Privacy Policy
www.m2beaute.com
Last updated: January 2024
Table of Contents
-
Name and address of the controller
-
Contact details of the Data Protection Officer
-
General information about data processing
-
Rights of the data subject
-
Provision of the website and creation of log files
-
Use of cookies
-
Newsletter
-
E-mail contact
-
Contact form
-
Use of corporate social media presences
-
Use of corporate presences in career-related social media
-
Hosting
-
Registration
-
Online shop
-
Payment options
-
Shipping providers
-
Plug-ins used
-
Name and address of the controller
The controller of the data as defined under the General Data Protection Regulation (GDPR) and other data protection provisions is:
M2 Beauté Cosmetics GmbH
Anna-Schneider-Steig 4
50678 Cologne
Germany
49 (0) 1805 - 28 83 63
-
Contact details of the Data Protection Officer
The Data Protection Officer of the controller is:
DataCo GmbH
Nymphenburger Str. 86
80636 Munich
Germany
+49 89 7400 45840
-
General information about data processing
1. Scope of personal data processing
We process the personal data of our users only to the extent necessary to provide a functioning website and our content and services. Our users' personal data is routinely processed only with the consent of the user. An exception to this applies in cases where prior consent cannot be obtained for reasons of fact and the processing of the data is required by law.
2. Legal basis for the processing of personal data
Article 6(1)(1)(a) of the GDPR serves as the legal basis in cases where we have obtained consent from the data subject.
Article 6(1)(1)(b) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the performance of a contract to which the data subject is a party. This also applies to processing operations which are required in order to carry out pre-contractual measures.
Article 6(1)(1)(c) of the GDPR serves as the legal basis for the processing of personal data if it is necessary for the fulfillment of a legal obligation which applies to our company.
Article 6(1)(1)(d) of the GDPR serves as the legal basis in the event that the data subject's vital interests or those of another natural person require the processing of personal data.
Article 6(1)(1)(f) of the GDPR serves as the legal basis if the processing is necessary to safeguard the legitimate interests of our company or a third party and if the interests and fundamental rights and freedoms of the data subject do not override such interests.
3. Data erasure and period of storage
The data subject's personal data will be erased or locked as soon as the purpose of storage ceases to apply. Storage may also occur when required under European or national legislation in the form of EU regulations, laws, or other provisions which apply to the controller. The data shall also be locked or erased in such cases when the relevant storage period specified by the provisions in question expires, unless the data still needs to be stored in order to conclude or fulfill a contract.
-
Rights of the data subject
If your personal data is processed, you are a data subject as defined under the GDPR and are entitled to the following rights in relation to the data controller:
1. The right of access by the data subject (Art. 15 GDPR)
You have the right to demand confirmation from us as to whether or not we are processing personal data which pertains to you.
In the event that we are, you have the right to access the data in question and the following information:
-
Purposes of processing
-
Categories of personal data processed
-
Recipients or categories of recipients
-
Planned storage period or the criteria for determining this period
-
The existence of rights to rectification, erasure, restriction of processing, and objection
-
The right to lodge a complaint with the competent supervisory authority
-
The source of the data (if collected from a third party), where relevant
-
The existence of any automated decision-making, including profiling, and meaningful information about the logic involved, the significance, and the expected consequences, where relevant
-
The transfer of personal data to any third country or international organization, where relevant
2. Right to rectification (Art. 16 GDPR)
In the event that your personal data is incorrect or incomplete, you have the right to request the immediate correction or addition of personal data.
3. Right to restriction of processing (Art. 18 GDPR)
If any of the following criteria are fulfilled, you have the right to demand the restriction of the processing of your personal data:
-
You are contesting the accuracy of your personal data, whereby you are entitled to restriction of processing for a period which will enable us to verify the accuracy of the personal data.
-
In the context of unlawful processing, whereby you oppose the erasure of the personal data and request the restriction of use of the personal data instead.
-
We no longer need the personal data for the purposes of the processing, but you need your personal data for the purpose of establishing, exercising, or defending your own legal claims.
-
After you have objected to the processing, whereby restriction will apply for the duration of the review as to whether our legitimate reasons override your reasons.
4. Right to erasure ("right to be forgotten") (Art. 17 GDPR)
If any of the following reasons apply, you have the right to demand the immediate erasure of your personal data:
-
Your data is no longer necessary for the processing purposes for which it was originally collected.
-
You revoke your consent and no other legal basis for the processing applies.
-
You object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
-
Your personal data is being processed unlawfully.
-
Erasure is required in order to fulfill a legal obligation which applies to us under EU or Member State law.
-
The personal data was collected in relation to the offer of information society services in accordance with Article 8(1) GDPR.
Please note that the reasons specified above do not apply if the processing is necessary:
-
in order to exercise the right to freedom of expression and information;
-
in order to fulfill a legal obligation or perform a task which is in the public interest and applies to us;
-
for reasons of public interest in the area of public health;
-
for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
-
in order to establish, exercise, or defend legal claims.
5. Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used and machine-readable format or to request its transmission to another controller.
6. Right to object to specific data processing (Art. 21 GDPR)
You have the right to object to processing of your personal data which is taking place on the basis of Art. 6(1)(1)(e) or (f) GDPR for reasons relating to your particular situation at any time. The same also applies in regard to any profiling conducted on the basis of these provisions.
If your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data for the purposes of such marketing at any time; the same also applies in regard to profiling to the extent that it is related to such direct marketing.
7. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that personal data pertaining to you is being processed in violation of the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR. A list of the supervisory authorities with local jurisdiction in Germany can be found on the website of the German Federal Commissioner for Data Protection via the following link: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
8. Use of the Data Subject Request Tool (DSR) for the management of data subject requests
8.1. Scope of processing personal data
We use functionalities of the data protection plug-in „DSR“ of DataCo GmbH, Dachauer Str. 65, 80335, Munich, Bavaria, Germany (hereinafter referred to as: DataCo).
By using the button „Submit Data Subject Request“, all visitors of our website have the opportunity to make use of their data subject rights. To do so, you specify your relationship to our company, which data subject right you wish to exercise, provide further optional information and, if necessary, identify yourself with further characteristics. The data subject request will then be processed by us.
The following personal data will be processed by DataCo:
- First and last name
- Relationship to the controller (employee, customer, interested party, etc.)
- E-mail address
- Further voluntarily communicated personal data
For further information on the processing of data by DataCo, please click here: https://www.dataguard.com/privacy-policy
In addition, to ensure technical functionality, logfiles may be forwarded to DataCo GmbH, which include the following:
- Browser type and version used
- The user’s operation system
- The user’s internet service provider
- The user’s IP address
- Date and time of access
- Websites from which the user's system made the request
8.2. Purpose of the data processing
The use of DSR serves to protect the data protection rights of our website visitors. We enable you to make use of your data subject rights and to contact us quickly and easily.
8.3. Legal basis for data processing
The legal basis for the use of the DSR tool and the processing of corresponding data is your declaration of consent in accordance with art. 6 para. 1 s. 1 lit. a GDPR.
The legal basis for the use of the logfiles is our legitimate interest in ensuring the technical functionality of the tool according to art. 6 para. 1 s. 1 lit. f GDPR.
8.4. Duration of storage
Data will be stored for as long as necessary to fulfil the purposes described in this privacy policy or as required by law.
8.5. Objection and removal
The user has the possibility to revoke the consent to the processing of their personal data or object the processing of logfiles at any time by contacting the data controller by mail or by using the DSR tool.
-
Provision of the website and creation of log files
1. Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the visiting computer.
The following data is collected in this context:
-
Information on browser type and version used
-
The user's operating system
-
The user's IP address
-
Date and time of access
-
Websites from which the user's system arrives on our website
-
Websites that the user's system access through our website
This data is stored in our system's log files. This data is not stored together with the user's other personal data.
2. Purpose of data processing
Temporary storage of the IP address by the system is necessary in order to allow the delivery of the website to the user's computer. This requires the user's IP address to be stored for the duration of the session.
The data is stored in log files in order to ensure the functionality of the website. We also use this data to optimize the website and to ensure the security of our IT systems. Data is not analyzed for marketing purposes in this context.
These purposes also account for our legitimate interest in data processing as per Art. 6(1)(1)(f) GDPR.
3. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6(1)(1)(f) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the context of collecting data in order to provide the website, this is the case when the respective session has ended.
In the context of storing data in log files, this is the case after seven days at latest. Storage beyond this period is possible. In this event, the users' IP addresses are erased or distorted such that association with the visiting client is no longer possible.
5. Possibility of objection
The collection of data for the provision of the website and the storage of data in log files is essential for the website's operation. The user can object to this. Whether or not the objection will be successful must be determined by means of a consideration of interests.
-
Use of cookies
1. Description and scope of data processing
We employ technical tools for various functions during your visit to our website, particularly cookies, which can be stored on your device. When you access our website and anytime afterwards, you have a choice of whether to generally allow the use of cookies or to select which individual additional functions you would like to allow. You can make changes to your selections in your browser settings or with our consent manager. Cookies are text files or information in databases that are saved to your hard drive and associated with the browser you use so that certain information can be provided to the entity that created the cookies. In the following, we describe which kinds of cookies we use:
We use technically necessary cookies that are necessary for the technical set-up of the website. Without these cookies, it may be impossible for our website to be displayed (fully and correctly), or support functions may be unavailable.
The following data is stored and transmitted by the technically necessary cookies:
-
Language settings
-
Usage of website functions
We also use cookies that are not technically necessary on our website. Text files that do not solely serve to facilitate website functionality and also collect other data are classified as cookies that are not technically necessary.
The following data is processed through the use of cookies that are not technically necessary:
-
Date and time at which website is accessed
-
Adjustment of ads displayed to the user
-
Tracking of browsing behavior
-
Linking the website visit with other social media platforms
2. Purpose of data processing
The purpose of using technically necessary cookies is to ensure the functionality of our website. Some of our website's functions cannot be offered without the use of cookies. These functions require the browser to be recognized again after changing pages.
We need the technically necessary cookies for the following applications:
-
Retention of language settings
-
Website functionality
Cookies that are not technically necessary are used for the purpose of improving the quality of our website, its content, and thus our reach and profitability. The use of these cookies allows us to learn how the website is used, enabling us to optimize our offering on a continuous basis. We use these cookies for the following purposes in particular:
Analysis of visitor behavior in order to improve user experience.
3. Legal basis for data processing
The storage of information on the end user's terminal system and/or access to information already stored on the end user's terminal system are subject to the provisions of the German Act on Data Protection for Telecommunications and Telemedia (TTDSG). When the placement and reading of cookies is technically necessary, this is done in order to ensure the functionality of our website. In this case, cookies are stored and accessed on your terminal system on the basis of Section 25(2)(2) TTDSG. Information is stored and accessed on your terminal system for the purpose of simplifying the use of our website for you and enabling us to offer our services to you in accordance with your preferences. In addition, some of our website's features cannot function and thus cannot be offered without the use of these cookies. These cookies are generally erased after the end of the session (e.g. when the user logs out or closes the browser) or after the end of a specified period. Information on deviating storage periods for cookies can be found in the following sections of this Privacy Policy.
If cookies which are not technically necessary are used, this takes place on the basis of your express consent, which you can grant via the cookie banner. The basis for storing and accessing information in this case is Section 25(1) TTDSG in conjunction with Art. 6(1)(a) and Art. 7 GDPR. You can revoke or subsequently re-issue consent with future effect at any time by configuring your cookie settings accordingly. Alternatively, you can prevent the storage of cookies by configuring your browser settings accordingly. In this context, please note that any changes made to browser settings will apply only to the respective browser used. In cases where personal data is processed after the information has been stored and accessed on your terminal system, the provisions of the GDPR apply. Information on this subject can be found in the following sections of this Privacy Policy.
-
Newsletter
1. Description and scope of data processing
Our website offers the opportunity to subscribe to a free newsletter. For the dispatch of the newsletter, we use the service provider Optimizely GmbH, Wallstraße 59, 10179 Berlin, Germany. When a user registers for the newsletter, the data from the registration form is transmitted to us.
-
E-mail address
-
Last name
-
First name
-
Date of birth
Data is not shared with third parties in connection with the processing of data for the delivery of newsletters. The data is used exclusively for the delivery of the newsletter.
2. Purpose of data processing
The user's email address is collected for the purpose of delivering the newsletter.
Other personal data is collected in the context of the registration process for the purpose of preventing the misuse of services or the e-mail address used.
3. Legal basis for data processing
The legal basis for the processing of data after registration for the newsletter by the user, subject to the user's consent, is Art. 6(1)(1)(a) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The user's e-mail address is stored only as long as the newsletter subscription is active.
The other personal data collected in the context of the registration process is typically erased after a period of seven days.
5. Possibility of revocation
The newsletter subscription can be canceled by the user in question at any time. Every newsletter contains a corresponding link for this purpose.
This also allows the user to revoke their consent to the storage of personal data collected during the registration process.
-
E-mail contact
1. Description and scope of data processing
Users can contact us via the e-mail address provided on our website. In this case, the user's personal data that is transmitted together with the e-mail will be stored.
This data is used exclusively for processing the conversation.
2. Purpose of data processing
The necessary legitimate interest in the processing of data also exists in the case of contact via e-mail.
3. Legal basis for data processing
The legal basis for the processing of data transmitted in the context of sending an e-mail is Art. 6(1)(f) GDPR. Our legitimate interest in this context is in providing optimal answers to inquiries you submit via e-mail.
If the e-mail contact is intended to conclude a contract, an additional legal basis for processing is Art. 6(1)(b) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In regard to the personal data which is sent via e-mail, this is the case when the respective conversation with the user is ended. The conversation is ended when it is apparent from the context that the matter in question has been definitively resolved.
The additional personal data gathered during the sending process is erased after a period of seven days at latest.
5. Possibility of objection
If the user contacts us via e-mail, they may object to the storage of their personal data at any time. In this case, we will be unable to continue the conversation.
No data is stored in the case of a contact inquiry.
All personal data stored in the course of establishing contact will be deleted in this case.
-
Contact form
1. Description and scope of data processing
A contact form that can be used to make contact electronically is available on our website. If a user makes use of this option, the data entered in the input form is transmitted to us and stored.
The following data is stored at the time the message is sent:
-
E-mail address
-
Last name
-
First name
-
Address
-
Telephone/mobile number
-
None
2. Purpose of data processing
We process the personal data from the contact form's input screen or the provided e-mail address solely for the purpose of handling the contact.
The other personal data processed during the sending process serves the purpose of preventing misuse of the contact form and ensuring the security of our IT systems.
3. Legal basis for data processing
The legal basis for processing data transmitted in the context of sending an e-mail is Art. 6(1)(1)(f) GDPR. Our legitimate interest in this context is in providing optimal answers to inquiries you submit to us via contact form. If the e-mail contact is intended to conclude a contract, an additional legal basis for processing is Art. 6(1)(1)(b) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In regard to the personal data from the input screen of the contact form and the personal data sent via e-mail, this is the case when the respective conversation with the user is ended. The conversation is ended when it is apparent from the context that the matter in question has been definitively resolved.
The additional personal data gathered during the sending process is erased after a period of seven days at latest.
5. Possibility of objection
If the user contacts us via the input screen of the contact form, they can object to the storage of their personal data at any time.
No data is stored in the case of a contact inquiry.
All personal data stored in the course of establishing contact will be deleted in this case.
-
Use of corporate social media presences
Use of corporate social media presences
Instagram:
Instagram, part of Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
We use our company page to provide information and offer Instagram users an opportunity to communicate with us. If you perform an action on our corporate Instagram presence (e.g. comments, contributions, likes, etc.), it is possible that you will make personal data public by doing so (e.g. real name or profile picture). However, since we typically have little to no influence over the processing of your personal data by Instagram, the company which shares responsibility for the M2 Beauté Cosmetics GmbH corporate presence, we are unable to make binding statements on the purpose and scope of the processing of your data.
We use our corporate social media presence to communicate and exchange information with (potential) customers. In particular, we use our corporate presence for:
-
Products
-
Competitions
In this context, publications via the corporate presence contain the following content:
-
Information about products
-
Competitions
-
Advertising
-
Customer contact
In this context, every user is free to publish personal data through their activities.
In the event that we process your personal data in order to analyze your online behavior, offer competitions to you, or carry out lead campaigns, this takes place on the basis of your express declaration of consent in accordance with Art. 6(1)(1)(a) and Art. 7 GDPR. The legal basis for processing personal data for the purpose of communication with customers and prospective customers is Art. 6(1)(1)(f) GDPR. In this context, our legitimate interest is in answering your inquiry optimally / being able to provide the requested information. If contact is made with the intention of concluding a contract, Art. 6(1)(b) GDPR serves as an additional legal basis for processing.
The data generated with the corporate presence is not stored in our own systems.
In cases where your personal data will be processed in third countries, we have established suitable guarantees in the form of standard data protection clauses in accordance with Art. 46(2)(c) GDPR. A copy of these standard data protection clauses can be requested from us.
You can object to the processing of your personal data that we collect in the context of your use of our corporate Instagram presence at any time and assert your rights as a data subject, which are specified in Section IV of this Privacy Policy. To do so, send us an informal email via service@m2beaute.com. \n More information on the processing of your personal data by Instagram and the corresponding possibilities for objection can be found here:
Instagram: https://help.instagram.com/519522125107875
Pinterest:
Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland
We use our company page to provide information and offer Pinterest users an opportunity to communicate with us. If you perform an action on our corporate Pinterest presence (e.g. comments, contributions, likes, etc.), it is possible that you will make personal data public by doing so (e.g. real name or profile picture). However, since we typically have little to no influence over the processing of your personal data by Pinterest, the company which shares responsibility for the M2 Beauté Cosmetics GmbH corporate presence, we are unable to make binding statements on the purpose and scope of the processing of your data.
We use our corporate social media presence to communicate and exchange information with (potential) customers. In particular, we use our corporate presence for:
-
Products
-
Competitions
In this context, publications via the corporate presence contain the following content:
-
Information about products
-
Competitions
-
Advertising
-
Customer contact
In this context, every user is free to publish personal data through their activities.
In the event that we process your personal data in order to analyze your online behavior, offer competitions to you, or carry out lead campaigns, this takes place on the basis of your express declaration of consent in accordance with Art. 6(1)(1)(a) and Art. 7 GDPR. The legal basis for processing personal data for the purpose of communication with customers and prospective customers is Art. 6(1)(1)(f) GDPR. In this context, our legitimate interest is in answering your inquiry optimally / being able to provide the requested information. If contact is made with the intention of concluding a contract, Art. 6(1)(b) GDPR serves as an additional legal basis for processing.
The data generated with the corporate presence is not stored in our own systems.
In cases where your personal data will be processed in third countries, we have established suitable guarantees in the form of standard data protection clauses in accordance with Art. 46(2)(c) GDPR. A copy of these standard data protection clauses can be requested from us.
You can object to the processing of your personal data that we collect in the context of your use of our corporate Pinterest presence at any time and assert your rights as a data subject, which are specified in Section IV of this Privacy Policy. To do so, send us an informal email via service@m2beaute.com. \n More information on the processing of your personal data by Pinterest and the corresponding possibilities for objection can be found here:
Pinterest: https://policy.pinterest.com/de/privacy-policy
YouTube:
YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, United States
We use our company page to provide information and offer YouTube users an opportunity to communicate with us. If you perform an action on our corporate YouTube presence (e.g. comments, contributions, likes, etc.), it is possible that you will make personal data public by doing so (e.g. real name or profile picture). However, since we typically have little to no influence over the processing of your personal data by YouTube, the company which shares responsibility for the M2 Beauté Cosmetics GmbH corporate presence, we are unable to make binding statements on the purpose and scope of the processing of your data.
We use our corporate social media presence to communicate and exchange information with (potential) customers. In particular, we use our corporate presence for:
-
Products
-
Competitions
In this context, publications via the corporate presence contain the following content:
-
Information about products
-
Competitions
-
Advertising
-
Customer contact
In this context, every user is free to publish personal data through their activities.
In the event that we process your personal data in order to analyze your online behavior, offer competitions to you, or carry out lead campaigns, this takes place on the basis of your express declaration of consent in accordance with Art. 6(1)(1)(a) and Art. 7 GDPR. The legal basis for processing personal data for the purpose of communication with customers and prospective customers is Art. 6(1)(1)(f) GDPR. In this context, our legitimate interest is in answering your inquiry optimally / being able to provide the requested information. If contact is made with the intention of concluding a contract, Art. 6(1)(b) GDPR serves as an additional legal basis for processing.
The data generated with the corporate presence is not stored in our own systems.
In cases where your personal data will be processed in third countries, we have established suitable guarantees in the form of standard data protection clauses in accordance with Art. 46(2)(c) GDPR. A copy of these standard data protection clauses can be requested from us.
You can object to the processing of your personal data that we collect in the context of your use of our corporate YouTube presence at any time and assert your rights as a data subject, which are specified in Section IV of this Privacy Policy. To do so, send us an informal email via service@m2beaute.com. \n More information on the processing of your personal data by YouTube and the corresponding possibilities for objection can be found here:
YouTube: https://policies.google.com/privacy?gl=DE&hl=de
-
Use of corporate presences in career-related social media
1. Scope of data processing
We make use of the opportunity to maintain corporate presences in career-related social media. We maintain corporate presences on the following career-related social media networks:
LinkedIn:
LinkedIn, Unlimited Company, Wilton Place, Dublin 2, Ireland
We use our page to provide information and offer users an opportunity to communicate with us.
The corporate presence is used for applications, information/PR, and active sourcing.
We have no information on the processing of your personal data by the company that shares responsibility for the corporate presence. Further information on this can be found in the privacy policy of:
LinkedIn:
https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
If you perform an action on our corporate presence (e.g. comments, contributions, likes, etc.), it is possible that you will make personal data public by doing so (e.g. real name or profile picture).
2. Legal basis for data processing
The legal basis for the processing of personal data for the purpose of communication with customers and prospective customers is Art. 6(1)(1)(f) GDPR. In this context, our legitimate interest is in answering your inquiry optimally / being able to provide the requested information. If contact is made with the intention of concluding a contract, Art. 6(1)(b) GDPR serves as an additional legal basis for processing.
3. Purpose of data processing
Our corporate presence serves the purpose of informing users about our services. In this context, every user is free to publish personal data through their activities.
4. Duration of storage
We store your activities published via our corporate presence and personal data until consent is revoked. We also observe the relevant statutory retention periods.
5. Possibility of objection
You can object to the processing of your personal data that we collect in the context of your use of our corporate presence at any time and assert your rights as a data subject, which are specified in Section IV of this Privacy Policy. To do so, send us an informal email via the e-mail address specified in this Privacy Policy.
Further information about exercising your rights can be found here:
LinkedIn:
https://www.linkedin.com/legal/privacy-policy?trk=hb_ft_priv
-
Hosting
The website is hosted on servers by a service provider we have engaged.
Our service provider is:
Amazon AWS
Information automatically transmitted by your browser when you visit the website is automatically collected and stored in "server log files" by the servers. The following information is stored:
-
Browser type and version
-
Operating system used
-
Referring URL
-
Host name of the accessing computer
-
Date and time of server request
-
IP address
This data is not aggregated with data from other sources. This data is collected on the basis of Art. 6(1)(f) GDPR. Our legitimate interest in regard to the processing of this data is in ensuring the error-free presentation of our website and optimizing its functions.
The website's server is geographically located in Germany.
-
Registration
1. Description and scope of data processing
We offer users the option of registering with our website, which requires the provision of personal data. In this context, the data is entered into an input screen, transmitted to us, and stored. We will not disclose this data to third parties. The following data is collected during the registration process:
-
E-mail address
-
Last name
-
First name
-
Address
The user's consent to the processing of this data is obtained in the registration process.
2. Purpose of data processing
User registration is necessary in order to maintain certain content and services on our website.
Customer account creation.
3. Legal basis for data processing
The legal basis for the processing of data, subject to the user's consent, is Art. 6(1)(1)(a) GDPR.
4. Duration of storage
The data will be deleted as soon as it is no longer necessary for the purpose of its collection.
In regard to the data collected during the registration process, this is the case when the registration for our website is canceled or modified.
5. Possibility of revocation in the case of consent
As a user, you have the option to cancel your registration at any time. You can have your stored data changed at any time.
Customers can erase their accounts from the customer account page.
-
Online shop
We offer an online shop on our website. We use the following online shop software for this:
Shopware 6
The website and online shop are hosted on external servers by a service provider we have engaged.
Our service provider is:
Zum goldenen Hirschen
Information automatically transmitted by your browser when you visit the website is automatically collected and stored in "server log files" by the servers. The following information is stored:
-
Browser type and version
-
Operating system used
-
Referring URL
-
Host name of the accessing computer
-
Date and time of server request
-
IP address
This data is not aggregated with data from other sources. This data is collected on the basis of Art. 6(1)(f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of their website, which necessitates the recording of server log files.
We have concluded an agreement on contracted processing with the relevant service provider, under which we require the relevant service provider to protect user data and refrain from disclosing it to third parties.
The website's server is geographically located in Germany.
-
Payment options
1. Description and scope of data processing
We offer our customers various payment methods for the settlement of their orders. To facilitate this, we route customers to the platform of the relevant payment service provider according to their choice of payment method. After the payment process has been completed, we receive the customer's payment data from the payment service providers or our bank and process it in our systems for invoicing and accounting purposes.
Payment via credit card
Customers have the option of concluding the payment process via credit card.
If you have selected payment via credit card, payment data will be forwarded to payment service providers for settlement of the payment. All payment service providers observe the requirements of the Payment Card Industry (PCI) Data Security Standards and have been certified by an independent PCI-qualified security assessor.
The following data is typically transmitted in the context of payment via credit card:
-
Purchase amount
-
Date and time of the purchase
-
First and last name
-
Address
-
E-mail address
-
Credit card number
-
Period of validity of the credit card
-
Security code (CVC)
-
IP address
-
Telephone number / mobile number
Payment data is forwarded to the following payment service providers:
-
PayPal
Further information on data protection policies as well as options for revocation and removal in regard to payment service providers can be found here:
Payment via PayPal
Customers have the option of concluding the payment process via the payment service provider PayPal. In addition to a direct payment method, PayPal also offers purchases on account and via direct debit, credit card, and payment in installments.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg.
If you select PayPal as a payment method, your data which is necessary for the payment process will be transmitted to PayPal automatically.
This entails the following data in particular:
-
Name
-
Address
-
E-mail address
-
Telephone/mobile number
-
IP address
-
Bank details
-
Card number
-
Expiration date and CVC code
-
Item quantity
-
Item number
-
Data on goods and services
-
Transaction total and tax information
-
Information on past purchasing behavior
The data transmitted to PayPal may be sent to credit agencies under certain circumstances. This transmission occurs for the purpose of identity and credit standing verification.
PayPal may also potentially disclose your data to third parties in cases where this is necessary for the fulfillment of contractual obligations or when the data is to be processed via contracted processing. The transmission of your personal data within companies that are affiliated with PayPal is subject to the binding corporate rules that have been approved by the competent supervisory authorities. These can be found here:
https://www.paypal.com/de/webapps/mpp/ua/bcr
Other data transfers may take place on the basis of protective contractual provisions. For more information, please contact PayPal.
All PayPal transactions are subject to PayPal's privacy policy. This can be found here:
https://www.paypal.com/de/webapps/mpp/ua/privacy-full/.
-
Shipping providers
1. Description and scope of data processing
If you order products or services on our website for which a shipping provider is engaged for delivery, you will receive your order and shipping confirmation via your e-mail address, as well as notifications that your delivery has arrived and/or been received and other potential delivery options depending on the respective shipping provider.
Data is transmitted to the following service providers:
-
DHL Paket GmbH, Strässchensweg 10, 53113 Bonn, Germany
-
FedEx Express – European Office, Taurusavenue 111, 2132 LS Hoofddorp, Netherlands
-
UPS Europa SA, Ave Ariane 5, Brussels, B-1200, Belgium
The transmitted data typically entails:
-
Name
-
Address
-
E-mail address
2. Purpose of data processing
The purpose of processing personal data in this context is to provide shipping providers with the opportunity to inform recipients about shipping progress via e-mail and thus to increase the probability of a successful delivery.
3. Legal basis for data processing
The legal basis for the transmission of your e-mail address to the respective shipping provider and the use thereof is your consent in accordance with Art. 6(1)(a) GDPR. The legal basis for the transmission of your address data (first name, last name, address) to the respective shipping provider is Art. 6(1)(1)(b) GDPR, since the processing of this data is necessary for the performance of the concluded purchase agreement.
4. Duration of storage
The transmitted data will be erased by the respective shipping provider once the package has been delivered successfully.
5. Possibility of objection
The shipping provider's notification service can be canceled by the relevant user at any time. Every e-mail contains a corresponding opt-out link for this purpose.
-
Plug-ins used
We use plug-ins for various purposes. The plug-ins used, their purpose, and the relevant legal basis are listed in the following:
Plug-in |
Purpose |
Legal basis |
Google Tag Manager (Google LLC) |
Personal data is processed for the purpose of ensuring consolidated and clear administration and the efficient integration of third-party services. |
As a general rule, the legal basis for processing the user's personal data is the user's consent in accordance with Art. 6(1)(1)(a) GDPR. |
Lexicon / Glossary Professional | Pro |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
SEO Breadcrumb Advanced for Shopware 6 |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Blog Magazine Add-On (including WordPress import) | Public Profiles |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Tile Layouts for Shopping Experiences |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
CMS Powerpack |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
FAQ Manager |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Public Profiles | Basic Version |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Additional Tab Manager Field (HTML/PDF/Video) |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Advanced Slider Elements | Advanced sliders for Shopping Experiences |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Custom JavaScript/CSS Manager for Shopware 6 |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
HTML Shopping Experiences Element with Twig Compiler |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Custom Template Manager |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Manufacturer Slider for Shopping Experiences |
The purpose of the plug-in is to optimize the presentation of the website. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Captcha as text or mathematical formula | Spam protection |
The purpose of the plug-in is to optimize the functions of the contact form. |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
SEO Redirects (301 and 302 redirects) for Shopware 6 |
System expansion for the operation of the shop system |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Set up test server / staging environment |
System expansion for the operation of the shop system |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
BCC-Mailer |
System expansion for the operation of the shop system |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Migration Assistant |
System expansion for the operation of the shop system |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Shopware Store |
Shop system for the fundamental operation of the website |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
PayPal for Shopware 6 |
We use these plug-ins for processing payments in our online shop. |
As a general rule, the legal basis for processing the user's personal data is the fulfillment of a contract with the user in accordance with Art. 6(1)(1)(b) GDPR. |
wallee |
We use these plug-ins for processing payments in our online shop. |
As a general rule, the legal basis for processing the user's personal data is the fulfillment of a contract with the user in accordance with Art. 6(1)(1)(b) GDPR. |
ExportOnEvent |
We use this plug-in for event-based data exports via e-mail and FTP |
As a general rule, the legal basis for processing the user's personal data is the user's consent in accordance with Art. 6(1)(1)(a) GDPR. |
Private Shop – restrict shop access/log-in (B2B, B2C, distributor, distribution) |
System expansion for the operation of the shop system |
The legal basis for processing personal data is the controller's legitimate interest in achieving an external impact with the website in accordance with Art. 6(1)(1)(f) GDPR. |
Duration of storage
Your personal information is stored as long as necessary in order to fulfill the purposes described in this Privacy Policy or as long as prescribe by law.
Revocation and removal option
You have the right to revoke your consent to the processing of personal data at any time. The withdrawal of consent will not affect the lawfulness of processing carried out on the basis of your consent before it was revoked.
Notice on risks
Your personal data will potentially be transmitted to the US. There is no adequacy decision in accordance with Art. 45(3) GDPR in place for the US. Please note that data transmission in the absence of an adequacy decision poses certain risks which we would like to inform you about in the following:
US intelligence agencies use certain online identifiers (such as IP addresses or unique identification numbers) as a starting point for the surveillance of individual persons. As such, the possibility cannot be ruled out that these intelligence agencies have already collected information about you which could be used to associate the data transferred in this context with you.
Providers of electronic communication services headquartered in the US are subject to surveillance by US intelligence agencies in accordance with 50 U.S. Code Section 1881a ("FISA 702"). This states that providers of electronic communication services headquartered in the US are obligated to provide personal data to US authorities in accordance with 50 U.S. Code Section 1881a without this entitling you to any potential options for legal recourse. The encryption of data in the data centers of the provider of electronic communication services cannot provide adequate protection in itself, since providers of electronic communication services have a direct obligation to provide or grant access to imported data that is in their possession or custody or under their control. This obligation has been expressly defined as extending to the cryptographic keys required in order to read the data.
The fact that this is not merely a "theoretical risk" is demonstrated by the ECJ judgment of July 16, 2020 (Case C 311/18, "Schrems II").
For this reason, we have concluded guarantees with our service providers in the form of standard data protection clauses in accordance with Art. 46(2)(c) GDPR. A copy of these standard data protection clauses can be requested from us.
This Privacy Policy was created with the assistance of DataGuard.