Data Privacy

Privacy Policy

This Privacy Policy explains which type of personal data and how much we collect for which purpose (hereinafter referred to as "data") so that we can provide our services both within our online presence and on the websites, features and content linked to it, as well as external online presences such as our social media profiles (hereinafter referred to as “online content”). With regard to the definitions uses, e.g. “processing” or “controller”, please refer to Art. 4 of the General Data Protection Regulation (GDPR).


Peppermint Holding GmbH
Neues Kranzler Eck
Kurfürstendamm 21
DE-10719 Berlin

Tel: +49 30 59 00 64-400
Fax: +49 30 59 00 64-401

Managing Directors: Ingeborg Neumann (General & Managing Partner), Marcus Baumbach

Headquarters: Berlin
District court: Amtsgericht Charlottenburg HRB 63808
Tax Office for Corporations I
VAT ID No. DE 190888731

Types of data processed

- Basic data (e.g. personal details, names or addresses).
- Contact data (e.g. email addresses, telephone numbers).
- Content data (e.g. text entries, photos, videos).
- Usage data (e.g. websites visited, interest in content, access data).
- Meta/Communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online content (hereinafter also referred to as “users” in general).

Processing purpose

- To provide the online content, its features and content.
- Answering contact requests and communication with users.
- Security measures.
- Reach measurement/Marketing

Definitions used

“Personal data” is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is far reaching and covers practically all types of data handling.

“Pseudonymisation” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal basis

According to Art. 13 GDPR, we must provide you with the legal basis for our data processing. If the legal basis is not mentioned in the privacy policy, the following applies to users within the jurisdiction of the General Data Protection Regulation (GDPR), i.e. the EU and the EEC:
The legal basis for obtaining consent is Art. 6 Par. 1 Cl. a) and Art. 7 GDPR;
the legal basis for processing to fulfil our services and carry out contractual measures as well as answer enquiries is Art. 6 Par. 1 Cl. b) GDPR;
the legal basis for processing to fulfil our legal obligations is Art. 6 Par. 1 Cl. c) GDPR.
In the event that vital interests of the data subject or another natural person require personal data to be processed, Art. 6 Par. 1 Cl. d) GDPR serves as the legal basis.
The legal basis for the required processing to perform a task carried out in general public interest or when exercising public authority entrusted to the controller is Art. 6 Par. 1 Cl. e) GDPR.
The legal basis for processing to safeguard our legitimate interests is Art. 6 Par. 1 Cl. f) GDPR.
The processing of data for purposes other than those for which they were collected is governed by the provisions of Art. 6 Par. 4 GDPR.
The processing of special categories of data (according to Art. 9 Par. 1 GDPR) is governed by the provisions of Art. 9 Par. 2 GDPR.

Security measures

In accordance with legal requirements, we carry out appropriate technical and organisational measures, taking into account the state of the art, the implementation costs and the type, extent, circumstances and purposes of the processing, as well as the different occurrence probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

In particular, these measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to, inputting, disclosure, securing and separation of the data. Furthermore, we have set up procedures that guarantee the exercise of data subjects' rights, the deletion of data and the reaction to data threats. We also consider the protection of personal data as early as the development stage and when it comes to selecting hardware and software, as well as processes in accordance with the principle of data protection through technology design and data protection-friendly default settings.

Working with processors, joint controllers and third parties

Should we disclose data to other persons and companies (processors, joint controllers or third parties) within the scope of our processing, transfer the data to them or otherwise grant them access to the data, this shall only take place on the basis of legal permission (e.g. if transferring the data to third parties, such as payment service providers, is necessary for the fulfilment of the contract), users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e.g. when using agents, web hosts, etc.).

Should we disclose, transmit or otherwise grant access to data to other companies within our group of companies, this is done particularly for administrative purposes, as a legitimate interest and, beyond that. based on corresponding legal requirements.

Transfers to third countries

Should we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or should this be done whilst utilising third party services or disclosing or transferring data to other persons or companies, this shall only be to fulfil our (pre)contractual obligations, based your consent, a legal obligation or based on our legitimate interests. Subject to express consent or contractually required transfer, we only process or have the data processed in third countries with a recognised level of data protection, including US processors certified under the "Privacy Shield" or on the basis of special guarantees, such as a contractual obligation through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44–49 GDPR, EU Commission website).

Rights of the data subject

You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and to obtain access to this data as well as additional information and copies of the data in accordance with the legal requirements.

In accordance with the legal requirements, you have the right to have relevant personal data completed or to have inaccurate personal data that concerns you rectified.

In accordance with the legal requirements, you have the right to demand the deletion of personal data concerning you without undue delay or, in accordance with the legal requirements, the right to demand that the processing of the data is restricted.

You have the right to request to obtain the personal data concerning you, which you provided to us in accordance with the legal regulations, and request that the data is transmitted to another controller.

In accordance with the legal requirements, you also have the right to lodge a complaint with the competent authorities.

Right of revocation

You have the right to revoke any consent you have given with effect for the future.

Right to object

In accordance with the legal requirements, you may object to the future processing of personal data concerning you at any time. This right may be used particularly to object to processing for the purposes of direct marketing.

Cookies and the right to object to direct marketing

“Cookies” are small files that are saved on a user’s computer. Various details can be saved in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is saved) during or after the user has visited online content. Temporary cookies – "session cookies" or "transient cookies” – are cookies that are deleted after a user leaves a website and closes their browser. Items added to a shopping basket in an online shop or a login status, for example, can be stored in such a cookie. “Permanent" or "persistent” cookies are those that remain saved even after the browser is closed. This means that a login status can be saved if a user wants to access it again after a few days. User interests can also be stored in these types of cookies, which are then used for reach measurement or marketing purposes. “Third-party cookies” are those offered by other providers other than the person or company responsible for the online content (conversely, when they mean their own cookies they are termed “first-party cookies”).

We may use temporary and permanent cookies and explain this in our privacy policy.

If we ask the user to consent to the use of cookies (e.g. via a cookie consent pop-up) the legal ground for this processing is Art. 6 Par. 1 Cl. a) GDPR. Otherwise, the user’s personal cookies will be processed according to the following explanations within the framework of this privacy policy on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content in accordance with Art. 6 Par. 1 Cl f) GDPR) or if the use of cookies is necessary for the provision of our contract-related services, in accordance with Art. 6 Par. 1 Cl. b) GDPR, or if the use of cookies is necessary for the performance of a task in the public interest or in the exercise of official authority, pursuant to Art. 6 Par. 1 Cl. e) GDPR.

If users do not wish cookies to be saved on their computers, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. Not accepting cookies may affect the way the online content works.

A general objection to the use of cookies used for online marketing purposes is explained for a large number of services, especially in the case of tracking, on the US website or the EU page Furthermore, it is possible to turn off cookie saving in the browser settings. Please note that this may mean that not all functions of this online offering can be used.

Data deletion

The data processed by us will be deleted in accordance with the legal regulations or their processing will be restricted. Unless expressly stated in this privacy policy, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them.

If the data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means the data will be locked and not processed for other purposes. For example, this applies to data that must be retained for commercial or tax reasons.

Changes and updates to the privacy policy

We asked to regularly check the content of our privacy policy. We will adapt it as soon as changes performed in the data processing make this necessary. We will inform you as soon as the changes require cooperation (e.g. consent) or other individual notification on your part.

Privacy policy during the application process

We process applicant data only for the purpose and within the framework of the application process in accordance with the legal requirements. The processing of applicant data is carried out to fulfil our (pre)contractual obligations within the scope of the application process as defined by Art. 6 Par. 1 Cl. b) GDPR, Art. 6 Par. 1 Cl. f) GDPR if data processing becomes necessary for us, e.g. within the framework of legal proceedings (in Germany, Art. 26 BDSG also applies).

The application process requires applicants to provide us with their personal data. If we offer an online form, the necessary applicant data are marked, otherwise they result from the job descriptions and generally include personal details, postal and contact addresses and documents belonging to the application, such as a cover letter, curriculum vitae and certificates. In addition to this, applicants can provide us with extra information.

By submitting their application to us, applicants consent to the processing of their data for the purposes of the application process in accordance with the type and scope set out in this privacy policy.

If special categories of personal data within the meaning of Art. 9 Par. 1 GDPR are voluntarily disclosed in the application process, their processing is also carried out in accordance with Art. 9 Par. 2 Cl. b) GDPR (e.g. health data, such as severely disabled status or ethnic origin). If special categories of personal data within the meaning of Art. 9 Par. 1 GDPR are requested of the applicant in the application process, their processing is also carried out in accordance with Art. 9 Par. 2 Cl. a) GDPR (e.g. health data, if this is required to carried out the job).

Where available, applicants may submit their applications using an online form on our website. The data will be transmitted to us encrypted according to the state of the art.
Applicants can also send us their applications by e-mail. Please note, however, that e-mails are generally not sent in encrypted form and the applicants themselves must ensure that they are encrypted. We therefore cannot assume any responsibility for the transmission path of the application between the sender and the recipient on our server and therefore recommend using an online form or sending the application by post.

In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application is not successful, the applicant's data will be deleted. Applicant data will also be deleted if an application is withdrawn. Applicants are entitled to do this at any time.

Subject to a justifiable revocation by the applicant, deletion will take place after a period of six months so that we can answer any follow-up questions regarding the application and meet our obligations to provide evidence under the Equal Treatment Act. Invoices for any reimbursement of travel expenses will be archived in accordance with tax law provisions.

Talent pool

As part of the application process, we offer applicants the opportunity to be included in our "talent pool" for a period of two years based on consent as defined in Art. 6 Par. 1 Cl. a) and Art. 7 GDPR.

The application documents in the talent pool will be processed solely as part of future job advertisements and for the employee search and will be destroyed at the latest after expiry of the deadline. Applicants are informed that their consent to their inclusion in the talent pool is voluntary, has no influence on the current application procedure and that they can revoke this consent at any time for the future and make objections in accordance with Art. 21 GDPR.

Making contact

When contacting us (e.g. via contact form, email, telephone or social media), the user's details are used to process the contact enquiry and to process it in accordance with Art. 6 Par. 1 Cl. b) (as part of contractual/pre-contractual relationships), Art. 6 Par. 1 Cl. f) (other enquiries) GDPR. The user data can be stored in a customer relationship management system ("CRM system") or comparable enquiry organization.

We will delete these enquiries once they are no longer required. We review the necessity to keep these enquiries every two years; furthermore, the statutory archiving obligations apply.

Hosting and sending email

The hosting services used by us serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services and technical maintenance services which we use for the purpose of operating this online content.

For this, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta data and communication data from clients, interested parties and visitors to this online content based on our legitimate interests in the efficient and secure provision of this online content in accordance with Art. 6 Par. 1 Cl. f) GDPR in conjunction with Art. 28 GDPR (conclusion of an order processing contract).

Collection of access data and log files

Based on our legitimate interests in accordance with Art. 6 Par. 1 Cl. f) DSGVO, we, and/or our hosting provider, collect data every time the server on which this service is located is accessed (so-called server log files). This access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.

Log file information is stored for security reasons (e.g. for the clarification of abuse or fraud actions) for a maximum of 7 days and is deleted afterwards. Data that need to be retained longer for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google uses cookies. The information generated by the cookie about the user’s use of the online content is usually transferred to a Google server in the USA and stored there.

Google uses this information on our behalf to evaluate the user’s use of our online content, to compile reports on the activities within this online content and to provide us with other services associated with the use of this online content and the internet. Pseudonymous user profiles can be created from the processed data.

We only use Google Analytics with IP anonymisation enabled. This means that the user’s IP address is shortened by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user's browser is not merged with other Google data. Users may refuse the use of cookies by selecting the appropriate settings on their browser; furthermore, users can prevent Google collecting and processing the data generated by the cookie relating to their use of the online content by downloading and installing the browser plug-in available under the following link:

Deactivating data collection via Google Analytics for this website

If we ask the user for consent (e.g. via a cookie consent pop-up) the legal ground for this processing is Art. 6 Par. 1 Cl. a) GDPR. Otherwise, the user’s personal data will be processed on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content in accordance with Art. 6 Par. 1 Cl. f) GDPR).

Where data is processed in the USA, we would like to point out that Google is certified under the Privacy Shield Agreement and thereby warrants compliance with European data protection law (

Further information about data usage by Google, settings and appeal procedures can be found in Google’s privacy policy ( as well as in the settings for the display of adverts by Google (

The user’s personal data is either deleted or anonymised after 14 months.

Online presence on social media

We maintain online presences within social networks and platforms in order to be able to communicate with clients, interested parties and other active users, and to inform them about our services.

We would like to point out that user data may be processed outside the European Union. This could result in risks for users as it could make it more difficult to enforce users' rights. With respect to US providers certified under the Privacy Shield, we would like to point out that they are committed to complying with EU privacy standards.

Additionally, user data is usually processed for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the resulting interests of users. The user profiles can in turn be used to place advertisements inside and outside the platforms which are presumed to correspond to the interests of the users. For these purposes, cookies are usually saved on the user's computer, which contain information pertaining to the user's usage behaviour and interests. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

The processing of the user’s personal data is carried out on the basis of our legitimate interests in effective user information and communication with users in accordance with Art. 6 Par. 1 Cl. f) GDPR. If the users are requested by the respective providers of the platforms to give their consent to the aforementioned data processing, the legal basis for the processing is Art. 6 Par. 1 Cl. a) and Art. 7 GDPR.

For a detailed description of the respective processing and the opt-out options, please refer to the following linked information from the providers.

Also in the case of information requests and the assertion of user rights, we point out that these can be asserted most effectively with the providers. Only the providers have access to the user data and can take direct, appropriate measures and provide information. Should you still require help, please get in touch with us.

- Facebook, Facebook pages, Facebook groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) based on an agreement on the joint processing of personal data - Privacy Policy:, particularly for pages:, Opt-Out: and, Privacy Shield:

- Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – Privacy Policy:, Opt-Out:, Privacy Shield:

- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy Policy/Opt-Out:

- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - Privacy Policy:, Opt-Out:, Privacy Shield:

- Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – Privacy Policy/Opt-Out:

- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) - Privacy Policy, Opt-Out:, Privacy Shield:

- Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) - Privacy Policy/Opt-Out:

- Wakalet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom) - Privacy Policy/Opt-Out:

- Soundcloud (SoundCloud Limited, Rheinsberger Str. 76/77, 10115 Berlin, Germany) - Privacy Policy/Opt-Out:

Inclusion of services and third-party content

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online content in accordance with Art. 6 Par. 1 Cl. f) GDPR), we include content or service offers from third parties in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content”) within our online content.

This always assumes that the third-party providers of this content recognise the user’s IP address, as they would not be able to send the content to their browser without the IP address. The IP address is therefore crucial for depicting the content. We strive to use this content only when the provider uses the IP address solely for the distribution of the content. Third parties may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be saved in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visit times and other information about the use of our website; it may also be linked to similar information from other sources.

Google Maps

We embed maps from “Google Maps” service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The data processed may particularly include IP addresses and users’ location data, which are not collected without their consent (usually within the framework of the settings of their mobile devices). The data may be processed in the USA. Privacy Policy:, Opt-Out:

Created using the Privacy Policy Generator from lawyer Dr. Thomas Schwenke

Information on the newsletter and consent

The following information is intended to inform you about the content of our newsletter, as well as the registration, delivery and statistical analysis processes, as well as your rights to object. By subscribing to our newsletter, you give your consent to receiving it and the processes described.


Content of the newsletter

We send newsletters, e-mails and other electronic notifications containing advertising information (hereinafter “Newsletter”) solely with the recipient’s consent or based on a legal authorisation. Provided that the content of the Newsletter is specifically described during the registration process, it constitutes consent by the user.


Double opt-in and logging

A double opt-in process is used when you register for our Newsletter. That means that you receive an e-mail after registration in which you will are asked to confirm your registration. This confirmation is necessary so that no one can log on using someone else’s e-mail address.

Newsletter registrations are logged in order to be able to provide proof of the registration process in accordance with legal requirements. This includes logging and storing the time of registration and confirmation as well as the IP address. Changes made to your data which is stored at MailChimp are also logged.


Use of the “MailChimp” delivery service

The newsletter is sent using ‘MailChimp’, a newsletter delivery platform from the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.

The e-mail addresses of our newsletter recipients, as well as their other data described in this information, are stored on the servers of MailChimp in the USA. MailChimp uses this information to send and analyse the newsletter on our behalf. Furthermore, according to its own information, MailChimp may use this data to optimize or improve its own services, e.g. to technically optimize the sending and presentation of newsletters or for economic purposes to determine from which countries the recipients come. However, MailChimp does not use the data of our newsletter recipients to write to them itself or pass them on to third parties.

We trust in the reliability, and the IT and data security of MailChimp. MailChimp is certified under the US-EU “Privacy Shield“ agreement and has thus pledged to adhere to the EU data protection regulations. We have furthermore concluded a “Data Processing Agreement” with MailChimp. This is a contract, in which MailChimp commits itself to protect the data of our users, to process them according to its Privacy Policy on our behalf and in particular not to pass them on to third parties. You can view MailChimp’s Privacy Policy here.


Registration data

To register for our newsletter, you only need to provide your e-mail address.

You may optionally also provide your first name and surname. This information is only used to personalise the newsletter.


Statistical collection and analyses

The newsletters contain a “web beacon”, i.e. a pixel-sized file which is retrieved from the MailChimp server the newsletter is opened. This file retrieval mainly serves to gather technical information, such as information on your browser, your system and your IP address at the time of retrieval. This information is used for technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their access locations (which can be determined by means of the IP address) or the access times.

The statistical analyses also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be associated with individual newsletter recipients. However, it is neither our aim nor that of MailChimp to monitor individual users. Instead, the analyses are used to identify the reading habits of our users and to adapt our content to them or to send different content according to out users’ interests.


Online access and data management

There are some cases in which we direct newsletter recipients to the MailChimp's website. For example, our newsletters include a link with which newsletter recipients can access the newsletters online (e.g. in case of display problems in e-mail programs). Furthermore, newsletter recipients can subsequently correct their data, such as their e-mail address. MailChimp’s Privacy Policy can also be accessed on their website.

In this context we would like to point out that cookies are used on MailChimp website and that personal data is processed by MailChimp, its partners and service providers (e.g. Google Analytics). We do not have any influence over this data collection. Further information can be found in MailChimp's Privacy Policy. We would also like to point out that you can object to the collection of data for advertising purposes on the websites and (for the European region).



You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent. Your consent to its delivery via MailChimp and the statistical analyses expire at the same time. It is unfortunately not possible to separately withdraw delivery by MailChimp or the statistical analysis.

A link to cancel the newsletter can be found at the end of each newsletter.


Legal basis from the General Data Protection Regulation

In accordance with the provisions of the General Data Protection Regulation (GDPR) applicable from 25th May 2018, we hereby inform you that consent to the sending of e-mail addresses is granted on the basis of Art. 6 Para. 1 a), 7 GDPR as well as Section 7 Para. 2 No. 3 and Para. 3 Unfair Competition act (UWG). The use of mailing service provider MailChimp, execution of statistical collection and analyses as well as logging of the registration process, are based on our legitimate interests according to Article 6Para. 1 f) GDPR. Our interest extends to our use of a user-friendly and secure newsletter system, which serves not only our business interests but is also in line with user’s expectations.

We should furthermore like to point out that you can object to future processing of your personal data at any time in accordance with the statutory provisions as per Article 21 GDPR. In particular, you may object to processing for the purposes of direct marketing.