We appreciate your interest in our website. The security of your personal data is of utmost importance to us. Therefore, we would like to inform you below which data of your visit we use for which purposes.
Last amended on: 16 October 2018
69121 Heidelberg, Germany
Types of the data processed:
- Inventory data (e.g., names, addresses)
- Contact information (e.g., e-mail, phone numbers)
- Content data (e.g. text input, photographs, videos).
- Contract data (e.g. subject matter of the contract, term, customer category)
- Payment data (e.g. bank details, payment history)
- User data (e.g., websites visited, interest in content, access times)
- Meta/communication data (e.g., device information, IP addresses)
Hereinafter, unless further described, referred to as “data”.
Processing of special categories of data (Art. 9 (1) GDPR):
In principle, no special categories of data are processed unless they are sent by the users for the processing, e.g., entered in online forms.
Categories of data subjects:
- Customers/prospective customers/suppliers.
- Visitors and users of the online offer.
In the following, we also refer to the data subjects as “users”.
Restriction of processing
- Provision of the online offer, its content and features.
- Provision of contractual services, servicing and customer support.
- Responding to contact inquiries and communicating with users
- Marketing, advertising and market research.
Applicable legal bases
- We shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, in accordance with Article 32 GDPR, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of processing, as well as probability and severity of the risk to the rights and freedoms of natural persons; the measures shall include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as the access, input, transmission, security of availability and its separation. Furthermore, we have established procedures that guarantee the exercise of data subject rights, deletion of data and responding to data risks. Furthermore, we already consider the protection of personal data during the development or selection of hardware, software and procedures, in accordance with the the general principles relating to personal data processing, the principles of data protection by design and by default. (Art. 25 GDPR).
- These security measures include, in particular, the encrypted transmission of data between your browser and our server.
Cooperation with contract processors and third parties
- If we disclose data to other persons and companies (contract processors or third parties) within the scope of our processing, pass on the data to them or otherwise grant them access to the data, this shall only take place on the basis of a legal authorisation (e.g., if a transmission of the data to third parties, such as payment service providers, in accordance with Art. 6 (1) (b) GDPR is required for contract fulfilment), your consent, a legal obligation provides for this or on the basis of our legitimate interests (e.g., if agents, web hosts, etc. are commissioned).
- If we commission third parties with the processing of data on the basis of a so-called “order processing contract”, this takes place on the basis of Art. 28 GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure or transfer of data to third parties, this shall only take place if it occurs for the fulfilment of our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual authorisations, we only process the data in a third country or have the data processed in a third country if the specific requirements of Art. 44 (ff) GDPR are met. This means, for example, that the processing is carried out on the basis of specific safeguards, such as the officially recognised determination of a data protection level corresponding to the EU (e.g., for the USA by the “Privacy Shield”) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
Rights of the data subject
- You are entitled to request confirmation as to whether the data concerned are being processed and to request information about the data as well as further information and a copy of the data in accordance with Art. 15 GDPR.
- Pursuant to Art. 16 GDPR, you are entitled to request the completion or rectification of your personal data.
- In accordance with Art. 17 GDPR, you are entitled to request that the relevant data be erased without undue delay or, alternatively, demand a restriction on the processing of the data in accordance with Art. 18 GDPR.
- You are entitled to request that the personal data you have provided to us be received in accordance with Art. 20 GDPR and to request its transmission to other controllers.
- In accordance with Art. 77 GDPR you are entitled to lodge a complaint with the competent supervisory authority.
Right of revocation
You have the right to revoke consent once granted in accordance with Art. 7 (3) GDPR at any time with effect for the future.
Right to object
You can choose to opt out of the future processing of your personal data at any time in accordance with Art. 21 GDPR. This right to object applies in particular to the processing of data for the purposes of direct advertising.
Cookies and right to object in direct advertising
Deletion of data
- According to statutory regulations, documents must be retained for six years as per Section 257 (1) of the German Commercial Code (HGB) (accounting ledgers, inventories, opening balance sheets, annual financial statements, trade letters, accounting records, etc.) and for 10 years as per Section 147 (1) of the German Fiscal Code (AO) (accounts and records, situation reports, accounting records, trade and business letters, other documents of relevance for taxation, etc.).
Provision of contractual services
- We process inventory data (e.g., names and addresses as well as contact information of users), contract data (e.g., services used, names of contacts, payment information) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 (1) (b) GDPR. The entries marked as mandatory in online forms are required for the conclusion of the contract.
- Users can optionally create a user account, in particular by viewing their orders. During the registration process, the required information will be communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regard to the user account will be deleted, subject to their retention, for commercial or tax reasons, in accordance with Art. 6 (1) (c) GDPR . It is the responsibility of the users to back-up their data in the event of termination taking place before the end of the agreement. We are entitled to irretrievably delete all user data stored during the term of the contract.
- As part of the registration and repeated logins and the use of our online services, we store the IP address and the time of the respective user action. The storage takes place on the basis of our legitimate interests, as well as those of users, to protect against abuse and other unauthorised use. Distribution of this data to third parties does not take place as a matter of principle, unless it is required to pursue our claims or a legal obligation for this exists in accordance with Art. 6 (1) c of the GDPR.
- We process user data (e.g., the visited websites of our online offer, interest in our products) and content data (e.g., entries in the contact form or user profile) for marketing purposes in a user profile in order to show the user product information based on their previously used services, for example.
- The deletion takes place after the expiry of statutory warranty and similar obligations, the necessity of the retention of the data is reviewed every three years; in the case of statutory archiving obligations the deletion takes place after their expiry (termination of the retention obligation under commercial law (6 years) and tax law (10 years)); user account information remains until deleted.
- When you contact us (via contact form or e-mail), the information provided by the user to process the contact inquiry and its processing will be managed in accordance with Art. 6 (1) (b) GDPR.
- The inquiries that are no longer necessary are deleted. We review the requirement every two years; requests from customers who have a customer account are stored permanently and are linked to the customer account details for deletion. In the case of statutory archiving obligations, the deletion takes place after their expiry (termination of the retention obligation under commercial law (6 years) and tax law (10 years)).
- If users leave comments or other reviews, their IP addresses are stored on the basis of our legitimate interests as defined in Art. 6 (1) (f) GDPR.
- This takes place for our safety, if someone leaves illegal contents in comments and contributions (insults, forbidden political propaganda, etc.). In this case we can be prosecuted ourselves for the comment or contribution and are therefore interested in the identity of the author.
Collection of access data and log files
- For the purposes of our legitimate interests, in accordance with Art. 6 (1) point f GDPR, we collect data every time the server on which the service is located is accessed (so-called server log files). These access logs include the name of the webpage and/or file accessed by the user, the date and time of access, the amount of data transferred, notification of successful retrieval, details of the web browser used (including the version), the User’s operating system, the referrer URL (of the previous page linking to our website), the IP address and the requesting provider.
- Log file information is retained for security reasons (e.g. to detect improper use or fraud) for a maximum of seven days before being deleted. Data that is to be retained as evidence shall be excluded from deletion until the relevant case has been finalised.
Online presence in social media
- We maintain online presence based on our legitimate interests within the meaning of Art. 6 (1) (f) GDPR within social networks and platforms in order to communicate with active customers, prospective customers and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Cookies & reach measurement
- Cookies are data packets that are transferred from our web server or third parties’ web servers to the user’s web browser and stored there for later retrieval. Cookies may comprise small files or any other kinds of information storage.
- We use “session cookies”, which are only stored on our website throughout your current visit (e.g., to enable the storage of your login status or the the shopping cart function and thus the use of our website). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. A cookie also contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and log out or close your browser, for example. Similarly, we use “Persistent cookies”. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.
- If the user does not wish cookies to be stored on their computer, we hereby request that they disable the relevant option in their browser settings. Stored cookies can be deleted in the browser settings at any time. Disabling cookies may prevent you from enjoying the full functionality of these websites.
- You can block cookies that are used for tracking and online advertising by visiting the opt-out page of the network advertising initiative (http://optout.networkadvertising.org/) and also by managing your preferences on the U.S. website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).
- Google is certified under the Privacy Shield framework which offers a guarantee of compliance with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use this information on our behalf for the purpose of evaluating use of our Websites by the User, compiling reports on activity on the Websites, and providing us with other services relating to the use of the Websites and use of the Internet. This process may involve creating pseudonymised usage profiles of users from the processed data.
- We use Google Analytics to display the Google add and its affiliate advertising services, only to those users who have shown an interest in our online offering or who have certain features (e.g., interests in certain topics or products that are determined by the websites visited) that we transmit to Google (so-called “Remarketing” or “Google Analytics Audiences”). With Remarketing Audiences, we also want to make sure that our ads are in line with the potential interest of users and are not annoying.
- We only use Google Analytics with IP anonymisation enabled. This means that Google truncates the user’s IP address within Member States of the European Union and in other countries that are party to the Agreement on the European Economic Area. The complete IP address will be transferred to a Google server in USA and truncated there only in exceptional cases.
- For more information on how Google uses data and how to opt out, please refer to Google’s websites: https://www.google.com/intl/de/policies/privacy/partners(“How Google uses data when you use our partners’ sites or apps”), https://policies.google.com/technologies/ads (“How Google uses data in advertising”), https://adssettings.google.com/authenticated (“Control the information Google uses to show you ads”).
Google Remarketing Services
In order to ensure sufficient data security when submitting forms and to ward off spam, bots and viruses, in some cases we use the service reCAPTCHA of Google Inc. on our website. This is especially useful for distinguishing whether the input is made by a human or Abused by automated, machine processing. The query includes the sending of the IP address and any other data required by Google for the reCAPTCHA service to Google. For this purpose, your input will be transmitted to Google and used there.
However, if IP anonymisation is activated on this website, your IP address will be truncated by Google beforehand within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.
- With the following information, we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedures and your rights of objection. By subscribing to our newsletter, you agree to the reception and the described procedures.
- Content of the newsletter: We only send newsletters, emails and other electronic notifications containing advertising information (hereinafter referred to as "newsletter") with the consent of the recipient or legal permission. If the contents of the newsletter are specifically described within the scope of registration, they are decisive for the consent of the user. In addition, our newsletters contain information about our products, offers, promotions and our company.
- Double-Opt-In and logging: The registration to our newsletter takes place in a so-called double-opt-in procedure. This means that after registration, you will receive an email in which you will be asked to confirm your registration. This confirmation is necessary so that nobody can register with other people's email addresses. The registrations for the newsletter are logged in order to be able to prove the registration process according to the legal requirements. This includes the storage of the registration and confirmation time, as well as the IP address. Likewise, changes of your data stored with the dispatch service provider are logged.
- Newsletter2Go is used as newsletter software. Your data will be transmitted to Newsletter2Go GmbH. Newsletter2Go is prohibited from selling your data and from using it for purposes other than sending newsletters. Newsletter2Go is a German, certified supplier, which was selected after the requirements of the GDPR and the Bundesdatenschutzgesetz (Federal Law for Data Protection). Further information can be found here: https://www.newsletter2go.de/informationen-newsletter-empfaenger/
- Furthermore, according to its own information, the dispatch service provider may use this data in pseudonymous form, i.e. without allocation to a user, to optimize or improve its own services, e.g. for technical optimization of the dispatch and presentation of the newsletter or for statistical purposes in order to determine the countries of origin of the recipients. However, the dispatch service provider does not use the data of our newsletter recipients to write to them itself or pass them on to third parties.
- Registration data: To subscribe to the newsletter, it is sufficient to provide your email address. Optionally, we ask you to enter a name, so we can address you personally in the newsletter. Entering your date of birth is optional and serves to send you a special voucher on your birthday.
- Performance measurement: The newsletters contain a so-called "web-beacon", i.e. a pixel-sized file, which is retrieved from the server of the dispatch service provider when the newsletter is opened. Within the scope of this retrieval, technical information, such as information about the browser and your system, as well as your IP address and time of retrieval are first collected. This information is used for the technical improvement of the services based on the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined with the help of the IP address) or the access times. The statistical surveys also include determining whether the newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our nor the dispatch service provider's intention to monitor individual users. The evaluations serve us much more to recognize the reading habits of our users and to adapt our contents to them or to send different contents according to the interests of our users.
- The newsletter is sent and the success measured based on the recipient's consent pursuant to Art. 6 Para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 Para. 2 No. 3 UWG or based on legal permission pursuant to § 7 Para. 3 UWG.
- The registration procedure is recorded based on our legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR and serves as proof of consent to receive the newsletter.
- Cancellation/revocation - Newsletter recipients can cancel the subscription to our newsletter, i.e. revoke their consent, at any time. You will find a link to unsubscribe from the newsletter at the end of each newsletter. At the same time, your consent to the performance measurement expires. A separate revocation of the performance measurement unfortunately is not possible, the entire newsletter subscription must be cancelled in this case. With the cancellation of the newsletter, personal data is deleted, unless its storage is legally required or justified, in which case the processing is limited to these exceptional purposes only. In particular, we may store the deleted email addresses for up to three years based on our legitimate interests before we delete them for the purpose of sending the newsletter in order to be able to prove that you have previously given your consent. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of a consent is confirmed at the same time.
Facebook Custom Audiences
- Due to our legitimate interests in the analysis, optimization and economic operation of our online service and for these purposes, the so-called "Facebook pixel" of the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used within our online service.
- Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
- Using the Facebook pixel, Facebook is able to identify visitors to our online offering as a target group for the presentation of ads (so-called "Facebook ads"). Accordingly, we use Facebook pixels to display Facebook ads placed by us only to Facebook users who have shown an interest in our online offering or who have certain features (e.g. interests in certain topics or products that are determined on the basis of the websites visited) that we transmit to Facebook (so-called "custom audiences"). Using Facebook pixels, we also want to ensure that our Facebook ads match the potential interest of users and are not annoying. Using Facebook pixels, we can also track the effectiveness of Facebook ads for statistical and market research purposes by tracking whether users were referred to our website after clicking on a Facebook ad (known as "conversion").
- Facebook processes the data in accordance with Facebook's data usage policy. Accordingly, general information about the presentation of Facebook ads in Facebook's data usage policy: https://www.facebook.com/policy.php. Specific information and details about Facebook pixels and how they work can be found in the help section of Facebook: https://www.facebook.com/business/help/651294705016616.
- You may opt out of Facebook pixel collection and use of your information to display Facebook ads. To control what types of ads you see on Facebook, you can go to the page set up by Facebook and follow the instructions on how to set up usage-based ads: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
Amazon affiliate program
Integration of third-party services and content
- Within the scope of our online offer and following our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 Para. 1 lit. f. GDPR), we use content or service offers from third parties in order to integrate their content and services, such as videos or fonts (hereinafter referred to as "content"). This always presupposes that the third-party providers of this content perceive the IP address of the user, since they would not be able to send the content to their browser without the IP address. The IP address is therefore required for the presentation of this content. We make every effort to use only those contents whose respective providers only use the IP address to deliver the contents. Third party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring web pages, visit times and other information about the use of our online offering, as well as may be linked to such information from other sources.
- The following list provides an overview of third party providers and their contents, along with links to their data protection declarations, which contain further information on the processing of data and, in some cases already mentioned here, possible objections (so-called opt-out):
- If our customers use third-party payment services (e.g. PayPal or Sofortüberweisung), the terms and conditions and data protection notices of the respective third party providers, which are available on the respective websites or in their transaction applications, apply.
- For payment in advance and purchase on account, the payment is processed by Komfortkasse. In this case, we pass on the necessary personal data to LTC Information Services GmbH. The data protection regulations of Komfortkasse can be found here: https://komfortkasse.eu/datenschutz. The passing on of the data takes place exclusively for the purpose of the payment completion.
- We use Stripe, an offer of the American Stripe Inc. (hereinafter "Stripe"), for the handling of payments by means of instant bank transfer, Giropay and credit cards (legal basis according to GDPR, if and to the extent applicable: Art. 6 Para. 1 Bst. b u. f GDPR). Stripe is certified according to both the EU-American and the Swiss-American Privacy Shield and thus guarantees adequate data protection: Data protection declaration, entry in the Privacy Shield list.
- Evaluation reminder by Trusted Shops: If you have given us your express consent to do so during or after your order by activating a checkbox or clicking a button provided for this purpose, we will send your email address to Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Köln (www.trustedshops.de) so that they can remind you of the possibility of submitting an evaluation by email. This consent can be revoked at any time by sending a message to the contact option described below or directly to Trusted Shops.
- Use of Vimeo.com (embedding of videos): By embedding videos, it comes - technically conditioned - to calls of the servers of the offeror (Vimeo, Inc., New York, USA) and to the exchange of browser and end device data. Vimeo is responsible for the processing of this data. According to Vimeo, it guarantees adequate data protection by complying with the EU-American as well as the Swiss-American Privacy Shield: https://vimeo.com/privacy