Introduction

With the following privacy policy, we aim to inform you about the types of your personal data (hereinafter referred to as “data”) that we process, the purposes for which we process them, and the extent of such processing. This privacy policy applies to all processing of personal data conducted by us, including in the provision of our services and especially on our websites, in mobile applications, and within external online presences such as our social media profiles (collectively referred to as “Online Offer”).

The terms used are not gender-specific.

Table of Contents

Introduction
Controller
Overview of Processing Activities
Relevant Legal Bases
Security Measures
Transmission of Personal Data
Data Processing in Third Countries
Deletion of Data
Use of Cookies
Provision of the Online Offer and Web Hosting
Contact and Inquiry Management
Newsletters and Electronic Notifications
Web Analytics, Monitoring, and Optimization
Social Media Presences
Plugins and Embedded Features and Content
Amendments and Updates to the Privacy Policy
Rights of Data Subjects
Definitions

Controller

The Modesty Argument UG (haftungsbeschränkt)

Kaulbachstraße 51a
80539 Munich, Germany

Authorized Representative:
Michelle Heyer

Email Address:
contact@the-modesty-argument.de

Overview of Processing Activities

The following overview summarizes the types of data we process, the purposes of their processing, and the affected individuals.

Types of Processed Data:

• Master data
• Contact data
• Content data
• Usage data
• Meta/communication data

Categories of Affected Individuals:

• Communication partners
• Users

Purposes of Processing:

• Provision of contractual services and customer support
• Handling contact inquiries and communication
• Direct marketing
• Audience measurement
• Feedback
• Marketing
• Creating profiles with user-related information
• Provision of our online offer and ensuring user-friendliness
• IT infrastructure

Relevant Legal Bases

Below is an overview of the legal bases under the GDPR upon which we process personal data. Please note that, in addition to GDPR provisions, national data protection regulations may apply in your or our country of residence. If more specific legal bases apply in individual cases, we will inform you of these in this privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR): The data subject has given their consent to the processing of their personal data for one or more specific purposes.

• Performance of a Contract and Pre-contractual Inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR): Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract.

• Legal Obligation (Art. 6 para. 1 sentence 1 lit. c GDPR): Processing is necessary for compliance with a legal obligation to which the controller is subject.

• Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection provisions of the GDPR, national regulations in Germany, such as the Federal Data Protection Act (BDSG), apply. The BDSG includes specific rules on the right to access, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated decision-making in individual cases including profiling. Additionally, state data protection laws of individual federal states may apply.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements to ensure a level of security appropriate to the risk. These measures consider the state of the art, implementation costs, the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.

The measures include safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, transfer, availability, and separation of the data itself. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data compromise. Additionally, we take the protection of personal data into account as early as the development or selection of hardware, software, and procedures, following the principles of privacy by design and privacy by default.

SSL Encryption (https):

To protect your data transmitted via our online offer, we use SSL encryption. You can recognize encrypted connections by the prefix “https://” in your browser’s address bar.

Transmission of Personal Data

In the course of processing personal data, it may occur that data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. The recipients of this data may include IT service providers or providers of services and content integrated into a website. In such cases, we comply with legal requirements and conclude appropriate contracts or agreements to protect your data with the recipients of your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if the processing involves the use of services from third parties or disclosure/transfer of data to other persons, entities, or companies, such processing will only take place in compliance with legal requirements.

Subject to explicit consent or legally required transmission, we process or allow data to be processed only in third countries with a recognized level of data protection, through contractual obligations based on standard contractual clauses by the EU Commission, the existence of certifications, or binding internal data protection regulations (Art. 44-49 GDPR). For more information, visit the EU Commission’s information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection.

Deletion of Data

The data we process is deleted in accordance with legal requirements as soon as their permitted consents are revoked, or other permissions cease to apply (e.g., if the purpose for which they were processed ceases or they are no longer necessary for the purpose).

If the data is not deleted because it is required for other and legally permissible purposes, its processing will be limited to these purposes. This means that the data will be blocked and not processed for other purposes. For example, this applies to data that must be retained for commercial or tax reasons or that is necessary for asserting, exercising, or defending legal claims or protecting the rights of another natural or legal person.

Our privacy notices may also include additional details on the retention and deletion of data that apply primarily to the respective processing activities.

Use of Cookies

Cookies are small text files or other storage notes that store information on end devices and read information from end devices. For example, they can store login statuses, shopping cart content in an online shop, accessed content, or functions used within an online offer. Cookies can also be used for various purposes, such as ensuring the functionality, security, and comfort of online offers, or creating analyses of visitor flows.

Consent Notes: We use cookies in compliance with legal requirements. Therefore, we obtain prior consent from users unless such consent is not legally required. Consent is not required, for example, if storing and reading information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e., our online offer) explicitly requested by them. The revocable consent is clearly communicated to the users and contains information about the respective cookie use.

Legal Basis for Processing Cookie Data: The legal basis for processing users’ personal data using cookies depends on whether we ask users for their consent. If consent is given, the legal basis for processing the data is the declared consent. Otherwise, the data processed using cookies is based on our legitimate interests (e.g., the economic operation of our online offer and improving its usability) or, if required to fulfill our contractual obligations, when the use of cookies is necessary to fulfill our contractual obligations. The purposes for which cookies are processed are explained in this privacy policy or as part of consent and processing procedures.

Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:

• Temporary Cookies (Session Cookies): Temporary cookies are deleted at the latest after a user has left the online offer and closed their end device (e.g., browser or mobile application).
• Permanent Cookies: Permanent cookies remain stored even after the end device is closed. For example, login statuses can be saved, or preferred content displayed when the user visits a website again. Similarly, user data collected via cookies can be used for reach measurement. Unless otherwise specified, users can assume that cookies are permanent and their storage duration can be up to two years.

General Notes on Revocation and Objection (Opt-Out): Users can revoke their consent at any time and object to the processing according to legal requirements under Art. 21 GDPR. Users can also declare their objection through the settings of their browser.

Provision of the Online Offer and Web Hosting

To provide our online offer securely and efficiently, we utilize the services of one or more web hosting providers, from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may utilize infrastructure and platform services, computing capacity, storage space, and database services, as well as security services and technical maintenance services.

The data processed in the course of providing the hosting service may include all information related to users of our online offer, which is generated during usage and communication. This typically includes the IP address, which is necessary to deliver the content of the online offer to browsers, and all entries made within our online offer or websites.

Types of Processed Data:

• Content data (e.g., entries in online forms)
• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Categories of Affected Individuals:

• Users (e.g., website visitors, users of online services)

Purposes of Processing:

• Provision of our online offer and user-friendliness
• Information technology infrastructure (operation and provision of IT systems and technical devices, such as computers and servers)

Legal Bases:

• Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Additional Notes on Processing Activities, Procedures, and Services:

• Collection of Access Data and Log Files: We (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the accessed websites and files, date and time of access, transmitted data volumes, messages on successful access, browser type and version, the user’s operating system, referrer URL (previously visited page), and typically IP addresses and the requesting provider.

These server log files can be used for security purposes, for example, to prevent server overloads (especially in the case of misuse attacks, such as DDoS attacks) and to ensure the stability and performance of the servers.

Deletion of Data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that requires further retention for evidentiary purposes is excluded from deletion until the respective incident is fully resolved.

Contact and Inquiry Management

When contacting us (e.g., via contact form, email, phone, or social media) or within the context of existing user and business relationships, the information provided by the requesting individuals is processed to the extent necessary to respond to contact inquiries and any requested actions.

Responding to contact inquiries and managing contact and inquiry data within contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre-)contractual inquiries and, additionally, based on our legitimate interests in responding to inquiries and maintaining user or business relationships.

Types of Processed Data:

• Master data (e.g., names, addresses)
• Contact data (e.g., email addresses, phone numbers)
• Content data (e.g., entries in online forms)

Categories of Affected Individuals:

• Communication partners

Purposes of Processing:

• Handling contact inquiries and communication
• Provision of contractual services and customer support

Legal Bases:

• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR)
• Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR)
• Legal Obligation (Art. 6 para. 1 sentence 1 lit. c GDPR)

Newsletters and Electronic Notifications

We send newsletters, emails, and other electronic notifications (hereinafter referred to as “newsletters”) only with the consent of the recipients or a legal authorization. If the contents of the newsletter are specifically described during registration, they are decisive for the user’s consent. Otherwise, our newsletters contain information about our services and us.

To sign up for our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal address in the newsletter or additional information, if required for the purposes of the newsletter.

Double-Opt-In Procedure:

The registration for our newsletter generally takes place using a so-called double-opt-in procedure. This means you will receive an email after registration, asking you to confirm your registration. This confirmation is necessary to ensure that no one can register with someone else’s email address. The registrations for the newsletter are logged to document the registration process in accordance with legal requirements. This includes storing the registration and confirmation time as well as the IP address. Changes to your data stored with the mailing service provider are also logged.

Deletion and Restriction of Processing:

We may store unsubscribed email addresses for up to three years based on our legitimate interests to prove prior consent before deleting them. The processing of this data will be limited to the purpose of defending against possible claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist (“blocklist”).

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper execution. If we engage a service provider for the email dispatch, this is done based on our legitimate interests in an efficient and secure dispatch system.

Legal Basis Information:

The dispatch of newsletters is based on the consent of the recipients or, if consent is not required, on our legitimate interests in direct marketing, provided and to the extent it is legally permitted (e.g., in the case of existing customer advertising). If we commission a service provider to send emails, this is based on our legitimate interests in an efficient and secure dispatch. The registration process is logged based on our legitimate interests to document that it was conducted in compliance with the law.

Content:

Information about us, our services, promotions, and offers.

Types of Processed Data:

• Master data (e.g., names, addresses)
• Contact data (e.g., email addresses, phone numbers)
• Meta/communication data (e.g., device information, IP addresses)
• Usage data (e.g., visited websites, interest in content, access times)

Categories of Affected Individuals:

• Communication partners

Purposes of Processing:

• Direct marketing (e.g., via email or postal)

Legal Bases:

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
• Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Opt-Out:
You can cancel the receipt of our newsletter at any time, i.e., withdraw your consent, or object to further receipt. A link to cancel the newsletter can be found at the end of each newsletter, or you can use one of the contact methods listed above, preferably email.

Additional Notes on Processing Activities, Procedures, and Services:

• Measurement of Opening and Click Rates: The newsletters contain a so-called “web beacon,” a pixel-sized file retrieved from our server or, if we use a mailing service provider, from their server when the newsletter is opened. During this retrieval, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is collected.

This information is used to technically improve our newsletter based on technical data or target groups and their reading behavior, retrieval locations (which can be determined using the IP address), or access times. This analysis also includes determining whether the newsletters are opened.

Web Analytics, Monitoring, and Optimization

Web analytics (also referred to as “audience measurement”) serves to evaluate visitor flows to our online offer and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of audience measurement, we can, for example, identify when our online offer or its features or content are most frequently used or invite reuse. Similarly, we can understand which areas require optimization.

In addition to web analytics, we may use testing procedures to test and optimize different versions of our online offer or its components.

Unless otherwise stated below, profiles may be created for these purposes, i.e., data compiled into a usage process, and information stored in a browser or end device and retrieved from there. Collected information may include visited web pages and their elements, as well as technical data, such as the browser used, the operating system, and usage times. If users have agreed to the collection of their location data with us or with the providers of the services we use, location data may also be processed.

IP addresses of users are also stored; however, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is stored within the framework of web analytics, A/B testing, or optimization. Instead, pseudonyms are used. This means neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles.

Legal Basis Information:
If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

Types of Processed Data:

• Usage data (e.g., visited web pages, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Categories of Affected Individuals:

• Users (e.g., website visitors, users of online services)

Purposes of Processing:

• Audience measurement (e.g., access statistics, identifying returning visitors)
• Profiles with user-related information (e.g., creating user profiles)

Security Measures:

• IP Masking (Pseudonymization of IP addresses)

Legal Bases:

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
• Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Additional Notes on Processing Activities, Procedures, and Services:

• Google Analytics: Web analysis, audience measurement, and user flow measurement;
  
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Website: https://marketingplatform.google.com/intl/en/about/analytics/
  • Privacy Policy: https://policies.google.com/privacy
  • Data Processing Agreement: https://business.safety.google/adsprocessorterms
  • Standard Contractual Clauses: https://business.safety.google/adsprocessorterms
  • Opt-Out Option: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=en; Settings for ad displays: https://adssettings.google.com/authenticated

Social Media Presences

We maintain online presences on social networks and process user data in this context to communicate with active users on those networks or to offer information about us.

We point out that user data may be processed outside the European Union. This may pose risks to users because, for example, it could make it more difficult to enforce users’ rights.

Additionally, user data is usually processed for market research and advertising purposes within social networks. For example, user profiles can be created based on user behavior and resulting interests. These profiles can then be used to place advertisements inside and outside the networks that are presumed to align with users’ interests. For these purposes, cookies are generally stored on users’ devices, in which user behavior and interests are stored. Furthermore, data can also be stored in the user profiles regardless of the devices used (especially if users are members of the respective platforms and logged in).

For a detailed presentation of the respective processing and opt-out options, we refer to the privacy policies and information provided by the operators of the respective networks.

Also, in cases of requests for information and the assertion of user rights, we note that these are best addressed directly to the providers. Only the providers have access to user data and can take appropriate measures and provide information. If you need further assistance, you can contact us.

Types of Processed Data:

• Contact data (e.g., email addresses, phone numbers)
• Content data (e.g., entries in online forms)
• Usage data (e.g., visited websites, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)

Categories of Affected Individuals:

• Users (e.g., visitors to our social media presences, users of online services)

Purposes of Processing:

• Handling contact inquiries and communication
• Feedback collection (e.g., via online forms)
• Marketing

Legal Bases:

• Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Additional Notes on Processing Activities, Procedures, and Services:

• Instagram:
  
  • Service Provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA
  • Website: https://www.instagram.com
  • Privacy Policy: https://instagram.com/about/legal/privacy
• Facebook Pages:
  
  • Service Provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
  • Website: https://www.facebook.com
  • Privacy Policy: https://www.facebook.com/about/privacy
  • Joint Responsibility Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data
  • Standard Contractual Clauses: https://www.facebook.com/legal/EU_data_transfer_addendum
• Pinterest:
  
  • Service Provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA
  • Website: https://www.pinterest.com
  • Privacy Policy: https://about.pinterest.com/privacy-policy

Plugins and Embedded Features and Content

We integrate functional and content elements obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”) into our online offer. These may include graphics, videos, or city maps (hereinafter referred to collectively as “content”).

The integration requires that the third-party providers of this content process users’ IP addresses since they could not send the content to their browsers without the IP address. The IP address is therefore necessary for the presentation of this content or functionality. We strive to use only such content whose respective providers use the IP address solely for delivering the content. Third-party providers may also use “pixel tags” (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and contain technical information about the browser and operating system, referring websites, visit times, and other details about the use of our online offer, as well as be linked to such information from other sources.

Legal Basis Information:
If we ask users for their consent to the use of third-party providers, the legal basis for processing data is consent. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient, economic, and user-friendly services). In this context, we also refer to the information on the use of cookies in this privacy policy.

Types of Processed Data:

• Usage data (e.g., visited web pages, interest in content, access times)
• Meta/communication data (e.g., device information, IP addresses)
• Master data (e.g., names, addresses)
• Contact data (e.g., email addresses, phone numbers)
• Content data (e.g., entries in online forms)

Categories of Affected Individuals:

• Users (e.g., website visitors, users of online services)

Purposes of Processing:

• Provision of our online offer and user-friendliness

Legal Bases:

• Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)
• Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR)
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

Additional Notes on Processing Activities, Procedures, and Services:

• Google Fonts (retrieved from Google servers):
  Purpose: Retrieving fonts (and symbols) for a technically secure, maintenance-free, and efficient use of fonts and symbols regarding timeliness, uniform presentation, and potential licensing restrictions. The provider of the fonts receives the user’s IP address to provide the fonts in the user’s browser. Technical data (language settings, screen resolution, operating system, and hardware) is also transmitted.

• Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Website: https://fonts.google.com/
• Privacy Policy: https://policies.google.com/privacy
• YouTube Videos:
  Video content integrated into the online offer.
  
  • Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Website: https://www.youtube.com/
  • Privacy Policy: https://policies.google.com/privacy
  • Opt-Out Option: https://tools.google.com/dlpage/gaoptout?hl=en; Settings for ad displays: https://adssettings.google.com/authenticated

Amendments and Updates to the Privacy Policy

We ask you to regularly review the contents of our privacy policy. We will adjust the privacy policy as soon as changes in our data processing activities make this necessary. We will inform you when changes require your cooperation (e.g., consent) or other individual notifications.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that these addresses may change over time, and we ask you to verify the information before contacting us.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 GDPR:

• Right to Object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on Article 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions. If personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
• Right to Withdraw Consent: You have the right to withdraw your consent at any time.
• Right of Access: You have the right to request confirmation as to whether data concerning you is being processed and to access information about this data as well as to obtain further information and a copy of the data in accordance with the legal requirements.
• Right to Rectification: You have the right, in accordance with legal requirements, to request the completion or correction of inaccurate data concerning you.
• Right to Erasure and Restriction of Processing: You have the right, under the legal provisions, to demand that data concerning you be deleted immediately or, alternatively, to demand restriction of the processing of the data in accordance with the legal provisions.
• Right to Data Portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used, and machine-readable format or to request its transmission to another controller, in accordance with the legal provisions.
• Right to Lodge a Complaint with a Supervisory Authority: You have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, workplace, or the location of the alleged infringement, if you believe that the processing of your personal data violates the provisions of the GDPR.

Definitions

In this section, you will find an overview of the terms used in this privacy policy. Many of the terms are defined by law and primarily in Article 4 GDPR. The legal definitions are binding. The following explanations, however, are intended to aid understanding. The terms are listed alphabetically.

• Personal Data: “Personal data” refers to all information relating to an identified or identifiable natural person (referred to as “data subject”). An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more specific characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Profiles with User-Related Information: The processing of “profiles with user-related information” (or simply “profiles”) includes any type of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects related to a natural person (depending on the type of profiling, these can include different information regarding demographics, behavior, and interests, such as interactions with websites and their content). Profiling often uses cookies and web beacons.
• Audience Measurement: Audience measurement (also known as web analytics) refers to the evaluation of visitor traffic to an online offer and can include behavior or interests in specific content, such as webpages. With audience analysis, website operators can determine, for example, when visitors visit their website and what content they are interested in. This allows them to better tailor the content of the website to the needs of visitors. Audience measurement often uses pseudonymous cookies and web beacons to recognize returning visitors and obtain more accurate analyses of an online offer’s usage.
• Controller: The “controller” is the natural or legal person, authority, institution, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processing: “Processing” means any operation or set of operations that is performed on personal data or on sets of personal data, whether by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning, combining, restricting, erasing, or destroying.