of personal data on our website.

When you use this website, various personal data is collected. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done.

We would like to point out that data transmission over the Internet (e.g. when communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.
‍

Note on the responsible body
‍

The controller responsible for data processing on this website is:

SIS Social Impact School GmbH
Auf dem Klemberg 36a
50999 Cologne

Managing Director: Milena Pflügl‍

Registered: Cologne Local Court, HRB 120203‍

Responsible for the content: Milena Pflügl‍

Phone: +49 2236 3212232
E-mail: hallo@impactschool.de
‍

What do we use your data for?
‍

Some of the data is collected to ensure that the website is provided without errors. Other data can be used to analyze your user behavior.
‍

What rights do you have with regard to your data?
‍

You can request information about your stored data at any time, request its correction or deletion, and revoke any consent you have given. You also have the right to request the restriction of processing or to lodge a complaint with a supervisory authority.

‍

Analysis tools and tools from third-party providers
‍

Your surfing behavior can be evaluated by analysis programs. Details can be found in the privacy policy.
‍

Storage duration
‍
Your personal data will remain with us as long as the processing purpose exists. After a request for deletion or revocation of your consent, the data will be deleted unless legal reasons such as tax or commercial law obligations require longer storage. In this case, the deletion will take place after these reasons no longer apply. The legal basis for data processing is your consent (Art. 6 para. 1 lit. a GDPR), contractual necessity (Art. 6 para. 1 lit. b GDPR), legal obligations (Art. 6 para. 1 lit. c GDPR) or legitimate interests (Art. 6 para. 1 lit. f GDPR). Detailed information on this can be found in the respective sections of this privacy policy.
‍

Data Protection Officer
‍
Responsible for data protection:
SIS Social Impact School GmbH
Data protection
Auf dem Klemberg 36a
50999 Cologne
Phone: +49 (0) 2236 3212232
E-mail: datenschutz@impactschool.de
‍

Data transfer to third countries and non-DPF-certified US companies

‍
We use tools from providers from third countries with insecure data protection laws and from US companies that are not certified in accordance with the EU-US Data Privacy Framework (DPF). Your data may be transferred to these countries, where no EU-like level of data protection is guaranteed. Data transfer to the USA is permitted if the recipient is DPF-certified or offers suitable guarantees. Further details can be found in this privacy policy.
‍

Data transmission
‍
We only pass on personal data if it is necessary for the fulfillment of the contract, required by law or in our legitimate interest. In the case of processors, data is only passed on with a valid contract.
‍

Right of withdrawal
‍
You can withdraw your consent to data processing at any time. Previous processing remains lawful.
‍

Right to object (Art. 21 GDPR)
‍
You can object to the processing of your data for special reasons or for advertising purposes at any time. If you object to advertising purposes, your data will no longer be used for this purpose.

2. hosting
‍

We host the content of our website with the following provider:
‍

External hosting
‍

This website is hosted externally. Personal data such as IP addresses, contact requests and website accesses are stored on the hoster's servers. Hosting is carried out to fulfill the contract (Art. 6 para. 1 lit. b GDPR) and in the interest of secure, fast provision (Art. 6 para. 1 lit. f GDPR). If consent has been given (Art. 6 para. 1 lit. a GDPR), this can be revoked at any time. 

The hoster processes the data only according to our specifications. We use the following hoster(s):

United domains AG
Gautinger Street 10
82319 Starnberg

3. data collection on this website
‍

Cookies
‍

Our website uses "cookies", small data packets that are stored on your end device without causing any damage. There are session cookies, which are automatically deleted after the visit, and permanent cookies, which remain stored until they are deleted by you or the browser.

Cookies may originate from us (first-party) or from third-party providers (third-party), e.g. for payment services. Some cookies are technically necessary (e.g. for shopping baskets or videos), others are used for analysis or advertising.

Technically necessary cookies are stored on the basis of Art. 6 para. 1 lit. f GDPR. If you have given your consent to storage (Art. 6 para. 1 lit. a GDPR), you can revoke this at any time.

You can manage cookies in your browser settings. Please note that if you deactivate cookies, the functionality of the website may be restricted.

You can find out which cookies are used in our privacy policy.

‍

Server log files
‍

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are
‍

• Browser type
• Browser version
• Operating system used
• Referrer URL
• Host name of the accessing computer
• Time of the server request
• IP address

This data is not merged with other data sources. This data is collected on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of its website; the server log files must be recorded for this purpose.
‍

Contact form
‍

If you contact us via the contact form, your details, including contact details, will be stored for processing and for possible follow-up questions. Your data will only be passed on with your consent.

Processing is carried out on the basis of Art. 6 para. 1 lit. b GDPR, if it concerns contract inquiries, otherwise on the basis of legitimate interest (Art. 6 para. 1 lit. f GDPR) or your consent (Art. 6 para. 1 lit. a GDPR), which can be revoked at any time. Your data will remain stored until you request its deletion or the purpose of storage no longer applies, whereby statutory retention periods remain unaffected.
‍

Request by e-mail, telephone or fax
‍

If you contact us by e-mail, telephone or fax, we will store and process your request and the personal data transmitted (e.g. name, request) for processing. Your data will only be passed on with your consent.

Processing is carried out in accordance with Art. 6 para. 1 lit. b GDPR for contract inquiries, otherwise on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) or your consent (Art. 6 para. 1 lit. a GDPR). Your data will remain stored until you request its deletion, revoke your consent or the purpose of storage no longer applies. Statutory retention periods remain unaffected.
‍

Communication via WhatsApp
‍

We use WhatsApp Business, offered by WhatsApp Ireland Limited, to communicate with customers and third parties. Communication takes place via end-to-end encryption, but WhatsApp has access to metadata (e.g. sender, recipient, time). According to WhatsApp, user data is shared with the parent company Meta in the USA. You can find more information in the WhatsApp privacy policy.
‍

The use is based on our legitimate interest in fast communication (Art. 6 para. 1 lit. f GDPR) or on your consent, which can be revoked at any time.

Communication content is stored until you ask us to delete it or the purpose no longer applies. Statutory retention periods remain unaffected. Data transfers to the USA are based on standard contractual clauses of the EU Commission.

WhatsApp is certified according to the "EU-US Data Privacy Framework" (DPF). Further information: Data Privacy Framework.
‍

Typeform
‍

We use Typeform, offered by TYPEFORM S.L., to create online forms on our website. The data you enter will be stored on Typeform's servers until you request its deletion, revoke your consent or the purpose no longer applies. Statutory retention periods remain unaffected.

The use of Typeform is based on our legitimate interest in functional forms (Art. 6 para. 1 lit. f GDPR). If you have given your consent, the processing is based on Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG. You can withdraw your consent at any time.
‍

Pipedrive CRM
‍

We use Pipedrive for our marketing and sales processes. Data is stored for marketing purposes, such as e-mail campaigns or the management of contact information. Pipedrive is a service of Pipedrive. based in Estonia.
‍

Legal basisLegitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to optimize our marketing processes.
‍

5. third party providers
‍

Google Webfonts
‍

We use Google Web Fonts for fonts on the website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. However, the processing only takes place on our servers. The provider processes meta/communication data (e.g. device information, IP addresses) in the EU.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in using an easy-to-use and cost-effective font on our website.

Further information can be found in the provider's privacy policy at https://policies.google.com/privacy?hl=de.
‍

Google Ads
‍

We use Google Ads for advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.

The legal basis for the transfer to a country outside the EEA is an adequacy decision. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed because the EU Commission has decided that the third country offers an adequate level of protection as part of an adequacy decision in accordance with Art. 45 (3) GDPR.
‍

We delete the data when the purpose for which it was collected no longer applies. Further information can be found in the provider's privacy policy at https://policies.google.com/privacy?hl=de.
‍

Oxygen Builder
‍

We use Oxygen Builder to create websites. The provider is Soflyy, 5737 Kanan Rd #437, Agoura Hills, CA 91301, USA. The provider processes meta/communication data (e.g. device information, IP addresses) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in setting up and maintaining a website and thus presenting ourselves to the outside world.
‍

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses issued in accordance with the review procedure pursuant to Art. 93 para. 2 GDPR (Art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
‍

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider's privacy policy at https://oxygenbuilder.com/legal/.
‍‍

Google Analytics
‍

We use Google Analytics for analysis. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses issued in accordance with the review procedure pursuant to Art. 93 para. 2 GDPR (Art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
‍

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider's privacy policy at https://policies.google.com/privacy?hl=de.
‍

YouTube videos
‍

We use YouTube videos for videos on the website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.

The legal basis for transferring data to a country outside the EEA is consent.
‍

Further information can be found in the provider's privacy policy at https://policies.google.com/privacy.
‍

Facebook Conversion API
‍

We use Facebook Conversion API for analysis. The provider is Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses issued in accordance with the review procedure pursuant to Art. 93 para. 2 GDPR (Art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
‍

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider's privacy policy at https://www.facebook.com/policy.php.
‍

Google Tag Manager
‍

We use Google Tag Manager for analysis and advertising. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. a GDPR. Processing is carried out on the basis of consent. Data subjects can withdraw their consent at any time, e.g. by contacting us using the contact details provided in our privacy policy. The revocation does not affect the legality of the processing until the revocation.

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses issued in accordance with the review procedure pursuant to Art. 93 para. 2 GDPR (Art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
‍

We delete the data when the purpose for which it was collected no longer applies. Further information can be found in the provider's privacy policy at https://policies.google.com/privacy?hl=de.
‍

 Elementor
‍

We use Elementor to create websites. The provider is Elementor LTD, Tuval St 40, Ramat Gan, Israel. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the EU.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in setting up and maintaining a website and thus presenting ourselves to the outside world.
‍

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider's privacy policy at https://elementor.com/terms/.
‍

wordpress.com
‍

We use wordpress.com to create websites. The provider is Aut O'Mattic A8C Ireland Ltd, 25 Herbert Pl, Dublin, D02 AY86, Ireland. The provider processes contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses) and master data (e.g. names, addresses) in the USA.
‍

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in setting up and maintaining a website and thus presenting ourselves to the outside world.
‍

The legal basis for the transfer to a country outside the EEA are standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses issued in accordance with the review procedure pursuant to Art. 93 para. 2 GDPR (Art. 46 para. 2 lit. c GDPR), which we have agreed with the provider.
‍

The data will be deleted when the purpose of its collection no longer applies and there is no obligation to retain it. Further information can be found in the provider's privacy policy at https://automattic.com/de/privacy/.

4. social media (Facebook, LinkedIn, Instagram)
‍

Our website uses plugins from the social networks Facebook, LinkedInand Instagram is used. When you visit our pages, a connection to these platforms is established, whereby information (such as your IP address) is transmitted.
‍

Legal basisYour consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time by making the appropriate settings in your browser or on the respective platforms.
‍

5. retargeting and remarketing
‍

We use retargeting technologies such as Google Ads Remarketing and Facebook Custom Audienceto display personalized advertising based on your behavior on our website.
‍

Legal basisYour consent in accordance with Art. 6 para. 1 lit. a GDPR.
You can revoke this consent at any time by blocking cookies in your browser.
‍

6th Newsletter

Newsletter data
‍

If you would like to subscribe to our newsletter, we need your e-mail address and confirmation that you are the owner of this e-mail address and would like to receive the newsletter. Further data is only collected voluntarily. We use this information exclusively for sending the newsletter and do not pass it on to third parties.
‍

The data processing is based on your consent (Art. 6 para. 1 lit. a GDPR), which you can revoke at any time via the "unsubscribe" link in the newsletter.
‍

Your data will be stored until you unsubscribe from the newsletter and then deleted. Email addresses may be stored in a blacklist to prevent future mailings, which serves our legitimate interest (Art. 6 para. 1 lit. f GDPR). You can object to the storage if your interests prevail.
‍

7. audio and video conferencing
‍

Data processing
‍

We use online conferencing tools to communicate with our customers, as listed below. If you communicate with us via video or audio conference, your personal data will be collected and processed by us and the respective provider of the tool. This includes, for example, your e-mail address, telephone number, technical data (such as IP address and device type) and content shared during the conference (e.g. chat messages, files, recordings).

Please note that we only have limited influence on data processing by the providers. Further information on this can be found in the privacy policies of the respective tools.
‍

Purpose and legal basis
‍

The conference tools are used to communicate with prospective or existing contractual partners or to offer certain services to our customers (Art. 6 para. 1 lit. b GDPR). Furthermore, the use of the tools serves the general simplification and acceleration of communication with us or our company (legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR). If consent has been requested, the tools in question are used on the basis of this consent; consent can be withdrawn at any time with effect for the future.
‍

Storage duration
‍

The data collected directly by us via the video and conference tools will be deleted from our systems as soon as you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies. Stored cookies remain on your end device until you delete them. Mandatory statutory retention periods remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the conference tools for their own purposes. For details, please contact the operators of the conference tools directly.
‍

Conference tools used
‍

Zoom
‍
Provider: Zoom Communications Inc, USA. Details on data processing: Zoom privacy policy. Data transfer to the USA is based on standard contractual clauses of the EU Commission.
‍

Microsoft Teams
‍
Provider: Microsoft Ireland Operations Limited. Details: Microsoft Teams Privacy Policy. The company is certified according to the "EU-US Data Privacy Framework" (DPF).
‍

Google Meet
‍
Provider: Google Ireland Limited. Details: Google privacy policy. Google is also certified in accordance with the EU-US Data Privacy Framework (DPF).

8. own services
‍

Handling applicant data
‍
When you apply to us (by email, post or online form), we process your personal data in order to decide on your application. The legal basis for this is § 26 BDSG and Art. 6 para. 1 lit. b GDPR. Your data will only be passed on to persons who are involved in the application process.
‍

If you are not hired, we will retain your data for up to 6 months in order to secure evidence in the event of legal disputes. With your consent, your data may also be included in our applicant pool. Consent to this can be revoked at any time. Data from the applicant pool will be deleted after two years at the latest.
‍

9. your rights
‍

You have the right at any time:
‍

• Information about the processing of your personal data (Art. 15 GDPR).
• Correction of inaccurate data (Art. 16 GDPR).
• Deletion of your data (Art. 17 GDPR).
• Restriction of processing to demand (Art. 18 GDPR).
• Contradiction to object to the processing of your data (Art. 21 GDPR).
• Data portability to demand (Art. 20 GDPR).

You also have the right to lodge a complaint with a data protection supervisory authority.
‍

10. changes to the privacy policy
‍

We reserve the right to update this privacy policy in order to adapt it to changed legal requirements or new services. The current version of the privacy policy, which can be viewed on our website, applies.