
Privacy Policy

Last updated: 06.02.2020

By way of this privacy policy, we would like to inform you of which types of your personal data we process, as well as the purposes for which and the extent to which we process this data. This privacy policy applies to all personal data processing activities we carry out, both to provide our services and, in particular, on our website and on other online platforms, such as our social media profiles.

1 Controller

2 Overview of processing activities

The following overview summarises the types of data processed and the purposes of processing, and refers to data subjects.

  • Types of data processed

Inventory data (e.g. names, addresses), content data (e.g. text, photos, videos), contact data (e.g. email addresses, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. web pages visited, interest in content, access times), contract data (e.g. subject matter of the contract, term, customer category), payment data (e.g. bank details, invoices, payment history)

  • Categories of data subject

Business and contract partners, prospects, communication partners, customers, users (e.g. website visitors, users of online services)

  • Purposes of processing

Evaluation of user actions, office and organisational processes, direct marketing (e.g. by email or post), interest and behaviour-based marketing, contact requests and communication, conversion tracking (evaluating the effectiveness of marketing measures), profiling (creating user profiles), reach measurement (e.g. access statistics, detection of returning visitors), security measures, tracking (e.g. interest/behaviour-based profiling, use of cookies), contractual performances and services, managing and responding to enquiries

3 Relevant legal bases

Our legal bases for processing personal data are listed below. In this regard, it is important to note that national data protection regulations may apply in addition to the provisions set down in the General Data Protection Regulation (GDPR).

  • Consent (Art. 6 (1), sentence 1, (a) of the GDPR)
  • Performance of a contract and steps prior to entering into a contract (Art. 6 (1), sentence 1, (b) of the GDPR)
  • Legal obligation (Art. 6 (1), sentence 1, (c) of the GDPR)
  • Legitimate interests (Art. 6 (1), sentence 1, (f) of the GDPR)

In Germany, the German Federal Data Protection Act (BDSG) applies in addition to the data protection provisions set down in the GDPR. In particular, the BDSG contains special rules on the right of access, right to erasure, right to object, the processing of special categories of personal data, processing for other purposes, and transmission and automated individual decision-making. In addition, it governs data processing for the purposes of an employment relationship (Section 26 of the BDSG), particularly with regard to establishing, implementing and terminating employment relationships, plus employee consent. Individual federal states’ data protection laws may also apply.

4 Security measures

We use the widespread SSL (Secure Socket Layer) process on our website in combination with the highest level of encryption supported by your browser, which is usually 256-bit encryption. If your browser does not support 256-bit encryption, we shall use 128-bit v3 technology instead. The key or padlock symbol in your browser’s status bar shows you whether pages on our website are using encrypted data transmission.

We also implement appropriate technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are continuously updated in line with technological advances.

5 Transmission and disclosure of personal data

As part of our personal data processing activities, the data may be transferred or disclosed to other bodies, companies or individuals. Recipients of this data may include the likes of payment institutions during payment processes, service providers tasked with providing IT services, or providers of services and content incorporated into a website. In such cases, we comply with legal requirements and, in particular, enter into appropriate contracts or agreements with recipients of your data to protect the same.

6 Data processing in third countries

If we process data in a third country (i.e. outside of the European Union (EU) and the European Economic Area (EEA)), or if third-party services are used for processing or data is disclosed or transmitted to other individuals, bodies or companies for processing, this shall take place only in compliance with legal requirements.

7 Use of cookies

Our website uses cookies. Cookies are small files that your browser creates automatically and stores on your terminal device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not harm your terminal device and do not contain viruses, trojans or any other type of malware. They contain information generated in connection with the specific terminal device used. However, this does not mean that we are directly informed of your identity.

Cookies are used to improve your experience when using our website. We use ‘session cookies’ to detect whether you have previously visited individual pages of our website. Session cookies are deleted automatically once you leave our site.

We also use temporary cookies to make the website more user-friendly. These cookies are stored on your terminal device for a fixed period of time. If you visit our website again to use our services, the fact that you previously visited shall be detected and your information and settings shall be retained, so you don’t need to enter the same details again.

We also use cookies to record and analyse website usage statistics and to optimise the content we offer you. If you visit our website again, these cookies enable us to automatically detect that you have visited before. These cookies are deleted automatically after a fixed period of time.

The data processed by cookies is necessary for the specified purposes to protect our legitimate interests and those of third parties in accordance with Art. 6 (1), sentence 1, (f) of the GDPR.

Most browsers automatically accept cookies. However, you can configure your browser not to store cookies on your computer or to always display a message before a new cookie is stored. However, if you disable all cookies, you may be unable to use all of the features of our website.

The legal basis on which we process your personal data using cookies depends on whether we ask for your consent. If we ask for your consent and you consent to the use of cookies, your consent forms the legal basis for such processing. Otherwise, the data processed using cookies is processed based on our legitimate interests (e.g. in operating and improving our online content) or, if the use of cookies is necessary, to fulfil our contractual obligations.

Regardless of whether processing is carried out based on your consent or is permitted by law, you may withdraw any consent you granted or object to the processing of your data using cookie technologies at any time.

8 Commercial and business services

We process our customers’ and prospects’ data as part of contractual and similar legal relationships and related measures, and when communicating with contractual partners (or prior to entering into a contract), e.g. including to respond to enquiries.

We process this data to fulfil our contractual obligations, to safeguard our rights and for the purpose of related administrative tasks and business organisation. We only forward customer data to third parties to the extent permitted by applicable law and required for the aforementioned purposes or to comply with legal obligations, or with the consent of the contractual partner (e.g. to telecommunications and transport companies involved in our operations, banks, tax and legal advisors, payment service providers or tax authorities).

We erase the data once statutory warranty and similar obligations elapse, which is generally after four years or, where the data is stored in a customer account, for the duration for which archives need to be retained on legal grounds (e.g. usually 10 years for tax purposes). We erase data disclosed to us during a customer order in accordance with the contract and once the contracted work has been completed.

If we use third-party providers or platforms to provide our services, the respective third-party providers’ or platforms’ terms and conditions and privacy policies shall apply to the relationship between users and the providers.

Customers may create an account on our website. If customers need to register for a customer account, they shall be notified to this effect and of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent log-in and use of the customer account, we store customers’ IP addresses and access times as evidence of the registration and so that we can prevent misuse of the customer account.

When a customer closes their account, the associated data is erased except where it must be retained on legal grounds. The customer is responsible for backing up their data when closing their customer account.

We process our customers’ data for our online shop and within the scope of our activity to allow customers to select and purchase/order the selected products, goods and associated services or to engage us to provide the selected services, and to enable payment for, delivery/execution of or provision of the same.

The information required is indicated when placing the order or concluding the contract and includes the information needed for delivery and billing, as well as contact information for any consultation needed.

The legal bases are: performance of a contract and steps prior to entering into a contract (Art. 6 (1), sentence 1, (b) of the GDPR), legal obligation (Art. 6 (1), sentence 1, (c) of the GDPR), legitimate interests (Art. 6 (1), sentence 1, (f) of the GDPR).

9 Web hosting via Strato

We use the web hosting services provided by STRATO AG, Pascalstrasse 10, 10587 Berlin, Germany, for our website and have also concluded a processing contract to this effect with STRATO pursuant to Art. 28 of the GDPR. You can find more information in STRATO’s privacy policy at https://www.strato-hosting.co.uk/privacy-policy/.

The legal basis is our legitimate interest in operating and maintaining the operational security of this website in accordance with Art. 6 (1), sentence 1, (f) of the GDPR.

10 Services provided by Ecwid for the online shop

We use the web hosting services provided by Ecwid Inc., 687 S. Coast Highway 101 Suite 239 Encinitas, CA 92024, USA, for our website and have entered into a contract to this effect with Ecwid Inc. pursuant to Art. 28 of the GDPR. You can find more information in Ecwid Inc.’s privacy policy at https://www.ecwid.com/eu-privacy-policy.

The legal basis is our legitimate interest in operating and maintaining the operational security of this website in accordance with Art. 6 (1), sentence 1, (f) of the GDPR.

11 Payment service providers

In addition to banks and credit institutions, we engage the services of other payment service providers (hereinafter referred to as ‘payment service providers’) in our contractual and other legal relationships, to comply with legal obligations or based on our legitimate interests, so that we can offer the data subjects efficient and secure payment methods.

The data processed by the payment service providers includes inventory data (e.g. name and address), bank details (e.g. account number or credit card number), passwords, transaction numbers and checksums, and contract, amount and recipient-related information. This information is necessary to execute the transaction. However, the data entered is only processed and stored by the payment service providers. This means that we do not receive any account or credit card information; we only receive confirmation of successful payment or notification of a failed payment. In certain circumstances, the payment service providers may transmit the data to credit agencies so that identity and credit checks can be performed. Please refer to the payment service providers’ GTCs and privacy policies.

The respective payment service provider’s terms and conditions and privacy policy apply to payment transactions and can be viewed on the relevant website or in the relevant transaction app. Please refer to these for further information and to exercise cancellation rights, access rights and other data subject rights.

The following data is processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject matter of the contract, term, customer category), usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

The legal bases for processing are: performance of a contract and steps prior to entering into a contract (Art. 6 (1), sentence 1, (b) of the GDPR), legitimate interests (Art. 6 (1), sentence 1, (f) of the GDPR).

Services and service providers used:

Mastercard: payment services; service provider: Mastercard Europe SA, Chaussée de Tervuren 198A, B-1410 Waterloo, Belgium; website: https://www.mastercard.co.uk/en-gb.html; privacy policy: https://www.mastercard.co.uk/en-gb/about-mastercard/what-we-do/privacy.html.

Visa: payment services; service provider: Visa Europe Services Inc., London branch, 1 Sheldon Square, London W2 6TT, United Kingdom; website: https://www.visa.co.uk; privacy policy: https://www.visa.co.uk/legal/privacy-policy.html.

American Express: payment services; service provider: American Express Europe S.A. (Germany branch), Theodor-Heuss-Allee 112, 60486, Frankfurt am Main; website: https://www.americanexpress.com/uk/; privacy policy: https://www.americanexpress.com/uk/legal/online-privacy-statement.html

Diners Club: payment services; service provider: Diners Club International Ltd., 2500 Lake Cook Road, Riverwoods, IL 60016, USA, for the ‘Diners’, ‘Diners Club’ and ‘Discover’ payment brands; privacy policy: https://www.dinersclub.co.uk/legal/privacy-policy 

JCB: payment services; service provider: JCB International Co., Ltd., 5-1-22, Minami Aoyama, Minato-Ku, Tokyo, Japan; privacy policy: http://www.jcbeurope.eu/privacy/index.html 

Union Pay: payment services; service provider: Union Pay International Co., Ltd., Germany Branch, An der Welle 4, 60322 Frankfurt, for the ‘CUP’ and ‘Union Pay’ payment brands; privacy policy: http://www.unionpayintl.com/en/privacyNotice/ 

PayPal: payment services; service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg, Luxembourg; website: https://www.paypal.com/uk; privacy policy: https://www.paypal.com/uk/webapps/mpp/ua/privacy-full.

Stripe: payment services; service provider: Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland; privacy policy: https://stripe.com/gb/privacy.

12 Contact form

We provide a contact form on our website, which you can use to contact us with any questions that you may have. The form requires you to enter a valid email address so that we know who submitted the enquiry and to enable us to respond. You can also choose to provide other information. Data processing for the purpose of contacting us is based on your voluntary consent, in accordance with Art. 6 (1), sentence 1, (a) of the GDPR.

13 Marketing by post, email or telephone

We process personal data for marketing purposes, which may take place using various channels such as email, telephone and post. We comply with legal requirements and, unless the communication is permitted by law, obtain the necessary consent. Recipients have the right to withdraw any consent they may have granted or to object to marketing communication at any time.

After this withdrawal of consent or objection, we may store the data necessary to evidence consent for up to three years based on our legitimate interests before erasing the same. This data shall only be processed to defend any claims. An individual erasure request can be made at any time if the existence of previous consent is at the same time confirmed.

The following data is processed for the purpose of direct marketing based on consent given (Art. 6 (1), sentence 1, (a) of the GDPR) or a legitimate interest (Art. 6 (1), sentence 1, (f) of the GDPR): inventory data (e.g. names, addresses), contact details (e.g. email address, telephone numbers).

14 Newsletter

If you wish to subscribe to and regularly read our newsletter, you shall need to register with your full name and a valid email address, thereby giving your consent to our processing of your personal data. Please also read the declaration of consent on the newsletter registration form.

Before we can send you the newsletter, you need to confirm your subscription to our email newsletter through a double opt-in procedure. This procedure is used to ensure that the email address provided belongs to you. You shall receive a confirmation and authorisation email from us, and we shall ask you to click on the link in the email to confirm that you wish to receive our newsletter. If you do not confirm your subscription, your personal data shall be erased within a reasonable period of time.

In addition to your registered email address, we also store the registration time, confirmation time, IP address and consent text related to your registration. We shall only use the email address to send you our newsletter, unless you have expressly consented to another use.

Small, ‘invisible’ files (beacons) sent with the newsletter may be used to perform various analyses to improve the products and services we offer. The IP address, the browser used and time that the newsletter was accessed and opened, as well as details of the links clicked on in the newsletter are recorded and statistically evaluated.

The newsletter is sent based on the recipient’s consent in accordance with Art. 6 (1), sentence 1, (a) of the GDPR and Art. 7 of the GDPR in conjunction with Section 7 (2), Point 3 of the German Act against Unfair Competition. Opening and click-through rates are analysed based on our legitimate interest in accordance with Art. 6 (1), sentence 1, (f) of the GDPR. We have an interest in continuously optimising the products and services we offer for our users and in analysing user behaviour in order to do so.

Email delivery service provider:

The newsletter is sent via Sendinblue SAS, 55 Rue d’Amsterdam, 75008 Paris, France (hereinafter referred to as the ‘email delivery service provider’). The email delivery service provider’s privacy policy can be viewed at https://www.sendinblue.com/legal/termsofuse/.

We have concluded a processing contract with the provider pursuant to Art. 28 of the GDPR.

You may withdraw your consent if you no longer wish to receive the newsletter. You can thus unsubscribe from the newsletter at any time. Please use the link provided for this purpose in the newsletter.

15 Online marketing

We process personal data for the purpose of online marketing, which includes displaying promotional and other content (jointly referred to as ‘content’) based on users’ potential interests and measuring the effectiveness of this content.

User profiles are created for this purpose and stored in a file (a ‘cookie’) or similar methods are used to store relevant user information so that the aforementioned content can be displayed. Such information could include the likes of content viewed, websites visited and online networks used, as well as communication partners and technical information such as the browser and computer system used and information about usage times. If users have consented to their location data being shared, this data may also be processed.

Users’ IP addresses are also stored but we use IP masking (i.e. pseudonymisation by truncating the IP address) to protect our users. Generally speaking, no personally identifiable user data (such as names or email addresses) is stored as part of the online marketing process, as data is pseudonymised. This means that even we as the provider of the online marketing process do not know the user’s identity, since we only see the information stored in the profiles.

The information in the profiles is usually stored in cookies or using a similar method. These cookies can generally also later be identified on other websites that use the same online marketing process and analysed to display content, supplemented with additional data, and stored on the online marketing service provider’s server.

In certain cases, exceptions apply that mean personally identifiable data may be assigned to profiles. For example, this is the case if a user is a member of a social network whose online marketing process we use and the network links the user’s profile with the above-mentioned information. Please note that users can enter into additional agreements with the providers, e.g. by giving consent at the time of registration.

We only have access to summarised information about the success of our advertising. However, we can use conversion tracking to verify which of our online marketing measures has led to a conversion, i.e. which measure led to the conclusion of a contract. Conversion tracking is only used to analyse the success of our marketing measures.

If we ask users for their consent when using third-party providers, the legal basis for data processing is their consent (Art. 6 (1), sentence 1, (a) of the GDPR). Otherwise, user data is processed based on our legitimate interests (i.e. our interest in efficient, economical and user-friendly services, in accordance with Art. 6 (1), sentence 1, (f) of the GDPR). Please refer to the information about the use of cookies in this privacy policy for further information about this matter.

The following user data is processed: usage data (e.g. web pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Processing is carried out for the purpose of tracking, remarketing, evaluation of user actions, interest and behaviour-based marketing, profiling, conversion tracking and reach measurement.

Please also see the privacy policies published by the respective providers and their opt-out options. If no explicit option is given to opt out, one alternative is to disable cookies in your browser settings. However, doing so may mean that you are unable to use our website’s features. We therefore recommend using the following overall opt-out options offered for your territory: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) All territories: http://optout.aboutads.info.

Services and service providers used:

Google Analytics: online marketing and web analytics; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/en_uk/about/analytics/; privacy policy: https://policies.google.com/privacy; Privacy Shield (guarantee of the data protection level for data processing in the USA): https://www.privacyshield.gov; option to opt out: opt-out plug-in: https://tools.google.com/dlpage/gaoptout?hl=en-GB, ad display settings: https://adssettings.google.com/authenticated.

16 How is social media integrated?

Our domain offers the option of sharing social media posts via the social networks Tumblr, Pinterest, Twitter, Facebook, Blogger, Gmail and Yahoo Mail. When the user clicks on the embedded graphic, they are redirected to the Tumblr, Pinterest, Twitter, Facebook, Blogger, Gmail, Yahoo Mail or Google+ site, and it is therefore only at this point that user information is transmitted to the respective provider. In this case, the legal basis for data processing is the user’s consent in accordance with Art. 6 (1), sentence 1, (a) of the GDPR.

If the user is also logged into their profile on the social network concerned, the visit to our website shall be assigned to their profile when they click on the button. If the user does not wish social networks to gather data via the website, they should log out before visiting the website. However, cookies shall still be set each time the website is accessed by clicking on the corresponding link. This means that using this function may allow data to be collected and a profile to be created, which may sometimes also be associated with an individual user. To prevent this from happening, the user can click to disable the link in question on the website. The user may also adjust their browser settings so that cookies are categorically not accepted; however, please note that doing so may restrict our website’s functionality. Information about how personal data is handled when you use these websites can be found in the relevant privacy policies published by the providers.

  • Facebook

The privacy policy for Facebook (operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA) can be found at https://en-gb.facebook.com/about/privacy/.

  • Twitter

The privacy policy for Twitter (operated by Twitter Inc., 795 Flom St., Suite 600, San Francisco, CA 94107, USA) can be found at https://twitter.com/privacy.

  • Google+/Gmail/Blogger

The privacy policy for Google+/Gmail/Blogger (operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) can be found at https://policies.google.com/privacy.

  • Pinterest

The privacy policy for Pinterest (operated by Pinterest Inc., 808 Brannan Street, San Francisco, CA 94103, USA) can be found at https://policy.pinterest.com/en-gb/privacy-policy.

  • Tumblr

The privacy policy for Tumblr (operated by Aut O’Mattic A8C Ireland Ltd., Business Centre, No.1 Lower Mayor Street, International Financial Services Centre, Dublin 1, Ireland) can be found at https://www.tumblr.com/privacy/en_eu.

  • Yahoo

The privacy policy for Yahoo (operated by Oath (EMEA) Ltd., 5–7 Point Square, North Wall Quay, Dublin 1, Ireland) can be found at https://policies.yahoo.com/ie/en/yahoo/privacy/index.htm?redirect=no.

  • Blogger

17 Plug-ins and tools

Booking appointments via Acuity Scheduling

The Acuity Scheduling service is used on this website to simplify the appointment booking process. When this service is used, data is transmitted to Acuity Scheduling in the USA. To comply with the European level of data protection, Acuity Scheduling offers its users the option of entering into an international data transfer agreement created based on EU standard contractual clauses. We have entered into this agreement with Acuity Scheduling to protect your data. Please note that, as the operator of the website, we do not receive any detailed information regarding the content of the data transmitted or how it is used by Acuity Scheduling. The legal basis for this processing, pursuant to Art. 6 (1), sentence 1, (f) of the GDPR, is our legitimate interest in offering you a user-friendly, time-saving and modern way of booking appointments with us. Please also note that you are not obligated to use this service to book your appointments. If you do not wish to use this service, you can also book appointments using the other available contact methods.

You can find more information in Acuity Scheduling’s privacy policy at https://acuityscheduling.com/privacy.php

These functions are offered by Acuity Scheduling Inc., NY, USA.

18 Erasing data

The data that we process is erased in accordance with legal requirements once the consent allowing processing is withdrawn or other permissions cease to apply. If data is not erased because it is needed for other, legally permissible purposes, processing of said data shall be limited to these purposes, i.e. the data shall be blocked and shall not be processed for other purposes. For example, this applies to data that must be retained to comply with provisions set down in commercial and tax law and data that needs to be stored to assert, exercise or defend legal claims or to protect another natural person’s or legal entity’s rights. Further information about the erasure of personal data is provided in the specific data protection provisions of this privacy policy.

19 Modifying and updating the privacy policy

We kindly request that you regularly review the content of our privacy policy. We update the privacy policy whenever doing so becomes necessary due to modifications in our data processing activities. We shall inform you if such modifications mean that you need to take action (e.g. give consent) or if individual notification is otherwise required.

20 Data subjects’ rights

As a data subject according to the GDPR, you have various rights, arising in particular from Arts. 15 to 18 and Art. 21 of the GDPR:

Right to object: You have the right, on grounds relating to your particular situation, to object at any time to processing of your personal data that is based on Art. 6 (1), sentence 1, (e) or (f) of the GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purposes of such marketing, which includes profiling to the extent that it is related to such direct marketing.

Right to withdraw your consent: You have the right to withdraw your consent at any time.

Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, a right of access to this data, and the right to further information and a copy of the data in accordance with the legal requirements.

Right to rectification: According to the legal requirements, you have the right to request that inaccurate or incomplete personal data concerning you be rectified.

Right to erasure and restriction of processing: According to the legal requirements, you have the right to request that data concerning you be erased or, alternatively, to request that the data processing activities be restricted.

Right to data portability: According to the legal requirements, you have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format or to request that the data be transmitted to another controller.

Lodging complaints with the supervisory authority: According to the legal requirements, you also have the right to lodge a complaint with a supervisory authority, particularly in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider the processing of your personal data to be in violation of the GDPR.

Our competent supervisory authority:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstrasse 219
10969 Berlin

Tel.: +49 30 13889 0
Fax: +49 30 2155050
Email: mailnox@datenschutz-berlin.de

 

 
