Privacy Policy
This privacy policy informs you about the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).
With regard to the terms used, such as “processing” or “controller,” we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
TYPES OF DATA PROCESSED
- Inventory data (e.g., names, addresses)
- Contact data (e.g., email addresses, telephone numbers)
- Content data (e.g., text entries, photographs, videos)
- Usage data (e.g., visited websites, interest in content, access times)
- Meta/communication data (e.g., device information, IP addresses)
CATEGORIES OF DATA SUBJECTS
Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as “users”).
PURPOSE OF PROCESSING
- Provision of the online offering, its functions, and content
- Responding to contact requests and communication with users
- Security measures
- Reach measurement/marketing
DEFINITIONS USED
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); a natural person is considered identifiable if they can be identified directly or indirectly, particularly by association with an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided such additional information is kept separately and is subject to technical and organisational measures that ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, particularly to analyse or predict aspects concerning job performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
RELEVANT LEGAL BASIS
In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. Where the legal basis is not specified in the privacy policy, the following applies:
- The legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR.
- The legal basis for processing for the performance of our services and contractual measures and responding to inquiries is Art. 6(1)(b) GDPR.
- The legal basis for processing to fulfil our legal obligations is Art. 6(1)(c) GDPR.
- The legal basis for processing to safeguard our legitimate interests is Art. 6(1)(f) GDPR.
- Should processing be necessary to protect the vital interests of the data subject or another natural person, Art. 6(1)(d) GDPR serves as the legal basis.
SECURITY MEASURES
In accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access, as well as access to, input, transfer, securing of availability, and separation of data. We have also put in place procedures to ensure the exercise of data subject rights, deletion of data, and responses to data breaches. Furthermore, we consider the protection of personal data in the development and selection of hardware, software, and procedures in line with the principle of data protection by design and by default (Art. 25 GDPR).
COOPERATION WITH PROCESSORS AND THIRD PARTIES
If we disclose data to other persons and companies (processors or third parties), transmit such data to them, or otherwise grant them access in the course of our processing, this is done only on the basis of legal permission (e.g., if the transfer of data to third parties, such as payment service providers, is required for contract fulfilment under Art. 6(1)(b) GDPR), if you have consented, if a legal obligation requires it, or on the basis of our legitimate interests (e.g., use of agents, web hosting providers, etc.).
If we commission third parties with processing data on the basis of a so-called “processing agreement,” this is done in accordance with Art. 28 GDPR.
DATA TRANSFERS TO THIRD COUNTRIES
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the course of using third-party services or of disclosing or transferring data to third parties, this is done only if it is required to fulfil our (pre-)contractual obligations, based on your consent, due to a legal obligation, or based on our legitimate interests.
Subject to legal or contractual permissions, we process or have data processed in a third country only under the special conditions of Art. 44 et seq. GDPR. That is, processing occurs, for example, on the basis of special guarantees, such as an officially recognised adequacy decision confirming a level of data protection equivalent to the EU (e.g., “Privacy Shield” for the USA), or compliance with officially recognised special contractual obligations (“standard contractual clauses”).
RIGHTS OF DATA SUBJECTS
You have the right:
- to request confirmation as to whether data concerning you are processed and to obtain information about these data, as well as further information and a copy of the data in accordance with Art. 15 GDPR.
- to request the completion or correction of inaccurate data concerning you in accordance with Art. 16 GDPR.
- in accordance with Art. 17 GDPR, to request immediate deletion of data concerning you, or alternatively, in accordance with Art. 18 GDPR, to request restriction of processing.
- in accordance with Art. 20 GDPR, to receive the data concerning you that you have provided to us and to request their transfer to another controller.
- in accordance with Art. 77 GDPR, to lodge a complaint with the supervisory authority.
RIGHT TO WITHDRAW CONSENT
You have the right to withdraw consent granted in accordance with Art. 7(3) GDPR with effect for the future.
RIGHT TO OBJECT
You may object to the future processing of your data at any time in accordance with Art. 21 GDPR. The objection may particularly concern processing for purposes of direct marketing.
COOKIES AND RIGHT TO OBJECT TO DIRECT MARKETING
“Cookies” are small files stored on users’ devices. Various information can be stored within cookies. They primarily serve to store user-related information during or after a visit to an online offering.
We may use temporary and permanent cookies and explain this within this privacy policy.
If users do not want cookies stored on their device, they may disable this option in their browser settings. Stored cookies can be deleted in the browser settings. Disabling cookies may result in functional limitations of the online offering.
A general objection to the use of cookies used for online marketing purposes can be declared via the U.S. site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please note that not all functions of this online offering may then be available.
DELETION OF DATA
Data processed by us will be deleted or restricted in processing in accordance with Art. 17 and 18 GDPR. Unless explicitly stated otherwise in this privacy policy, data stored by us will be deleted as soon as they are no longer required for their intended purpose and no legal retention obligations prevent deletion.
BUSINESS-RELATED PROCESSING
In addition, we process:
- Contract data (e.g., subject matter of the contract, duration, customer category)
- Payment data (e.g., bank details, payment history)
from our customers, prospects, and business partners for the purpose of providing contractual services, customer service, marketing, advertising, and market research.
ORDER PROCESSING IN THE ONLINE SHOP AND CUSTOMER ACCOUNT
We process customer data during order transactions in our online shop to enable users to select, order, pay for, and receive the products or services of their choice.
Processed data include inventory data, communication data, contract data, and payment data. Affected persons include customers, prospects, and business partners.
The processing is carried out for the purpose of providing contractual services within the operation of an online shop, including billing, delivery, and customer service. Session cookies are used to store shopping cart contents, and permanent cookies for login status.
Processing is based on Art. 6(1)(b) GDPR (contract execution) and Art. 6(1)(c) GDPR (statutory archiving requirements). Required fields are necessary for conclusion and fulfilment of the contract. Data are disclosed to third parties only within the scope of delivery, payment, or legal permissions.
EXTERNAL PAYMENT SERVICE PROVIDERS
We use external payment service providers, through whose platforms users and we can process payment transactions.
Examples include:
- PayPal (https://www.paypal.com/de/webapps/mpp/ua/privacy-full)
- Stripe (https://stripe.com/de/privacy)
Data processed by payment service providers include inventory data, bank details, passwords, transaction details, and more. We do not receive bank or credit card information.
ADMINISTRATION, FINANCIAL ACCOUNTING, OFFICE ORGANISATION, CONTACT MANAGEMENT
We process data as part of administrative tasks, accounting, office organisation, and fulfilling legal obligations (e.g., archiving). The data processed are the same as those processed for contractual services.
HOSTING AND EMAIL DELIVERY
Hosting services we use serve to provide infrastructure, platform services, computing capacity, storage, databases, email delivery, security services, and technical maintenance.
We or our hosting providers process inventory data, contact data, content data, contract data, usage data, and meta/communication data of customers, prospects, and users on the basis of our legitimate interests in secure and efficient provision of the online offering.
ONLINE PRESENCES IN SOCIAL MEDIA
We maintain online presences on social networks and platforms to communicate with active users there and inform them about our services. When accessing these networks, their terms and privacy policies apply.