This service is maintained by Benedikt Hopmann. The following privacy policy applies to the processing of your personal data within the online office hours registration system.


Privacy Policy

Introduction

With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for which purposes and to what extent, in connection with the provision of our application.

The terms used are not gender-specific.

Last updated: 20 April 2026

Controller

Benedikt Hopmann
Universität Siegen
Fakultät II: Bildung · Architektur · Künste
Department Erziehungswissenschaft, Sozialpädagogik
Hölderlinstraße 3
57076 Siegen

E-mail address: benedikt.hopmann@uni-siegen.de

Phone: +49 271 740-4084

Overview of Processing Activities

The following overview summarises the types of data processed and the purposes of their processing, and refers to the data subjects concerned.

Types of Data Processed

Categories of Data Subjects

Purposes of Processing

Applicable Legal Bases

The following provides an overview of the legal bases under the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection rules may apply in your or our country of residence or establishment. Should more specific legal bases be applicable in individual cases, we will inform you of these in the privacy policy.

In addition to the data protection regulations of the GDPR, national data protection rules apply in Germany. These include in particular the Act on Protection against Misuse of Personal Data in Data Processing (Bundesdatenschutzgesetz – BDSG). The BDSG contains in particular special provisions on the right of access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated individual decision-making, including profiling. It also governs data processing for employment purposes (§ 26 BDSG), in particular with regard to the establishment, performance or termination of employment relationships and the consent of employees. Furthermore, the data protection laws of the individual German federal states may apply.

Security Measures

We implement appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as by controlling access to, input of and disclosure of the data, ensuring its availability and keeping it segregated. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data and responses to data security threats. We also take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of privacy by design and by default.

TLS encryption (https): In order to protect the data you transmit via our online service, we use TLS encryption. You can recognise such encrypted connections by the prefix https:// in the address bar of your browser.

Abuse prevention through rate limiting: To protect against abusive requests (e.g., automated bulk booking or cancellation of appointments), pseudonymised checksums (SHA-256 hashes) of the requesting person's IP address are temporarily stored in the database when security-sensitive actions are performed. These hash values do not allow the IP address to be inferred directly and are automatically deleted after a maximum of 15 minutes. For the password reset function, a hash value of the entered e-mail address is additionally stored to detect excessive request rates; this is also automatically deleted after a maximum of 60 minutes. The legal basis is the legitimate interest in the security and protection of the system (Art. 6(1)(f) GDPR).

Transmission of Personal Data

In the course of our processing of personal data, it may be transmitted to or disclosed to other parties, companies, legally independent organisational units or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or disclosing or transmitting data to other persons, entities or companies, this is done only in accordance with legal requirements.

Subject to express consent or contractually or legally required transmission, we only process or have data processed in third countries with a recognised level of data protection, on the basis of contractual obligations through so-called standard contractual clauses of the EU Commission, in the presence of certifications or binding internal data protection rules (Art. 44 to 49 GDPR, European Commission information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Erasure of Data

The data processed by us will be erased in accordance with legal requirements as soon as consent given for processing is revoked or other permissions cease to apply (e.g., if the purpose of processing such data has ceased to apply or the data is not required for that purpose). If the data is not erased because it is required for other legally permissible purposes, its processing will be restricted to these purposes. That is, the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is required for the assertion, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.

Automatic erasure of booking data: Office hour appointments and associated booking data (name, e-mail address and any comment provided by the booking person) are automatically erased once the appointment time is more than seven days in the past. Erasure is carried out daily by an automated process.

Our data protection notices may also contain further information on the retention and erasure of data that takes precedence for the respective processing activities.

Provision of the Online Service and Web Hosting

We process users' data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Further information on processing operations, procedures and services:

Contact and Inquiry Management

When contacting us (e.g., by contact form, e-mail, telephone or via social media) and in the context of existing user and business relationships, the information provided by the inquiring persons is processed insofar as this is necessary to respond to contact inquiries and any requested measures.

Further information on processing operations, procedures and services:

Calendar Export (iCal)

Instructors have the option of importing their office hour appointments into a calendar application via a personal calendar interface (iCal feed, RFC 5545). Access to this feed is protected by an individual, cryptographically secured token and is only accessible to the respective instructor.

Note on cloud synchronisation: Many calendar applications (e.g., Google Calendar, Apple Calendar, Microsoft Outlook) automatically synchronise imported calendar data with the servers of the respective provider. If the iCal feed is integrated into such an application, the personal data it contains – in particular the names of students – will be transmitted to and stored by the provider of the calendar application. Instructors are asked to take this into account when choosing their calendar application and to integrate the iCal feed only into applications whose level of data protection meets the requirements of the GDPR. The respective privacy policy of the third-party provider governs the processing by such providers.

The iCal token can be reset at any time in the admin area under Settings. Resetting the token permanently invalidates the previous feed link.

Changes and Updates to the Privacy Policy

We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as changes require your cooperation (e.g., consent) or other individual notification.

Where we provide addresses and contact information of companies and organisations in this privacy policy, please note that addresses may change over time; we ask you to verify the information before contacting us.

Rights of Data Subjects

As a data subject, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

Exercising your rights: Students who have booked an office hours appointment can delete their booking data themselves by using the cancellation link included in their booking confirmation. Uncancelled booking data is automatically deleted seven days after the appointment date. For all other requests regarding access, rectification or erasure of your data, please contact the responsible person named above by e-mail.

Definitions

This section provides an overview of the terms used in this privacy policy. Many of the terms are taken from the law and defined primarily in Art. 4 GDPR. The statutory definitions are binding. The following explanations are intended primarily to aid understanding. The terms are sorted alphabetically.
