© Hahnemühle 2026

Privacy Policy

Information about how we collect, use, store, share, and protect your personal data, and the rights you can exercise when using our services.

Last changed:27 May 2026
Download

1. Information about the collection of personal data

The protection of your personal data during the collection, processing and use on the occasion of your visit to our website or the use of our app is an important concern for us. Your data will only be processed within the framework of the statutory provisions. Below you will find information on what data is collected during your visit to one of our online services and how it is used:

1.1. Collection and processing of data

Every access to one of our online services and every retrieval of a file stored on one of our online services is logged. The storage serves internal system-related IT security and statistical purposes. The following data is logged: Name of the retrieved file, date and time of the retrieval, amount of data transferred, notification of successful retrieval, web browser and requesting domain.

In addition, the IP addresses of the requesting computers are logged in abbreviated form.

When using the app, we require your device identification, unique number of the terminal device (IMEI = International Mobile Equipment Identity), unique number of the network subscriber (IMSI = International Mobile Subscriber Identity).

Personal data is only collected if you provide this information voluntarily, for example as part of an enquiry via our contact form or to register for certain services.

We use the so-called double opt-in procedure for newsletter registration. This system works in such a way that you first enter your surname and first name including a valid e-mail address when registering. You will then receive an e-mail from us with a confirmation link. Only after your confirmation will your account with us be activated.

When registering for the "Hahnemühle Excellence Program", we automatically check at domain level on an anonymous basis whether the domain from which you wish to register is approved for this use.

1.2. Use and disclosure of personal data

If you have provided us with personal data without further consent, we will only use this data to answer your enquiries, to process contracts concluded with you and for technical administration.

Your personal data will only be passed on to third parties or otherwise transferred if this is necessary for the purpose of processing the contract - in particular the transfer of order data to suppliers - or if this is necessary for invoicing purposes or if you have given your prior consent. You have the right to revoke your consent at any time with effect for the future.

Stored personal data will be deleted if you revoke your consent to storage, if knowledge of the data is no longer required to fulfil the purpose for which it was stored, or if storage of the data is not permitted for other legal reasons.

1.3. Revocation

If you have given your consent to the processing of your data, you may revoke this consent at any time. Such a revocation will affect the permissibility of processing your personal data after you have expressed it to us.

1.4. Weighing of interests

Where we base the processing of your personal data on the balance of interests, you may object to the processing. This is the case if, in particular, the processing is not necessary for the performance of a contract with you, which we will set out in each case in the description of functions below. When exercising such an objection, we ask you to explain the reasons why we should not process your personal data as we have done. In the event of your justified objection, we will review the merits of the case and either cease or adapt the data processing or show you our compelling legitimate grounds for continuing the processing.

1.5. Advertising objection

Of course, you can object to the processing of your personal data for the purposes of advertising and data analysis at any time. You can send your objection to advertising to the contact details listed under f. below.

1.6. The responsible party according to Art. 4 para. 7 DS-GVO is:

Hahnemühle FineArt GmbH
Hahnestrasse 5
37586 Dassel
Germany
Contact person: Jannis Mocha
Phone: +49 5561 791 361 / +49 5561 791 305
E-mail: datenschutz@hahnemuehle.com
Website: www.hahnemuehle.com

The name and address of the data protection officer can be found at the end of this declaration.

2. Your rights

2.1. You have the following rights in relation to us regarding personal data relating to you:

  • Right of access,
  • Right to rectification or deletion
  • Right to restriction of processing
  • Right to object to processing
  • Right to data portability.

2.2. You also have the right to complain to a data protection supervisory authority about our processing of your personal data.

3. Cookies

Read more about the use of cookies in our Cookie Notice.

4. Protection against misuse and automated access: CAPTCHA services

To protect our online services, forms, registration processes, login areas, account functions and other interactive features against misuse, spam, automated access, credential stuffing, fraudulent registrations, bot attacks and similar security risks, we use CAPTCHA and bot-detection technologies. These technologies help us determine whether an interaction with our online services is carried out by a human user or by an automated system.

The processing is necessary to ensure the security, availability and integrity of our online services and to protect our users, customer accounts, systems and data against abusive or unlawful use.

The legal basis for this processing is Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in securing our online services, preventing misuse and fraud, protecting user accounts and ensuring the reliable operation of our digital services. Where the use of cookies or comparable technologies requires consent under applicable law, the legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with the applicable ePrivacy rules. You may withdraw your consent at any time with effect for the future.

4.1. Use of Cloudflare Turnstile

We use Cloudflare Turnstile, a service provided by Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA, and/or its affiliated companies, to protect our online services worldwide against automated access and misuse.

Cloudflare Turnstile is used to verify whether an interaction with our online services originates from a human user or from an automated program. Depending on the risk assessment, the verification may take place invisibly in the background or with minimal user interaction. Cloudflare states that Turnstile runs non-interactive JavaScript challenges and evaluates signals relating to the visitor and browser environment in order to detect bots and avoid intrusive visual CAPTCHA tasks where possible.

In connection with Cloudflare Turnstile, the following categories of data may be processed in particular:

  • IP address;
  • browser and device information;
  • operating system information;
  • user-agent data;
  • information about the visited website, page, form, or interaction;
  • time and result of the verification request;
  • technical signals, browser environment information, and challenge results;
  • tokens or identifiers required to verify the CAPTCHA result.

Cloudflare states that Turnstile processes these signals for the purpose of detecting and blocking bots, and not to identify, profile or target individuals. Cloudflare also states that, where it processes personal data as a processor for its customers, the customer determines the lawful basis and Cloudflare processes the data on the customer's behalf and under its instructions.

Cloudflare may process personal data in countries outside the European Economic Area, in particular in the United States. Where personal data is transferred to third countries, we ensure that appropriate safeguards are in place, such as standard contractual clauses or other lawful transfer mechanisms, where required by applicable data protection law.

Further information on Cloudflare Turnstile and Cloudflare's privacy practices can be found in Cloudflare's Turnstile Privacy Notice and Cloudflare's general privacy information can be found on https://www.cloudflare.com/en-gb/turnstile-privacy-policy/.

4.2. Use of Tencent CAPTCHA for users in China

For users accessing our online services from the People's Republic of China, we may use Tencent CAPTCHA, a service provided by Tencent Cloud, instead of or in addition to other CAPTCHA services. Tencent CAPTCHA is used because certain international CAPTCHA services may not be reliably accessible in China and because we need to provide secure and functional access to our services for users located in China.

Tencent CAPTCHA is used to protect our online services against automated access, malicious registrations, credential stuffing, bot activity, spam, abusive requests, scraping and other security risks. Tencent describes its CAPTCHA service as being suitable for login and registration scenarios, protection against malicious bulk registrations and credential stuffing, as well as protection against malicious crawlers and automated abuse.

Depending on the configuration and risk assessment, Tencent CAPTCHA may verify the user invisibly in the background or request additional interaction from the user. Tencent describes the service as using intelligent detection to assess user risk, allowing trusted users to skip challenges, while suspicious users may be asked to complete a verification challenge.

In connection with Tencent CAPTCHA, the following categories of data may be processed in particular:

  • IP address;
  • browser, device, and operating system information;
  • user-agent data;
  • network and request information;
  • page, form, or interaction data;
  • time and result of the verification request;
  • behavioural, environmental and risk-assessment signals;
  • device or browser fingerprints were used for fraud and bot prevention;
  • CAPTCHA ticket, token, or similar verification result.

Tencent Cloud states that its CAPTCHA product is designed to protect login, registration, promotional, posting and data-protection scenarios against automated misuse and malicious access. Tencent's Chinese product information also refers to security mechanisms such as proof-of-work verification, trajectory analysis, feature detection, credit history, device fingerprinting, anti-emulator measures, virtual-machine hardening, blacklists and graded verification.

Tencent Cloud may process personal data in countries outside the European Economic Area, including China and/or other locations depending on the service configuration. Tencent Cloud's data processing terms provide for data protection obligations, assistance with data subject rights and security obligations, and refer to lawful transfer mechanisms such as standard contractual clauses where applicable.

Further information on Tencent CAPTCHA and Tencents's privacy practices can be found on https://www.tencentcloud.com/document/product/301/69460.

We use Tencent CAPTCHA only where this is necessary to provide secure and reliable access to our online services for users in China or where Cloudflare Turnstile or another CAPTCHA service is not technically suitable or reliably available.

4.3. Retention period

We do not use CAPTCHA data to create user profiles for advertising purposes. The verification result is used to determine whether the requested interaction may be accepted, rejected or subjected to further verification.

We store CAPTCHA-related data only for as long as necessary for the security purposes described above, including fraud prevention, misuse detection, troubleshooting, evidence preservation and compliance with legal obligations. Data processed by Cloudflare or Tencent is retained in accordance with their applicable service terms, data processing agreements, and privacy notices.

4.4. Objection

Where the processing is based on Art. 6 para. 1 lit. f GDPR, you have the right to object to the processing of your personal data on grounds relating to your particular situation. However, if CAPTCHA verification is necessary for the security and functionality of our online services, we may be unable to provide certain forms, registration, login or account functions without such verification.

5. Use of Google Analytics

Subject to your consent, we use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics helps us understand how visitors use our websites and online services. This helps us measure reach, evaluate content and functions, identify technical or usability issues, improve our online services, and tailor them to users' needs.

Google Analytics may process the following categories of data in particular:

  • pages visited and interactions with our online services;
  • time and duration of visits;
  • approximate geographic location;
  • device, browser, and operating system information;
  • referrer URL;
  • IP address;
  • cookie identifiers, online identifiers, and similar technical identifiers;
  • events such as clicks, form interactions, or navigation behaviour.

Google provides privacy controls for Google Analytics that allow website operators to configure data collection and retention, including options relating to regional data settings, advertising features, data sharing, and retention periods.

We use Google Analytics only with your prior consent, where required by applicable law. The legal basis is therefore Art. 6 para. 1 lit. a GDPR in conjunction with the applicable ePrivacy rules. You may withdraw your consent at any time with effect for the future by changing your cookie or privacy settings on our website.

Google Analytics uses cookies and similar technologies to analyse user behaviour. The information generated may be transmitted to and stored by Google on servers outside the European Economic Area, in particular in the United States. For international transfers, Google refers to safeguards for advertising and analytics products, including contractual and supplementary measures intended to meet the requirements of European data protection law.

We have concluded a data processing agreement with Google, where required. Google processes Google Analytics data partly on our behalf and in accordance with our instructions. Depending on the configuration and Google's applicable terms, Google may also process certain data for its own purposes. Further information is available in Google's privacy and Google Analytics documentation.

Where available, we configure Google Analytics in a privacy-conscious manner. This may include, in particular:

  • consent-based loading of Google Analytics;
  • disabling Google Analytics before consent is given;
  • limiting data retention periods;
  • disabling or restricting advertising features unless separately consented to;
  • using IP-related privacy settings provided by Google;
  • limiting data sharing settings where appropriate.

You can prevent cookies from being stored by selecting the appropriate settings in your browser. You can also prevent Google Analytics from collecting data generated by the cookie and relating to your use of the website, and prevent Google from processing such data, by installing the Google Analytics opt-out browser add-on. Google states that this add-on is compatible with Chrome, Safari, Firefox, and Microsoft Edge.

Please note that if you block or delete cookies, withdraw consent, or use browser-based blocking mechanisms, some website functions or analytics measurements may be limited.

6. External links

For your optimal information, you will find links on our site that refer to third-party sites. Among others, also to our presences on Facebook, Twitter, Instagram, YouTube, and LinkedIn. Insofar as this is not obviously recognisable, we point out that it is an external link. We have no influence on the content and design of these pages of other providers and therefore refer to their data protection declarations. The guarantees of this data protection declaration therefore, naturally do not apply there.

6.1. Use of our Meta Offerings.

We are jointly responsible for the use of our Facebook or Instagram offers with Meta Platforms Ireland Limited (Facebook Ireland Limited) - hereinafter referred to as Meta - , 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, www.facebook.com/help/contact/540977946302970, as joint controller pursuant to Art. 26 DSGVO as well as the Facebook Page Insights Supplement (https://www.facebook.com/legal/terms/page_controller_addendum ).

Meta processes (personal) data when using Facebook products - including when visiting our Facebook or Instagram page - even from persons who are not logged into any of the Facebook services. Which (personal) data these are in detail, how, for which purposes and on which legal basis they are processed, is described by Facebook in its data policy (https://www.facebook.com/privacy/policy/?section_id=13-HowToContactMeta), which applies to all Facebook products. There you will also find information on how to contact Meata as well as on the settings options for advertisements, cookies, etc. Data may be transferred to countries outside the European Union.

More information about the cookies used by Meta when having a Facebook account, using Facebook products (including the website and apps) or visiting other websites and apps that use Meata products (including the "Like" button or other Facebook technologies) is provided by Facebook in the Cookie Policy (https://www.facebook.com/policies/cookies/). Information on how to manage information held about you can also be found at this link: https://www.facebook.com/policies/cookies/

When you visit our Facebook or Instagram pages, Meta collects, among other things, your IP address. Together with other information that Meta receives through cookies, Meta provides us as the operator of the Meta service with statistical information about the use of the respective service (so-called page insights). These are summarised data that show how users interact with the site. These page insights may be based on personal data collected by Meta in connection with a user's visit to or interaction with our respective Meta services and their content. Meta provides more information about this here: https://www.facebook.com/privacy/policyhttps://www.facebook.com/about/privacy

We may use Page Insights to anonymously evaluate reach, page views, time spent on video posts, actions (likes, comments, sharing of posts) and by age, gender and location (as indicated by users in their respective Facebook (Meta) profiles). In doing so, settings can be made for the evaluation of the reach or corresponding filters can be set with regard to the selection of a time period, the consideration of a specific post as well as demographic groupings (e.g. female, 20-30 years old). This data is anonymised, aggregated and abstracted. These settings therefore do not allow us to draw any conclusions about individuals. The evaluation serves to optimally design the offer on our pages for the purpose of public relations and marketing.

The legal basis for this data processing is Art. 6 para. 1 lit. a and f DSGVO.

We, as the provider of the information service, do not collect and process any further data from the use of the pages.

Irrespective of your rights against us, you have the right to lodge a complaint with the Irish Data Protection Commission (responsible for Meta Platforms Ireland Limited (Facebook Ireland Limited)) (Art. 77 DSGVO).

If you have specific questions about the protection of your data, please contact our data protection officer or the data protection officer of Meta Platforms Ireland Limited (Facebook Ireland Limited)) https://www.facebook.com/help/contact/540977946302970,

6.2. Use of our X (ex Twitter) service.

We use the technical platform and the services of X Corp, 865 FM 1209, Building 2, Bastrop, TX 78602, USA, for the short message service offered here. The data controller for persons living outside the United States is X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland.

We would like to point out that you use the X short message service offered here and its functions under your own responsibility. This applies in particular to the use of the interactive functions (e.g. sharing, rating).

Information on which data is processed by X and for which purposes can be found in Twitter's privacy policy: https://x.com/en/privacy.

We have no influence on the type and scope of the data processed by X, the type of processing and use or the transfer of this data to third parties. We also have no effective means of control in this respect.

By using X, your personal data will be processed by X Corp. in the United States, Ireland and any other country in which X Corp. does business, regardless of your place of residence.

On the one hand, X processes your voluntarily entered data such as name and user name, email address, telephone number or the contacts in your address book when you upload or synchronise it.

On the other hand, X also evaluates the content you share to see what topics you are interested in. Stores and processes confidential messages that you send directly to other users and can determine your location based on location data, wireless network information or via your IP address in order to send you advertising or other content.

For evaluation, X Corp. may use analysis tools such as X or Google Analytics. We have no influence on the use of such tools by X Corp. If tools of this kind are used by X Corp., we have neither commissioned this nor approved or supported this in any other way. The data obtained from this analysis is also not made available to us. Only certain non-personal information about posting activity, such as the number of profile or link clicks through a particular posting, is viewable in our account. We have no way of preventing or turning off the use of such tools on their X account.

As X Corp. is a non-European provider with a European branch only in Ireland, it is bound by European data protection regulations. This concerns, for example, your rights to information, blocking or deletion of data or the possibility to object to the use of usage data for advertising purposes.

You have options to restrict the processing of your data in the general settings of your X account and under the item "Data protection and security". In addition, you can restrict Twitter's access to contact and calendar data, photos, location data, etc. on mobile devices (smartphones, tablet computers) in the settings options there. However, this depends on the operating system used.

Further information on these points is available on the following Twitter support pages:

https://help.x.com/en/safety-and-security/x-privacy-settings

You can find out about the possibility of viewing your own data on X here: https://help.x.com/en/managing-your-account/accessing-your-x-data#.

Information about the inferences X draws about you can be found here: https://twitter.com/your_twitter_data

Information on the available personalisation and data protection settings can be found here (with further references):

https://twitter.com/personalization

Furthermore, you have the option of requesting information via the Twitter data protection form or the archive requests:

https://help.x.com/en/forms/privacy

https://help.x.com/en/managing-your-account/how-to-download-your-x-archive

We do not collect any data ourselves via your X account. However, the data you enter on X, in particular your user name and the content published under your account, are processed by us insofar as we retweet or reply to your postings, if applicable, or also write postings from us that refer to your account. The data you freely publish and disseminate on X is thus included by us in our offer and made accessible to our followers.

Further information on Twitter and other social networks, and how you can protect your data, can also be found at www.youngdata.de.

6.3. Use of our LinkedIn service

We operate our accounts in accordance with the principles set out below:

We are jointly responsible with LinkedIn Ireland Unlimited Company,Wilton Place, Dublin 2, Ireland https://www.linkedin.com/help/linkedin/answer/a517594/den-linkedin-kundenservice-kontaktieren?lang=en hereinafter referred to as the "Platform Operator".

We only process your personal data, such as your surname and first name, your e-mail address and IP address, etc., if there is a legal basis for doing so. You can find more detailed information on processing by the platform operator in the platform operator's data protection declaration.

Data is therefore only passed on to third parties if there is a legal basis for the processing. For example, we disclose personal data to persons or companies that act as processors for us in accordance with Art. 28 DSGVO. A processor is anyone who processes personal data on our behalf - i.e. in particular in an instruction and control relationship with us.

In accordance with the requirements of the GDPR, we conclude a contract with each of our processors to oblige them to comply with data protection regulations and thus to provide comprehensive protection for your data.

We would like to point out that your data may also be passed on to third parties by the platform operator. However, we have no influence on this.

You can find more detailed information on processing by the platform operator in the platform operator's data protection declaration.

We store all personal data that you transmit to us only for as long as they are needed to fulfil the purposes for which these data were transmitted or as long as this is required by law. Once the purpose has been fulfilled and/or the legal storage periods have expired, the data will be deleted or blocked by us, insofar as this is technically possible for us.

Information on data storage by the platform operator can be found in its privacy policy, see above.

This platform uses SSL encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us or the platform operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. There is no separate indication within apps that SSL encryption is available.

If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

Collection and storage of personal data as well as their type and purpose of use

When you access the website of the platform operator, information is automatically sent to the server of the platform operator by the browser used on your end device or by the app. This information is temporarily stored by the platform operator in a so-called log file.

However, this data is only available to the platform operator. It is not possible for us to access this data. Further information can be found in the platform operator's data protection declaration, see above.

We do not collect any personal data about you. However, it is possible to obtain pseudonymised data in the form of statistics about the users of our site over a certain period of time. The software for analysing user statistics is usually provided by the platform operator itself, but in some cases it is also possible to integrate third-party software (e.g., Google Analytics). Here, data about the users of the site can be collected, such as age, gender, country of origin, browser used, and interests.

However, this data is always pseudonymised, and it is not possible for us to make statements about individual users based on this data alone. We use this data exclusively to optimise the content we offer and its marketing and to adapt it to the respective user interests. This is a legitimate interest in accordance with Art. 6 para. 1 p. 1 lit. f DSGVO.

Furthermore, it is possible for you to interact with our account. You can do this, for example, by marking a post with "Like", sharing or commenting on it, or by writing to us directly.

When you interact with us, data processing by us is usually inevitable, as this allows us to see your account and thus makes personal data about you accessible to us; for example, your username, your profile picture or the date or time of the interaction.

We use this data exclusively to optimise the content we offer and its marketing and to adapt it to the respective user interests. This is a legitimate interest pursuant to Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest follows from the above-mentioned reason of optimising the content provided by us on our profile. Furthermore, the data collected is information that is only made available to us through your interaction with our profile. This establishes a relevant and appropriate relationship between you and our profile.

Where deletion is possible by us, personal data will be deleted by us after 28 days at the latest, unless there is a legal basis for further processing beyond this period.

Further information on data processing by the platform operator can be found in the respective privacy policy of the platform operator, see above.

This platform uses cookies. We have no influence on which cookies the platform operator uses. You can find more information in the privacy policy of the platform operator under the following link: https://www.linkedin.com/legal/privacy-policy?_l=de_EN

To enforce your rights, you can contact the platform operator directly if the processing is carried out by the platform operator. We have provided you with the contact details of the platform operator as the data controller at the beginning of this document. Of course, you can also contact us to enforce your rights.

Regarding changes to the data protection statements by the platform operator, please refer to the platform operator's data protection statement, see above.

6.4. Use of YouTube

We also use the function for embedding YouTube videos of Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland; "YouTube") on some of our online offers.YouTube is a company affiliated with Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). The function displays videos stored on YouTube in an iFrame on the website. The option "Extended data protection mode" is activated. This means that YouTube does not store any information about visitors to the website. Only when you watch a video is information about it transmitted to YouTube and stored there. Your data may be transmitted to the USA. The use of cookies or comparable technologies takes place with your consent on the basis of § 15 para. 3 p. 1 TMG in conjunction with. Art. 6 para. 1 lit. a DSGVO. The processing of your personal data is carried out with your consent on the basis of Art. 6 para. 1 lit. a DSGVO. You can revoke your consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent until revocation.

For more information on the collection and use of data by YouTube and Google, your rights in this regard and ways to protect your privacy, please refer to YouTube's privacy policy at https://policies.google.com/privacy?hl=dehttps://www.youtube.com/t/privacy.

7. Security

We take state-of-the-art technical and organisational security measures to protect the data you provide us from accidental or intentional manipulation, loss, destruction or from access by unauthorised persons. For example, the data you enter in the contact form is transmitted to us in encrypted form. The security measures are continuously improved in line with technological developments.

Notice:

We make every effort to store your personal data in such a way that it is not accessible to third parties by taking all technical and organisational measures. When communicating by e-mail, we cannot guarantee complete data security during transport, so we recommend that you send confidential information by post.

8. Right to information

Upon written request, we will be happy to inform you about the personal data stored about you. Please contact the persons named under 1 f. or our data protection officer:

Dipl.-Ing. Jörg Hagen
Königstraße 50a
30175 Hanover
E-mail: info(at)jhcon.de

9. Use of My Art Registry

The photographer/artist assures that the low-res photographs (thumbnail) of all works of art uploaded by him/her are free of third-party rights and that he/she may freely dispose of them. He/she also assures that persons depicted or the owners of the rights to depicted works of fine or applied art, as well as the authors of images from which the depicted photographs/works of art were created by editing or redesigning, have given their consent to publication and exploitation in verifiable form. The photographer/artist shall indemnify Hahnemühle against all claims asserted against Hahnemühle by third parties on account of an infringement of their rights. The indemnity obligation shall also include the costs incurred by Hahnemühle in defending such claims. The obligation to indemnify shall not apply if the photographer proves that the artist is not at fault.