Privacy Policy

Ensuring data security, data transparency and the implementation of and compliance with data protection regulations is of paramount importance to us. In principle, visitors can use the contents of our website without providing personal data. However, the use of special services could require the processing of personal data. We always process personal data lawfully and in a manner that is comprehensible to the data subject for specified, clear and legitimate purposes. We always carry out data processing in compliance with the regulations of the Data Protection Regulation (GDPR) and other data protection regulations that are binding for us. Data processing is appropriate to the respective purpose and limited to what is necessary for the purposes of processing. The data will only be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by appropriate technical and organizational measures.

The following privacy policy allows the user of this website an overview of the data collected and processed by us.

Subject matter and scope of the privacy policy

The following data protection declaration serves to inform the user about the type, scope, purpose, duration and legal basis of the processing of personal data as well as the rights to which the user is entitled.

The data protection declaration relates exclusively to the visit to and use of the website www.ivybears.com. If there are links to other websites of different providers, our data protection declaration does not apply to these sites. We have no control or influence over personal data processed via these sites. We recommend that visitors to such linked sites consult the data protection declarations provided there in order to find out about the type and scope of data processing.

We reserve the right to adapt and amend these data protection provisions at any time with effect for the future in accordance with the provisions of data protection law. The latest version can be accessed at www.ivybears.com

Definitions

The following terms used in this privacy policy represent basic terms of the GDPR and shall be briefly explained to the user for better comprehensibility:

Personal data

Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing

Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

Profiling

Profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.

Pseudonymization

Pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Filing system

Filing system means any structured set of personal data accessible according to certain criteria, regardless of whether this collection is maintained centrally, decentrally, or according to functional or geographical criteria.

Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Recipient

Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The aforementioned and other definitions can be found in Article 4 of the GDPR and can be accessed at
https://eur-ex.europa.eu

Name and contact details of the controller

Controller within the meaning of the GDPR and other national data protection laws of the member states of the European Union as well as other data protection regulations is:Rocket Sales GmbH

Düsseldorf Office
Grünstrasse 15
40212 Düsseldorf,
Stilwerk, 3. Stock
C/O Mindspace

Fone: +49 (0) 251 2891980
E-Mail: hello@ivybears.com
Internet: hello@ivybears.com

General information on the processing of personal data

Scope of data processing

As a matter of principle, we only process users’ personal data to the extent that this is necessary in order to provide a functioning website including the associated content. As a rule, the processing of personal data is only initiated on the basis of the consent of the respective user. In cases where obtaining prior consent is not possible for actual reasons and the processing of user data is permitted by legal regulations, this rule is deviated from.

Legal basis for data processing

If personal data is collected in the course of the data subject’s consent, the processing of this data is based on Art. 6 (1) a) GDPR. In the case of processing of personal data that is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures, the legal basis for the processing of such data is Art. 6 (1) b) GDPR.If the processing of personal data is necessary for compliance with a legal obligation to which we are subject, the processing of such data shall be carried out on the basis of Art. 6 (1) c) GDPR.If vital interests of the data subject or another natural person make processing of personal data necessary, the processing of such data shall be based on Article 6(1)(d) of the GDPR.If the processing is necessary to protect a legitimate interest on our part or on the part of a third party and the interests, fundamental rights and freedoms of the data subject do not override the former interest, the lawfulness of the data processing results from Art. 6 (1) f) GDPR.

Deletion of the data / duration of storage

Deletion or blocking of the personal data of the data subject shall take place as soon as the purpose of the storage ceases to apply. The data will also be deleted or blocked if a storage period prescribed by legal regulations of the European Union or national legal regulations of the member states of the European Union or other data protection regulations expires. Storage may be maintained if this is necessary for the conclusion or performance of a contract.

Provision of the internet site

Nature and scope of data processing

Each time our website is accessed, the system used by us automatically collects data and information from the computer system of the accessing computer. This may result in the collection of the following data:

  • The browser types and versions used,
  • The operating system of the accessing user,
  • The internet service provider of the accessing user,
  • The Internet protocol address (IP address) of the accessing user,
  • The date and time of access to the website,
  • The website from which a user accesses the website of the (so-called referrer),
  • The subpages that a user of the website accesses,
  • Other similar data and information that serve to avert danger in the event of attacks on the systems of the.

This collected data and information is stored anonymously in the log files of the system we use. IP addresses are only stored insofar as this is necessary for the provision of services and the retrievability of the website. IP addresses of users are anonymized a short time after the end of the respective session. The data is not stored together with personal data of the user and does not allow any conclusions to be drawn about the person of the user.

Purpose of data processing

The temporary storage of data and information is necessary for us to be able to correctly deliver the content of our website to the user’s system. The storage of the user’s IP address is necessary for the duration of the session. In order to ensure the functionality of the website, the data and information is stored in log files. In addition, the data is used to optimize the content of the website and to ensure the security and permanent functionality of the information technology systems and technology of the website. In the event of cyber attacks, the collected data may constitute necessary information for the investigating law enforcement authorities. The static and anonymous collection of data and information is carried out to optimize data protection and data security in our company. This is to ensure the highest possible protection of collected and processed personal data.

Duration of data storage

The IP addresses stored in the log files are deleted after 7 days at the latest. The data is not archived beyond this period.

Objections against the data processing

The data subject may object to data processing in principle. However, the collection of data and information for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of our website. We therefore have compelling legitimate grounds for the data processing which override the interests, rights and freedoms of the data subject.

Legal basis

For the temporary storage of data and information, in particular in log files, Art. 6 (1) f) GDPR serves as the legal basis. The legitimate interest in collecting the IP address is the interest in providing our website, optimizing the content of the website, ensuring the security and permanent functionality of the information technology systems and the technology of the website. The provision of personal data is neither legally nor contractually required. However, without the processing of the above data, the functionality and accessibility of our website is limited.

Cookies and Web analysis

We use cookies on our website. Cookies are text files that are stored by the internet browser on the user’s computer system. When an internet page is called up, a cookie may be stored on the user’s operating system. This cookie contains a specific character string that allows recognition and identification of the internet browser when the internet page is called up repeatedly.

Nature and scope of data processing

Website cookies

The following types of cookies are used, the scope and functionality of which are explained below:aa. Transient cookiesTransient cookies include, in particular, session cookies. These store a so-called session ID, with which various requests of the user’s terminal device can be assigned. This allows the end device to be recognized when the user returns to the website.bb. Persistent cookiesPersistent cookies are permanent cookies that are used to permanently maintain the settings of a website for the user.

Third party cookies

aa. Google Analytics

Google Analytics” is a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland (Google). Google Analytics uses cookies, which enable an analysis of the user behavior of the data subject. In particular, the so-called Google DoubleClick cookie is used, which enables recognition of the user’s browser when visiting other websites and is used to display interest-based advertising. The information and data collected by Google on the basis of the cookies about the visit and use of our website, in particular the IP address of the user, may be transferred to a server of the US parent company (Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) and stored there. We have concluded an order processing agreement with Google Ireland Limited.

On our behalf, Google will use this information for the purpose of evaluating the use of the website by the respective user, compiling reports on the activities of the respective user on the website and providing us with other services relating to the use of the website and internet usage. A pseudonymous usage profile of the respective user can be created from the processed data.We use Google Analytics only under activation of the anonymization of the IP address of the respective user. The extension “anonymizeIP” is used for this purpose. The IP address of the user concerned is shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area, so that it is no longer possible to refer to a person. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. The IP address transmitted by Google Analytics from the browser of the respective user is not merged with other data from Google. Google may pass this personal data on to third parties.Google provides more information on terms of use, privacy, Google Analytics and cookies at the links below: https://www.google.de/intl/de/policies/ https://support.google.com/analytics/answer/6004245?hl=de http://www.google.com/policies/technologies/ads/ https://policies.google.com/technologies/types?hl=de

bb. Google Ads

To advertise our offers, we use the advertising tool “Google Ads” offered by Google (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Google Ads enables users to place their own advertisements in the Google search engine results and in the Google advertising network. The user specifies certain keywords in advance in order to place and find the advertisements. The respective advertisement is then displayed in the search engine results when the user retrieves a keyword-relevant search result via the Google search engine. If a user accesses the website of the user of Google Ads via a Google ad, a so-called conversion cookie is stored by Google on the user’s end device. This loses its validity after 30 days. It does not serve to identify the person concerned. If the conversion cookie is still active, it is used to find out whether certain subpages on the visited website have been called up. Through the conversion cookie, both the user of Google Ads and Google can see whether a data subject who has accessed the user’s website via an ad has generated a sale, i.e. has made use of the offer or abandoned it. The data and information collected in the context of the use of the conversion cookie are used by Google to create visit statistics for the website of the user. These visit statistics can in turn be used by the user to determine the total number of users who have accessed the user’s website via ads. This serves to determine the success or failure of the respective ad and to be able to optimize future ads. Neither the user nor other advertisers of Google Ads receive information from Google by means of which the data subject could be identified.Information about the usage behavior, such as internet pages visited by the user, is stored by means of the conversion cookie. When the internet pages are called up, the IP address of the person concerned is also transmitted to Google. This personal data is stored by Google. The data may be transferred to a server of the US parent company (Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA) and stored there. Google may pass on the personal data to third parties.

Google provides more information on the use of Google Ads at the links below:

https://ads.google.com/
https://support.google.com/google-ads/

cc. Google Tag Manager

On our website, we use the “Google Tag Manager”, a service of Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland (Google). This tool allows us to integrate and manage website tags centrally via a user interface. The Google Tool Manager itself only implements tags without setting any cookies or collecting or passing on personal data. When using the tool, other tags are triggered, which in turn may collect user data (e.g. Google Analytics and Google Ads). However, the Google Tag Manager does not access this data. If a deactivation is made at domain or cookie level, this will affect all tracking tags that were implemented with the tool.

Google provides more information about the Google Tag Manager here: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/

Google LLC is designated as Privacy Shield certified. A current certificate can be viewed via the link below:

https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

However, this agreement concluded between the USA and the European Commission does not guarantee an adequate level of data protection (see below – Data processing outside the EU).

dd. Social Media Pixel

On our website, we use “Facebook Pixel”, a service of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland (Facebook). This is used to display interest-based advertisements (“Facebook Ads”) placed by us to Facebook users who have visited our website or have shown interest in our offer or in certain topics or products (so-called “Custom Audiences”). The use of the tool allows us to ensure that our Facebook ads are only made available to users who also show a potential interest in our offers. This is intended to prevent a harassing effect of the Facebook ads on users who are not interested. Since we are shown whether a user has been redirected to our website after clicking on our Facebook ads (so-called conversion), we can also determine the effectiveness of our Facebook ads. This serves market research purposes.

Facebook Pixel uses cookies to log the visit to our website by a Facebook user, provided that the user was logged into their Facebook user account during this visit. However, this process does not allow us to draw any conclusions about the person of the user. The user data collected by Facebook Pixel is anonymous for us. However, it may happen that Facebook links the collected data to the user’s Facebook account. Even if the user was not logged into their Facebook account, it is possible that Facebook collects and stores the user’s IP address and possibly other user data (such as the user ID). Facebook may use the data for its own analyses and advertisements. We have no influence on this process. Nor do we have any influence on any further use of the data by Facebook.

Facebook provides the following links for more information about privacy, cookies, ads and Facebook Pixel:

https://www.facebook.com/about/privacy

https://www.facebook.com/policies/cookies

https://help.instagram.com/1896641480634370?ref=ig

https://www.facebook.com/ads/about/?entry_product=ad_preferences_hub

https://www.facebook.com/business/help/742478679120153?id=1205376682832142

The data collected by Facebook may be transferred to a server of the US parent company (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA) and stored there. Facebook may pass on the personal data to third parties.

Facebook Inc. is designated as Privacy Shield certified. A current certificate can be accessed via the link below:

However, this agreement concluded between the USA and the European Commission does not guarantee an adequate level of data protection.

Data processing outside the EU

Regarding the processing of data originating from the EU, the US does not offer an adequate level of data protection on the basis of a decision by the EU Commission. There are not suitable guarantees which means there is a data security risk for the data subject. Possible risks could include the US authorities accessing data originating in the EU for monitoring purposes and being allowed to use this data. Measures undertaken by the authorities may, in certain circumstances, not be limited to the extent necessary. Regarding these measures undertaken by the authorities, the data subject is not entitled to any legal remedies with which the data subject can legally enforce their data privacy rights vis-à-vis the authorities.

In the course of visiting our website, the user is made aware of these circumstances and our privacy policy and consent is obtained from the user for the processing of the data.

Purpose of data processing

The website’s own cookies enable us to set up our website in a more user-friendly and effective manner and to optimize information and offers. Cookies may in part be technically necessary to enable the use of various functions of the website (e.g. language selection, login, shopping cart function). Third-party cookies are used as part of the analysis and advertising tools to increase page traffic and improve the quality of our online offering. By using the tools and cookies, we learn how our website is requested and used by visitors. Based on this knowledge, we can constantly optimize our offer and align it with the interests of the user. In addition, it enables us to place targeted advertising that is relevant to the user’s interests.

Duration of data storage

The website’s own transient cookies expire after the end of the respective session and closure of the browser by the user. The persistent cookies expire after a specified duration, which may differ depending on the cookie.

Google provides overviews of the types of cookies used by Google and the expiry times under the following links:

https://policies.google.com/technologies/types?hl=de
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=de

Objections against the data processing

Changing the internet browser settings

Under the menu items “Settings” or “Help” of the respective internet browser, the user can usually retrieve information regarding the management of cookies. The user can prevent the storage of cookies by changing the settings of the internet browser used. Already stored cookies can be deleted by the user at any time – individually or in their entirety. In this case, the user may not be able to fully use all the functions of our website.The providers of the most popular internet browsers provide information on how to delete and manage cookies at the links below:

Microsoft Internet Explorer: https://support.microsoft.com/de-de/help/17442/windows-internet-explorer-delete-manage-cookies

Google Chrome:

https://support.google.com/accounts/answer/61416?hl=de https://support.google.com/chrome/answer/95647?hl=de&hlrm=en

Mozilla Firefox: https://support.mozilla.org/de/kb/cookies-loeschen-daten-von-websites-entfernen

Apple Safari: https://support.apple.com/kb/PH17191?locale=de_DE&viewlocale=de_DE

Opera: https://help.opera.com/de/latest/web-preferences/#cookies

Do-not-track functions

The providers of the most popular internet browsers also provide a “do-not-track” function. By activating this function, the user can inform websites, applications and advertising networks that they do not want their surfing behavior to be recorded, i.e. “tracked”. By activating this function, the user may receive less relevant advertising.

Information about this feature can be found in the links below:

Internet Explorer: https://support.microsoft.com/de-de/help/17288/windows-internet-explorer-11-use-do-not-track

Google Chrome: https://support.google.com/chrome/answer/2790761?co=GENIE.Platform%3DDesktop&hl=de

Mozilla Firefox: https://www.mozilla.org/de/firefox/dnt/

Opt-out procedure

aa. Google Analytics

The user can prevent the collection of the data generated by the cookies and related to their use of the website (including the IP address), as well as the processing of this data by Google, by installing the browser add-on available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en/a>

bb. Google Ads

The user can object to interest-based advertising by Google by following the instructions available at www.google.de/settings/ads  and deactivating personalized advertising on the web and in Google Search.

cc. Facebook-Pixel

Settings regarding Facebook ads can be made by the user via the following:

Facebook page: https://www.facebook.com/settings?tab=ads

The user can also object to cookies used for advertising purposes and reach measurement via the deactivation page of the network advertising initiative http://optout.networkadvertising.org as well as via the U.S. website http://www.aboutads.info/choices or the European website

http://www.youronlinechoices.com/uk/your-ad-choices

Revocation

The user may at any time revoke any consent given to us for the use of cookies and the processing of personal data. The communication channels listed under III. are available to the user for transmitting the revocation. However, we have no influence on the data collected and stored by Google and Facebook.

Legal basis

We have a legitimate interest in the processing of personal data using technically necessary cookies within the meaning of Art. 6 (1) f) GDPR. This is to use cookies for the optimization and interest-based coordination of our range of services.

The legal basis for data processing by means of cookies which are not technically necessary is the consent of the user within the meaning of Art. 6 (1) p. 1 a) GDPR.

Google Web Fonts

In order to be able to display customized fonts on our website, we use so-called web fonts, an offer from Google. We have stored the web fonts locally on the server we use. A connection to the servers used by Google therefore does not take place when using the web fonts. More information about Google Web Fonts can be found at the following link: https://developers.google.com/fonts/faq.

Contact possibility via the website

Description and scope of data processing

In compliance with legal requirements, we keep a postal address, a telephone number and an email address available for retrieval on our website. The user is free to contact us via these channels. If the user contacts us voluntarily via these channels, the user’s personal data transmitted in the process (e.g. name, address, telephone number, email address) will be stored. Without the express consent of the user or a legal basis, the personal data will not be transferred to third parties. The data is not transferred to a third country.

Social networks

The user can also contact us electronically through the social networks aa. Facebook (operator: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland) und bb. Instagram (operator: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland). We do not collect any data when visiting the aforementioned portals. However, the respective portal operator may collect its own data about visitors to its pages. We have no control or influence over the data collection there. We would like to point out that Facebook and Instagram may transfer the collected data to a server of the US parent company (Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA) and store it there. Facebook and Instagram each provide their own privacy statements under the linkshttps://de-de.facebook.com/privacy/explanationhttps://help.instagram.com/519522125107875

Purpose of data processing

Personal data voluntarily transmitted to us by the user via the aforementioned channels will be processed exclusively for the purpose of handling the contact and enabling further communication. If the user’s contact serves to carry out pre-contractual measures, the personal data will be processed for contract negotiations or the content of a contractual relationship.

Duration of data storage

The deletion of the data transmitted in the above-mentioned ways takes place as soon as they are no longer needed to achieve the purpose of their collection. In the case of contact, this is the case when the conversation with the user concerned has ended. The conversation has ended when the circumstances indicate that the matter in question has been conclusively clarified. This does not apply if the user has expressly consented to the further use of the data. We have no knowledge about the duration of data processing by the above-mentioned social networks. We also have no possibility to influence the duration. In this regard, as well as with regard to any objections to the data processing, you should contact the respective social network directly.

Objections to the data processing

The user may revoke consent given for the processing of personal data at any time. The user may object to the storage of their personal data at any time. In this case, the conversation using the data will not be continued. The communication channels listed under III. are available to the user for the transmission of the revocation and the objection. All personal user data stored in the course of contacting us will be deleted in this case.

Legal basis

In case of an existing consent of the user, the processing of the data is lawful according to Art. 6 para. 1 a) GDPR. If the contact serves the implementation of pre-contractual measures, the processing of the data is also permissible according to Art. 6 para. 1 b) GDPR. We also have a legitimate interest in the processing of personal data to handle the contact and to enable further communication within the meaning of Art. 6 (1) f) GDPR.

The provision of personal data is neither legally nor contractually required. However, without it, it is not possible to deal with the established contact.

Registration

Description and scope of data processing

By providing personal data (first name/last name, email address), the user can register on our website and create a customer account. After the data has been transmitted, it is stored by us. The date and time of registration are also recorded. In the course of registration, the user is informed of this data protection declaration and consent is obtained from the user for the processing of the data. The data is not transferred to a third country.

Purpose of data processing

Registration on our website enables the user to make use of our services and offers, in particular to place orders for goods.

Duration of data storage

The deletion of the data takes place as soon as they are no longer needed to achieve the purpose of their collection. This is in any case the case if the customer changes their data within the customer account or deletes the account entirely. Something else applies if the user has expressly consented to the further use of the data.

Objections to the data processing

The user may revoke consent given for the processing of personal data at any time. The user can delete their customer account at any time without giving reasons. The user can declare the revocation in writing, by telephone and electronically. The communication channels listed under III. are available to the user for the transmission of the revocation.

Legal basis

In case of an existing consent of the user, the processing of the data is lawful according to Art. 6 para. 1 a) GDPR. We also have a legitimate interest in the provision of the registration option to enable the use of our offers and services within the meaning of Art. 6 (1) f) GDPR. The provision of personal data is neither legally nor contractually required. However, registration and the creation of a customer account are not possible without it.

Processing of personal data for the execution of contracts

Description and scope of data processing

Via the store on our website, the user can submit applications for the conclusion of civil law purchase contracts to us. During the order process, the user provides his personal data (first name / last name, address (street, house number, zip code, city) email address), or these data are taken from the created customer account. After the data has been transmitted, it will be stored by us. In the event of the conclusion of a purchase contract, we process the personal user data for the processing of the contract. The processing of the data takes place to the extent that the execution of the contract requires in each case. In general, the data is not transferred to a third country.

Purpose of data processing

The processing of this personal user data serves the proper execution of the concluded contract and the fulfillment of the legal obligations arising from the contractual relationship (e.g. sending of the goods to the customer, invoicing).

Duration of data storage

The deletion of the data takes place as soon as they are no longer needed to achieve the purpose of their collection. Generally, we store the personal data for the duration of the contractual relationship. After the contract has been completely fulfilled, the data is blocked for further processing and completely deleted after the expiry of any relevant statutory periods (e.g. statutory warranty or contractual guarantee periods). The retention of data provided for under commercial and tax regulations, if applicable, will be carried out for the periods applicable under these regulations. Something else applies if the user has expressly consented to the further use of the data.

Objections to the data processing

Consent given for the processing of personal data may be revoked by the user at any time. The revocation can be declared in writing, by telephone and electronically. The communication channels listed under III. are available to the user for this purpose. If the data processing is necessary for the fulfillment of the contract, an early deletion of the data is only possible if the deletion does not conflict with any contractual or legal obligations.

Legal basis

In the case of an existing consent of the user, the processing of the data is lawful according to Art. 6 para. 1 a) GDPR. If the data processing serves the fulfillment of the contract, it is also permissible according to Art. 6 para. 1 b) GDPR. The provision of personal data is generally neither legally nor contractually required. However, this is necessary for the conclusion of a contractual relationship and the processing of the contract.

Newsletter dispatch by email

Description and scope of data processing

The user has the option of registering to receive a newsletter free of charge via our website. To subscribe to the newsletter, the user enters the required minimum data (email address) in the input mask provided. After the data has been transmitted, it is stored by us. The date and time of registration for the newsletter is also recorded. In the course of registration, the user is referred to this Privacy Policy and the consent of the user for the processing of data is obtained. The data collected is used exclusively for sending newsletters and is not passed on to third parties. The data is not transferred to a third country. As a rule, only our own offers are advertised within the newsletter.

Purpose of data processing

The user’s email address is used to send the requested newsletter to the user. The delivery serves to enable extended advertising measures and customer loyalty.

Duration of data storage

The deletion of the data takes place as soon as they are no longer needed to achieve the purpose for which they were collected. This is the case if we stop sending newsletters or the user revokes their consent to receive the newsletter.

Objections to the data processing

The user may unsubscribe from the newsletter at any time and revoke the consent given for the processing of personal data by selecting the unsubscribe link placed in the email. The user can also declare their revocation via the communication channels listed under III.

Legal basis

In the case of an existing consent of the user, the processing of the data is lawful according to Art. 6 para. 1 a) GDPR. There is also a legitimate interest in enabling the delivery of the requested newsletter within the meaning of Art. 6 (1) f) GDPR. Likewise, in enabling proof of possible misuse of the email address used. The provision of personal data is neither legally nor contractually required. However, the dispatch of newsletters cannot be carried out without the data.

Sending review requests by email

Description and scope of data processing

In the course of the ordering process, we ask the user with reference to this privacy policy whether they agree to receive review requests by email. If the user gives us such consent, we use the email address provided by the user in the course of registration / ordering to ask them to submit a review.

Purpose of data processing

The user’s email address is used to send them review requests. The delivery serves to enable extended advertising measures and customer loyalty.

Duration of data storage

The deletion of the data takes place as soon as they are no longer needed to achieve the purpose for which they were collected. This is the case when we stop sending review requests or the user revokes their consent to receive them.

Objections to the data processing

The user may revoke the consent given for the processing of his/her email address at any time by selecting the unsubscribe link placed in the email. The user can also declare the revocation in writing, by telephone and electronically via the communication channels listed under III.

Legal basis

In case of an existing consent of the user, the processing of the data is lawful according to Art. 6 para. 1 a) GDPR.

The provision of personal data is neither legally nor contractually required. However, the sending of review requests cannot be made without the data.

Disclosure of data to third parties

Description and scope of data processing

Personal data will not be disclosed to third parties without the express consent of the data subject. Excluded from this is a transfer to those service providers whose services we use for the processing of contractual relationships or as part of an order processing (Art. 28 GDPR). In addition to the recipients named in the preceding and following sections of this privacy policy, these may include recipients of the following categories: IT/EDP service providers (esp. host, customer support, financial accounting, payroll accounting), financial service providers (e.g. payment service providers, collection companies), shipping service providers, credit agencies, tax advisors. In general, the data is not transferred to a third country.

Payment service provider

aa. PayPal

To settle a fee owed to us, the user can use the services of the online payment service PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, (PayPal). In the course of the ordering process, the user is automatically redirected to the payment page of PayPal, where the payment must be confirmed. To process the payment, the payment data collected for this purpose will be passed on to PayPal. PayPal may collect its own data through the use of the payment service.

If the payment method “invoice” via PayPal Plus is available to the user during the order process, the user is asked to consent to the disclosure of the data that PayPal requires in order to carry out an identity and credit check. In the case of consent, this data will be passed on to PayPal. For the identity and credit check PayPal passes on the data to suitable credit agencies. PayPal provides further information on this at https://www.paypal.com/de/webapps/mpp/ua/useragreement-full?locale.x=de_DE#int_6b .

We have no control or influence with regard to the data collection by PayPal or the respective requested credit agency. The user should contact PayPal directly regarding the data collected by PayPal. PayPal provides its own privacy policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full .

bb. Apple Pay

The user can also make payments via “Apple Pay”. This is a service of Apple Distribution International Limited (Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland) (Apple). For users not resident in Germany, the responsibility for the service may differ. Apple provides an overview of all Apple partner companies at https://www.apple.com/de/legal/privacy/de-ww/affiliated-company  . This payment option is available for end devices running the iOS, watchOS or macOS operating systems on which the “Apple Pay” function is activated.

The transaction data is transmitted to Apple in encrypted form. Before the data is sent to the payment processor, Apple encrypts it again with a developer-specific key that ensures that only the website through which the purchase was made can access the encrypted data. Together with a transaction-specific, dynamic security code, Apple sends the user’s device account number to the relevant website after the payment has been made. The payment card (debit or credit card) number stored with Apple is not transmitted. Apple also does not store the card number on the terminal device used or on Apple servers, so that the transaction data cannot be traced back to the user. To release the payment, the user may have to enter a code stored with Apple or verify the payment by using the “Face ID” or “Touch ID” function of the end device used.

Apple stores anonymized transaction data such as the approximate purchase amount, the approximate date and time, and whether the transaction was completed successfully. Apple uses this data to improve “Apple Pay” and other Apple products and services. Due to the anonymization of the data, no conclusions can be drawn regarding the person of the user.

When “Apple Pay” is used on an iPhone or Apple Watch to confirm a purchase made through a Mac, the Mac and the authorization device communicate over an encrypted channel on Apple’s servers. Apple does not retain any of this information in a format that identifies the individual user. The user can disable the Apple Pay feature on the Mac in the iPhone’s settings.

Apple provides more information on the “Apple Pay” payment method and data protection at https://www.apple.com/de/apple-pay und https://support.apple.com/de-de/HT203027 .

Purpose of data processing

The processing of this personal data serves the proper handling of the contractual relationship existing with the user and the fulfillment of the legal obligations arising from the contractual relationship. The transfer of data to payment service providers serves to outsource and optimize payment processing.

Duration of data storage

The deletion of the data takes place as soon as they are no longer needed to achieve the purpose for which they were collected. The duration of the processing of personal user data by PayPal and Apple is beyond our knowledge/ influence/ and responsibility. For information about the specific duration of data processing, the user should contact PayPal and Apple directly.

Objections to the data processing

The user may revoke consent given for the processing of personal data at any time. For this purpose, the user has the communication channels listed under III. at their disposal. If the data processing is necessary for the fulfillment of the contract, an early deletion of the data is only possible if the deletion does not conflict with any contractual or legal obligations. To exercise any rights existing against PayPal or Apple, the user should contact the payment service providers directly.

Legal basis

The provision of personal data is neither required by law nor by contract. Without them, however, the use of our range of services is not possible, or potentially only possible to a limited extent.

Automated decision making including profiling

An automatic decision-making process for the establishment and implementation of business relationships within the meaning of Art. 22 GDPR is not carried out by us. Personal data is not processed by us in an automated manner. Personal data is not used to evaluate certain personal aspects relating to the user (profiling).

Rights of the data subject

Right to confirmation

Any data subject may obtain from the controller confirmation as to whether personal data relating to him or her are being processed (Art. 15(1), clause 1 GDPR).

Right to information

Any person affected by the processing of personal data may at any time request from the controller free of charge information about the personal data stored about them and the following information (Art. 15 para. 1 (2). clause 1 GDPR):

The purposes of processing:

The categories of personal data that are processed;

The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;

If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;

The existence of a right to rectification or erasure of personal data concerning them or to restriction of processing by the controller or a right to object to such processing;

The existence of a right of appeal to a supervisory authority;

If the personal data are not collected from the data subject, any available information on the origin of the data;

The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

If personal data are transferred to a third country or to an international organization, the data subject has the right to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

Every data subject has the right to request information on whether personal data concerning him or her is transferred to a third country or to an international organization. In this context, it may be requested to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer (Art. 15 (2) GDPR).

Right to rectification

Any person affected by the processing of personal data has the right to obtain from the controller the rectification without delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject may also request the completion of incomplete personal data, including by means of a supplementary declaration (Article 16 GDPR).

Right to deletion

Any person affected by the processing of personal data has the right vis-à-vis the controller to erase personal data concerning him or her without undue delay. The controller is obliged to erase personal data without undue delay if one of the following reasons applies (Art. 17(1) GDPR).

The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

The data subject revokes his/her consent on which the processing is based pursuant to Art. 6 para. 1 a) GDPR or Article 9 (2) a) GDPR and there is no other legal basis for the processing.

The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR.

The personal data have been processed unlawfully.

The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.

The personal data was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

If the controller has made the personal data public and is obliged to erase it pursuant to Article 17(1) of the GDPR, s/he shall take reasonable measures, including technical measures, taking into account the available technology and the cost of implementation, to inform data controllers who process the personal data that a data subject has requested the erasure of all links to, or copies or replications of, that personal data (Article 17(2) GDPR).

The right to erasure does not exist insofar as the processing is necessary (Art. 17 (3) GDPR)

To exercise of the right to freedom of expression and information;

To comply with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

For reasons of public interest in the area of public health pursuant to Art. 9 (2) h) and i) GDPR and Art. 9 (3) GDPR;

For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) of the GDPR, where the right referred to in Article 17(1) of the GDPR is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or

To assert, exercise or defend legal claims.

Right to restriction of processing

The data subject has the right to obtain from the controller the restriction of processing if one of the following conditions is met (Art. 18(1) GDPR):

The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data,

The processing is unlawful and the data subject refuses the erasure of the personal data and instead requests the restriction of the use of the personal data;

The controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the assertion, exercise or defense of legal claims; or

If the processing of personal data has been restricted, such data may be processed – apart from being stored – only with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State (Art. 18(2) GDPR).

A data subject who has obtained a restriction of processing pursuant to Article 18(21) of the GDPR shall be informed by the controller before the restriction is lifted (Article 18(3) of the GDPR).

Right to data portability

Any person concerned by the processing of personal data has the right to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and has the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that

The processing is based on consent pursuant to Art. 6 (1) a) GDPR or Art. 9 (2) a) GDPR or to a contract pursuant to Art. 6 (1) b) GDPR and

The processing is carried out with the aid of automated procedures (Art. 20 (1) GDPR).

In exercising his or her right to data portability pursuant to Art 20, paragraph 1, GDPR the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible (Art. 20(2) of the GDPR).

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 20(3) GDPR).

Right of objection

Any person concerned by the processing of personal data has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her carried out on the basis of Article 6(1)(e) or (f) of the GDPR, including to any profiling based on those provisions. The controller shall no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims (Article 21(1) GDPR). If personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this shall also apply to profiling insofar as it is related to such direct marketing (Article 21 (2) of the GDPR).If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes (Article 21 (3) GDPR).In connection with the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications (Article 21(5) GDPR).

Right to revoke a declaration of consent under data protection law

Every person affected by the processing of personal data has the right to revoke his or her declaration of consent under data protection law at any time vis-à-vis the controller. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation (Art. 7 (3) GDPR).

Automated decision in individual cases including profiling

Any person concerned by the processing of personal data has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22(1) GDPR). This does not apply if the decision

is necessary for the conclusion or performance of a contract between the data subject and the controller,

is permitted by Union or Member State legislation to which the controller is subject and that legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject; or

with the express consent of the data subject (Art. 22(2) GDPR)

Decisions covered by Article 22(2) of the GDPR may not be based on special categories of personal data pursuant to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject (Article 22(4) of the GDPR).

In order to exercise the rights listed above, the data subject may contact the data controller identified in III. above.

Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, any data subject of the processing of personal data shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, workplace or the place of the alleged breach, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR (Article 77 GDPR).

SSL Encryption

In order to protect the transmission of confidential content and to prevent third parties from accessing the content, we use SSL encryption on our website. This type of encryption can be recognized by the display “https://” appearing in the address line of the browser as well as by the lock symbol.