Privacy policy – boomstok

🎁

Save up to 20% on all Toys with “FLAT26OFF” code

To comply with our obligations under Art. 13 GDPR, you will be informed through this privacy policy about the type and scope as well as the purpose of the processing of personal data (hereinafter referred to as “data”) that arises during the provision of our services and within our online offering. This online offering includes in particular the necessary web pages and associated functions and content as well as external online presences, such as profiles on social networks and media.

With regard to the terminology used, reference is made to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

1 Controller

The controller for data processing within the meaning of Art. 13 para. 1 GDPR is:

Internet Up GmbH
Hermann-Weinhauser-Straße 73
81673 Munich
Germany

Managing Directors: Damian Prus, Alan Szymanek

Email: [email protected]

2 Data subjects

Visitors and users of our online offering are affected by the data processing carried out by us.

3 Types of processed data

In the case of merely accessing our online offering, i.e. without registration or provision of other information, only the data transmitted by the respective user’s browser to our server (so-called “server log files”) will be collected. The following data are affected:

Date and time of access
Amount of data sent in bytes
Source/reference from which you accessed the page
Used IP address

Usage data (e.g. so-called cookies, visited web pages, interest in content, access times)
Meta/communication data (e.g. software information, IP/MAC addresses, operating system used and browser).

If the respective user also completes a registration or provides other information, the following data will also be processed:

Master data (e.g. personal master data, names, addresses)
Contact data (e.g. email addresses, telephone numbers)

Content data (e.g. text entries, photo and video materials)

4 Purpose of Data Processing

The processing of data is carried out:

to provide the online offering, including its functions and contents,

to fulfill and process contractual obligations resulting from an order,
to respond to contact inquiries and communicate with users,
to ensure security measures,
to measure the reach of the website,
for marketing purposes,

to ensure the permanent functionality of our information technology systems and the technology of our website, and
to provide information necessary for criminal prosecution to law enforcement authorities in the event of a cyber attack.

5 Terms Used

“Personal data” means, according to Art. 4 No. 1 GDPR, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

“Processing” means, according to Art. 4 No. 2 GDPR, “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

“Profiling” means, according to Art. 4 No. 4 GDPR, “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

“Pseudonymisation” means, according to Art. 4 No. 5 GDPR, “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

“A filing system” means, according to Art. 4 No. 6 GDPR, “any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.”

“Controller” means, according to Art. 4 No. 7 GDPR, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

“Processor” means, according to Art. 4 No. 8 GDPR, “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

“Recipient” means, according to Art. 4 No. 9 GDPR, “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.”

“Recipient” according to Art. 4 No. 9 GDPR means “a natural or legal person, public authority, agency or other entity to whom personal data are disclosed, whether a third party or not. However, authorities that may receive personal data in the context of a particular investigation mandate under Union law or the law of the Member States shall not be regarded as recipients; the processing of such data by those authorities shall be in compliance with the applicable data protection provisions according to the purposes of the processing.”

The “IP address” is a combination of numbers assigned to a device by an Internet Service Provider to provide access to the internet.

6 Legal basis

In accordance with Art. 13 para. 1 lit. c GDPR, we are obliged to inform you about the legal basis of our data processing.

For users within the scope of the General Data Protection Regulation (GDPR), which applies to the European Union (EU) and the European Economic Area (EEA), the following applies with the proviso that no other legal basis is mentioned in the data protection declaration:

6 para. 1 lit. a and Art. 7 GDPR is the legal basis for processing data based on consent.

6 para. 1 lit. b GDPR is the legal basis for processing data for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract, as well as for responding to inquiries.

6 para. 1 lit. c GDPR is the legal basis for processing data in order to comply with a legal obligation.

6 para. 1 lit. d GDPR is the legal basis for processing personal data in order to protect the vital interests of the data subject or of another natural person.

6 para. 1 lit. e GDPR is the legal basis for processing data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6 para. 1 lit. f GDPR is the legal basis for processing data for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

6 para. 4 GDPR concerns the processing of data for purposes other than those for which the data were initially collected. Such processing is only possible under the conditions specified in this provision.

Art. 9 para. 2 GDPR sets special requirements for the processing of special categories of data (corresponding to Art. 9 para. 1 GDPR).

7 Security measures

To ensure an appropriate level of protection for the risk involved, we take appropriate technical and organizational measures

in accordance with legal requirements, taking into account the state of the art

implementation costs, the nature, scope, circumstances and purposes of processing as well as
the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

These measures include, in particular, ensuring the confidentiality, integrity, and availability of data through

control of physical access to the data
control of access to the data

control of the input, transmission, availability and separation of the data.

In addition, we have established procedures to ensure the exercise of data subject rights, data deletion, and response to data breaches.

8 Cooperation with processors, joint controllers and third parties

For certain services, it is necessary in the course of our data processing to disclose data to other persons (usually companies), i.e. to transmit data to them or otherwise grant them access to data. These companies are processors or joint controllers on the one hand, and third parties such as payment service providers on the other. Such disclosure is only based on a legal permission or obligation, consent by the user, or on the basis of our legitimate interests, which are present, for example, when using agents or web hosts for administrative purposes.

In the event that we make data accessible to other companies within our corporate group (through disclosure, transmission or granting of access in any other form), this is done in particular for administrative purposes. This represents a legitimate interest within the meaning of Art. 6 para. 1 lit. GDPR. In addition, access may also be based on a legal obligation.

9 Transfers of Data to Third Countries

Disclosure, transfer, or other accessibility of data to a person (including a company) in a third country (i.e., outside of the EU, EEA, or the Swiss Confederation) takes place if the legal requirements are met. This is particularly the case for processing necessary to fulfill our contractual or pre-contractual obligations. Otherwise, processing must be based on your consent, a legal obligation, or our legitimate interests. Additionally, we are obligated to ensure the necessary minimum standards in this situation. We only process or allow data to be processed in third countries with an acknowledged level of data protection and contractual obligation through so-called standard data protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

10 Rights of the Data Subject

You have the right to obtain information, upon request, whether data concerning you are being processed. Moreover, you have a right, according to legal requirements, to further information and disclosure of the data in the form of a copy.

You have the right to have incomplete data concerning you completed and incorrect data concerning you rectified.

You have the right, according to legal requirements, to have data concerning you deleted immediately. Alternatively, you have the right to restrict processing of the data within the framework of legal requirements (see also right to object).

You have the right, according to legal requirements, to receive data concerning you that you have provided to us and to demand their transmission to other responsible parties.

You have the right to lodge a complaint with the competent supervisory authority.

11 Right of Withdrawal

You can withdraw your given consent at any time with future effect.

12 Right to Object

_______________________

You have the right to object, according to legal requirements, to the future processing of data concerning you. The objection may also be directed in particular against processing for the purposes of direct marketing.
________________________

13 Cookies

Our website uses cookies. Cookies are pieces of information that are transmitted by our web server or third-party web servers to your browser and stored there for later retrieval. Cookies can be small files or other types of information storage. Information is stored in cookies that are specific to the device being used. Cookies contain a characteristic string of characters that enable a unique identification of the browser when the website is accessed again. A cookie also contains information about its origin and storage period. This does not mean, however, that we directly obtain knowledge of your identity.

We use cookies to make our website more user-friendly and secure.

There are different types of cookies. Please note that not all of the cookies listed here may be used when you visit our website. If third-party companies use cookies for analysis purposes, we will inform you separately in this privacy policy and may request your consent.

Necessary cookies

These are cookies that are necessary to navigate our websites and operate the basic functions of the website, such as assigning anonymous session IDs to bundle multiple related queries to a server.

Performance cookies

Performance cookies are used to improve the user-friendliness of a website and thus the user experience. Performance cookies collect information about the usage of our websites, such as the internet browser and operating system used; domain name of the website from which you came, number of visits, average length of stay, and pages accessed. These cookies do not store any information that allows personal identification of the user. The information collected with the help of cookies is aggregated and therefore anonymous.

Analysis cookies

We use analysis cookies to improve the user-friendliness of our website. With analysis cookies, we can determine how our website is used and, for example, how it is accessed based on preferences and search terms.

Advertising cookies

We use advertising cookies to offer you more targeted relevant content. They are also used to measure and control the effectiveness of advertising campaigns. Marketing cookies record whether a website is visited and which content is used. This information may be shared with third parties, such as advertisers, and is often linked to third-party site functionality (third-party cookies).

Social media cookies

Social media cookies are set by social networks. For example, you can register on our site using the login details of a social network.

How can I delete cookies or disable tracking?

You can either delete individual cookies or remove the entire cookie inventory via your browser settings. Under “Help” or “Settings,” you should find information about managing your cookies in your browser.

You can also receive information and instructions on how to delete these cookies or block their storage in advance, depending on your browser provider, at the following links:

Mozilla Firefox: https://support.mozilla.org/en-US/kb/delete-cookies-remove-info-websites-stored
Internet Explorer: https://support.microsoft.com/en-us/topic/delete-and-manage-cookies-168dab11-0753-043d-7c16-ede5947fc64d
Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
Opera: http://www.opera.com/help

Safari: https://support.apple.com/en-us/HT201265

You can also manage the cookies of many companies and functions individually used for advertising. To do this, use the corresponding user tools created as part of self-regulatory programs in many countries, such as the US website http://optout.aboutads.info/ or the EU site Your Online Choices http://www.youronlinechoices.com.

Most browsers also offer a “Do Not Track” feature that allows you to indicate that you do not want to be “tracked” by websites. When this feature is activated, the respective browser informs advertising networks, websites, and applications that you do not want to be tracked for the purpose of behavioral advertising and similar purposes. Depending on your browser provider, you can find information and instructions on how to activate this feature at the following links:

Mozilla Firefox: https://www.mozilla.org/en-US/firefox/dnt
Internet Explorer: https://support.microsoft.com/en-us/help/17288/windows-internet-explorer-11-use-do-not-track

14 Deletion of Data

In accordance with legal requirements, we delete or restrict the processing of data we have collected.

We delete the data stored by us as soon as the purpose for which they were stored has ceased to apply, there are no legal storage obligations, and no deviating provisions have been made in this privacy policy.

If the data cannot be deleted due to the necessity for other legally permissible purposes (e.g., retention for commercial or tax law reasons), their processing is restricted. In this case, the data are processed solely for this purpose and are otherwise blocked.

15 Changes to the Privacy Policy

Legal changes or changes in our data processing may require an adaptation of this privacy policy. For this reason, we ask you to regularly inform yourself about the content of our privacy policy. If a change requires an action on your part (e.g., consent) or other individual notification, we will inform you in an appropriate manner.

16 Processing for Business Purposes

In addition, we process contract data (e.g., subject matter of the contract, term, date of conclusion) as well as payment data (e.g., bank account number) from our customers, prospective customers, and business partners in order to provide contractual services as well as other services. These include in particular service-related services, customer care, marketing, advertising, and market research.

17 Online Shop and Customer Account

In the context of the ordering process on our platform, we process user data to enable them to select, store, and order products and services, as well as payment and delivery or execution. This includes inventory data, communication data, contract data, and payment data. The affected persons are our customers, interested parties, and other business partners.

The purpose of the processing is to provide contractual services within the scope of operating an online shop, invoicing, delivery, and customer services. We use session cookies to store the contents of the shopping cart and the items viewed. In addition, we use permanent cookies to store the login status.

The data processing is carried out on the one hand to fulfill our services and perform contractual measures (e.g. enabling the execution of ordering processes between users), and on the other hand to comply with legal requirements (e.g. legally required archiving of business transactions for commercial and tax purposes).

The information marked as required is necessary to establish and fulfill the contract.

Data will only be disclosed to third parties within the scope of delivery and payment, within the framework of legal authorizations and obligations, and on the basis of our legitimate interests, which we expressly inform about in this privacy policy. Examples include disclosures to legal and tax consultants, financial institutions, shipping companies, and authorities.

Our users have the option to create a user account. This enables them in particular to view their orders and access other services such as canceling an order or preparing a return. Users are informed about the mandatory information required for registration.

The accounts created by us are of a non-public nature and cannot be indexed by search engines. In the event of termination of such an account by the user, the data relating to the user account will be deleted, unless its storage is necessary for commercial or tax reasons.

All information collected in the context of the customer account will remain in place until it is deleted, with subsequent archiving in the event of a legal obligation or our legitimate interests. An example of this is in the event of legal disputes.

It is the responsibility of the user to secure the data before the end of the contract in the event of termination.

We store the IP address used by you during registration, subsequent logins, and when using our online services, as well as the time of each user action. This storage is based on our legitimate interests, as it protects users from abuse and other unauthorized use. These data will not generally be disclosed to third parties. This does not apply if they are necessary to pursue our legal claims as a legitimate interest or if there is a legal obligation to do so.

After the expiration of the statutory warranty rights or other contractual rights or obligations, such as payment claims or contractual obligations from contracts, the data collected and stored by us will be deleted. The necessity of data retention is reviewed every three years. If retention is required due to legal archiving obligations, the data will be destroyed after the obligation has expired.

We use the following online store provider:

WordPress Foundation, 660 1st Avenue, San Francisco, CA 94118, USA, website: https://wordpress.org; Privacy Policy: https://wordpress.org/about/privacy/.

18 Administration, Financial Accounting, Office Organization, Contact Management

We process data in the course of performing administrative tasks, organizing our operations, financial accounting, and complying with legal obligations such as archiving. The data processed are the same data we use to provide our contractual services. This processing is carried out in accordance with Art. 6 para. 1 lit. c. GDPR, Art. 6 para. 1 lit. f. GDPR.

Customers, prospects, business partners, and website visitors are affected by the processing. The purpose and our interest in processing lie in the administration, financial accounting, office organization, and archiving of data, which serve to maintain our business activities, perform our duties, and provide our services. Deletion of data concerning contractual services and contractual communication corresponds to the information provided for these processing activities.

We disclose or transmit data to the tax authorities, consultants such as tax advisors or auditors, as well as other fee offices and payment service providers.

Furthermore, based on our business interests, we store information about suppliers, event organizers, and other business partners, for example, for later contact. We generally store this mostly company-related data permanently.

19 Business Analysis and Market Research

We analyze the data available to us, especially those concerning business transactions, contracts, and inquiries, to operate our business economically. In doing so, we also try to identify market trends and the wishes of our contractual partners and users (marketing, market research). For these purposes, we process inventory data, communication data, contract data, payment data, usage data, and metadata based on Art. 6 para. 1 lit. f. GDPR. In the course of processing, we may, for example, compare the information of registered users within their profiles with the services they have used.

The analyses are designed to increase user-friendliness and cost-effectiveness and to optimize our offering. The analyses are carried out solely for our own purposes and are not disclosed externally unless they are anonymous analyses with summarized values.

The persons affected by these measures include our contractual partners, prospects, customers, visitors, and users of our online offerings.

If such analyses or profiles are personal in nature, they will be deleted or anonymized upon termination of the user’s contract. Otherwise, this will be done two years after the conclusion of the contract. Furthermore, the overall business analyses and general trend determinations are made as anonymous as possible.

20 Participation in Affiliate Partner Programs:

As part of our online offer, we use industry-standard tracking measures for the operation of the affiliate system, to the extent necessary.

The legal basis for this is the protection of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR, particularly in the interest of analyzing, optimizing, and economically operating our online offer.

The services we offer are also advertised and linked on other websites. There are affiliate systems that are based on the operator of the respective website receiving a commission once a user clicks on an affiliate link and subsequently makes use of the respective offer. In addition, there are “after-buy systems” where third-party links or services are offered after a contract has been concluded.

To check whether users who express an interest in our offer by clicking on such an affiliate link or who have shown interest in our online presence for an offer also actually make use of it, it is necessary for our online offer to track the surfing behavior of our users. This can be achieved by supplementing the affiliate links and our offers with certain values. This can be done by adding a component to the link that contains such tracking information or in other ways, such as by setting a cookie.

The tracking information includes in particular:

The referring website (referrer)
Time

An online ID of the website operators on which the affiliate link was located
An online ID of the respective offer
An online ID of the user, and
Tracking-specific values (e.g. advertising material ID, partner ID, and categorizations).

The online ID of the users used here contains only pseudonymous values. This means that the online IDs themselves do not contain personal data such as names or email addresses.

The ID is only used to determine whether the same user who clicked on an affiliate link or showed interest in an offer within our online presence actually took advantage of the offer, usually by concluding a contract with the provider. However, in general, both we and the partner company have the online ID together with other user data, so that the ID is to be considered personal data in this respect. This is necessary because only through this process can the partner company inform us whether the user has taken advantage of the offer and we have to pay the agreed commission.

21 Registration Function

Users have the option to create a user account. When registering, the necessary mandatory information is disclosed to users. Processing of this data is based on Art. 6 (1) lit. b GDPR for the purpose of providing the user account. In particular, login information (name, password, and email address) is collected and processed. All data entered during registration will be used for the purpose of using the user account and related purposes.

Our users can receive information relevant to their user account via email. This may include technical changes.

In the event of termination of a user account by the user, their data regarding the user account, subject to a legal retention obligation, will be deleted. Users are responsible for securing their data prior to the end of the contract in case of termination. We reserve the right to permanently delete all user data stored during the contract period.

In addition, we store the IP address and time of the respective user action as part of the registration and login function. This is based on both our legitimate interests and those of the users, as this is intended to protect against misuse and unauthorized use. This data is generally not disclosed to third parties, unless it is necessary to pursue our claims or there is a legal obligation pursuant to Art. 6 (1) lit. c. GDPR. IP addresses are anonymized or deleted no later than 7 days.

We use the following online store provider:

WordPress Foundation, 660 1st Avenue, San Francisco, CA 94118, USA, website: https://wordpress.org; Privacy Policy: https://wordpress.org/about/privacy/.

22 Contact

As part of contacting us, which is possible via contact form, email, telephone, fax, or social media, the user’s information will be processed for the purpose of processing and handling the contact request. The legal basis for contractual/pre-contractual relationships is Art. 6 (1) lit. b. GDPR. In other cases, Art. 6 (1) lit. f. GDPR is applicable. The user’s information is generally stored in a customer relationship management system (“CRM system”) or a comparable request organization.

We delete the collected data regarding the request if it is no longer necessary. The necessity is reviewed every two years. Otherwise, the legal archiving obligations apply.

23 Newsletter

The following information pertains to the contents of our newsletter, the registration, distribution and statistical evaluation processes, as well as your right to object.

By subscribing to our newsletter, you simultaneously agree to receiving it and to the procedures explained herein.

Content of the Newsletter:

We send newsletters in the form of emails and other electronic notifications with promotional information only with the prior consent of the recipient or a legal authorization.

If the contents of the newsletter are specifically described as part of the registration process, they are binding for user consent. Otherwise, our newsletters contain information about our services and ourselves.

Double Opt-In and Logging:

Registration for our newsletter takes place using a double opt-in process.

This means that a message is sent to the email address provided by you, requesting confirmation of your registration by clicking on a specific link. This confirmation is necessary so that users can only register with email addresses to which they themselves have access and cannot misuse other email addresses.

In order to be able to prove the registration process in accordance with legal requirements, every registration for the newsletter is logged. This includes the time of registration and confirmation as well as the user’s IP address.

In addition, changes to your data that are stored with the distribution service provider will be recorded.

Registration data:

For registration for our newsletter, your email address is sufficient. In order to address you personally in the newsletter, we ask you to provide a name in addition.

Legal Basis:

The legal admissibility of the dispatch of newsletters results from the above-mentioned consent of the respective recipient in accordance with Art. 6 para. 1 lit. a, Art. 7 GDPR in conjunction with § 7 para. 2 no. 3 UWG or, if consent is not required, based on our legitimate interests in direct marketing pursuant to Art. 6 para. 1 lit. f. GDPR in conjunction with § 7 para. 3 UWG.

The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR.

These interests consist of establishing and maintaining a user-friendly and secure newsletter system for business purposes, which also enables us to provide evidence of consents.

Termination/Revocation:

You have the right to terminate our newsletter service at any time. This also revokes your consents. A link to unsubscribe from our newsletter can be found at the end of each newsletter. In order to be able to prove a consent that has been given but later revoked, we are entitled to store the deleted email addresses for up to three years based on our legitimate interests. The processing of this data is exclusively for the purpose of defending against claims. If you confirm the former existence of consent to us, you have the opportunity to request individual deletion at any time.

We use the following provider:

Mailchimp: Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; Website: https://mailchimp.com/; Privacy Policy: https://mailchimp.com/legal/privacy/

24 Hosting and Email Delivery

For the operation of our online service, we rely on external hosting services. This includes:

Infrastructure and platform services
Computing capacity, storage space, and database services

Email delivery services, and
Security and technical maintenance services.

In the context of our legitimate interests in an efficient and secure provision of this online service pursuant to Art. 6 para. 1 lit. f DSGVO in conjunction with Art. 28 DSGVO (conclusion of an order processing contract), the following data is processed by us or our hosting provider:

Inventory and contact data,
Content data and contract data, and

Usage, meta, and communication data.

This data processing concerns both our customers and interested parties and visitors to our online service.

We use the following online store provider:

WordPress Foundation, 660 1st Avenue, San Francisco, CA 94118, USA, website: https://wordpress.org; Privacy Policy: https://wordpress.org/about/privacy/.

25 Use of External Payment Service Providers

As part of our services and products, we offer effective and secure payment options through third-party providers.

If you choose a specific service provider as a payment option during the ordering process, your data will be automatically transmitted to the respective payment service provider. By selecting one of these payment options, you consent to the transmission of personal data required for billing or installment payment or for identity and creditworthiness checks.

The transmitted personal data usually includes first name, last name, address, date of birth, gender, email address, IP address, telephone number, mobile phone number, and other data that is necessary for processing an invoice or installment purchase. Personal data that is related to the respective order is also necessary to process the corresponding contract.

The purpose of data transmission is particularly identity verification, payment administration, and fraud prevention.

The terms and conditions and privacy policies of the respective payment service providers apply to payment transactions, which can be accessed within the respective websites or transaction applications. We also refer to the terms and conditions of the individual payment providers if you want to assert your affected rights. If you have any problems, please feel free to contact us first.

We use the following external payment providers:

Stripe: Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA; Website: https://stripe.com/de; Privacy Policy: https://stripe.com/de/privacy

PayPal: PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg; Website: https://www.paypal.com/de/; Privacy Policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Amazon Payments: Amazon Payments Europe s.c.a., 5 Rue Plaetis, 2338 Luxembourg, Luxembourg; Website: https://stripe.com/de; Privacy Policy: https://stripe.com/de/privacy

Sofort: Sofort GmbH, Theresienhöhe 12, 80339 Munich, Germany; Website: https://www.sofort.de/; Privacy Policy: https://www.sofort.de/datenschutz.html

Google Pay: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Website: https://pay.google.com/; Privacy Policy: https://policies.google.com/privacy?hl=en&gl=en

Apple Pay: Apple Inc. One Apple Park Way, Cupertino, 95014 California, USA; Website: https://www.apple.com/de/apple-pay/; Privacy Policy: https://www.apple.com/legal/privacy/

26 Collection of access data and log files

Based on our legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR, we or our hosting provider collect data on every access to the server on which this service is located (so-called server log files). This data includes:

Name of the accessed website and, if applicable, specific files
Date and time of access
Amount of data transmitted
Notification of successful access
Browser type and version, operating system of the user

Referrer URL (the previously visited page)
IP address and
The requesting provider.

Log file information is stored for up to seven days for security reasons and then deleted. This serves in particular to investigate abusive or fraudulent activities. If data is suitable as evidence for the clarification of a matter, it will be excluded from deletion until the matter has been finally clarified.

27 Google Tag Manager

The Google Tag Manager is used to manage so-called website tags via a single interface, through which Google Analytics and other Google marketing services can be integrated into our online offering. The Tag Manager only implements the respective tags, i.e. it does not process any personal data of the users. With regard to the processing of such data, reference is made to the following usage guidelines for Google services: https://www.google.com/intl/de/tagmanager/use-policy.html.

28 Google Analytics

Based on our legitimate interests in analyzing, optimizing and economically operating our online offering within the meaning of Art. 6 para. 1 lit. f. GDPR, we use the web analysis service Google Analytics, which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google uses cookies that contain information about the use of the online offering by users and are usually transmitted to a Google server in the USA and stored there. There is no adequacy decision of the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission.

The information is processed because of our interest in evaluating the use of our online offering and in recording the activities within this offering. In addition, other services related to the use of this online offering and internet use are provided. This enables Google to create pseudonymous usage profiles of the users from the processed data.

We only use Google Analytics with IP anonymization enabled. This means that the IP address of users is shortened by Google within member states of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other Google data.

If users do not agree to such data processing, they have the option to deactivate the setting of any cookies via their browser settings.

In addition, users can prevent the collection of data generated by the cookie and related to their use of the online offering by Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

Further information on data use by Google, setting and objection options, can be found in Google’s privacy policy (https://policies.google.com/privacy) and in the settings for displaying advertisements by Google (https://adssettings.google.com/authenticated).

The personal data of users will be deleted or anonymized after 14 months.

29 Google AdSense with personalized ads:

Based on our legitimate interests in the analysis, optimization, and economic operation of our online offering pursuant to Art. 6 (1) lit. f. GDPR, we use the AdSense service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, where personal data is processed. These data are usually transferred to a Google server in the USA and stored there. The European Commission has not made an adequacy decision with respect to the USA. Our cooperation is based on the standard data protection clauses of the European Commission.

The AdSense service enables us to integrate advertisements or other offers into our online presence for which we receive remuneration. For this purpose, user data, such as clicks on an advertisement and the users’ IP address, is processed, with the IP address being truncated by the last two digits. Therefore, the processing of user data is pseudonymized.

We use AdSense with personalized ads. Google uses the websites or apps visited by users and the user profiles created based on them to draw conclusions about their interests. Advertisers use this information to target their campaigns to these interests, which is advantageous for both users and advertisers. Ads are considered personalized by Google when captured or known data determines or influences ad selection. This includes, among other things, previous search queries, activities, website visits, app usage, demographic and location information. Specifically, this includes demographic targeting, interest category targeting, remarketing, and targeting of lists for customer match and audience lists uploaded to DoubleClick Bid Manager or Campaign Manager.

Further information on data usage by Google, settings, and objection options are provided in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for displaying ads by Google (https://adssettings.google.com/authenticated).

30 Google AdSense with non-personalized ads

We use AdSense with non-personalized ads. The ads are not displayed based on user profiles. Non-personalized ads are not based on previous user behavior. Targeting is based on contextual information, including rough (e.g., on a local level) geographic targeting based on current location, content on the current website or app, and current search terms. Google prohibits any personalized targeting, including demographic targeting and targeting based on user lists.

31 Google AdWords and Conversion Measurement

Based on our legitimate interests in analyzing, optimizing, and economically operating our online offering in accordance with Art. 6 para. 1 lit. f. GDPR, we use the online marketing method Google “AdWords” of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which processes personal data. These are usually transferred to a server of Google in the USA and stored there. There is no adequacy decision of the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission.

Using Google “AdWords”, we can place advertisements in the Google advertising network (e.g. in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the advertisements. This allows us to display advertisements for and within our online offering in a more targeted manner, only presenting users with advertisements that potentially correspond to their interests. For example, if a user is shown ads for products that he or she has shown interest in on other online offerings, this is referred to as “remarketing”. For these purposes, when our website and other websites where the Google advertising network is active are called up, a code from Google is executed immediately by Google and so-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user’s device (comparable technologies may also be used instead of cookies). This file records which websites the user has visited, which content he or she is interested in, and which offers the user has clicked on, as well as technical information about the browser and operating system, referring websites, time of visit, and further information about the use of the online offering.

Furthermore, we receive an individual “conversion cookie”. The information obtained with the help of the cookie is used by Google to create conversion statistics for us. However, we only learn the anonymous total number of users who clicked on our advertisement and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information that would allow users to be personally identified.

The user data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the name or email address of users, for example, but processes the relevant data related to cookies within pseudonymous user profiles. From Google’s perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who that cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google’s servers in the USA.

Further information on data use by Google, as well as options for settings and objections, can be found in Google’s privacy policy (https://policies.google.com/technologies/ads) and in the settings for displaying advertising by Google (https://adssettings.google.com/authenticated).

32 Google Doubleclick

Based on our legitimate interests in analyzing, optimizing, and economically operating our online offering under Art. 6 para. 1 lit. f. GDPR, we use the online marketing process Google “Doubleclick” by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which processes personal data. This data is usually transmitted to and stored on a Google server in the USA. There is currently no adequacy decision by the European Commission for the USA. Our cooperation is based on the standard data protection clauses of the European Commission.

With the help of Google “Doubleclick,” we can place ads in the Google advertising network (e.g., in search results, videos, on websites, etc.). Doubleclick is characterized by displaying ads in real-time based on presumed user interests. This allows us to display ads more targeted to users’ interests within and for our online offering. For example, if a user is shown ads for products they have shown interest in on other online offerings, this is referred to as “remarketing.” For this purpose, Google executes a code on our and other websites where the Google advertising network is active, and so-called (re)marketing tags (invisible graphics or code, also known as “web beacons”) are integrated into the website. These tags enable an individual cookie, i.e., a small file, to be stored on the user’s device (comparable technologies can also be used instead of cookies). This file records which websites the user has visited, what content they are interested in, which offers the user has clicked on, technical information about the browser and operating system, referring websites, visiting time, and further information about the use of the online offering.

The user’s IP address is also recorded, although this is shortened within the member states of the European Union or other contracting states of the Agreement on the European Economic Area and only transmitted to and shortened by a Google server in the USA in exceptional cases. Google may also combine this information with information from other sources. If the user subsequently visits other websites, ads tailored to their presumed interests may be displayed based on their user profile.

The user’s data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the user’s name or email address, but rather processes the relevant data based on cookies within pseudonymous user profiles. From Google’s perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. However, this does not apply if a user has expressly allowed Google to process the data without pseudonymization. The information collected by Google marketing services about the user is transmitted to Google and stored on Google servers in the USA.

Further information on data usage by Google, as well as options for settings and objection, can be found in Google’s Privacy Policy (https://policies.google.com/technologies/ads) and in the settings for displaying ads by Google (https://adssettings.google.com/authenticated).

33 Facebook Pixel, Custom Audiences, and Facebook Conversion

In order to pursue our legitimate interests in analyzing, optimizing, and economically operating our online services, we use the so-called “Facebook Pixel,” which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland, and processes personal data. This data is usually transmitted to and stored on a server of Google in the United States. There is no adequacy decision of the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission. For users residing outside the EU, Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA is responsible.

The use of a Facebook Pixel enables Facebook to select visitors to our online services as a target group for displaying advertisements (so-called “Facebook Ads”).

We then use this Facebook Pixel to display our Facebook Ads to Facebook users who have also shown an interest in our online services. In addition, we also want to target certain groups of people who have characteristics such as interests in certain topics or products, which are determined through the visited websites. Such characteristics are transmitted to Facebook by us (so-called “Custom Audiences”).

The use of the Facebook Pixel also helps us determine how well our Facebook Ads are received by potential customers. It is very important to us that our Ads do not appear intrusive. With the help of the Facebook Pixel, we can precisely evaluate the effectiveness of Facebook advertisements for statistical and market research purposes. We check whether the respective user was redirected to our website after clicking on a Facebook Ad (so-called “Conversion”).

Facebook processes the data in accordance with Facebook’s data usage policy: https://www.facebook.com/policy.

Special information and details on the Facebook Pixel and its functionality can be found in the help section of Facebook: https://www.facebook.com/business/help/651294705016616.

Each user can object to the collection of data by the Facebook Pixel and the use of data for displaying Facebook Ads.

In addition, it is possible to precisely configure which types of advertisements should be displayed within Facebook. This is done via the page set up by Facebook, following the instructions for settings on usage-based advertising: https://www.facebook.com/settings?tab=ads.

The settings are platform-independent. Therefore, they are applied to all devices used. Furthermore, the use of cookies for measuring reach and advertising purposes can also be objected to.

This can be done via the deactivation page of the Network Advertising Initiative (http://optout.networkadvertising.org/) or via the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).

34 Online presence in social media

We operate online presences within the framework of social networks and platforms in order to communicate with their users and inform them about our offer.

In doing so, user data may be processed outside the European Union.

This can entail risks for the respective users. For example, enforcing the rights of users may be more difficult. There is no adequacy decision by the European Commission for the USA. Our cooperation is based on standard data protection clauses of the European Commission.

In addition, user data is generally also processed for market research and advertising purposes. For example, usage behavior and resulting interests of users are used to create usage profiles. These can then be used for personalized advertising within and outside the platforms, which correspond to the users’ presumed interests.

The technical implementation is usually done by the use of cookies that are stored on the users’ computers. These contain the users’ surfing behavior, from which their interests can be inferred. It should be noted that data from other devices used by the user may also be stored in the usage profiles. This is particularly the case when users are logged in as members of the respective platforms.

The processing of users’ personal data is carried out within the framework of our legitimate interests in effectively informing and communicating with users in accordance with Art. 6 para. 1 lit. f GDPR. In the event of the platforms’ request for users to consent to the above-described data processing, Art. 6 para. 1 lit. a, Art. 7 GDPR is the legal basis for the processing.

For a detailed description of the respective processing and the possibility of objection (opt-out), we refer to the linked information of the providers below.

Requests for information and the exercise of user rights can be most effectively made to the providers themselves, as they have access to the users’ data and can directly take appropriate measures and provide information. If you still need help, we will be happy to assist you.

Facebook, pages, groups (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) on the basis of an agreement on joint processing of personal data – privacy policy: https://www.facebook.com/about/privacy/, specifically for pages: https://www.facebook.com/legal/terms/information_about_page_insights_data, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.
Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – privacy policy: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated.
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – privacy policy/opt-out: http://instagram.com/about/legal/privacy/.
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) – privacy policy: https://twitter.com/de/privacy, opt-out: https://twitter.com/personalization.

Pinterest (Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA) – privacy policy/opt-out: https://about.pinterest.com/de/privacy-policy.
LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – privacy policy https://www.linkedin.com/legal/privacy-policy, opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) – privacy policy/opt-out: https://privacy.xing.com/de/datenschutzerklaerung.

We value your privacy and the information you consent to share in relation to our SMS marketing service. We use this information to send you text notifications (for your order, including abandoned checkout reminders), text marketing offers, and transactional texts, including requests for reviews from us.Opt-in data and consent for text messaging will not be shared with any third parties except for messaging partners,for the purpose of enabling and operating our text messaging program.

Opt-in data and consent for text messaging will not be shared with any third-parties except for messaging partners, for the purpose of enabling and operating our text messaging program.

Our website uses cookies to keep track of items you put into your shopping cart, including when you have abandoned your checkout. This information is used to determine when to send cart reminder messages via SMS.