Privacy Notice

Privacy Policy

This privacy policy explains the nature, scope and purpose of the processing of personal data (consequently referred to as “data”).

This refers to data in the context of the performance of our service and in the context of our online service (and the associated websites, functions and content related to that), as well as external online presences, such as our social media profile (consequently referred to as “online service”).

With regard to the terminology used, e.g. “processing” or “controller” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).



Marimo GmbH
Muenchener Str. 45 (Hofhaus)
60329 Frankfurt am Main


Managing Directors:
Tobias Rösch, Dietmar Segl

HRB 90200 District court Frankfurt am Main

VAT-ID DE 275486623


Types of processed data

– master data (e.g. person-reference data, names or addresses).

– contact details (e.g. e-mail, telephone numbers).

– content data (e.g. text entries, photos, videos).

– usage data (e.g. visited websites, interest in contents, access time).

– meta-/communication data (e.g. device information, IP addresses).


Categories of data subjects

Visitors and users of online service (subsequently we also refer to data subjects generally as “users”).


Purpose of processing

– provision of the online service, its functions and content.

– response to contact requests and communication with users.

– safety measures.

– reach measurement/marketing.


Terminology used

“Personal data” refers to all information concerning an identified or an identifiable natural person (consequently referred to as “data subject”).

Identifiable is a natural person who can be identified directly or indirectly.

Direct or indirect identification is possible:

– in particular by reference: to an identifier such as a name, to an identification number, to location data, to an online identifier (e.g. a cookie).

– or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” is any operation which is performed whether or not with automated means.
“Processing” is also any set of operations on personal data.
The term “processing” has a comprehensive and extensive meaning.
It covers practically every handling of data.

“Pseudonymisation” is the processing of personal data in a certain way.

For “pseudonymisation” it must be the case that the personal data can no longer be attributed to a specific data subject without the use of additional information.
This applies to the case where:
– this additional information is kept separately
– and that data is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Controller” means:

The natural or legal person, public authority, agency or body which alone or jointly with others, determines the purposes and means of processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller.


Relevant legal bases

In accordance with Art. 13 GDPR, we inform you about the legal basis of our data processing.

Users from the validity area of the data protection regulation are users from the EU and from the EEC.

In case the legal bases in the data protection regulation have not been mentioned, the following applies to users:

The legal basis for obtaining consent is Art. 6 (1) lit. a and Art. 7 GDPR;

The legal basis for processing necessary for the performance of our services and the execution of contractual measures as well as the responses to inquiries is Art. 6 (1) lit. b GDPR;

The legal basis for processing, which is necessary for the compliance of our legal obligations is Art. 6 (1) lit. c GDPR;

In case the vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d GDPR applies.

The legal basis for processing that is necessary for the performance of a task carried out in public interest or in the exercise of an official authority, is Art. 6 (1) lit. e GDPR.

In this case, the task must have been assigned to the controller.

The legal basis for processing in order to safeguard our legitimate interests is Art. 6 (1) lit. f GDPR.

The processing of data for purposes other than that for which they were collected, is determined in accordance with the guidelines of Art. 6 (4) GDPR.

The processing of specific categories of data (in accordance with Art. 9 (1) GDPR) is determined in accordance with the guidelines of Art. 9 (2) GDPR.


Safety measures

We take adequate technical and organisational measures for the implementation of legal requirements in order to ensure a level of protection appropriate to the risk.

These measures will be concerned with the following factors:
– the state of technology
– the implementation costs
– the nature, the scope, the circumstances and purposes of processing
– the varying probability of occurrence
– the severity of the risk to the rights and freedoms of natural persons.

The measures include in particular the security of the confidentiality, the integrity and availability of data. This is done by checking the following measures:
– the physical access to the data
– the access to the data
– the entry of the data
– the transfer of the data
– the security of the data
– the availability of the data
– the separation of the data.

In addition, we have established procedures which ensure the performance of data subject rights, as well as the deletion of data and the reaction to data endangerment.

Furthermore, we already consider the protection of personal data through the development or selection of hardware, software and processing methods. This corresponds to the principle of data protection through design and by default.


Cooperation with processors, controllers and third parties

If, in the context of our data processing, we disclose data to other persons or companies (processors, joint controllers or third parties), transmit data to them or otherwise grant them access to data, this is done only on the basis of a legal permission (e.g. if a data transmission to a third party, for example a payment service provider, is required to fulfil the contract), if the user has consented, if a legal obligation stipulates this, or on the basis of our legitimate interests (e.g. the use of contractors, webhosts, etc.).

If we disclose, transmit or otherwise grant access of data to third parties, this will be done to other companies of our company group.

This is done in particular for administrative purposes as a legitimate interest and moreover on a legal basis.


Transmission to third countries

If we process data in a third country, this is done in the context of use of third parties services and enjoyment or in the context of a disclosure, i.e. transmission of data to other persons or companies.

Third countries are countries outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation.

This occurs only to fulfil our (pre)contractual obligations, on the basis of your consent, on a legal obligation or on the basis of our legitimate interests.
Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of legal requirements.
That is, the processing is done e.g. on the basis of specific guarantees, such as the officially recognized level of data protection (e.g. for the USA through the “privacy shield”) or under the observation of officially recognized special contractual obligations.


Rights of data subjects

You have the right to obtain a confirmation whether or not your concerned data has been processed. You also have the right of access to information about this data as well as other information and copies of the data according to legal requirements.

According to legal requirements, you have the right to request the completion of your personal data or the rectification of inaccurate data concerning you.

You have in the context of legal requirements the right to request the erasure of personal data. Alternatively, you can request in the context of legal requirements the restriction of data processing.

You have the right to request the reception of the personal data that you have already sent to us in the context of legal requirements.

You additionally have the right to ask for transfer of this data in the context of legal requirements.

Furthermore, you have the right to lodge a complaint to the competent supervisory authority in the context of legal requirements.


Right of withdrawal

You have the right to withdraw the given consent with effect for the future.


Right of objection

You can object to the future processing of your data in the context of legal requirements at any time. The objection may in particular be made against processing for direct marketing purposes.


Cookies and right of objection in direct marketing

“Cookies” are small files that are stored on users’ computers. Different information can be stored within cookies.

A cookie serves primarily to store the information about a user (or the device on which the cookie is stored) during or after his visit to an online service.

Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online service and closes his browser. In such a cookie, the contents of a shopping cart for example can be stored in an online shop or a login status.

“Permanent” or “persistent” cookies refer to cookies that remain stored even after the browser has been closed. Thus, for example, the login status can be saved if users visit it after several days. Likewise, in such a cookie, the interests of the users which are used for reach measurement or marketing purposes can be stored.

“Third-party cookie” refers to cookies that are offered by providers other than the person responsible for the online service (otherwise, if it is only their cookies, this is called “first-party cookies”).

We can use temporary and permanent cookies and clarify this in the context of our privacy policy.

If users do not want cookies to be stored on their machine, they are asked to deactivate this option in their browser’s system settings.
Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online service.

A general objection against the use of cookies for the purposes of online marketing can be declared for a variety of services, especially in the case of tracking, on the US page or the EU page

Furthermore, the storage of cookies can be prevented by deactivating them in the settings of the browser. Please note that in this case not all functions of this online service can be used.


Deletion of personal data

The data processed by us will be deleted or restricted in processing, in accordance with legal requirements.

Unless explicitly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer necessary for their intended purpose and the deletion does not conflict with any legal retention requirements.

If the data is not deleted because it is required for other and legally permitted purposes, its processing will be restricted. That is, the data is blocked and not processed for other purposes.
This applies, e.g., to data that must be kept for reasons regarding commercial or tax laws.


Changes and updates of privacy policy

We request you to regularly inform yourself about the content of our privacy policy. We will adjust the privacy policy as soon as the changes to the data processing we perform require it.

We will inform you as soon as the changes require your participation (e.g. consent) or other individual notification.


Hosting and e-mail dispatch

The hosting services we use serve for providing the following services:

– infrastructure and platform services
– computing capacity
– storage space and database services
– e-mail dispatch
– security services
– technical maintenance services

We use these services for the purpose of operating this online service.

Here we, or our hosting provider, process data from customers, interested parties and visitors of this online service. The following data is processed:
– master data
– contact details
– content data
– contract data
– usage data
– meta and communication data

This is done on the basis of our legitimate interests in an efficient and secure provision of this online offer according to Art. 6 (1) lit. f. GDPR in association to Art. 28 GDPR (conclusion of order processing contract).


Collection of access data and log files

We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files), on the basis of our legitimate interests, in accordance with Art. 6 (1) lit. f GDPR. The access data includes the name of the retrieved web page, the file, the date and the time of retrieval, the amount of data transferred, the notification of successful retrieval, the browser type and version, the user’s operating system, the referrer URL (the previously visited page), the IP address and the requesting provider.

Log file information is stored for security purposes (e.g. to investigate abusive or fraudulent activities) for a maximum of 7 days and is then deleted. Data whose further storage is required for evidential purposes is excluded from the deletion until the final clarification of the incident.


Online presences in social media

We maintain online presences within social networks and platforms in order to actively communicate there with customers, interested parties and users, and to inform them about our services. We point out that data of the users can be processed outside the area of the European Union. This may result in risks to users because, e.g., the enforcement of user rights could be complicated.

With respect to US providers who are certified under the privacy shield, we point out that they are committed to respect EU privacy policy standards.

Furthermore, the data of the user are usually processed for market research and advertising purposes. In this way, e.g. user profiles are created from the user behavior and the resulting interests of the users. The usage profiles may in turn be used to e.g. activate advertisements inside and outside the platforms that are presumably in line with users’ interests. For these purposes, cookies are usually stored on the computers of the users, in which the user behavior and the interests of the users are stored. Furthermore, data can also be stored in the usage profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).

The processing of personal data occurs on the basis of our legal interests in an effective information of users and communication with users in accordance with Art. 6 (1) lit. f. GDPR.

If the users are asked for consent to the above-described data processing by the respective providers of the platforms, the legal basis of the processing is Art. 6 (1) lit. a, Art. 7 GDPR.

For a detailed presentation of the respective processing and objection possibilities (opt out), we point to the following linked information of the providers.

Also, in the case of requests for information and the establishment of user’s rights, we point out that this can be claimed most effectively from the providers.

Only the providers always have access to the data of the users and can directly take appropriate measures and provide information.

If you still need help, then you can contact us.

– Facebook, -pages, -groups, (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the basis of an agreement on collective processing of personal data – Privacy policy:, especially for pages:, Opt-out: and, Privacy Shield:

– Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Privacy policy:, Opt-out:, Privacy shield:

– Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy policy/ Opt-Out:

– Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – Privacy Policy:, Opt-out:, Privacy shield:

– Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – Privacy policy / Opt-out:

– LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – Privacy policy :, Opt-out:, Privacy shield:

– Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) – Privacy Policy / Opt-out:

– Wakelet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) – Privacy Policy / Opt-out:

– Soundcloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) – Privacy policy / opt-out:


Integration of services and contents of third parties

For our online service on the basis of our legal interests (i.e. interest in the analysis, optimization and economic operation of our online offer according to Art. 6 (1) lit. f. GDPR) we utilize content or services offered by third-party providers.

This is necessary to provide their contents and services, e.g. to include videos or fonts (uniformly referred to as “content”).

This always presupposes that the third-party providers of this content observe the IP address of the users, since they cannot send the content to their browser without it.

The IP address is therefore required for the presentation of this content.

We make an effort to use only content for which the respective providers use the IP address only for the delivery of the content.

Third-party providers can further use so-called pixel-tags (invisible graphics also referred to as “web beacons”) for statistical or marketing purposes.

Information such as visitor traffic can be evaluated through the “pixel tags”, on the pages of this website.

The pseudonymous information can further be stored in cookies on the user’s device and may include technical information about the browser and operating system, referring web pages, time of visit and other information regarding the use of our online service, and can also be linked to such information from other sources.



We can embed videos of the “Vimeo” platform of Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA.

Privacy policy: We point out that Vimeo may use Google Analytics and refer to the privacy policy as well as opt-out options for Google Analytics or Google’s settings for data usage for marketing purposes.



We embed videos of the YouTube platform of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy:, opt-out:



Within our online service, functions and content of the service Instagram, offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA, can be embedded.

This may include, e.g., content such as images, videos, or texts and buttons that allow users to share content from this online service on Instagram.

If the users are members of the platform Instagram, Instagram can match the page views of the above-mentioned contents and functions to the respective users’ profiles.

Privacy policy of Instagram: