Privacy Policy and Data Protection

Preamble

With the following privacy policy, we would like to inform you about which types of your personal data (hereinafter also referred to as “data”) we process for which purposes and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences such as our social media profiles (collectively referred to below as “Online Services”).

The terms used are not gender-specific.

Last updated: March 10, 2024

Controller

Börsenstraße 4
70174 Stuttgart, Germany

Email address: service@boeres.tech

Imprint: boeres.tech/pages/imprint

Contact Details of the Data Protection Officer

service@boeres.tech

Relevant Legal Bases

Relevant legal bases under the GDPR: Below you will find an overview of the GDPR legal bases on which we rely for processing personal data. Please note that, in addition to the GDPR provisions, national data protection regulations of your or our country of residence or habitual abode may also apply. If more specific legal bases apply in certain cases, we will point this out in the privacy policy.

  • Consent (Article 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a contract and pre-contractual enquiries (Article 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract.
  • Compliance with a legal obligation (Article 6(1)(c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Article 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

National data protection provisions in Germany: In addition to the GDPR, Germany has national data protection regulations. These include, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains specific provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, transfers, and automated decision-making including profiling. Furthermore, data protection laws of individual federal states may also apply.

Note on the applicability of the GDPR and the Swiss Federal Act on Data Protection (FADP): This privacy notice serves to provide information pursuant to both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).

Overview of Processing Activities

The following overview summarizes the types of data processed, the purposes for which they are processed, and the categories of data subjects.

Categories of Processed Data

  • Master data.
  • Payment data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication, and process data.
  • Contact information (Facebook).
  • Event data (Facebook).

Categories of Data Subjects

  • Customers.
  • Employees.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Business and contractual partners.

Purposes of Processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Contact requests and communication.
  • Security measures.
  • Direct marketing.
  • Web analytics.
  • Targeting.
  • Office and organizational procedures.
  • Remarketing.
  • Conversion tracking.
  • Affiliate tracking.
  • Management and response to enquiries.
  • Feedback.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online services and user-friendliness.
  • Information technology infrastructure.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include in particular safeguarding the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, entry, transmission, backup, and separation of the data. We have also established procedures to ensure that data subjects’ rights are respected, that data can be deleted, and that we are able to respond quickly to data breaches. Furthermore, we consider data protection when developing or selecting hardware, software, and service providers, in accordance with the principles of data protection by design and by default.

TLS Encryption (https): To protect the data you transmit via our Online Services, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in your browser’s address bar.

Disclosure of Personal Data

As part of our processing of personal data, it may be necessary to transfer or disclose the data to other entities, companies, or persons. Recipients of such data may include service providers commissioned by us in the IT sector or providers of services and content integrated into a website. In such cases, legal requirements are observed and, in particular, appropriate contracts or agreements to protect your data are concluded with the recipients.

  • Types of data processed: master data (e.g., names, addresses); contact data (e.g., email, telephone numbers)
  • Data subjects: customers
  • Purposes of processing: delivery of ordered goods

Disclosure of Personal Data to Shipping Service Providers:

  • DHL
    If delivery of the goods is carried out by the shipping service provider DHL (DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany), we will, with your explicit consent given during the ordering process and in accordance with Art. 6 (1)(a) GDPR, provide your email address to DHL prior to delivery to arrange a delivery appointment or for delivery notification. Otherwise, we will only share the recipient’s name and delivery address with DHL so that they can carry out the delivery in accordance with Art. 6 (1)(b) GDPR. Disclosure is only made to the extent necessary for the delivery of the goods. In this case, prior coordination of the delivery appointment or delivery notification with DHL is not possible.

    You may withdraw your consent at any time with future effect by contacting the responsible person named above or the shipping service provider DHL.

  • DHL Express
    If the delivery of goods is carried out by the shipping service provider DHL Express (DHL Express Germany GmbH, Heinrich‑Brüning‑Str. 5, 53113 Bonn, Germany), we will, in accordance with Art. 6 (1)(a) GDPR and provided you have given your explicit consent during the ordering process, share your email address with DHL Express prior to delivery to arrange a delivery appointment or receive a delivery notification. Otherwise, we will only share the recipient’s name and delivery address with DHL Express for the purpose of delivery in accordance with Art. 6 (1)(b) GDPR. Disclosure is limited to what is necessary for the delivery of the goods. In this case, prior coordination of a delivery appointment or delivery notification with DHL Express is not possible. You may withdraw your consent at any time with future effect by contacting the aforementioned responsible person or DHL Express.
  • FedEx
    If the delivery of goods is carried out by the shipping service provider FedEx (FedEx Express Germany GmbH, Langer Kornweg 34 k, 65451 Kelsterbach), we will, in accordance with Art. 6 (1)(a) GDPR and provided you have given your explicit consent during the ordering process, share your email address and telephone number with FedEx prior to delivery to arrange a delivery appointment or receive a delivery notification. Otherwise, we will only share the recipient’s name and delivery address with FedEx for the purpose of delivery in accordance with Art. 6 (1)(b) GDPR. Disclosure is limited to what is necessary for the delivery of the goods. In this case, prior coordination of a delivery appointment or delivery notification with FedEx is not possible. You may withdraw your consent at any time with future effect by contacting the aforementioned responsible person or FedEx.
  • GLS
    If the delivery of goods is carried out by the shipping service provider GLS (GLS – General Logistics Systems Germany GmbH & Co. OHG, GLS Germany‑Str. 1‑7, 36286 Neuenstein, Germany), we will, in accordance with Art. 6 (1)(a) GDPR and provided you have given your explicit consent during the ordering process, share your email address and telephone number with GLS prior to delivery to arrange a delivery appointment or receive a delivery notification. Otherwise, we will only share the recipient’s name and delivery address with GLS for the purpose of delivery in accordance with Art. 6 (1)(b) GDPR. Disclosure is limited to what is necessary for the delivery of the goods. In this case, prior coordination of a delivery appointment or delivery notification with GLS is not possible. You may withdraw your consent at any time with future effect by contacting the aforementioned responsible person or GLS.

International Data Transfers

Where we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or disclosure/transmission of data to other persons, entities, or companies occurs when using third‑party services, this is done only in compliance with legal requirements.

Subject to explicit consent or transmission based on legal or contractual obligations, we process or have data processed only in third countries with a recognized level of data protection, based on appropriate safeguards such as contractual commitments via the EU Commission’s standard contractual clauses or where certifications or binding internal data protection rules exist (Art. 44–49 GDPR; EU Commission info: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Data processing in third countries: When we process data in a third country (i.e., outside the EU/EEA) or processing occurs as part of using third‑party services or disclosing/transferring data to other persons, organizations, or companies, this is done only in accordance with legal requirements.

Subject to explicit consent or legally/contractually required transfers (see Art. 49 GDPR), we process or have data processed only in third countries with a recognized level of data protection (Art. 45 GDPR), provided contractual obligations are met by adhering to the EU Commission’s standard contractual clauses (Art. 46 GDPR) or where certifications or binding internal data protection rules exist (see Art. 44–49 GDPR; EU Commission info: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

EU‑US Data Privacy Framework: Under the so‑called “Data Privacy Framework” (DPF), the EU Commission recognized the data protection level of certain US companies as adequate by adequacy decision of July 10, 2023. The list of certified companies and more information on the DPF can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/. We inform you which of our service providers are certified under the Data Privacy Framework as part of our privacy information.

Disclosure of personal data abroad: Under the Swiss Federal Act on Data Protection (FADP), we disclose personal data abroad only if an adequate level of protection for the data subjects is ensured (Art. 16 Swiss FADP). If the Federal Council determines that no adequate level exists, we implement alternative safeguards. These may include international agreements, specific guarantees, contractual data protection clauses, standard data protection clauses approved by the Swiss FDPIC, or international data protection provisions previously recognized by the FDPIC or another competent authority.

Under Art. 16 Swiss FADP, exceptions to cross‑border data disclosures may be made under certain conditions, including the data subject’s consent, contract performance, public interest, protection of life or physical integrity, publicly available data, or data from a legally prescribed register. Such disclosures always comply with legal requirements.

Rights of Data Subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, particularly those in Articles 15–21:

  • Right to object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data under Art. 6 (1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing, you have the right to object at any time to the processing of your personal data for such marketing purposes; this includes profiling to the extent it relates to direct marketing.
  • Right to withdraw consent: You have the right to withdraw consent at any time.
  • Right of access: You have the right to ascertain whether your data are being processed and to receive information and a copy of the data in accordance with legal provisions.
  • Right to rectification: You have the right to request completion of incomplete data or correction of inaccurate data concerning you, in accordance with legal provisions.
  • Right to erasure and right to restriction of processing: Under legal conditions, you have the right to request immediate deletion of the data or, alternatively, restriction of processing.
  • Right to data portability: You have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format, or to request transmission to another controller, pursuant to legal requirements.
  • Right to lodge a complaint with a supervisory authority: Under the law and without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with a data protection authority—particularly in the Member State of your habitual residence, your workplace, or the place of the alleged infringement—if you believe processing of your personal data violates the GDPR.

Rights under the Swiss FADP:

As a data subject under the Swiss FADP, you have the following rights:

  • Right of access: You have the right to request confirmation of whether personal data concerning you are being processed, and to receive the information necessary to exercise your rights under the Swiss FADP and ensure transparent data processing.
  • Right to data release or transfer: You have the right to request release of your personal data provided to us in a commonly used electronic format and its transfer to another controller, unless this is disproportionate.
  • Right to rectification: You have the right to request correction of incorrect personal data concerning you.
  • Rights to object, erasure, and destruction: You have the right to object to processing of your data and to request deletion or destruction of personal data concerning you.

Use of Cookies

Cookies are small text files or other data records that store information on user devices and read information from those devices. They are used, for example, to save the login status of a user account, the contents of a shopping cart in an online shop, the content retrieved, or the features used. Cookies can also be used for various purposes such as functionality, security, and usability of online offerings, as well as for analyzing visitor flow.

Consent Information: We use cookies in accordance with legal requirements. Therefore, we obtain users’ consent in advance unless this is not legally required. In particular, consent is not required if storage and retrieval of information, including cookies, are strictly necessary to provide a service explicitly requested by the subscriber or user. Essential cookies typically include those for displaying and operating the online service, load balancing, security, storing user preferences and selections, or similar purposes related to delivering the primary and secondary functions of the requested online service. Users are clearly informed of their right to withdraw consent, and details on cookie usage are provided.

Legal Basis for Data Protection: The legal basis on which we process users’ personal data using cookies depends on whether we request users’ consent. If users consent, the processing is based on their explicit consent. Otherwise, cookie-based data processing is based on our legitimate interests (e.g., operating and improving the usability of our online services) or, if necessary to fulfill our contractual obligations, on the necessity of cookies to perform our contractual duties. The specific purposes of our cookie processing are detailed in this privacy policy or in our consent and processing procedures.

Retention Period: Regarding retention, the following types of cookies are distinguished:

  • Temporary Cookies (also “Session Cookies”): These are deleted at the latest when a user leaves an online service and closes their device (i.e., browser or mobile application).
  • Persistent Cookies: These remain stored even after the device is closed. For example, login status may be saved, or preferred content may be displayed immediately upon revisiting a site. Similarly, user data collected via cookies may be used for audience measurement. Unless we explicitly inform users about cookie types and retention periods (e.g., when obtaining consent), users should assume cookies are persistent and may be retained for up to two years.

General Notes on Withdrawal and Objection (“Opt-Out”): Users can withdraw their consent at any time and, in accordance with legal requirements, object to processing. Users can restrict cookie use in their browser settings (though this may limit functionality). To object to cookies used for online marketing, users can also visit https://optout.aboutads.info and https://www.youronlinechoices.com/.

  • Legal Basis: Legitimate interests (Article 6(1)(f) GDPR); Consent (Article 6(1)(a) GDPR).

Further Information on Processing Methods, Procedures, and Services Used:

  • Consent‑Based Cookie Data Processing: We use a cookie management solution that allows users to grant, manage, and withdraw consent for the use of cookies or the procedures and providers listed in the cookie management solution. The consent declaration is stored so that it does not need to be requested again, and can be evidenced in compliance with legal requirements. Storage may occur server‑side and/or in a cookie (so‑called opt‑out cookie or similar technology) to associate consent with a user or device. Subject to specific information from cookie management providers, the following applies: Consent may be stored for up to two years. In this case, a pseudonymous user identifier is generated and stored along with the date/time of consent, details on the scope of consent (e.g., which categories of cookies and/or providers), as well as browser, system, and device information; Legal basis: Consent (Article 6 (1)(a) GDPR).
  • Consentmo GDPR: Cookie consent management; Stored data (on the provider’s server): the user’s anonymized IP address (last three digits set to 0), date and time of consent, browser details, the URL from which consent was given, an anonymous, random, encrypted key value; the user’s consent status; Website: https://www.consentmo.com/; Privacy Policy: https://www.consentmo.com/privacy-policy-terms-of-service/.

Business Services

We process data from our contractual and business partners, e.g., customers and prospects (hereinafter “Contractual Partners”), in the context of contractual and similar legal relationships as well as related actions and communications with partners, including pre‑contractual inquiries.

We process this data to fulfill our contractual obligations, including delivering agreed services, any update obligations, warranty claims, and troubleshooting. Furthermore, we process data to protect our rights and for administrative tasks related to these obligations and company organization. We also process data based on our legitimate interests in proper and efficient business operations and security measures to protect our partners and business activities from misuse, data compromise, and threats to confidentiality, information, and rights (e.g., when engaging telecommunications, transport, and other auxiliary services, subcontractors, banks, tax and legal advisors, payment service providers, or tax authorities). Under applicable law, we share partners’ data with third parties only to the extent necessary for these purposes or to comply with legal obligations. Contractual Partners are informed of additional processing (e.g., marketing) within this privacy policy.

We inform Contractual Partners which data are required for the aforementioned purposes at or before data collection, e.g., in online forms by special marking (e.g., color coding) and/or symbols (e.g., asterisks) or in person.

We delete data after statutory warranty and similar obligations expire—generally after four years—unless the data are stored in a customer account or must be retained for legal archiving purposes. The statutory retention period for tax‑relevant documents and for business ledgers, inventories, opening balance sheets, annual financial statements, supporting documents necessary for understanding them, and other organizational and bookkeeping records is ten years; for commercial letters received and copies of commercial letters sent, it is six years. The period begins at the end of the calendar year in which the last entry was made or the document was received, sent, or created.

If we use third‑party providers or platforms to deliver our services, the respective third‑party terms and privacy policies apply to the relationship between users and those providers.

  • Processed Data Types: Master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); contract data (e.g., contract subject, duration, customer group); usage data (e.g., visited websites, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data Subjects: Customers; prospects; business and contractual partners.
  • Purposes of Processing: Provision of contractual services and fulfillment of contractual obligations; security measures; contact requests and communication; office and organizational procedures; management and response to inquiries.
  • Legal Basis: Performance of a contract and pre‑contractual inquiries (Article 6 (1)(b) GDPR); compliance with a legal obligation (Article 6 (1)(c) GDPR); legitimate interests (Article 6 (1)(f) GDPR).

Further information on processing methods, procedures, and services used:

  • Customer Account: Customers can create an account within our online offering (e.g., customer or user account, hereinafter “Customer Account”). If creating a Customer Account is required, customers are informed of this and the details needed to register. Customer Accounts are not public and cannot be indexed by search engines. During registration and subsequent login and use of the Customer Account, we store the account holders’ IP addresses along with access times to verify logins and prevent potential misuse. Once the Customer Account is closed, its data are deleted after the closure date unless retention is necessary for reasons other than providing the account or is required by law (e.g., internal storage of customer data, order processing, or invoicing). Customers are responsible for backing up their data when closing their account; Legal basis: performance of a contract and pre-contractual enquiries (Article 6 (1)(b) GDPR).
  • Online Shop and E-Commerce: We process our customers’ data to enable them to select, purchase, or order the chosen products, goods, and related services and to handle payment, delivery, or execution of other services. If necessary, we use service providers—particularly postal, freight, and shipping companies—to deliver or execute orders for our customers. For payment processing, we use the services of banks and payment service providers. The required details are marked as such during the ordering process or a comparable purchasing process and include delivery or alternative provision details, invoicing information, and contact details needed for support; Legal basis: performance of a contract and pre-contractual enquiries (Article 6 (1)(b) GDPR).

Use of Online Marketplaces for Listing and Sales

We offer our services on online marketplaces operated by other providers. In addition to our privacy policy, the privacy policies of the respective marketplaces apply. This is particularly relevant for payment processing and the methods used on the platforms for performance measurement and behavior-based advertising.

  • Processed data types: master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, telephone numbers); contract data (e.g., contract subject, duration, customer group); usage data (e.g., visited websites, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: customers.
  • Purposes of processing: provision of contractual services and fulfillment of contractual obligations; marketing.
  • Legal basis: performance of a contract and pre-contractual enquiries (Article 6 (1)(b) GDPR); legitimate interests (Article 6 (1)(f) GDPR).

Further information on processing methods, procedures, and services used:

Providers and Services in the Course of Business Operations

In the course of our business activities, we use additional services, platforms, interfaces, or plug‑ins from third‑party providers (hereinafter “Services”) in compliance with legal requirements. Their use is based on our interest in the proper, lawful, and efficient management of our business operations and internal organization.

  • Types of data processed: master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., email, phone numbers); content data (e.g., text entries, photographs, videos); contract data (e.g., contract subject, duration, customer group); usage data (e.g., visited websites, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: customers; prospects; users (e.g., website visitors, online service users); business and contractual partners; employees (e.g., staff, applicants); communication partners (recipients of emails, letters, etc.).
  • Purposes of processing: provision of contractual services and fulfillment of contractual obligations; office and organizational procedures; direct marketing (e.g., via email or postal mail); web analytics (e.g., access statistics, recognition of returning visitors); feedback collection (e.g., via online forms); marketing.
  • Legal basis: legitimate interests (Article 6 (1)(f) GDPR); consent (Article 6 (1)(a) GDPR).

Further information on processing methods, procedures, and services used:

  • DATEV: Software for accounting, communication with tax advisors and authorities, including document storage; Service provider: DATEV eG, Paumgartnerstr. 6 – 14, 90429 Nuremberg, Germany; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.datev.de/web/de/mydatev/online-anwendungen/; Privacy policy: https://www.datev.de/web/de/m/ueber-datev/datenschutz/; Data processing agreement: provided by the service provider.
  • Loox: Creation of testimonials, customer experiences, and reviews, as well as a rewards system for customers; Service provider: Loox Online Ltd., 2 Rehov Har Sinai, 6581602 Tel Aviv‑Jaffa, Israel; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Website: https://loox.app/; Privacy policy: https://loox.io/legal/privacy_policy_users.pdf.
  • Brevo: Email delivery and automation services; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Data processing agreement: provided by the service provider; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Website: https://www.brevo.com/; Privacy policy: https://www.brevo.com/de/legal/privacypolicy/.
  • Trusted Shops (Trustbadge): Review and rating platform – Under the joint responsibility between us and Trusted Shops, please direct data protection inquiries and rights assertions primarily to Trusted Shops using the contact details in their privacy policy. You may also contact any data protection officer of your choice; your request will be forwarded as necessary. The Trustbadge is provided by a U.S.-based CDN provider. Adequate protection is ensured by standard contractual clauses and other contractual measures. When the Trustbadge is loaded, the web server automatically logs a server log file containing your IP address, date/time of access, data volume transferred, and requesting provider. The IP address is anonymized immediately so it cannot be linked to you personally. The anonymized data are used for statistical and error‑analysis purposes. If you have given consent, after completing your order the Trustbadge accesses order data stored on your device (total order amount, order number, purchased product, if applicable) and your email address, which is hashed with a one‑way cryptographic function. The hash value, along with order data, is transmitted to Trusted Shops under Article 6 (1)(a) GDPR to verify whether you are registered for Trusted Shops services. If so, further processing is based on the contractual agreement between you and Trusted Shops. If you are not yet using the services or did not consent to automatic detection via the Trustbadge, you may later register manually or secure protection under any existing user agreement. To do so, the Trustbadge accesses the total order amount, order number, and email address stored on your device. This is required for us to offer purchase protection. 
    Data are transmitted to Trusted Shops only if you actively opt in by clicking the designated button in the so‑called “trust card.” If you choose the services, further processing is based on the contractual agreement with Trusted Shops under Article 6 (1)(b) GDPR to complete your purchase protection registration and secure your order, and to send review invitations by email if applicable. Trusted Shops uses providers for hosting, monitoring, and logging. Legal basis is Article 6 (1)(f) GDPR for uninterrupted operation. Processing may occur in third countries (USA and Israel). Adequate protection for the USA is ensured via standard contractual clauses and other contractual measures; for Israel via an adequacy decision; Service provider: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal basis: consent (Article 6 (1)(a) GDPR), legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.trustedshops.de; Privacy policy: https://www.trustedshops.de/impressum/#datenschutz.

Payment Methods

In the context of contractual and other legal relationships, due to legal obligations, or based on our legitimate interests, we offer data subjects efficient and secure payment options and, in addition to banks and credit institutions (hereinafter “payment service providers”), use other providers for this purpose.

The data processed by payment service providers include master data such as name and address; payment data such as account or credit card numbers, passwords, TANs, and checksums; and contract‑, amount‑, and recipient‑related information. These details are necessary to execute transactions. However, the entered data are processed and stored only by the payment service providers. This means we do not receive account or card information, only confirmation or rejection of payment. In certain cases, data may be transmitted by the payment service providers to credit agencies to verify identity and creditworthiness. Please refer to the terms and privacy policies of the payment service providers.

The terms and privacy policies of the respective payment service providers apply to payment transactions and can be viewed on their websites or transaction interfaces. We also refer to these for information on withdrawing consent, exercising access rights, and other data subject rights.

  • Processed data types: master data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contract data (e.g., contract subject, duration, customer group); usage data (e.g., visited websites, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status); contact data (e.g., email, phone numbers).
  • Data subjects: customers; prospects; business and contractual partners.
  • Purposes of processing: provision of contractual services and fulfillment of contractual obligations; office and organizational procedures.
  • Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); legitimate interests (Article 6 (1)(f) GDPR).

Further information on the processing methods, procedures, and services used:

  • Service providers:
  • American Express: payment service provider (technical integration of online payment methods); Provider: American Express Europe S.A., Theodor‑Heuss‑Allee 112, 60486 Frankfurt am Main, Germany; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.mastercard.co.uk; Privacy policy: https://www.americanexpress.com/de/legal/online-datenschutzerklarung.html.
  • Apple Pay: payment service provider; Provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.apple.com/apple-pay/; Privacy policy: https://www.apple.com/privacy/privacy-policy/.
  • Giropay: payment service provider (technical integration of online payment methods); Provider: giropay GmbH, An der Welle 4, 60322 Frankfurt, Germany; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.giropay.de; Privacy policy: https://www.giropay.de/rechtliches/datenschutzerklaerung/.
  • Google Pay: payment service provider; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://pay.google.com/intl/en_uk/about/; Privacy policy: https://policies.google.com/privacy.
  • Klarna: payment service provider (technical integration of online payment methods); Provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.klarna.com; Privacy policy: https://www.klarna.com/de/datenschutz.
  • Mastercard: payment service provider (technical integration of online payment methods); Provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B‑1410 Waterloo, Belgium; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.mastercard.co.uk; Privacy policy: https://www.mastercard.co.uk/en-gb/about-mastercard/what-we-do/privacy.html.
  • PayPal: payment service provider (technical integration of online payment methods) (e.g., PayPal, PayPal Plus, Braintree); Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L‑2449 Luxembourg; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.paypal.com; Privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
  • Shop Pay (Shopify): payment service provider (technical integration of online payment methods); Provider: Shopify International Limited, Victoria Buildings, 2nd Floor, 1–2 Haddington Road, Dublin 4, D04 XN32, Ireland; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.shopify.com; Privacy policy: https://www.shopify.com/legal/privacy.
  • Stripe: payment service provider (technical integration of online payment methods); Provider: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://stripe.com/de; Privacy policy: https://stripe.com/en-de/privacy; Basis for data transfers to third countries: EU‑US Data Privacy Framework (DPF).
  • Visa: payment service provider (technical integration of online payment methods); Provider: Visa Europe Services Inc., London Branch, 1 Sheldon Square, London W2 6TT, United Kingdom; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); Website: https://www.visa.de; Privacy policy: https://www.visa.de/datenschutz.
  • SOFORT: payment service provider (technical integration of online payment methods); Provider: Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.sofort.com/; Privacy policy: https://www.sofort.com/de/datenschutzhinweise/.

Provision of Online Services and Web Hosting

We process user data to provide our online services. For this purpose, we process the user’s IP address, which is required to deliver the content and functionalities of our online services to the user’s browser or device.

  • Processed data types: usage data (e.g., visited pages, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status); content data (e.g., text entries, photographs, videos).
  • Data subjects: users (e.g., website visitors, online service users).
  • Purposes of processing: provision of our online services and usability; information technology infrastructure (operation and provisioning of information systems and technical equipment such as computers, servers, etc.); security measures.
  • Legal basis: legitimate interests (Article 6 (1)(f) GDPR).

Further information on processing methods, procedures, and services used:

  • Provision of online services on dedicated server hardware: We use our own server hardware and associated storage, computing capacity, and software to deliver our online services; Legal basis: legitimate interests (Article 6 (1)(f) GDPR).
  • Collection of access data and log files: Access to our online services is logged in so‑called “server log files.” These may include the address and name of requested pages and files, date and time of access, data volume transferred, notification of successful access, browser type and version, user operating system, referrer URL (previously visited page), and typically IP addresses and the requesting provider. Log files may be used for security purposes, such as preventing server overload (especially during abusive attacks, e.g., DDoS) and ensuring stability and optimal load balancing; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Retention period: log file information is stored for up to 30 days and then deleted or anonymized. Data retained for evidentiary purposes are excluded from deletion until the incident is finally resolved.
  • Email delivery and hosting: Our web hosting services also cover sending, receiving, and storing emails. For these purposes, we process sender and recipient addresses and other information related to email transmission (e.g., involved providers) and the content of the emails. These data may also be processed for spam detection. Please note that emails are generally not encrypted end‑to‑end on the Internet. They are typically encrypted during transport but not on the servers used to send and receive them (unless end‑to‑end encryption is employed). Therefore, we cannot assume responsibility for the transmission path of emails between sender and receipt on our server; Legal basis: legitimate interests (Article 6 (1)(f) GDPR).
  • Checkdomain: IT infrastructure and related services (e.g., storage and/or computing capacity); Service provider: checkdomain GmbH, part of the dogado Group, Große Burgstraße 27/29, 23552 Lübeck, Germany; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.checkdomain.de/; Privacy policy: https://www.checkdomain.de/agb/datenschutz; Data processing on behalf: provided by the service provider.

Blogs and Publishing Media

We use blogs or similar means of online communication and publication (hereinafter “Publishing Media”). Reader data are processed only to the extent necessary for displaying the medium and facilitating communication between authors and readers, or for security reasons. Otherwise, please refer to the visitor processing information in this privacy policy.

  • Processed data types: master data (e.g., names, addresses); contact data (e.g., email, phone numbers); content data (e.g., text entries, photographs, videos); usage data (e.g., visited pages, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: users (e.g., website visitors, online service users).
  • Purposes of processing: provision of contractual services and fulfillment of contractual obligations; feedback collection (e.g., via online forms); provision of our online services and usability.
  • Legal basis: legitimate interests (Article 6 (1)(f) GDPR).

Contact and Inquiry Management

When contacting us (e.g., by post, contact form, email, phone, or via social media) and within existing user and business relationships, the information provided by inquirers is processed to respond to contact requests and any requested actions.

  • Processed data types: contact data (e.g., email, phone numbers); content data (e.g., text entries, photographs, videos); usage data (e.g., visited pages, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: communication partners (recipients of emails, letters, etc.).
  • Purposes of processing: contact requests and communication; management and response to inquiries; feedback (e.g., via online forms); provision of our online services and usability.
  • Legal basis: legitimate interests (Article 6 (1)(f) GDPR); performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR).

Further information on processing methods, procedures, and services used:

  • Contact form: When users contact us via our contact form, by email, or other communication channels, we process the data provided to handle the communicated request; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR), legitimate interests (Article 6 (1)(f) GDPR).
  • weclapp: software for customer relationship management (CRM), process and sales support (multi‑channel communication, i.e. handling customer enquiries from various channels; sales; process management; analytics; feedback functions); Provider: weclapp SE, Neue Mainzer Straße 66–68, 60311 Frankfurt am Main, Germany; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR), legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.weclapp.com; Privacy policy: https://www.weclapp.com/en/privacy/.
  • Zendesk: management of contact requests and communications; Provider: Zendesk, Inc., 989 Market Street #300, San Francisco, CA 94102, USA; Legal basis: performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR), legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.zendesk.com; Privacy policy: https://www.zendesk.com/company/customers-partners/privacy-policy/; Data processing agreement: https://www.zendesk.de/company/data-processing-form/; Basis for transfers to third countries: EU‑US Data Privacy Framework (DPF).
  • Tidio: chat and chatbot software and related services; Provider: Tidio LLC, 180 Steuart St, San Francisco, CA 94119, USA; Legal basis: legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.tidiochat.com; Privacy policy: https://www.tidio.com/privacy-policy/; Data processing on behalf: provided by the service provider; Basis for transfers to third countries: Standard Contractual Clauses (provided by the service provider).

Messenger Communication

We use messenger services for communication purposes. Please note the following information regarding messenger functionality, encryption, metadata usage, and your options to object.

You can also contact us by other means, such as phone or email. Please use the contact options provided to you or those available within our online services.

If message content (i.e., your message and attachments) is encrypted end‑to‑end, note that messenger providers cannot see the content. Always use an up‑to‑date messenger app with encryption enabled to ensure message security.

However, messenger providers can determine that communication took place and when it did, and can process technical metadata from your device and, depending on your device settings, location metadata.

Legal basis information: If we ask for your permission before communicating via messenger, our processing is based on your consent. Otherwise, when you voluntarily contact us or we communicate with contract partners, we rely on contract performance or our legitimate interests in efficient communication. We do not share your initial contact details with messenger providers without your consent.

Withdrawal, objection, and deletion: You may withdraw consent or object to communication via messenger at any time. Messages are deleted according to our general privacy policy (e.g., after contract termination or required archiving) or once your inquiries are addressed, provided no legal retention obligations prevent deletion.

Alternative communication methods: For security reasons, we reserve the right not to respond via messenger for matters requiring confidentiality or formal requirements. In such cases, we will direct you to appropriate channels.

  • Processed data types: contact data (e.g., email, phone numbers); usage data (e.g., visited pages, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: communication partners (recipients of emails, letters, etc.).
  • Purposes of processing: contact requests and communication; direct marketing (e.g., email or postal).
  • Legal basis: consent (Article 6 (1)(a) GDPR); legitimate interests (Article 6 (1)(f) GDPR).

Chatbots and Chat Functions

We offer online chats and chatbot features (collectively "Chat Services") as communication tools. A chat is an online conversation conducted in real time. A chatbot is software that answers user questions or provides information via messages. When you use our chat functions, we may process your personal data.

If you use our Chat Services within an online platform, your user ID may also be stored on that platform. We may collect data on who interacts with our Chat Services and when. We also store the content of your chat conversations and log login and consent processes for compliance with legal requirements.

Please note that the platform provider can see when users communicate via Chat Services and may collect technical information about the device used and, depending on device settings, location information (metadata) for service optimization and security purposes. The platform may also use communication metadata (i.e., who communicated with whom) for marketing or personalized advertising under its own policies.

If users consent to receive periodic chatbot messages, they can unsubscribe at any time. The chatbot will inform users how to opt out. Unsubscribing deletes their data from the recipient list.

We use this information to operate our Chat Services—e.g., to address users by name, answer inquiries, deliver requested content, and improve the Chat Services (such as training chatbots on FAQs or identifying unanswered requests).

Legal basis information: We use Chat Services based on user consent when we first ask permission to process data (e.g., to send periodic chatbot messages). When responding to inquiries about our services or company, we rely on contract performance or legitimate interests in efficient communication and service optimization.

Withdrawal, objection, and deletion: You may withdraw consent or object to the processing of your data by our chatbot at any time.

  • Processed data types: contact data (e.g., email, phone numbers); content data (e.g., text inputs, photos, videos); usage data (e.g., visited pages, content interests, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: communication partners (recipients of emails, letters, etc.).
  • Purposes of processing: contact requests and communication; direct marketing (e.g., via email or post).
  • Legal basis: consent (Article 6 (1)(a) GDPR); performance of a contract and pre‑contractual enquiries (Article 6 (1)(b) GDPR); legitimate interests (Article 6 (1)(f) GDPR).

Further information on processing methods, procedures, and services used:

  • Tidio: chat and chatbot software and related services; Provider: Tidio LLC, 180 Steuart St, San Francisco, CA 94119, USA; Legal basis: legitimate interests (Article 6(1)(f) GDPR); Website: https://www.tidiochat.com; Privacy Policy: https://www.tidio.com/privacy-policy/; Data processing on behalf: provided by the service provider; Basis for transfers to third countries: Standard Contractual Clauses (provided by the service provider).

Newsletter and Electronic Communications

We send newsletters, emails, and other electronic communications (collectively “Newsletters”) only with the recipient’s consent or where legally permitted. If the content of a Newsletter is described in detail when you sign up, that description forms the basis of your consent. Otherwise, our Newsletters will contain information about our services and about us.

To subscribe to our Newsletter, you generally only need to provide your email address. However, we may ask for your name for personalized addressing or additional information if required for the newsletter’s purpose.

Double opt‑in procedure: Subscription to our Newsletter typically uses a double opt‑in process. After signing up, you will receive an email asking you to confirm your subscription. This confirmation prevents unauthorized sign‑ups using someone else’s email address.

We log all subscription steps to comply with legal requirements. This includes storing the signup and confirmation timestamps along with the IP address. Any changes you make to your data stored by the mailing provider are also logged.

Deletion and restriction of processing: We may retain unsubscribed email addresses for up to three years based on our legitimate interests to prove past consent. Processing of these addresses is limited to defending against claims. You can request deletion at any time, provided you confirm prior consent. If you permanently object, we may keep your address in a suppression list solely for that purpose.

We log the subscription process under our legitimate interests to prove its proper conduct. If we engage a provider for email delivery, we do so under our legitimate interests in efficient and secure delivery.

Contents:

Information about us, our services, promotions, and offers.

  • Processed data types: identity data (e.g., names, addresses); contact data (e.g., email, phone numbers); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status); usage data (e.g., visited pages, content interests, access times).
  • Data subjects: communication partners (recipients of emails, letters, etc.).
  • Purposes of processing: direct marketing (e.g., by email or post); web analytics (e.g., access statistics, identifying repeat visitors).
  • Legal basis: consent (Article 6(1)(a) GDPR); legitimate interests (Article 6(1)(f) GDPR).
  • Opt‑out: You can unsubscribe from our Newsletter at any time—i.e., withdraw your consent or object to further receipt. A link to unsubscribe is provided at the bottom of each Newsletter, or you may contact us via one of the methods above, preferably by email.

Further information on processing methods, procedures, and services used:

  • Open tracking and click tracking: Our Newsletters include a “web beacon,” a tiny file loaded from our or our mailing provider’s server when you open the Newsletter. This retrieves technical details such as your browser type, system information, IP address, and the time of access. We use these to improve technical delivery, analyze readership habits by geographic region (using IP-based location) and access times, and determine which links are clicked. These metrics are tied to individual recipients and stored in their profiles until deletion. The analysis helps us tailor content and send targeted materials. Open and click tracking and storing the results in user profiles rely on user consent. You cannot opt out of the tracking separately—unsubscribing from the Newsletter entirely will remove stored profile data; Legal basis: consent (Article 6(1)(a) GDPR).
  • Brevo: email delivery and automation services; Provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: legitimate interests (Article 6(1)(f) GDPR); Website: https://www.brevo.com/; Privacy policy: https://www.brevo.com/de/legal/privacypolicy/; Data processing on behalf: provided by the service provider.

Commercial Communications by Email, Post, Fax or Telephone

We process personal data for the purposes of promotional communications via various channels such as email, telephone, post or fax, in compliance with legal requirements.

Recipients have the right to withdraw their consent at any time or to object at any time to promotional communications.

After withdrawal or objection, we retain the data needed to demonstrate past consent to contact or dispatch for up to three years after the end of the year of withdrawal or objection, based on our legitimate interests. Processing of these data is limited to the purpose of defending against any claims. Based on our legitimate interest in permanently respecting users’ withdrawal or objection, we continue to store only those data necessary to prevent renewed contact (e.g., email address, telephone number, name, depending on the channel).

  • Processed data types: identity data (e.g., names, addresses); contact data (e.g., email, telephone numbers).
  • Data subjects: communication partners (recipients of emails, letters, etc.).
  • Purposes of processing: direct marketing (e.g., by email or post).
  • Legal basis: consent (Article 6(1)(a) GDPR); legitimate interests (Article 6(1)(f) GDPR).

Web Analytics, Monitoring and Optimization

Web analytics is used to evaluate visitor traffic on our website and may include pseudonymized data on user behavior, interests or demographic information (e.g., age, gender). With web analytics we can see, for example, when our online services or particular features or content are most frequently accessed or re‑requested, and which areas need optimization.

In addition to web analytics, we may use A/B testing and similar methods to test and optimize different versions of our online services or components.

Unless otherwise stated below, profiles (i.e., data aggregated for a usage process) may be created and stored in a browser or device (“cookies”) and read from there. Collected information includes visited pages and elements used, as well as technical details like browser, operating system and usage times. If users have consented to location collection by us or our service providers, location data may also be processed.

User IP addresses are also stored; however, we apply IP masking (i.e., pseudonymization by truncating the IP) to protect user privacy. Generally, web analytics, A/B testing and optimization do not store personal identifiers (like email addresses or names), only pseudonyms. This means that neither we nor our analytics providers know the user’s real identity, but only the information stored in their profiles for the respective processes.

  • Processed data types: usage data (e.g., visited pages, content interests, access times); meta, communication and process data (e.g., IP addresses, timestamps, identifiers, consent status).
  • Data subjects: users (e.g., website visitors, users of online services).
  • Purposes of processing: remarketing; affiliate tracking; web analytics (e.g., access statistics, recognizing repeat visitors); user profiles (creation of user profiles); provision of our online services and usability.
  • Security measures: IP masking (pseudonymization).
  • Legal basis: consent (Article 6(1)(a) GDPR); legitimate interests (Article 6(1)(f) GDPR).

Further information on processing methods, procedures and services used:

  • Google Analytics 4: We use Google Analytics to measure and analyze usage of our online services via a pseudonymous user ID that contains no personal identifiers such as names or emails. It assigns analytics data to a device to track which content users accessed, search terms used, repeat visits or interactions, usage times and sources referring users to our services, as well as technical aspects of their devices and browsers. Pseudonymous user profiles may be created across devices, and cookies may be used. Google Analytics does not record or store full IP addresses; instead, it derives coarse geolocation (city, region, country) from the IP, then immediately discards the IP. All IP lookups for EU traffic occur on EU‑based servers before data is sent to Google’s processing servers. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: legitimate interests (Article 6(1)(f) GDPR); Website: marketingplatform.google.com/analytics; Privacy policy: policies.google.com/privacy; Processor agreement: business.safety.google/adsprocessorterms; Data transfer basis to third countries: EU‑US Data Privacy Framework (DPF), Standard Contractual Clauses (adsprocessorterms); Opt‑out: gaoptout plugin, ad settings: adssettings.google.com; More info: privacy.google.com/businesses/adsservices.

Online Marketing

We process personal data for the purposes of online marketing, which particularly includes marketing advertising space or displaying advertisements and other content (hereinafter collectively “content”) based on users’ potential interests and measuring their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a “cookie”) or a similar method that retains the relevant user information needed to display the aforementioned content. This information may include, for example, viewed content, visited websites, used online networks, communication partners, and technical details such as the browser used, the computer system used, and information on usage times and functions used. If users have consented to the collection of their ancillary data, that may also be processed.

Users’ IP addresses are also stored. However, we use the IP‑masking procedures available to us (i.e., pseudonymization by truncating the IP address) to protect users. In general, no plain‑text user data (such as email addresses or names) are stored during the online marketing process, only pseudonyms. This means that neither we nor the providers of online marketing methods know users’ actual identities, only the information stored in their profiles.

The information in the profiles is usually stored in cookies or similar storage methods. These cookies can later—often on other websites using the same online marketing technology—be read and analyzed for advertising purposes, enriched with other data, and stored on the provider’s server.

In exceptional cases, plain‑text data may be linked to the profiles. For example, this occurs when users are members of a social network whose online marketing technology we use and the network links users’ profiles with the aforementioned data. Please note that users may enter into additional agreements with social network providers or other service providers, e.g., by consenting during a registration process.

Fundamentally, we only have access to aggregated information on the performance of our ads. However, through so‑called conversion tracking, we can verify which of our online marketing processes have led to a “conversion,” i.e., the conclusion of a contract with us. Conversion tracking is used solely to analyze the performance of our marketing activities.

Unless otherwise indicated, please note that the cookies used are stored for a period of two years.

  • Processed data types: content data (e.g., text inputs, photos, videos); usage data (e.g., visited websites, interest in content, access times); meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, consent status); event data (Facebook) (“event data” are data that we may transmit to Facebook, e.g., via Facebook Pixel, regarding individuals or their actions; data include website visits, interactions with content, feature usage, app installs, product purchases, etc.; event data are processed to create audiences for content and advertising (“Custom Audiences”); event data do not include actual contents (such as written comments), login credentials, or contact data (such as names, email addresses, and phone numbers). Facebook deletes event data after a maximum of two years, and Custom Audiences created from them are deleted when our Facebook account is removed); contact data (Facebook) (“contact data” are data concerning identifiable information such as names, email addresses, and phone numbers that may be transmitted to Facebook, e.g., via Facebook Pixel or uploads for matching to form Custom Audiences; after matching to create audiences, the contact data are deleted).
  • Data subjects: users (e.g., website visitors, users of online services).
  • Purposes of processing: web analytics (e.g., access statistics, identifying returning visitors); targeting (e.g., profiling based on interests and behavior, use of cookies); conversion tracking (measuring marketing effectiveness); affiliate tracking; marketing; user profiling (creating user profiles); provision of our online services and usability; remarketing.
  • Security measures: IP masking (pseudonymization of the IP address).
  • Legal basis: consent (Article 6(1)(a) GDPR); legitimate interests (Article 6(1)(f) GDPR).
  • Opt‑Out: We refer to the privacy policies of the respective service providers and the opt‑out options described there. If no explicit opt‑out option is provided, you can disable cookies in your browser settings, which may limit the functionality of our online offerings. We therefore recommend the following additional collective opt‑out options by region: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Interregional: https://optout.aboutads.info.

Further information on processing methods, procedures, and services used:

  • Meta Pixel and Custom Audiences: Using the Meta Pixel (or similar features to transfer event data or contact data via interfaces or other software into apps), Meta can determine the visitors to our online services as target audiences for displaying ads (so‑called “Meta Ads”). Accordingly, we use the Meta Pixel to show our Meta Ads only to Meta users and within the services of partners working with Meta (so‑called “Audience Network” https://www.facebook.com/audiencenetwork/) who have shown interest in our online services or exhibit certain characteristics (e.g., interests in specific topics or products inferred from visited websites) that we transmit to Meta (so‑called “Custom Audiences”). With the help of Meta Pixels, we also ensure that our Meta Ads align with users’ potential interests and are not intrusive. The Meta Pixel also enables us to track the effectiveness of Meta Ads for statistical and market research purposes by showing whether users who clicked on a Meta Ad were referred to our website (known as “Conversion Tracking”); Processor: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Article 6 (1)(a) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; International transfers: EU‑US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: User event data—i.e., behavioral and interest data—are processed for targeted advertising and audience building under the joint controller addendum (https://www.facebook.com/legal/controller_addendum). Joint responsibility is limited to data collection and transmission to Meta Platforms Ireland Limited; further processing is done exclusively by Meta Platforms Ireland Limited, including onward transfers to Meta Platforms, Inc. in the USA under their SCCs.
  • Advanced Matching for Meta Pixel: In addition to event data, contact data (identifying information such as names, email addresses, and phone numbers) are captured or transmitted to Meta within our online service. This contact data processing is for creating Custom Audiences for ad targeting based on inferred user interests. Collection, transmission, and matching with Meta’s data occur only via cryptographic hashes (as used for password storage). After matching, raw contact data are deleted; Legal basis: Consent (Article 6 (1)(a) GDPR); Privacy policy: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; International transfers: EU‑US Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum). Further information: https://www.facebook.com/legal/terms/data_security_terms.
  • Facebook Ads: Placement of ads within the Facebook platform and analysis of ad performance; Processor: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Opt‑out: via Facebook’s ad and privacy settings. Further information: User event data are processed under the joint controller addendum (https://www.facebook.com/legal/controller_addendum), limited to data collection and transmission to Meta Platforms Ireland Limited; further processing is by Meta Platforms Ireland Limited.
  • Google Ad Manager: We use the Google Marketing Platform (including Google Ad Manager) to place ads in Google’s ad network (e.g., search results, videos, websites). This platform delivers ads in real time based on users’ presumed interests, enabling more relevant advertising. Remarketing—showing ads for products previously viewed elsewhere—is also supported; Processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Further information: https://privacy.google.com/businesses/adsservices. When Google processes as a processor, their Ads Processor Terms and SCCs apply: https://business.safety.google/adsprocessorterms.
  • Google Ads & Conversion Tracking: Online marketing to place ads in Google’s network (search, video, websites) and measure conversions—i.e., if users interact with ads and then use the promoted offers—using anonymized data only; Processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6 (1)(a) GDPR) and Legitimate interests (Article 6 (1)(f) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Further information: https://privacy.google.com/businesses/adsservices. Their Ads Processor Terms and SCCs apply for processor roles: https://business.safety.google/adsprocessorterms.
  • Google Ads Remarketing: Also called retargeting, this technology adds users of an online service to a pseudonymous remarketing list so they see ads based on their visit; Processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6 (1)(a) GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Further information: https://privacy.google.com/businesses/adsservices. https://business.safety.google/adscontrollerterms.
  • Enhanced Conversions for Google Ads: When customers click our Google Ads and then convert, user‑entered data (email, name, address, phone) are hashed and sent to Google to better assess ad interactions and performance; Legal basis: Consent (Article 6 (1)(a) GDPR). More info: https://support.google.com/google-ads/answer/9888656.
  • Instagram Ads: Placement of ads within Instagram and analysis of ad performance; Processor: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Consent (Article 6 (1)(a) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Opt‑out: via Instagram’s ad and privacy settings. Further information: User event data are processed under the joint controller addendum (https://www.facebook.com/legal/controller_addendum).

Partner Program

We offer a partner program, i.e. we provide commissions or other benefits (collectively referred to as “Commission”) to users (collectively referred to as “Partners”) who refer to our offerings and services. The referral is made via a link associated with the partner, or other methods (e.g. discount codes), which allow us to recognize that the use of our services was based on the referral (collectively referred to as “Partner Links”).

In order to track whether users have accessed our services via Partner Links used by partners, we need to know that the user followed a Partner Link. The attribution of Partner Links to the corresponding business transactions or other use of our services is solely for the purpose of calculating commissions and is deleted once it is no longer required for that purpose.

For the above purposes of attributing Partner Links, the Partner Links may be supplemented by certain values that may be part of the link or otherwise stored, for example in a cookie. These values may include in particular the source website (referrer), timestamp, an online identifier of the site operator where the Partner Link was placed, an online identifier of the respective service, the type of link used, the type of service, and an online identifier of the user.

Information on legal basis: Processing of our partners’ data is carried out to provide our (pre-)contractual services. The users’ data are processed based on their consent.

  • Processed data types: Contract data (e.g. contract subject, duration, customer category). Usage data (e.g. visited websites, interest in content, access times).
  • Affected data subjects: Users (e.g. website visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Partner tracking.
  • Legal basis: Consent (Article 6 (1)(a) GDPR). Performance of a contract and pre‑contractual inquiries (Article 6 (1)(b) GDPR).

Customer Reviews and Ratings

We participate in review and rating processes to evaluate, optimize, and promote our performance. When users review us via participating review platforms or methods, the general terms of use and privacy information of those providers also apply. Registration with the respective provider is usually required for posting a review.

To ensure that reviewers have actually used our services, with the customer’s consent we transmit the necessary data related to the customer and the services or products used to the respective review platform (including name, email address, order number or item number). This data is used exclusively to verify the authenticity of the user.

  • Processed data types: Contract data (e.g. contract subject, duration, customer category); Usage data (e.g. visited websites, interest in content, access times). Meta-, communication and process data (e.g. IP addresses, timestamps, identification numbers, consent status).
  • Affected data subjects: Customers. Users (e.g. website visitors, users of online services).
  • Purposes of processing: Feedback (e.g. collecting feedback via online form). Marketing.
  • Legal basis: Legitimate interests (Article 6 (1)(f) GDPR). Consent (Article 6 (1)(a) GDPR).

Further information on processing methods, procedures, and services used:

  • Review Widget: We integrate review widgets into our online services. A widget is a functional and content element embedded in our online services that displays variable information (e.g. as a badge or seal). Although the widget content is displayed within our online services, it is fetched from the provider’s servers in real time to ensure up‑to‑date display, including the current rating. This requires a data connection from our site to the widget provider’s server, and the provider receives certain technical access data (including IP address) necessary to deliver the widget content in the user’s browser. Additionally, the widget provider learns that users have visited our online services. This information may be stored in a cookie and used by the widget provider to determine which participating sites the user has visited. These details may be stored in a user profile and used for advertising or market research purposes; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR).
  • Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and opinions; Processor: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR); Terms & Conditions: https://support.google.com/merchants/topic/7259129?hl=de&ref_topic=7257954; Privacy policy: https://policies.google.com/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Further information: As part of the review process, a transaction ID and timestamp and, for direct review invitations, the customer’s email address and country of residence and the review content are processed; full details: https://privacy.google.com/businesses/adsservices. Ads controller terms & SCCs: https://business.safety.google/adscontrollerterms.
  • Trusted Shops (Trustbadge): Review and rating platform—under our joint responsibility with Trusted Shops, for privacy inquiries and exercising your rights please contact Trusted Shops using the channels in their privacy information. Independently, you may contact your data controller at any time, and inquiries will be forwarded as needed. The Trustbadge is served by a US‑based CDN, with adequate protections via SCCs and contractual measures. When loaded, the service logs access data (including IP, timestamp, data volume, requesting host) which is anonymized immediately so it cannot be tied to you. Anonymized data are used for statistics and error analysis. With your consent, after purchase the Trustbadge reads locally stored order details (total amount, order number, purchased product if applicable) and email, hashes the email, and transmits the hash with order details under Article 6 (1)(a) GDPR to Trusted Shops to check registration status. If already registered, processing continues per your agreement with Trusted Shops. If not, you can manually register or purchase buyer protection via the designated button in the Trustbadge. Data are only sent if you opt in. Upon opt‑in, further processing under Article 6 (1)(b) GDPR completes buyer protection registration and secures the order, and may send review invitations by email. Trusted Shops uses hosting, monitoring, and logging sub‑processors. Legal basis: Article 6 (1)(f) GDPR for service continuity. Processing may occur in third countries (USA, Israel) with protections via SCCs and adequacy decisions; Processor: Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany; Legal basis: Consent (Article 6 (1)(a) GDPR), Legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.trustedshops.de; Privacy policy: https://www.trustedshops.de/impressum/#datenschutz.
  • Loox: Creation of testimonials, customer experiences, and reviews plus a rewards system; Processor: Loox Online Ltd., Rehov Har Sinai 2, 6581602 Tel Aviv‑Yafo, Israel; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR); Website: https://loox.app/; Privacy policy: https://loox.io/legal/privacy_policy_users.pdf.

Social Media Profiles

We maintain online presences on social networks and process user data in this context to communicate with users active there or to provide information about us.

Please note that user data may be processed outside the European Union. This can pose risks for users, for example by making it more difficult to enforce their rights.

In addition, user data on social networks is generally processed for market research and advertising purposes. For example, user profiles may be created based on users’ behavior and related interests. These profiles can then be used, for instance, to place advertising within and beyond the networks that matches users’ interests. For these purposes, cookies are typically stored on the user’s computer to record usage patterns and interests. Furthermore, profile data may be stored independently of the devices used by users (especially if users are or later become members of the respective networks).

For detailed descriptions of the processing operations and opt‑out options, please refer to the respective privacy policies and information provided by the network operators.

Access requests and other data subject rights are likewise most effectively asserted directly with the network providers. Only they have access to user data and can take appropriate measures or provide information directly. If you still need assistance, please feel free to contact us.

  • Processed data types: Contact data (e.g. email, phone numbers); content data (e.g. text entries, photographs, videos); usage data (e.g. visited websites, interest in content, access times); meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
  • Legal basis: Legitimate interests (Article 6 (1)(f) GDPR).

Plugins and Embedded Features and Content

In our online services, we integrate functional and content elements that originate from the servers of their respective providers (hereinafter “third parties”). These may include graphics, videos, or maps (hereinafter collectively “content”).

Integration always requires the third parties to process the user’s IP address, as they could not send the content to the user’s browser without it. The IP address is therefore necessary to display this content or these features. We strive to use only content whose providers use the IP address solely for content delivery. Third parties may also use so‑called pixel tags (invisible graphics, also “web beacons”) for statistical or marketing purposes. Pixel tags can be used to assess visitor flows on this website. The pseudonymous information may also be stored in cookies on the user’s device and include technical information about the browser and operating system, referring websites, visit times, and other usage details of our site, and may be linked with similar information from other sources.

  • Processed data types: Usage data (e.g. visited websites, interest in content, access times); meta, communication, and process data (e.g. IP addresses, timestamps, identification numbers, consent status); inventory data (e.g. names, addresses); contact data (e.g. email, phone numbers); content data (e.g. text entries, photos, videos).
  • Data subjects: Users (e.g. website visitors, online service users).
  • Purposes of processing: Provision of our online services and usability; provision of contractual services and fulfillment of contractual obligations.
  • Legal basis: Legitimate interests (Article 6 (1)(f) GDPR).

Further information on processing methods, procedures, and services used:

  • reCAPTCHA: We integrate the “reCAPTCHA” feature to determine whether inputs (e.g. in online forms) are made by humans and not by automated bots. Processed data may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with reCAPTCHA on other sites, possible cookies, and results of manual verification processes (e.g. answering challenges or selecting objects in images). The processing is based on our legitimate interest in protecting our online services from abusive automated crawling and spam; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.google.com/recaptcha/; Privacy policy: https://policies.google.com/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Opt‑out: Opt‑out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, ad settings: https://adssettings.google.com/authenticated.
  • YouTube Videos: Video content; Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Article 6 (1)(f) GDPR); Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; International transfers: EU‑US Data Privacy Framework (DPF); Opt‑out: Opt‑out plugin: https://tools.google.com/dlpage/gaoptout?hl=en, ad settings: https://adssettings.google.com/authenticated.