Data protection
Information on Data Protection
With this data protection notice, we inform you about our handling of your personal data and about your rights under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Bestsales Online GmbH (hereinafter referred to as "we" or "us") is responsible for data processing.
Content
- General Information
- Contact
- Legal Basis
- Duration of Storage
- Categories of Data Recipients
- Data Transfer to Third Countries
- Processing when exercising your rights
- Your Rights
- Right to Object
- Data Protection Officer
- Data Processing on our Website
- Processing of Server Log Files
- Hosting by Shopify
- Online Shop
- Payment Service Provider
- Newsletter
- Product Reviews and Satisfaction Surveys
- Cookies
- Consent Management Tool
- Analyzing our Website
- a) Hotjar
- Tracking & Retargeting
- a) Google Analytics
- b) Meta Pixel
- c) TikTok Pixel
- d) Snap Pixel
- e) Google Ads
- External Media and Third-Party Services
- a) Cloudflare
- Use of Contact Data for Customer Matching
- a) Google Customer Match
- b) Facebook Custom Audiences
- Data Processing on our Social Media Pages
- Visiting a Social Media Page
- Communication via Social Media Pages
- Further Data Processing
- Applications
- Contact by Email
- Customer and Prospect Data
- Use of Email Address for Marketing Purposes
- Note for Data Subjects in Switzerland
I. General Information
1. Contact
If you have any questions or suggestions regarding this information or wish to contact us to exercise your rights, please address your inquiry to
Bestsales Online GmbH
Weidegrund 13
21614 Buxtehude
Tel.: +49 4161 752 9250
Email: shop@indicode.com
2. Legal Basis
The data protection term "personal data" refers to all information relating to an identified or identifiable natural person. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. Data processing by us only takes place on the basis of a legal permission. We process personal data only with your consent (Section 25 (1) TDDDG or Art. 6 (1) (a) GDPR), for the performance of a contract to which you are a party or at your request for the performance of pre-contractual measures (Art. 6 (1) (b) GDPR), for compliance with a legal obligation (Art. 6 (1) (c) GDPR) or if the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data (Art. 6 (1) (f) GDPR).
3. Duration of Storage
Unless otherwise stated in the following notices, we only store data for as long as it is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal retention obligations may arise in particular from commercial or tax law provisions. From the end of the calendar year in which the data was collected, we will retain such personal data contained in our accounting records for ten years and personal data contained in commercial letters and contracts for six years. In addition, we will retain data related to consent requiring proof and to complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to the processing for this purpose.
4. Categories of Data Recipients
We use processors as part of the processing of your data. The processing operations carried out by such processors include, for example, hosting, email dispatch, maintenance and support of IT systems, customer and order management, order processing, accounting and billing, marketing measures or destruction of files and data carriers. A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors do not use the data for their own purposes, but carry out data processing exclusively for the controller and are contractually obliged to ensure appropriate technical and organizational measures for data protection. In addition, we may transfer your personal data to entities such as postal and delivery services, house banks, tax advisors/auditors or the financial administration. Further recipients may result from the following notices.
5. Data Transfer to Third Countries
Our data processing may involve the transfer of certain personal data to third countries, i.e., countries where the GDPR is not applicable law. Such a transfer takes place lawfully if the European Commission has determined that an adequate level of data protection is provided in such a third country. If such an adequacy decision of the European Commission does not exist, a transfer of personal data to a third country will only take place if suitable safeguards pursuant to Art. 46 GDPR are in place or if one of the conditions of Art. 49 GDPR is met.
If there is no adequacy decision and nothing else is stated below, we use the EU standard data protection clauses as suitable safeguards for the transfer of personal data to third countries. You have the possibility to obtain or view copies of these EU standard data protection clauses. To do this, please contact the address given under Contact.
If you consent to the transfer of personal data to third countries, the transfer will take place on the legal basis of Art. 49 (1) (a) GDPR.
6. Processing when exercising your rights
If you exercise your rights under Articles 15 to 22 GDPR, we will process the personal data you provide in order to implement these rights and to be able to provide proof thereof. Data stored for the purpose of providing information and its preparation will only be processed for this purpose and for data protection control purposes, and otherwise the processing will be restricted in accordance with Art. 18 GDPR.
These processing operations are based on the legal basis of Art. 6 (1) (c) GDPR in conjunction with Articles 15 to 22 GDPR and Section 34 (2) BDSG.
7. Your Rights
As a data subject, you have the right to assert your data subject rights against us. In particular, you have the following rights:
- You have the right, in accordance with Art. 15 GDPR and Section 34 BDSG, to request information about whether and, if so, to what extent we process personal data concerning you.
- You have the right, in accordance with Art. 16 GDPR, to demand that we rectify your data.
- You have the right, in accordance with Art. 17 GDPR and Section 35 BDSG, to demand that we erase your personal data.
- You have the right, in accordance with Art. 18 GDPR, to demand the restriction of processing of your personal data.
- You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and to transmit those data to another controller.
- If you have given us separate consent to data processing, you can withdraw this consent at any time in accordance with Art. 7 (3) GDPR. Such a withdrawal will not affect the lawfulness of processing carried out prior to the withdrawal based on the consent.
- If you believe that the processing of personal data concerning you violates the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.
8. Right to Object
You have the right, in accordance with Art. 21 (1) GDPR, to object to processing based on the legal basis of Art. 6 (1) (e) or (f) GDPR, on grounds relating to your particular situation. If personal data about you is processed by us for direct marketing purposes, you can object to this processing in accordance with Art. 21 (2) and (3) GDPR.
9. Data Protection Officer
You can reach our data protection officer at the following contact details:
Email: datenschutzbeauftragter@bestsales-online.de
Herting Oberbeck Datenschutz GmbH
Hallerstr. 76, 20146 Hamburg
https://www.datenschutzkanzlei.de
II. Data Processing on our Website
When you use the website, we collect information that you provide yourself. In addition, during your visit to the website, certain information about your use of the website is automatically collected by us. In data protection law, the IP address is generally also considered personal data. An IP address is assigned to every device connected to the internet by the internet provider so that it can send and receive data.
1. Processing of Server Log Files
When our website is used for purely informational purposes, general information that your browser transmits to our server is initially stored automatically (i.e., not via registration). This typically includes: browser type/version, operating system used, page accessed, the previously visited page (referrer URL), IP address, date and time of the server request, and HTTP status code.
The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) (f) GDPR. This processing serves the technical administration and security of the website. The stored data is automatically deleted unless there is a legitimate suspicion of illegal use based on concrete evidence and further examination and processing of the information is necessary for this reason. We are unable to identify you as a data subject based on the stored information. Articles 15 to 22 GDPR therefore do not apply in accordance with Art. 11 (2) GDPR.
2. Hosting by Shopify
We use the Shopify shop system for the purpose of hosting and displaying our website. Shopify is offered by the service provider Shopify International Limited (Ireland, EU). All data collected on our website is processed on our behalf on the servers of Shopify International Limited.
Further information on data protection at Shopify can be found in Shopify's data protection notices at https://www.shopify.de/legal/datenschutz.
3. Online Shop
To the extent that you order a product via our website, we process personal data exclusively for contract execution or to be able to provide you with the ordered product. As part of the booking or ordering process, we only process the data that you yourself have entered in the input mask, as well as payment information, if applicable. In order to be able to deliver the ordered products to you, we transmit the data required for delivery to one of our shipping service providers as specified in the order. The legal basis for the processing is Art. 6 (1) (b) GDPR. All data fields marked as mandatory fields are required to process your order. Failure to provide them will result in us being unable to process your order.
The provision of further data is voluntary. We process such voluntarily provided data on the basis of Art. 6 (1) (f) GDPR.
You have the option to create a customer account in our online shop by registering. If you have registered for a customer account, your stored data will automatically be entered into the order form when you order a product in our shop. In addition, you can use the customer account to check the status of your orders and save products to a wish list. It is not necessary to register for a customer account to place an order in our online shop.
The information required for registration can be seen from the input mask. The provision of information marked as mandatory is absolutely necessary for the registration to be completed. A valid email address is required for registration. To confirm registration, you will first receive a registration email that you must confirm via a link (double opt-in). After registration, you can log in to the customer account by entering your email address and the password you used. The processing of the data provided during registration and use of the customer account is based on the legal basis of Art. 6 (1) (b) GDPR.
4. Payment Service Provider
To pay for ordered products in our online shop, you can choose between different options. For this, we work with Shopify International Limited (Ireland, EU) as our primary payment provider. Shopify International Limited acts as our processor and processes your payment data on our behalf.
The payment data you provide during the order process will be transmitted by us to the payment service providers, insofar as this transmission is necessary for the execution of the payment transaction.
The legal basis for this transmission is Art. 6 (1) (b) GDPR.
Please note that, in addition, the respective payment information is processed by the relevant payment service providers under their own responsibility.
We use the following payment service providers:
- Stripe
If you pay for your order by credit card, payment is processed via the payment service Stripe, offered by Stripe Payments Europe Ltd. (Ireland, EU). Further information on Stripe's data protection can be found here: https://stripe.com/de/privacy#translation
- PayPal / PayPal Express Checkout
You have the option to pay via the PayPal service of PayPal Europe S.a.r.l. et Cie s.c.a. (Luxembourg, EU). In this case, PayPal may transmit your address data stored with PayPal, which we process exclusively for contract execution. Further information on data protection at PayPal can be found at: https://www.paypal.com/webapps/mpp/ua/privacy-full.
- Klarna (Invoice Purchase)
We offer payment by invoice in cooperation with Klarna AB (publ) (Sweden, EU). To do so, Klarna must carry out an identity and credit check. If you choose this payment method, further data (such as your date of birth, gender, and telephone number) will therefore be collected and transmitted to Klarna; details can be found in Klarna's terms and conditions. The legal basis for the transmission to Klarna is Art. 6 para. 1 lit. b GDPR. Furthermore, Klarna processes the data under its own responsibility. Further information on data protection at Klarna can be found at https://www.klarna.com/de/datenschutz/
5. Newsletter
We offer the option to subscribe to our newsletter on our website. After registration, we will regularly inform you about current news regarding our offers. A valid email address is required to subscribe to the newsletter. To verify the email address, you will first receive a registration email, which you must confirm via a link (double opt-in). If you subscribe to the newsletter on our website, we process personal data such as your email address and your name on the basis of your given consent. The processing is based on the legal basis of Art. 6 para. 1 lit. a GDPR. You can revoke the given consent at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above. The legality of the data processing operations already carried out remains unaffected by the revocation.
When you subscribe to the newsletter, we also store the IP address as well as the date and time of registration. The processing of this data is necessary to be able to prove a given consent. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR).
We also analyze the reading behavior and opening rates of our newsletter. For example, we evaluate the data generated when our emails are delivered and retrieved, on the one hand in aggregated and anonymized form (delivery rate, opening rate, click rates, unsubscribe rate, bounce rate, visits, conversions) to measure the use and success of the emails. The legal basis for the analysis of our newsletter is Art. 6 para. 1 lit. f GDPR and the processing serves our legitimate interest in optimizing our newsletter. You can object to this at any time by contacting us via one of the channels mentioned above.
On the other hand, we also evaluate the data generated when you retrieve and use these emails (time of opening, hyperlinks clicked, documents downloaded) as well as movement data on downstream websites personally in connection with your email address, in order to provide you with individualized information in the future that best takes your interests and needs into account. We use the collected anonymous and personal data to provide you with personalized content and individualized information in our promotional emails and on downstream websites. The legal basis for data processing in the context of emails is Art. 6 para. 1 lit. a GDPR. You can revoke the given consent at any time with effect for the future, for example via the "unsubscribe" link in the newsletter or by contacting us via the channels mentioned above.
For the management of subscriptions, the dispatch of the newsletter and the analysis, we use the service Klaviyo, of Klaviyo, Inc. (USA). Your email address will therefore be transmitted by us to the service provider. If you do not want your data to be processed by this service provider, you should not subscribe to the newsletter or unsubscribe from it again.
Please note the information in the section "Data transfer to third countries".
6. Product reviews and satisfaction surveys
You have the opportunity to rate our products and services and to participate in satisfaction surveys. To do this, you will receive a link after completing your order, through which you can share your feedback with us.
For collecting and displaying product reviews, we use the service provider Judge.me from Judge.me Ltd (UK). Judge.me acts as our processor and processes your personal data on our instructions. Product reviews submitted via Judge.me are published in our webshop under the reviewed product. Your name will be displayed in an abbreviated form, so that only the initials of your first and last name, as well as the corresponding review including the date of the review, are visible to visitors of the webshop.
In some cases, we may also invite you to participate in a satisfaction survey. In this case, you will receive an email from us with further information about the survey. For sending these emails, we use the Klaviyo service from Klaviyo, Inc. (USA). Your email address will therefore be transmitted by us to the service provider. Please also note the information in the section "Newsletter".
When rating our products and participating in satisfaction surveys, your personal data may be transferred to third countries. Please therefore note the information in the section "Data transfer to third countries".
7. Cookies
On our website, we use cookies and similar technologies ("cookies"). Cookies are small data records that are stored by your browser when you visit a website. This identifies the browser used and allows it to be recognized by web servers. You have full control over the use of cookies through your browser. You can delete cookies at any time in your browser's security settings. You can object to the use of cookies in general or in specific cases via your browser settings.
The use of cookies is partly technically necessary for the operation of our website and thus permissible without the user's consent. We may also use cookies to offer special functions and content, as well as for analysis and marketing purposes. This may include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with Section 25 (1) TDDDG and, if applicable, Art. 6 (1) (a) GDPR. Information on the purposes, providers, technologies used, stored data, and storage duration of individual cookies can be found in the cookie settings of our Consent Management Tool. You can access this at any time via the "Data Settings" link in the footer of our website.
8. Consent Management Tool
This website uses the Consent Management Tool Pandectes from Pandectes OÜ (Estonia, EU) to control cookies and the processing of personal data.
The consent banner allows users of our website to give consent for certain data processing activities or to revoke previously given consent. By confirming the "I accept" button or by saving individual cookie settings, you agree to the use of the associated cookies.
The legal basis for the data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR.
In addition, the banner helps us to provide proof of the declaration of consent. For this purpose, we process information about the declaration of consent and other log data related to this declaration. Cookies are also used to collect this data. The processing of this data is necessary to be able to prove a given consent. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR).
You can revoke your consent for cookies at any time via the "Data settings" link in the footer of our website.
9. Analysis of our website
a) Hotjar
We use the Hotjar service from the provider Hotjar Ltd. (Malta, EU) on our website to analyze movements on our website using so-called "heatmaps." These heatmaps show, for example, how far users scroll and how often users click which buttons. Furthermore, the tool also makes it possible to collect feedback directly from website users. In this way, we gain valuable information to make our website even faster and more customer-friendly. With Hotjar, we can only track which buttons are clicked, the movement of the mouse, how far the page is scrolled, the screen size of the device, device type, and browser information. We also receive information about your geographical location (country) and the preferred language for displaying our website. Areas of the websites where personal data of you or third parties are displayed are automatically hidden by Hotjar and are therefore not traceable by the tool at any time.
The processing of your data is based on your consent according to Art. 6 para. 1 lit. a GDPR.
Cookies are placed on your device to integrate the service. The setting of cookies and the access to information stored on your device is done with your consent, which you can revoke at any time with future effect via our Consent Management Tool. Further information on data protection at Hotjar can be found in Hotjar's privacy policy at https://www.hotjar.com/legal/policies/privacy/.
10. Tracking & Retargeting
a) Google Analytics
We use the Google Analytics service from Google Ireland Limited (Ireland, EU) on our website.
Google Analytics is a web analytics service that allows us to collect and analyze data on user behavior on our website. Google Analytics enables us to measure interaction data from various devices and from different sessions. This allows us to put individual user actions into context and analyze long-term relationships.
Google Analytics uses cookies for this purpose, which enable an analysis of the use of our website. In addition, personal data in the form of IP addresses, device identifiers, and information about the interaction with our website are processed. Some of this data consists of information stored on your device. Furthermore, additional information is stored on your device via the cookies used.
Google Ireland will process the data collected in this way on our behalf to evaluate the use of our website by users, to compile reports on the activities within our website, and to provide us with further services associated with the use of our website and internet usage. Pseudonymous user profiles of users can be created from the processed data.
The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Art. 6 para. 1 lit. a GDPR. You can revoke this consent at any time with future effect via our Consent Management Tool.
We only use Google Analytics with activated IP anonymization. This means that the IP address of users will be shortened by Google Ireland within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The IP address transmitted by the user's browser will not be merged with other data. The shortening of the IP address takes place on servers in the EU.
Data on user actions is stored for a period of two months and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.
We also use the Google Analytics advertising features (remarketing). This feature allows us, in conjunction with Google's cross-device features, to display advertisements in a more targeted manner and to present users with interest-based ads. Through remarketing, users are shown advertisements and products for which interest has been determined on other websites in the Google network. Through this function, we can link advertising target groups created via Google Analytics remarketing with the cross-device functions of Google Ads. This way, interest-based, personalized advertising messages that were adapted to a user's previous usage and surfing behavior on one device (e.g., mobile phone) can also be displayed on another device of the user (e.g., tablet or PC).
If you have given corresponding consent, Google will link your web and app browsing history with your Google account for this purpose. This way, the same personalized advertising messages can be displayed on every device where you log in with your Google account. The aggregation of the collected data in your Google account is based solely on your consent, which you can give or revoke at Google. Data is then collected via Google Analytics for advertising purposes for these linked services. To support the remarketing function, Google Analytics collects the Google-authenticated IDs of users, which are temporarily linked to our Google Analytics data. This serves to define and create target groups for cross-device advertising.
Further information on how data from websites or apps is used by Google for advertising purposes can be found in Google's notes at: www.google.com/policies/technologies/ads/.
b) Meta Pixel
We use the Meta Pixel, a Meta Business tool from Meta Platforms Ireland Limited (Ireland, EU) on our website. Information about the contact details of Meta Platforms Ireland Ltd. and the contact details of Meta Platforms Ireland Ltd.'s data protection officer can be found in Meta Platforms Ireland Ltd.'s data policy at https://www.facebook.com/about/privacy.
The Meta Pixel is a JavaScript code snippet that allows us to track the activities of visitors to our website. This tracking is called conversion tracking. For this purpose, the Meta Pixel collects and processes the following information (so-called event data):
- Information about actions and activities of visitors to our website, such as searching for and viewing a product or purchasing a product;
- Specific pixel information such as the pixel ID and the Facebook cookie;
- Information about buttons clicked by visitors to the website;
- Information present in HTTP headers, such as IP addresses, information about the web browser, the page location, and the referrer;
- Information about the status of ad tracking deactivation/restriction.
Some of this event data consists of information stored on your device. Furthermore, cookies are also used via the Meta Pixel, through which information is stored on your device. Such storage of information by the Meta Pixel or access to information already stored on your device only takes place with your consent in accordance with Section 25 (1) TDDDG.
The event data collected via the Meta Pixel is used for targeting our advertisements and improving ad delivery on Meta products such as the social media platforms Facebook and Instagram, for personalizing features and content, and for improving and securing Meta products. For this purpose, the event data collected on our website using the Meta Pixel is transmitted to Meta Platforms Ireland Ltd. This collection and transmission of event data is carried out by us and Meta Platforms Ireland Ltd. as joint controllers. We have concluded an agreement with Meta Platforms Ireland Ltd. regarding joint processing, which defines the distribution of data protection obligations between us and Meta Platforms Ireland Ltd. In this agreement, we and Meta Platforms Ireland Ltd. have, among other things, agreed that:
- we are responsible for providing you with all information in accordance with Art. 13, 14 GDPR regarding the joint processing of personal data;
- Meta Platforms Ireland Ltd. is responsible for enabling the rights of data subjects in accordance with Art. 15 to 20 GDPR with regard to the personal data stored by Meta Platforms Ireland Ltd. after the joint processing.
You can access the agreement concluded between us and Meta Platforms Ireland Ltd. at https://www.facebook.com/legal/controller_addendum.
Meta Platforms Ireland Ltd. is solely responsible for the processing of the transmitted event data that follows the transmission. Further information on how Meta Platforms Ireland Ltd. processes personal data, including the legal basis on which Meta Platforms Ireland Ltd. relies and the possibilities for exercising your rights vis-à-vis Meta Platforms Ireland Ltd., can be found in the Meta Platforms Ireland Ltd. data policy at https://www.facebook.com/about/privacy.
We have also commissioned Meta Platforms Ireland Ltd. to prepare reports on the impact of our advertising campaigns and other online content (campaign reports) and to generate analyses and insights about users and their use of our website, products and services (analyses), based on the event data collected via the Meta Pixel. For this purpose, we transmit personal data contained in the event data to Meta Platforms Ireland Ltd. The transmitted personal data is processed by Meta Platforms Ireland Ltd. as our processor to provide us with campaign reports and analyses.
The collection and transmission of personal data by us to Meta Platforms Ireland Ltd. and the commissioned processing of personal data by Meta Platforms Ireland Ltd. for the creation of analyses and campaign reports only take place if you have previously given your consent. The legal basis for the processing of personal data is therefore Art. 6 para. 1 lit. a GDPR.
c) TikTok Pixel
We use the TikTok Pixel on our website. The TikTok Pixel is a TikTok Advertiser Tool from the two providers
- TikTok Technology Limited (Ireland, EU)
- TikTok Information Technologies UK Limited (UK) (both are hereinafter jointly referred to as "TikTok").
The TikTok Pixel is a JavaScript code snippet that allows us to understand and track visitor activities on our website. The TikTok Pixel collects and processes information about visitors to our website or the devices they use (so-called event data).
The event data collected via the TikTok Pixel is used for targeting our advertisements and for improving ad delivery and for personalized advertising. For this purpose, the event data collected on our website using the TikTok Pixel is transmitted to TikTok.
In some cases, this event data involves information stored on your device. In addition, the TikTok Pixel also uses cookies to store information on your device. Such storage of information by the TikTok Pixel or access to information already stored on your device only takes place with your consent. The legal basis for the collection and transmission of personal data by us to TikTok is therefore Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time via our Consent Management Tool.
This collection and transmission of event data is carried out by us and TikTok as joint controllers. We have concluded an agreement with TikTok regarding joint processing, which defines the distribution of data protection obligations between us and TikTok. In this agreement, we and TikTok have, among other things, agreed that:
- we are responsible for providing you with all information in accordance with Art. 13, 14 GDPR regarding the joint processing of personal data;
- TikTok is responsible for enabling the rights of data subjects in accordance with Art. 15 to 20 GDPR with regard to the personal data stored by TikTok after the joint processing.
You can access the agreement concluded between us and TikTok at https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms.
TikTok is solely responsible for the processing of the transmitted event data that follows the transmission. Further information on how TikTok processes personal data, including the legal basis on which TikTok relies and the possibilities for exercising your rights vis-à-vis TikTok, can be found in TikTok's data policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.
d) Snap Pixel
We use the Snap Pixel from Snap Camera GmbH (Germany) on our website. The Snap Pixel allows us to define visitors to our website as a target audience for displaying ads on the social media platform Snapchat (so-called "Snapchat Ads"). Accordingly, we use the Snap Pixel to show our Snapchat Ads only to Snapchat users who have shown an interest in our online offerings or who have certain characteristics (e.g., interests in certain topics or products, determined based on the websites visited) that we transmit to Snapchat.
With the help of the Snapchat Pixel, we also want to ensure that our Snapchat Ads correspond to the potential interests of users and are not perceived as annoying. The Snapchat Pixel also allows us to understand the effectiveness of Snapchat ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Snapchat ad.
The processing of your data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.
Cookies are placed on your device to integrate the service. The setting of cookies and access to information stored on your device occur with your consent, which you can revoke at any time with future effect via our Consent Management Tool. When using the service, the transfer of your data to the United Kingdom cannot be ruled out. We base the data transfer to the United Kingdom on the adequacy decision of the European Commission in accordance with Art. 45 GDPR. Further information on data protection at Snap Group Limited can be found in the privacy notices of Snap Group Limited at https://www.snap.com/de-DE/privacy/privacy-policy/#european-union-users.
e) Google Ads
We use the Google Ads online advertising program from Google Ireland Limited (Ireland, EU) on our website, through which we place advertisements on the Google search engine. If you reach our website via a Google ad, Google places a cookie on your device ("Conversion Cookie"). A different conversion cookie is assigned to each Google Ads customer, so that the cookies cannot be tracked across the websites of different Ads customers. The information obtained with the help of the cookie is used to generate conversion statistics. This tells us the total number of users who clicked on one of our Google ads. However, we do not receive any information that allows users to be personally identified.
The processing of your data is based on your consent in accordance with Art. 6 para. 1 lit. a GDPR.
The setting of cookies takes place with your consent, which you can revoke at any time with future effect via the Consent Management Tool. When using the service, the transfer of your data to the USA cannot be ruled out. Please refer to the section "Data transfer to third countries" for information on this. Further information on data protection at Google can be found in Google's privacy policy at https://policies.google.com/privacy#infocollect.
11. External media and third-party services
a) Cloudflare
We use the Cloudflare service from Cloudflare Inc. (USA) on our website to display content. For such integration, the processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Cloudflare. You can object to this data processing at any time via the settings of your browser or certain browser extensions. Please note that this may lead to functional restrictions on the website.
The legal basis for the processing of your data is Art. 6 para. 1 lit. f GDPR; the processing rests on our legitimate interest in optimizing and operating our website economically.
When using the service, a transfer of your data to the USA cannot be ruled out. Please refer to the section "Data transfer to third countries" for information on this. Further information on data protection at Cloudflare can be found in Cloudflare's privacy policy at https://www.cloudflare.com/privacypolicy/.
12. Use of contact data for customer matching
a) Google Customer Match
We use the Customer Match function within the Google Ads service of Google Ireland Ltd. (Ireland, EU). This function enables us to display advertisements more precisely in Google services based on customer lists, thereby increasing the relevance of the advertising for users. If we have previously collected this data from you, we transmit your email address, telephone number, postal address, and mobile device ID to Google Ireland Ltd. (Google) for this purpose. Before we transmit the data to Google, we apply a one-way hash to the data using the SHA-256 algorithm. The resulting hash strings are then automatically compared by Google with the hash strings of the corresponding data from existing Google accounts. In the event of a match, the respective Google account is added to a customer list created for us. If the data does not match, it may still be used by Google as part of policy compliance checks. After the data has been matched and the policy compliance check has been completed, the data is deleted by Google.
The legal basis for the processing of your data is Art. 6 para. 1 lit. f GDPR; the processing rests on our legitimate interest in displaying our advertising more precisely.
As a Google user, you can control which ads you see in Google services via the Google ad settings. This also applies to ads with the "Customer Match" function. Information on data protection for Google Ads Customer Match can be found at: https://support.google.com/google-ads/answer/6379332?hl=de. General information on data protection at Google can be found here: https://policies.google.com/privacy?hl=de.
b) Facebook Custom Audiences
We use the personal data you provide for customer matching using the Custom Audiences function offered by Meta Platforms Ireland Limited (Ireland, EU).
The Custom Audiences function allows us to create target audiences (so-called Custom Audiences) from users of Meta services based on customer lists, in order to display advertisements more precisely in Meta services such as the Facebook platform and thus increase the relevance of the advertising for users. For this purpose, we transmit your email address, phone number, and address to Meta Platforms Ireland Limited (Meta). With the help of this personal data, we create target audiences for advertisements. Before the data is used by Meta for matching, the data is hashed with a one-way function and thus pseudonymized. The resulting hash strings are then automatically compared by Meta with the hash strings of corresponding data about users of Meta services that are already available at Meta. In the event of a match, the users are added to the target audience. As soon as the Custom Audience has been created by Meta, the hashed data is deleted, regardless of whether there was a match or not. Further information on the Custom Audiences function can be found here.
The legal basis for the processing of your data is Art. 6 para. 1 lit. f GDPR; the processing rests on our legitimate interest in displaying our advertising more precisely.
Meta Platforms Ireland Limited's general privacy policy can be found at: https://de-de.facebook.com/privacy/explanation
III. Data processing on our social media pages
We maintain a company page on several social media platforms. Through this, we want to offer further opportunities for information about our company and for exchange. Our company has company pages on the following social media platforms:
- Facebook of Meta Platforms Ireland Limited, (Ireland, EU), hereinafter "Meta";
- Instagram of Meta Platforms Ireland Limited, (Ireland, EU);
- TikTok of TikTok Technology Limited, (Ireland, EU), hereinafter "TikTok".
If you visit or interact with a profile on a social media platform, personal data about you may be processed. Information associated with the social media profile you use also regularly constitutes personal data. This also includes messages and statements made using the profile. In addition, certain information about your visit to a social media profile is often automatically collected, which may also constitute personal data.
1. Visiting a social media page
When you visit our social media page, through which we present our company or individual products from our offering, certain information about you is processed. The operators of the social media platforms are solely responsible for this processing of personal data. Further information on the processing of personal data can be found in their privacy policies, which we link to below:
- Meta (https://www.facebook.com/privacy/explanation). Meta offers the possibility to object to certain data processing; relevant information and opt-out options can be found at https://www.facebook.com/settings?tab=ads;
- TikTok (https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE).
The operators of social media platforms collect and process event data and profile data and provide us with anonymized statistics and insights for our pages, which help us gain insights into the types of actions people perform on our page (so-called "Page Insights"). These Page Insights are created based on certain information about people who have visited our page. This processing of personal data is carried out by the social media operators and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our page and improving our page based on these insights. The legal basis for this processing is Art. 6 Para. 1 lit. f GDPR.
We cannot assign the information obtained via Page Insights to individual user profiles that interact with our pages. We have entered into joint controller agreements with the operators of the social media platforms, which define the distribution of data protection obligations between us and the operators. Details about the processing of personal data for the creation of Page Insights and the agreement concluded between us and the operators can be found at the following links:
- Meta (https://www.facebook.com/legal/terms/information_about_page_insights_data);
- TikTok (https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms).
You also have the option to assert your rights against the operators. Further information on this can be found at the following links:
- Meta (https://www.facebook.com/privacy/explanation);
- TikTok (https://privacytiktok.zendesk.com/hc/en-us/requests/new).
We have agreed with Meta and TikTok that the Irish Data Protection Commission is the lead supervisory authority that oversees the processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see www.dataprotection.ie) or with any other supervisory authority.
2. Communication via Social Media Pages
We also process information that you have provided to us via our company page on the respective social media platform. Such information may include the username used, contact details, or a message to us. Such processing by us takes place as the sole controller. We process this data based on our legitimate interest in contacting inquiring persons. The legal basis for data processing is Art. 6 Para. 1 lit. f GDPR. Further data processing may occur if you have consented (Art. 6 Para. 1 lit. a GDPR) or if it is necessary to fulfill a legal obligation (Art. 6 Para. 1 lit. c GDPR).
3. Ordering via our TikTok Shop
We have activated the TikTok Shop function on our TikTok presence to enable a direct way to order our products on TikTok. The provider of the TikTok Shop is TikTok Technology Limited, (Ireland, EU), hereinafter referred to as "TikTok".
If you visit our TikTok Shop or place an order through it, both we and TikTok process your personal data.
TikTok is particularly responsible for personalizing content and offering discounts and processes the usage information collected via your user account for this purpose. In addition, TikTok independently takes care of checking and managing submitted reviews. We have no influence on these data processing operations. Further information on data processing by TikTok can be found in Section B of the EU TikTok Shop Terms of Use and in TikTok's general privacy policy.
If you place an order with us via the TikTok Shop, we process your provided personal data for the purpose of order processing. This is done via our internal systems and corresponds to the processing via our own webshop. Payments are always processed via Stripe. For further information on the processing of personal data in the context of order processing, please refer to Section II of this privacy policy.
If TikTok provides us with personal order data for the technical processing of the order, TikTok acts as our processor for these data processing operations. This also applies to the transfer of personal data to payment or logistics service providers or if we import previously submitted reviews from other portals into our TikTok Shop.
When ordering via TikTok, a data transfer to third countries cannot be excluded. Please therefore note the information in Section I, Paragraph 5 of this data protection notice.
IV. Further Data Processing
1. Applications
If you apply to our company, we process your application data exclusively for purposes related to your interest in a current or future employment with us and the processing of your application. Your application will only be processed and reviewed by the relevant contact persons within our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. Should we not be able to offer you employment, we will store the data you have submitted for up to six months after a possible rejection for the purpose of answering questions related to your application and rejection. This does not apply if legal provisions prevent deletion, further storage is necessary for evidentiary purposes, or you have expressly consented to longer storage.
The legal basis for data processing is Section 26 Para. 1 S. 1 BDSG or Art. 6 Para. 1 lit. b GDPR. If we store your applicant data beyond the six-month period and you have expressly consented to this, this consent can be freely revoked at any time in accordance with Art. 7 Para. 3 GDPR. Such a revocation does not affect the legality of the processing carried out based on the consent until the revocation.
2. Contacting us by email
If you send us a message via the provided contact email, we will process the transmitted data for the purpose of answering your inquiry. We process this data based on our legitimate interest in contacting inquiring persons. The legal basis for data processing is Art. 6 Para. 1 lit. f GDPR. If the inquiry relates to a contract already concluded or yet to be concluded with you, the legal basis is Art. 6 Para. 1 lit. b GDPR.
3. Customer and Prospect Data
If you contact our company as a customer or prospect, we process your data for the establishment or execution of the contractual relationship to the necessary extent. This regularly includes the processing of the personal master, contract, and payment data provided to us, as well as contact and communication data of our customers and contact persons of commercial customers and business partners. The legal basis for these processing operations is Art. 6 para. 1 lit. b GDPR, if the contract is concluded with you. Otherwise, the legal basis is our legitimate interest in fulfilling our contractual obligations in accordance with Art. 6 para. 1 lit. f GDPR.
In addition, we process customer and prospect data for evaluation and marketing purposes. These processing operations are based on Art. 6 para. 1 lit. f GDPR and serve our interest in further developing our offer and informing you specifically about our offers.
Further data processing may occur if you have consented (Art. 6 para. 1 lit. a GDPR) or if it is necessary to fulfill a legal obligation (Art. 6 para. 1 lit. c GDPR).
4. Use of the email address for marketing purposes
We may use your email address provided during registration or order to inform you about our own similar products and services.
The legal basis is Art. 6 Para. 1 lit. f GDPR in conjunction with Section 7 Para. 3 UWG. You can object to this at any time without incurring any costs other than the transmission costs at the basic rates. To do this, you can unsubscribe by clicking on the unsubscribe link included in every mailing.
5. Notice for data subjects in Switzerland
If you are a data subject within the scope of the Swiss Federal Act on Data Protection, the additional information under this point applies.
For data subjects in Switzerland, the legal references made in this data protection notice are to be read as references to the comparable provisions of the Federal Act on Data Protection. This applies in particular to the applicable data subject rights under Articles 25-29, 32 DPA.
Data processing also takes place in the following countries outside Switzerland:
- Germany (EU)
- Denmark (EU)
- Austria (EU)
- Ireland (EU)
- Malta (EU)
- Estonia (EU)
- United States of America
- United Kingdom
We guarantee an adequate level of data protection. This is ensured by:
- an established adequate level of data protection in accordance with Art. 16 Para. 1 DPA for the recipient country;
- standard data protection clauses that the FDPIC has previously approved, issued or recognized, in particular the standard contractual clauses of the European Commission;
- an international treaty that regulates an adequate level of data protection.
Status: [1.0, 22.01.2024]


