1. Home
  2. Data Protection

Data Protection

In the following, we inform you about how and why we collect your personal data when you use our website or contact us by e-mail, by phone, or using a contact form. Personal data within the meaning of Art. 4(1) EU General Data Protection Regulation (GDPR) refers to all data that can be personally related to you, e.g. your name, address, e-mail addresses and user behaviour.

 

I. Name and contact information for controller and data protection officer

The controller responsible for processing personal data within the meaning of Art. 4(7) GDPR is:

Vaanah GmbH

Martin-Schmeisser Weg 10 

44227 Dortmund

Phone: +49 176 25 74 81 80
Fax: +49 176 25 74 81 80
Email: info@vaanah.com

(please refer to our statutory information page at https://vaanah.shuup.com/legal-notice).

Our data protection officer, lawyer Mr. xxxxxx xxxx , xxx xxxx xxxx GmbH, our location, can be contacted by phone on our phone  or by e-mail at datenschutz[at]slk-compliance.de.

 

II. General information on the collection and transfer of personal data and the period for which it is stored

Your personal data is mainly processed for the purposes of providing access to our website and establishing and fulfilling a contractual relationship with you. When you contact us by email, by phone or using a contact form, we store the data you give us (e.g. your e-mail address, your name and phone number if applicable) in order to process your enquiry. The principal legal basis for this is Art. 6(1)(b) GDPR. Moreover, we may make use of your separate consent pursuant to Art. 6(1)(a). We also process your data in order to meet our legal obligations, particularly those incumbent on us under commercial and fiscal law. The legal basis for this form of processing is Art. 6(1)(c) GDPR. If necessary, we also process your data on the basis of Art. 6(1)(f) GDPR in order to pursue our legitimate interests or those of third parties. These interests can for example arise in connection with advertising (insofar as you have not objected to the use of your data for this purpose), the exercise or defence of legal claims, guarantees of our company’s IT security, business management measures, and the ongoing development of products and services.

We only disclose your personal data to third parties if you have consented to us doing so pursuant to Art. 6(1)(a) GDPR, if the disclosure of your personal data is necessary to establish, exercise, or defend legal claims or to protect our legitimate interests pursuant to Art. 6(1)(f) GDPR (e.g. affiliated companies, courts, tax consultants, solicitors) and there is no reason to assume that you have an overriding interest in the non-disclosure of your data that is worthy of protection, if your data has to be disclosed to fulfil a legal obligation as per Art. 6(1)(c) GDPR (e.g. financial authorities), or if the disclosure of your data is permitted by law and necessary for the performance of a contract to which you are a party, as described in Art. 6(1)(b) GDPR (e.g. banks, logistics providers, IT service providers).

Your personal data may be transferred to a third country depending on which of our website services you use or request from us. We only transmit personal data to recipients outside the European Economic Area (EEA) if the European Commission has confirmed that an adequate level of data protection exists in the respective third country, if further appropriate data privacy guarantees (e.g. binding internal data privacy regulations or EU Standard Contractual Clauses (SCC)) have been put in place, or if derogations exist within the meaning of Art. 49 GDPR.

We will erase your personal data as soon as it is no longer required for any of the purposes specified in this Privacy Policy. After the contractual relationship with you has expired, we will retain your personal data for as long as the law obliges us to do so. This is regularly required in connection with the statutory retention periods and obligations to produce evidence specified for example in the Commercial and Fiscal Codes. The retention periods stipulated in this legislation can be up to ten years. Personal data may also be retained for the period in which claims can be brought against us (statutory limitation period of three or up to thirty years).

You are only obliged to furnish us with the personal data which we require in connection with the provision and use of certain functions on our website, which we require to establish and execute a contractual relationship with you and fulfil the contractual duties associated with this relationship, or which we are obliged to collect by law. Without this data, we will be unable to provide access to the website and certain of its functions, to conclude a contract with you, or to execute such a contract.

 

III. Collection and processing of personal data on our website

Visiting our website

If you are only using the website for information purposes and do not register or transfer information to us in any other way, we will only collect the personal data which your browser transmits to our server and which is technically necessary to display our website and guarantee its stability and security. This data encompasses your IP address, the query sent by your browser, and the time at which this query is sent. The status and quantity of data transferred in connection with this query are also recorded. We also collect product and version information about your device’s operating system and the browser you are using. Furthermore, we collect information about the web page from which you accessed our website.

The temporary storage of the IP address by the system is necessary to ensure that the website can be displayed in your browser. This is why your IP address must be stored for the duration of the session. The other data is processed to guarantee the functionality of the website. We also use this data for the purpose of optimising our website and ensuring that our information technology systems are stable and secure. The legal basis for this is Art. 6(1)(f) GDPR, based on the weighing of our overriding legitimate interests as mentioned above.

The data we collect is transferred to external service providers (hosting providers, IT service providers, web agencies), who help us process the data for the purposes specified above.

This data will be erased as soon as it is no longer required for the purpose for which it was collected. If the data was collected for the purpose of displaying the website, it will be erased when the respective session ends. Otherwise, the data will be erased within no more than 14 days of the data subject accessing the website.

 

Cookies

When you use our website, we may under certain circumstances use cookies or similar technologies (“cookies”) to obtain information. Cookies are small text files which your browser places on your terminal device to store specific information. If you access our website again later on using the same terminal device, the information stored in the cookies is then sent back to our website or to another website to which the cookie belongs. The information stored and returned enables the respective website to recognise that you have already retrieved and visited it using the browser on your terminal device. This is effected solely by identifying the cookie on your terminal device. We use cookies to improve our website, to store information about your preferred activities on the website and thus adapt it to your personal interests, and to fulfil statutory requirements.

This website uses the following types of cookies, the scope and mode of operation of which are explained below:

Necessary cookies

Functional cookies

Analytical cookies

Marketing cookies

 

Necessary cookies are cookies without which we cannot enable you to access to our website or without which you will be unable to use our website as intended. They are for example required when configuring and saving your privacy settings, when entering and saving user information, and in connection with security functions. Necessary cookies are used without your consent. However, you can deactivate them at any time by changing your browser settings. The legal basis for the processing of personal data using necessary cookies is Art. 6(1)(c) GDPR and Art. 6(1)(f) GDPR; our overriding legitimate interest lies in the technically faultless operation of our website and the services provided through it.

Functional cookies enable us to store functions requested by you and information you have entered, which we can then use to offer you a better, more personalised user experience on our website. This relates to certain functions on our website, the choice of language or the choice of region. The legal basis for processing personal data using functional cookies is your consent pursuant to Art. 6(1)(a) GDPR.

We use analytical cookies to understand how visitors use our website, particularly the areas they visit and the amount of time they spend on the website. We also collect information and log error messages for the purpose of improving our website. The legal basis for processing personal data using analytical cookies is your consent pursuant to Art. 6(1)(a) GDPR.

We use marketing cookies for the purpose of showing you personalised advertising and measuring the effectiveness of our advertising campaigns. For this, we use services and cookies provided by third parties. These third parties can use them to generate profiles of your interests and show you relevant advertisements on other websites. When you visit another website, the website recognises your browser cookie and will show you advertisements based on the information stored in the cookie. The legal basis for processing personal data using marketing cookies is your consent pursuant to Art. 6(1)(a) GDPR.

You can delete all cookies using the appropriate function on your browser. You can also change your browser settings to prevent websites storing and reading cookies on your browser. You can withdraw your consent to the use of non-essential cookies at any time with future effect. The link to your cookie settings is provided at the beginning of our Privacy Policy; you will find a link to our Privacy Policy in the footer below our shop.

 

OneTrust

We use the consent management platform OneTrust provided by OneTrust Technology Limited, 82 St John St, Farringdon, London EC1M 4JN, UK ("OneTrust"). When doing so, we collect your consent or the withdrawal of your consent (cookie preferences), your communication data (e.g. your IP address and browser information) and your user data (e.g. the date and time of your visit).

We use OneTrust to obtain, manage and log your consent to the storage of specific cookies on your terminal device. The legal basis for processing your data is Art. 6(1)(c) GDPR. 

Besides processing the aforementioned data through OneTrust, we transmit the data collected to third parties (e.g. providers of platform, hosting and support services) for processing in line with the purposes specified above (cookie consent management).

The personal data collected will be erased as soon as it is no longer required for processing purposes. As long as the processing to which the consent refers is still taking place, the collected data will be stored for the purpose of fulfilling the accountability obligation set out in Art. 5(2) GDPR. If the data provided is subject to statutory retention periods under fiscal or commercial law, it will be stored for the obligatory retention period of up to ten years and then erased unless you have consented to it being stored for a longer period or your data has to be processed further for the purpose of establishing, exercising, or defending legal claims (statutory limitation period of three years, section 195 BGB (German Civil Code), accountability within the meaning of Art. 5(2) GDPR).

 

Using our webshop

If you wish to order products from our webshop, a contract of sale can only be concluded if you provide the personal data we require to execute your order. The mandatory data needed to execute your order is specially marked; all other information is optional. The legal basis for processing this personal data is Art. 6(1)(b) GDPR.

You have the option of creating a customer account in which we can store your data for any other orders you may place later on. By creating an account under “My Account” or “Register”, the data you provide is stored on a revocable basis. You can delete your customer account at any time by sending a message to the contact specified above. The legal basis for processing this personal data is Art. 6(1)(a) GDPR.

After the contract has been fulfilled, your address, payment, and order data will be stored for the obligatory ten-year retention period specified in fiscal and commercial law. It will then be erased unless you have consented to it being stored for a longer period or your data has to be processed further for the purpose of establishing, exercising, or defending legal claims. The legal basis for processing personal data in order to fulfil statutory storage and retention obligations is Art. 6(1)(c) GDPR.

We process the data you provide for the purpose of executing your order. In order to fulfil the contract, we transmit your data to the forwarder contracted to deliver your order insofar as this is necessary for the purpose of delivering goods you have ordered. Depending on which payment service provider you select during the order process, we transmit the payment data collected for the purpose of processing your payment to the credit institution commissioned to do so and, if applicable, to the payment service providers commissioned by us or the payment service selected. These payment service providers may also collect this data themselves if you create an account with them. In these cases, you must use your access data to log in to the payment service provider’s website during the order process. The privacy policy of the respective payment service provider applies in such cases. We will transmit personal data such as contact data and order data to Klarna so that we can offer you the payment options available through Klarna. This will enable Klarna to determine whether you can use these payment options and adjust them in line with your requirements. General information about Klarna is available here. Klarna will handle your personal information in compliance with the applicable data privacy regulations and the information provided in Klarna’s privacy policy

Orders are processed using ERP solutions from “Afterbuy” (VIA Online GmbH, Krefeld) and “pixi” (Descartes Systems GmbH, Munich). The privacy policy of the respective ERP service provider applies. We have the right to forward this personal data pursuant to Art. 6(1)(b) GDPR. Provided you consent to the transmission of your personal data during the checkout process, your e-mail and address will be forwarded to DHL Paket GmbH so that you can receive information about the delivery status of your order. The legal basis and prerequisite for this is your consent pursuant to Art. 6(1)(a) GDPR. Our service providers may only process or use your data for the purpose it was transmitted to them. You can access this data at any time. We have implemented technical and organisational measures to ensure that data privacy regulations are complied with in cases where data is transmitted to external service providers.

You are under no obligation to provide the personal data specified above. However, this data is required for the conclusion of a contract. Unless you provide this data, it may not be possible to communicate with you or to conclude and execute a contract.

 

Google Analytics

We use the web analysis service Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Analytics uses cookies that are stored on your terminal device and facilitate analysis of your website use. The information about your website use generated by the cookie is usually sent to a Google server in the USA and stored there. Before this takes place, Google uses the add-on “_anonymizeIP()” to shorten your IP address within European Union member states or other states that are party to the agreement on the European Economic Area. Only in exceptional cases is a full IP address sent to a Google server in the USA and shortened there. Google uses this information on our behalf to evaluate your website use, generate reports on website activity, and render other services associated with website and internet use for the website operator.

We use Google Analytics to analyse use of our website and to make regular improvements. The statistics obtained enable us to improve our website and make it more interesting for you as the user. The legal basis for the use of Google Analytics is your consent pursuant to Art. 6(1)(a) GDPR; Art. 49(1)(a) GDPR also applies if your data is transferred to the USA. 

Besides processing the aforesaid data through Google, we transmit the data collected to third parties (e.g. providers of platform, hosting, support and analytical services) for processing in line with the purposes specified above (implementation of and assistance with web analysis).

In the exceptional cases where Google transfers personal data to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. These clauses are available here: privacy.google.com/businesses/processorterms/mccs. The USA does not guarantee a standard of data privacy equivalent to that enforced in the EU. There is a risk of security authorities accessing your data without legal recourse.

You can prevent cookies from being stored by adjusting your browser settings accordingly. You can also prevent Google from collecting and processing the data generated by the cookie regarding your website use (incl. your IP address) by downloading and installing the browser plug-in available via the following link: tools.google.com/dlpage/gaoptout?hl=en.

The personal data collected will be erased as soon as it is no longer required for processing purposes; this is usually the case once 14 months have expired since the data was collected.

 

Google Ads Conversion and Remarketing

We use the advertising system Google Ads, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”), to draw attention to our offering by placing advertisements (known as Google Ads) on Google and other external websites. Google is responsible for the delivery of Google Ads and the associated data processing. You will find more information about Google Ads at ads.google.com/intl/en_uk/home.

We employ conversion tracking when using Google Ads. If you click on a Google Ad, Google stores cookies on your terminal device which usually expire after 30 days; these cookies are used to collect data relating to visits to our website, including the URL, referrer URL, IP address, device/browser properties and timestamp. The cookies make it possible to identify which of our services you viewed and subsequently used. Google provides us with statistical evaluations that show which parameters of our active Google Ads are working and where optimisation is required.

We also use Google Ads Remarketing. In doing so, our Google Ads are delivered to websites operated by third parties whenever these users or user groups visit a Google website or a website in the Google advertising network. We use Google Ads Remarketing to analyse your user behaviour on our website, e.g. to identify which of our services you were interested in. This enables targeted advertising to be shown to you on other websites even after you have left our website. To do this, Google stores cookies on your terminal device that usually expire after 30 days. The cookies make it possible to identify and analyse which of our services you are interested in.

We use conversion tracking to determine the effectiveness with which clicks on Google Ads lead to certain activities on our website, such as purchases, registrations, or the completion of forms. We use Remarketing to address users or users groups who have already interacted with our website. The legal basis for the use of Google Ads Conversion and Remarketing is your consent pursuant to Art. 6(1)(a) GDPR; Art. 49(1)(a) GDPR also applies if your data is transferred to the USA.

Besides processing the aforesaid data through Google, we transmit the data collected to third parties (e.g. providers of platform, hosting, support and analytical services) for processing in line with the purposes specified above (implementation of and assistance with targeted advertising and analyses of the impact and efficiency of this advertising).

In cases where Google transfers personal data to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. These clauses are available here: privacy.google.com/businesses/processorterms/mccs. The USA does not guarantee a standard of data privacy equivalent to that enforced in the EU. There is a risk of security authorities accessing your data without legal recourse.

You can prevent the use of the tracking methods described above (i) by adjusting your browser settings accordingly, (ii) by deactivating personalised advertising by installing the plug-in provided by Google at the following link: google.com/settings/ads/plugin, (iii) by deactivating the display of interest-related advertisements by providers through the link aboutads.info/choices, or (iv) by changing your cookie settings on our website.

The personal data collected will be erased as soon as it is no longer required for processing purposes; this is usually the case once 6 months have expired since the data was collected.

 

Awin

We use the affiliate network service Awin, provided by Awin AG, Eichhornstr. 3, 10785 Berlin, Germany (“Awin”), to draw attention to our offering by advertising in the Awin network.

We employ conversion tracking when using Awin. If you click on one of our advertisements in the Awin network, Awin stores cookies on your terminal device which recognise that you have clicked on the ad and been forwarded to our website. Awin saves an individual string of characters for each transaction; this does not disclose the name of the specific user but provides information about our campaign, the advertising partner, the user’s actions and the device used. It also includes information which confirms that a transaction has taken place besides facilitating invoicing, reporting and the correct allocation of commission. This information includes the order value, the type of product and the distribution channel. Awin’s processing of user data does not require direct identification of the user, which means that Awin generally only processes “pseudonymous” data. Awin sends us information about the total number of users who clicked on one of our ads and were forwarded to a page with conversion tracking.

We use conversion tracking with Awin to determine the effectiveness with which clicks on ads in Awin lead to certain activities on our website, such as purchases, registrations, or the completion of forms. The legal basis for the use of Awin conversion tracking is your consent pursuant to Art. 6(1)(a) GDPR.

We and Awin are jointly responsible for part of the aforesaid data processing as set out in Art. 26 GDPR. We have concluded a joint processing agreement with Awin, the main content of which is provided by Awin at awin.com/de/rechtliches/dpa (in German). Both contractual parties are equally responsible for enforcing the rights of data subjects pursuant to Art. 12ff. GDPR and are therefore equally available for answering corresponding enquiries.

Besides processing the aforesaid data through Awin, we transmit the data collected to third parties (e.g. providers of platform, hosting, support and analytical services) for processing in line with the purposes specified above (implementation and assistance with tracking the success of an advertising medium and the respective invoicing).

You can prevent the use of the tracking methods described above (i) by adjusting your browser settings accordingly or (ii) by adjusting your cookie settings on our website.

The personal data collected will be erased as soon as it is no longer required for processing purposes.

 

News service via Telegram

Our website offers you the option of requesting news and information about offers in our webshop through the messaging service “Telegram”. We have assigned the technical execution of this service to the company MessengerPeople GmbH, Schwanthaler Straße 32, 80336 Munich.

The messages are sent from an account created in our name. By sending a start message, you give your consent pursuant to Art. 6(1)(a) GDPR to the sender using your personal data (e.g. your surname and first name, telephone number, messenger ID, profile image, messages) for purposes of direct communication and to the data processing necessary when using the messaging service selected. In order to use this service, you will require an existing messaging account with the respective provider. The providers responsible for these messaging services are:

• Telegram: Telegram Messenger LLP, 71- 75 Shelton Street, Covent Garden, London, United Kingdom, privacy policy accessible at telegram.org/privacy

The respective provider will receive personal data (particularly communication metadata) that will also be processed in countries outside the EU (e.g. the USA) in which no appropriate standard of data protection can be guaranteed. More information can be found in the privacy policies of the messaging services mentioned above. The sender has no precise knowledge of or influence over the respective provider’s data processing measures. You can unsubscribe from messages sent by MessengerPeople through Messenger at any time by sending the message “STOP” to the account through which you previously subscribed to the message service. Moreover, you can instruct MessengerPeople to erase the above-mentioned data by sending the message “DELETE ALL DATA” to the corresponding account.

Information on the use and operation of the news service provided by MessengerPeople is also provided when you request the desired news. Detailed information on MessengerPeople's use of personal data is also given in MessengerPeople’s privacy statement, which can be accessed at messengerpeople.com/privacy.

 

Use of data for postal advertising and your right to object

Furthermore, we reserve the right to store your first name, surname, postal address and – insofar as we require this additional information for purposes of our contractual relationship with you – your title, academic degree, year of birth, and profession, industry or business in summarised lists and to use it for our own advertising purposes, e.g. to send you interesting offers and product information by post. You can object to the storage and use of your data for these purposes at any time by sending a message to the contact whose information is provided below.

 

CrossEngage

We use the cross-channel marketing platform Cross Engage, a service provided by CrossEngage GmbH, Bertha-Benz-Str. 5, 10557 Berlin, Germany (“CrossEngage”), to display personalised content and send you advertising messages based on your previous and current use of our services. This service consolidates data from all relevant data sources and makes it available for the development and execution of effective campaigns.

We use CrossEngage to facilitate personalised cross-channel customer engagement. When you use our website, a cookie is placed so that the content can be configured and delivered accordingly. The legal basis for the use of CrossEngage conversion tracking is your consent pursuant to Art. 6(1)(a) GDPR. The data collected through the cookie is transmitted to CrossEngage in pseudonymised format for analysis. 

Besides processing the aforesaid data through CrossEngage, we transmit the data collected to third parties (e.g. providers of platform, hosting, support and analytical services) for processing in line with the purposes specified above (facilitation of and assistance with personalised cross-channel customer engagement).

You can prevent the use of the tracking methods described above (i) by adjusting your browser settings accordingly or (ii) by adjusting your cookie settings on our website.

In the case of customers who have placed an order, the following personal data is transmitted to CrossEngage:

Personal master data

Contract master data

Customer history

Contract billing data

The legal basis for processing this personal data is Art. 6(1)(f) GDPR.

The personal data collected will be erased as soon as it is no longer required for processing purposes. The cookie placed is valid for 12 months. 

 

OneSignal

We use the browser message service provided by OneSignal, Inc. 2850 S Delaware St #201, San Mateo, CA 94403, USA. OneSignal collects anonymised IP addresses and generates random IDs for the delivery of messages so that this ID cannot be associated with an individual user.

We use OneSignal to send our visitors push notifications via the native push API of various browsers. The legal basis for the use of OneSignal is your consent pursuant to Art. 6(1)(a) GDPR; Art. 49(1)(a) GDPR also applies if your data is transferred to the United States.

Besides processing the aforesaid data through OneSignal, we transmit the data collected to third parties (e.g. providers of platform, hosting, support and analytical services) for processing in line with the purposes specified above (provision of and assistance with technical availability).

The transmission of personal data to OneSignal is subject to the standard data protection clauses mentioned in Art. 46 GDPR. The USA does not guarantee a standard of data privacy equivalent to that enforced in the EU. There is a risk of security authorities accessing your data without legal recourse.

The personal data collected will be erased as soon as it is no longer required for processing purposes.

 

Doofinder

Our website uses the “Doofinder” search technology, provided by Doofinder S.L. Madrid 28037, Rufino González 23 bis, 1º 1, Spain (“DF”), to make visits to our website more attractive and to improve the quality of search results and the speed at which they are returned. Your browser can only use the DF search function by connecting with the DF servers. This informs DF that our website was accessed from your IP address. Along with your IP address, the data collected encompasses the browser agent you are using, the search terms you entered, and the products you clicked on in the search results.

We use DF to improve search behaviour on our website. The legal basis for the use of DF is our legitimate interest in the optimised display of our website pursuant to Art. 6(1)(f); this constitutes an overriding interest when weighed against other interests.

The personal data collected will be erased as soon as it is no longer required for processing purposes; this is usually the case once 12 months have expired since the data was collected.

 

YouTube videos

We have embedded YouTube videos into our online presence. These videos are stored on the website youtube.com operated by the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“YouTube”) and can be played directly from our website. They are all embedded in “privacy-enhanced mode”, which means that the website will not transmit any data about you, as the user, to YouTube if you do not play the videos. The data specified in the next paragraph is not transmitted until you play the videos. 

When you play the videos, your communication data (e.g. your IP address, browser information, device information) is transmitted to YouTube. This transmission takes place regardless of whether or not you are logged into a YouTube account. If you are logged into YouTube, your data will be directly assigned to your account. If you do not want your data to be assigned to your YouTube profile, you will need to log out before clicking on the button. YouTube stores your data as a user profile and uses this data for advertising, market research and/or for configuring its website in a way that meets the user’s needs. This data (including data relating to users who are not logged in) is analysed mainly for the purpose of delivering advertising that meets the user’s needs and informing other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles. If you wish to exercise this right, you will need to contact YouTube.

We use YouTube to show you videos on our website without you first having to access the YouTube platform. The legal basis for the playback of YouTube videos on our website is your consent pursuant to Art. 6(1)(a) GDPR; Art. 49(1)(a) GDPR also applies if your data is transferred to the USA.

In cases where Google transfers personal data to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. YouTube’s contract data processing terms, including references to the aforesaid standard data protection clauses, are available at youtube.com/t/terms_dataprocessing. The USA does not guarantee a standard of data privacy equivalent to that enforced in the EU. There is a risk of security authorities accessing your data without legal recourse.

Further information on the purpose and scope of the collection and processing of data by YouTube is provided in the privacy policy. It also includes further information on your rights and how you can change your settings to protect your privacy:

policies.google.com/privacy?hl=en&gl=de

 

Integration of the Trusted Shops Trustbadge

The Trusted Shops Trustbadge is integrated into this website in order to display our Trusted Shops seal of quality together with any reviews given and to offer Trusted Shops products to purchasers after they have placed an order.

The purpose of this is to optimise our marketing by facilitating secure purchasing; this is a legitimate interest that outweighs and overrides other interests pursuant to Art. 6(1)(f) GDPR. The Trustbadge and the services it promotes are provided by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. The Trustbadge is made available by a CDN (Content Delivery Network) provider within the framework of a contract processing agreement. Trusted Shops GmbH also uses service providers from the USA. An adequate standard of data protection is guaranteed. You will find further information about data privacy at Trusted Shops GmbH in our Privacy Policy.

When you click on the Trustbadge, the web server automatically saves a so-called server log file which logs the click and also contains your IP address, the date and time of access, the quantity of data transferred and the provider sending the query (access data). Individual access data is stored in a security database for the purpose of analysing security anomalies. The log files are automatically deleted 90 days after they were generated.

Other personal data is transmitted to Trusted Shops GmbH if you decide to use Trusted Shops products after placing an order or have already registered to use Trusted Shops. The contract concluded between you and Trusted Shops applies. Personal data is automatically collected from your order data for this purpose. Trusted Shops GmbH automatically checks whether you as the purchaser are already registered to use a product by using a neutral parameter, i.e. your e-mail address hashed using a cryptographic one-way function. The e-mail address is converted into this hash value before transmission and cannot be decrypted by Trusted Shops. The parameter is deleted automatically following a check to determine whether or not there is a match.

This is necessary for the protection of our and Trusted Shops’ overriding legitimate interest in providing buyer protection for each specific order and transaction-based rating services pursuant to Art. 6(1)(f) GDPR. Further details, also on lodging objections, are provided above and in the Trusted Shops privacy policy linked through the Trustbadge.

 

Address review

We use the services provided by Deutsche Post Direkt GmbH, Junkersring 57, 53844 Troisdorf, Germany, to review/correct addresses entered during the order process. For this, we send your data (name, address) to Deutsche Post Direkt GmbH to verify your address (determine deliverability). The legal basis for this transmission and data processing is Art. 6(1)(f) GDPR. Our legitimate interest is to ensure the deliverability of shipments, to avoid unnecessary editing of the delivery address, and to prevent shipments from being returned due to incorrect address information. The service provider will delete the transferred data no later than 90 days after the completion of the work requested.

Further information about data protection at Deutsche Post Direkt GmbH and your right to object is provided here: deutschepost.de/de/d/deutsche-post-direkt/deutsche-post-direkt-datenschutz.html.

 

DealClub membership

Participation in the incentive programme is subject to the specified terms and conditions of participation. In order to conclude a membership agreement with you and fulfil the terms and conditions of participation, the date on which your membership of the incentive programme expires will be added to the personal data we already have (your name, address, e-mail address and payment data) and processed accordingly. The legal basis for the processing is Art. 6(1)(b) GDPR.

After the contract has been fulfilled, your customer data will be stored for the obligatory ten-year retention period specified in fiscal and commercial law. It will then be erased unless you have consented to it being stored for a longer period or your data has to be processed further for the purpose of establishing, exercising, or defending legal claims. The legal basis for processing personal data in order to fulfil statutory storage and retention obligations is Art. 6(1)(c) GDPR.

You are under no obligation to provide the personal data specified above. However, this data is required to participate in the incentive programme. Unless you provide this data, it may not be possible to communicate with you or to conclude and execute a contract.

 

IV. Other information about data processing on and off our website

Contact and communication

As a customer, business partner, prospect or supplier, we only collect your personal data if you send it to us by e-mail, post, telephone or through a contact form on our website. In this case, we collect the information disclosed during the course of the correspondence and/or cooperation. This specifically includes the names and contact data transmitted along with the date and reason for the contact. 

The personal data we collect from you is used to provide the products and services you require and to correspond with you (legal basis Art. 6(1)(b) GDPR), to comply with legal obligations (legal basis Art. 6(1)(c) GDPR), or for the purposes of the legitimate interests pursued by ourselves or by third parties (legal basis Art. 6(1)(f) GDPR) as described in this Privacy Policy.

You are under no obligation to provide the personal data specified above. The data provided may be required for the conclusion of a contract. Unless you provide this data, it may not be possible to communicate with you or to conclude and execute a contract.

Based on the statutory regulations or a contractual agreement, the data that is relevant in each individual case is transferred to public bodies where overriding legal requirements exist, to external service providers or other contractors, and to other external bodies where you have given your consent or where the transfer of your data is permitted on grounds of overriding legitimate interest.

This data will be erased as soon as it is no longer required for the purpose for which it was collected. If the data provided is subject to statutory retention periods under fiscal or commercial law, it will be stored for the obligatory ten-year retention period and then erased unless you have consented to it being stored for a longer period or your data has to be processed further for the purpose of establishing, exercising, or defending legal claims (statutory limitation period of three or up to thirty years).

 

Newsletter

You have the option of subscribing to a newsletter in which we inform you of any interesting offers we currently have available. The merchandise and services advertised are specified in the declaration of consent.

We use the so-called double opt-in procedure for newsletter subscriptions. This means that after you register, we send an e-mail to the e-mail address specified asking you to confirm that you wish to receive the newsletter. We also store your IP address and the times at which you register for the newsletter and confirm your registration. The purpose of this procedure is to have proof of your registration and, if necessary, to be able to clarify any improper use of your personal data. The legal basis is Art. 6(1)(a) and (c), Art. 7(1), Art. 5 (2) GDPR.

The only mandatory information required for your subscription to our newsletter is your e-mail address. The provision of other (specially marked) data is optional; this data is used so that we can address you personally. After you confirm your subscription, we will store your e-mail address for the purpose of sending you the newsletter. The legal basis is Art. 6(1)(a) GDPR. This data will be erased as soon as it is no longer required for the purpose for which it was collected. Your e-mail address will accordingly be stored for as long as your subscription remains active. We are entitled to store inactive e-mail addresses up to three years in order to prove a once given consent or to deny potential claims. The legal basis is Art. 6(1)(c), Art. 5(2) GDPR.

You have the right to withdraw your consent to receiving the newsletter and to the evaluation of your personal user behaviour (performance evaluation) at any time by unsubscribing from it. You can withdraw your consent by clicking the link provided in every newsletter e-mail or by sending us a message using the contact information provided on the statutory information page.

Regardless of whether you have given us your separate consent to send you our newsletter, we reserve the right to send advertising for similar goods and services in our product range to the e-mail address that you gave us in connection with the purchase of an item or service insofar as you have not objected to the use of this address for advertising purposes. The legal basis for the delivery of advertising by e-mail is our legitimate interest in direct advertising pursuant to Art. 6(1)(f) GDPR in conjunction with section 7 par. 3 UWG (Act Against Unfair Competition). You can object to the use of your e-mail address for advertising purposes at any time without incurring any costs other than transmission costs charged at the basic rates. You can lodge your objection by clicking the link provided in every e-mail or by sending us a message using the contact information provided on the statutory information page.

The newsletter software used is Mailjet. When you subscribe, your data is sent to Mailjet GmbH. Mailjet is forbidden to sell your data or use it for any other purpose than the delivery of newsletters. Mailjet is a certified German provider that was selected according to the requirements specified in the GDPR. The legal basis is Art. 6(1)(a)and (f) GDPR. You will find further information here: mailjet.com/security-privacy/. You can withdraw your consent to the storage of your data including your e-mail address and to the use of your e-mail address for delivery of the newsletter at any time, for example by clicking on the “Unsubscribe” link in the newsletter.

Our newsletters contain so-called Web Beacons, pixel sized files which are accessed by the Mailjet server when the newsletter is opened. Within this context technical data such as your browser and system data as well as your IP address and the time of your opening – data necessary to technically improve services on the basis of technical data or target groups and their reading behaviour – are collected. Furthermore, your user behaviour is evaluated to the effect that if the newsletters were opened, when they were opened and which links were clicked onto. We use these evaluation to learn more about the reading behaviour of our users and to adapt our content or to be able to offer different contents corresponding to the individual interests of our users. This performance evaluation is covered by your consent according to Art. 6 (1)(a) GDPR concerning the sending of newsletters. That is the reason why you can withdraw your consent to the performance evaluation only in combination with your consent to the sending of newsletters.

 

Privacy information for applicants

As an applicant, we only collect your personal data if you send it to us by e-mail, post, or telephone. This applies both to speculative applications and applications sent in response to job advertisements. In this situation, we collect the personal data you supply during the course of the application procedure. This specifically includes your name, date of birth, contact information, interests, qualifications, education, and professional career. The personal data we collect from you will only be used to conduct the application procedure. The legal bases are Art. 6(1)(a) (b) and (f) GDPR, section 26 BDSG. 

You are under no obligation to provide the personal data specified above. However, the data provided may be required to conclude a contract with you after the application procedure is complete. Unless you provide this data, it may not be possible to communicate with you, continue the application procedure, or conclude a contract.

The data relevant in each case is transmitted on the basis of the applicable legislation or a contractual agreement. Your data is transferred to staff in the human resources departments, members of the management, and the respective department head. Your personal data will not be sent to any third party. We have no intention of sending your data to any recipient in any third country (i.e. a country that is not a member of the EU / EEA) or to any international organisation.

This data will be erased as soon as it is no longer required for the purpose for which it was collected. In the event of a rejection, we will retain your data for a period of six months after completing the application procedure and notifying you that your application has been rejected. If you have consented to your data being stored for a longer period, the regular retention period is two years. Afterwards, we will either erase your data or request your further consent. You may withdraw your consent to the processing of your personal data at any time.

 

V Objection or withdrawal of consent to the processing of your data

If you have consented to the processing of your data, you can withdraw this consent at any time. Once you have sent it to us, this withdrawal will influence the permissibility of the processing of your personal data.

If the processing of your personal data is based on the weighing of interests, you are entitled to object to this processing. This is particularly the case if the processing is not necessary for the fulfilment of a contract with you, as specified in the following description of the respective functions. If you exercise your right to object, we will ask you to specify the reasons why we should not continue processing your personal information as before. If your objection is justified, we will investigate the situation and either stop or adjust the data processing or inform you of the compelling, legitimate grounds on which we are obliged to continue.

You can of course object to the processing of your personal data for advertising and data analysis purposes at any time. You can send us your objection to advertising using the contact information provided in section I.

 

VI. Social media

We also process your personal data when you visit our social media accounts. We mainly maintain these social media accounts to communicate with customers, prospects and users, to increase our brand awareness and to promote our products and services. The respective provider stores your personal data in the form of usage profiles and uses them for purposes of advertising, market research and/or the needs-based design of its network. The main purpose of this profiling is to display needs-based advertising (also for users who are not logged in). Please refer to the explanations of the individual social media accounts provided below for information regarding the purposes of the data processing and the categories of data collected. 

The legal basis for the use of these social media accounts is Art. 6(1)(f) GDPR, since we have a legitimate interest in communicating with and providing information for customers and prospects through these accounts. If your enquiry relates to the formation of a contractual relationship, the legal basis for the processing is Art. 6(1)(b) GDPR.

Besides processing the aforesaid data through the respective provider, we transmit the data collected to third parties (e.g. providers of platform, hosting, support and analytical services) for processing in line with the purposes specified above (facilitation of and assistance with communication, information and advertising).

The personal data collected will be erased as soon as it is no longer required for processing purposes.

 

Facebook

We maintain a social media account on Facebook ("fan page"). This is an online service provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”). When you visit our fan page, Facebook processes your personal data in accordance with Facebook’s data policy. Further information is available at facebook.com/policy.php

We use the service Facebook Page Insights to process your personal data depending on your interaction with our fan page; this data encompasses your Facebook user name, any comments you have published on our fan page, and your activities on our fan page. Page Insights are aggregate statistics generated on the basis of specific events that are logged by Facebook servers when people interact with pages and their associated content, e.g. visits to our fan page, the scope of interactions, visits, the average duration of video playbacks, information about the towns and countries visitors come from, statistics about our visitors’ general connections (“events”) and other information required to answer any queries you may send. Further information about such events is provided at facebook.com/legal/terms/page_controller_addendum. Facebook places Page Insights at our disposal so that we can find out how visitors interact with our fan page and the content associated with it. We only have access to the aggregate page insights processed in the context of events and not to the personal data.

We are jointly responsible with Facebook within the meaning of Art. 26 GDPR for some of the processing of the personal data in the context of events for Page Insights (“Insights data”) performed in connection with our fan page. Our joint responsibility encompasses the generation of events and their aggregation in Page Insights, which are then made available to us. We have concluded an agreement with Facebook for this purpose (“Page Insights Addendum”, facebook.com/legal/terms/page_controller_addendum), which sets out the respective responsibilities for fulfilling the obligations under the GDPR with regard to joint processing. Facebook makes the essence of this Page Insights Addendum available to the data subject (Art. 26(2) GDPR). It is currently provided in the information on Page Insights data, which can be accessed here: facebook.com/legal/terms/information_about_page_insights_data. We are responsible for providing information on the joint processing of personal data. Facebook is responsible for enabling data subjects to exercise their rights pursuant to Art. 15-20 GDPR with regard to the personal data stored by Facebook following the joint processing. The contact data for Facebook’s data controller and data protection officer is available here: facebook.com/about/privacy.

In cases where Facebook transfers personal data to Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. The Facebook EU Data Transfer Addendum with reference to the aforesaid standard data protection clauses is available here: facebook.com/legal/EU_data_transfer_addendum.

 

Instagram

We maintain a social media account on Instagram, an online service provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Instagram”). When you visit our Instagram page, Instagram processes your personal data in accordance with Instagram’s data policy. Further information is available at instagram.com/legal/privacy

We use the service Instagram “Insights” to process your personal data depending on your interaction with our Instagram page; this data encompasses your Instagram user name, any comments you have published on our Instagram page, and your activities on our Instagram page. Insights are aggregate statistics generated on the basis of specific events that are logged by Instagram servers when people interact with pages and their associated content, e.g. visits to our Instagram page, the scope of interactions, visits, the average duration of video playbacks, information about the towns and countries visitors come from, statistics about our visitors’ general connections and other information required to answer any queries you may send. Instagram places Insights at our disposal so that we can find out how visitors interact with our Instagram page and the content associated with it. We only have access to the aggregate insights and not to the personal data.

In cases where Instagram transfers personal data to Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. The Facebook EU Data Transfer Addendum with reference to the aforesaid standard data protection clauses is available here: facebook.com/legal/EU_data_transfer_addendum.

 

WhatsApp

Our website offers you the option of requesting news and information about offers in our webshop through the messaging service “WhatsApp”. We have assigned the technical implementation of this service to the company WhatsBroadcast GmbH, Schwanthaler Straße 32, 80336 Munich.

The messages are sent from a WhatsApp account created in our name. By sending a start message, you consent pursuant to Art. 6 no. 1 lit. a) GDPR to the sender using your personal data (e.g. surname and first name, telephone number, messenger ID, profile image, messages) for purposes of direct communication and to the data processing necessary when using the messaging service selected. In order to use this service, you will require an existing messaging account with the respective provider. The providers responsible for these messaging services are:

Whatsapp: WhatsApp, Inc., 1601 Willow Road, Menlo Park, California 94025, USA, privacy policy retrievable from whatsapp.com/legal/#privacy-policy

Facebook Messenger: Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, privacy policy retrievable from www.facebook.com/about/privacy

Telegram: Telegram Messenger LLP, 71-75 Shelton Street, Covent Garden, London, United Kingdom, privacy policy retrievable from telegram.org/privacy

Insta News: Pylba Inc., 314 27th Avenue, San Mateo, CA, 94403, USA, privacy policy retrievable from apps.pylba.com/privacy

The respective provider will receive personal data (particularly communication meta-data) that will also be processed in countries outside the EU (e.g. the USA) in which no appropriate standard of data protection can be guaranteed. However, Whatsapp Inc and Facebook Inc are certified in accordance with the Privacy Shield framework and thus guarantee to comply with European data protection legislation. More information can be found in the privacy policies of the messaging services mentioned above. The sender has no precise knowledge of or influence over the respective provider’s data processing measures. You can unsubscribe from messages sent by WhatsBroadcast through WhatsApp at any time by sending the message “STOP” to the WhatsApp account through which you previously subscribed to the message service. Moreover, you can request the erasure of the above-mentioned data by WhatsBroadcast by sending the message “DELETE ALL DATA” to the corresponding WhatsApp account.

Information on the use and control of the news service implemented by WhatsBroadcast is also provided when you request the desired news service. Detailed information on WhatsBroadcast's use of personal data is also given in WhatsBroadcast's data policy, which can be accessed at whatsbroadcast.com/privacy.

 

Twitter

We maintain a social media account on Twitter, an online service provided by the Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“Twitter”). When you visit our Twitter page, Twitter processes your personal data in accordance with Twitter’s privacy policy. Further information is available at twitter.com/privacy.

We use the service Twitter “Analytics” to process your personal data depending on your interaction with us on Twitter; this data encompasses your Twitter user name, any comments you published in response to our Tweets, and your activities in connection with our Tweets. “Analytics” are aggregate statistics generated on the basis of specific interactions that are logged by Twitter servers when people interact with Tweets and their associated content, e.g. visits to Twitter, the scope of interactions, information about the towns and countries visitors come from, statistics about our visitors’ general connections and other information required to answer any queries you may send. Twitter places Analytics at our disposal so that we can find out how visitors interact with our Tweets page and the content linked with them. We only have access to the aggregate statistics and not to the personal data.

In cases where Twitter transfers personal information to Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. You can request a copy of these standard data protection clauses from Twitter at twitter.com/privacy.

 

YouTube

We maintain a social media account on YouTube, an online service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("YouTube"). When you visit our YouTube channel, YouTube processes your personal data in accordance with YouTube’s data policy. Further information is available at policies.google.com/privacy.

We use the service YouTube Analytics to process your personal data depending on your interaction with us on our YouTube channel; this data encompasses your YouTube user name, any comments you publish on our YouTube channel, and your activities on our YouTube channel. We receive aggregate statistics generated on the basis of specific interactions when people interact with our YouTube channel and its associated content, e.g. visits to our YouTube channel, the scope of interactions, visits, the average duration of video playbacks, information about the towns and countries visitors come from, statistics about our visitors’ general connections, and other information required to answer any queries you may send. YouTube places these statistics our disposal so that we can find out how visitors interact with our YouTube channel and the content associated with it. We only have access to the aggregate statistics and not to the personal data.

In cases where Google transfers personal data to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. YouTube’s contract data processing terms, including references to the aforesaid standard data protection clauses, are available at youtube.com/t/terms_dataprocessing.

 

TikTok

We maintain a social media account on TikTok, an online service provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”). When you visit our TikTok page, TikTok processes your personal data in accordance with TikTok data policy. Further information is available at tiktok.com/legal/privacy-policy

We use the service TikTok “Analytics” to process your personal data depending on your interaction with our TikTok page; this data encompasses your TikTok user name, any comments you have published on our TikTok page, and your activities on our TikTok page. “Analytics” are aggregate statistics generated on the basis of specific interactions that are logged by TikTok servers when people interact with pages and their associated content, e.g. visits to our TikTok page, the scope of interactions, visits, the average duration of video playbacks, information about the towns and countries visitors come from, statistics about our visitors’ general connections and other information required to answer any queries you may send. TikTok places Analytics at our disposal so that we can find out how visitors interact with our TikTok page and the content associated with it. We only have access to the aggregate statistics and not to the personal data.

In cases where TikTok transfers personal data to TikTok Inc.,10010 Venice Blvd., Suite 301, Culver City, CA 90232, USA, these transfers are subject to the standard data protection clauses mentioned in Art. 46 GDPR. You can request a copy of these standard data protection clauses using the form provided at tiktok.com/legal/report/privacy.

 

VII. Your rights

Pursuant to Art. 15 GDPR, you have the right to request information from us about the personal data we are processing. In particular, you may request information about the purposes for which your data is processed, the categories of personal data processed, the categories of recipients to whom your data has been or will be disclosed, the planned retention period, the existence of a right to rectification, erasure, restriction of processing, the existence of a right to object, the existence of a right of appeal, the source of your data if it was not collected by us, the existence of automated decision-making processes including profiling and, if applicable, meaningful detailed information about what these involve.

Pursuant to Art. 16 GDPR, you have the right to request that inaccurate personal data held by us about you be rectified or incomplete data be completed without undue delay. Pursuant to Art. 17 GDPR, you have the right to request that we erase personal data held by us about you unless this data needs to be processed to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest, or to establish, exercise or defend legal claims.

Pursuant to Art. 18 GDPR, you have to right to request that the processing of your personal data be restricted if you contest its accuracy, if the processing of your data is unlawful but you oppose its erasure, if we no longer need your data but you need it to establish, exercise, or defend legal claims, or if you have objected to the processing of your data in accordance with Art. 21 GDPR. 

Pursuant to Art. 20 GDPR, you have to right to request that the personal data you provided be placed at your disposal in a structured, commonly used and machine-readable format or that it be transferred to another controller. 

Pursuant to Art. 7(3) GDPR, you have the right to withdraw your consent to our processing of your personal data at any time. If you do so, we will in future cease the data processing on which your consent was based.

Pursuant to Art. 77 GDPR, you also have the right to lodge a complaint with a supervisory authority regarding our processing of your personal data, particularly in the member state of your habitual residence, place of work or placed of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.