General information about data processing
1. Extent of processing personal data
We will generally collect and use personal data of our users only if and to the extent necessary to make available a functional website and/or to provide our content and services. Personal data of our users generally will be collected and/or used only with the prior consent of the user. An exception applies in cases where obtaining prior consent is practically impossible and where data processing is permitted by applicable law. The types of data we process are as follows:
- contact data (e.g., email addresses, telephone numbers)
- user data (e.g., visited websites, interest in content, access times)
- meta/communication data (e.g., device information, IP addresses).
2. Legal basis for processing personal data
If we obtain the consent of a data subject for processing personal data, the legal basis for processing such personal data is Art. 6 para. 1 let. a) EU General Data Protection Regulation (hereinafter "GDPR"). If we process personal data that are necessary to perform a contract to which the data subject is a party, the legal basis for processing such personal data is Art. 6 para. 1 b) GDPR. The same applies if processing personal data is necessary to perform pre-contractual measures. If processing personal data is necessary to perform a legal obligation of our company, the legal basis for such data processing is Art. 6 para. 1 c) GDPR. If processing personal data is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh that legitimate interest, the legal basis for such data processing is Art. 6 para. 1 let. f) GDPR.
3. Erasure of data and duration of data storage
Personal data of a data subject will be erased or blocked as soon as they are no longer needed for the purposes for which they are stored. Data may also be blocked if provided for by EU or national regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased if recordkeeping obligations under the aforementioned norms expire, unless continued storage of such data is necessary to enter into or perform a contract.
III. Making available the Website and creating log files
Description and extent of data processing
When our Website is accessed, our system will automatically collect data and information from the computer system of the terminal device accessing the Website.
In this connection the following data will be collected for a limited time period:
(1) visited website
(2) quantity of data transmitted
(3) information about the type and version of the browser used,
(4) the operating system of the user,
(5) the IP address of the user,
(6) the date and time of access, and
(7) the websites from which the system of the user arrived on our Website
Such data will be stored in log files of our system. Such data are needed only to analyze any malfunctions and will be erased at the latest within thirty days. The legal basis for temporarily storing data in log files is Art. 6 para. 1 let. f) GDPR. Temporary storage of the IP address for the system is necessary for making the Website available to the terminal device of the user. For this purpose the IP address of the user must be stored for the duration of the session. Data are stored in log files to ensure the functionality of our Website. In addition, such data are used to optimize the Website and to ensure the security of our IT systems. Data will not be analyzed for marketing purposes in this connection, and we will draw no inferences as to your identity. The aforementioned purposes also provide the basis of our legitimate interest in data processing within the meaning of Art. 6 para. 1 let. f) GDPR. Collecting data to make available the Website and storing data in log files is necessary for operating the Website. Consequently, users have no right to object to the collection or use of such data for the aforementioned purposes.
IV. User Account – fulfillment of orders – additional services
If you set up an account with us, we will process the following information from you:
- e-mail address
- phone numbers
If you place an order from your account, perform a payment or receive customer services we will process the following information from you:
- e-mail address
- phone numbers
- other details like product, size, price
- payment informations comprising credit/debit card’s number, holder’s name and CVV
Your data are processed for the purpose of processing the service-contract in accordance with Art. 6 para. 1 lit. b GDPR. Customer data may be stored in a customer relationship management system ("CRM system") or a comparable customer data system.
We will also process the following information from you for the purpose of quality monitoring of our services; administer, maintain and optimise our platform and our services; performing fraud and credit checks; carry on research, analysis, enquiries and surveys on your use of our website; advertising and retarget advertising of our and our Vendors’ products and services and for the purpose of producing aggregated statistic reports:
- e-mail address
- contact history
- order history (anonymized)
- device information
- cookie identifiers
Your data are processed for the purpose of processing the service-contract in accordance with Art. 6 para. 1 lit. f GDPR.
With your consent we will also process the following information from you for the purpose of managing our loyalty/reward programmes; providing you with personalised recommendations and enhancing your experience:
- e-mail address
- phone number
- date of birth
- purchase history
- browsing history and behavior
- device information
- shopping preferences
- cookie identifiers
- internal identifiers
- spent tier level and wealth;
Your data are processed on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR.
V. Online presence in social media
We maintain an online presence on social networks and platforms to communicate with clients, interested parties, and users who are active on those networks, and to be able to inform clients, interested parties, and users of our services.
Our Website, therefore, links to the website of Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, U.S.A., or, if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, ("Facebook"). Otherwise, no data are exchanged with Facebook on our Website.
Our Website and App also connect to the website of Instagram Inc., 181 South Park Street Suite 2 San Francisco, CA 94107 United States.
Our Website and App also links to the website of Twitter, operated by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, U.S.A. or, if you reside in the EU, Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland.
We also link to the website of LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter "LinkedIn").
You can find a list of the cookies we use with a description [HERE ].
VII. Analytics, Processing and Marketing Services
1. Google Analytics/Google TagManager/Google Adwords
On the basis of your consent (Art. 6 para. 1 let. a GDPR) we use web-analysis services from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, (“Google”).
Google is certified under the Privacy-Shield framework and hereby provides a guarantee to conform with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information as a commissioner to analyze the usage of our online-services, to issue a report about the activities within our online-services and to perform other services for us which are connected with the usage of our online-services and the internet. The processed data can be used to create pseudonymized user profiles.
We only use Google Analytics with activated IP-anonymization. That means, the user’s IP-address will be shortened by Google in the area of EU-member states or other contracting states of the Agreement on the European Economic Area. Only in exceptional cases the full IP-address will be transmitted to a Google server in the U.S.A. and shortened there.
We use “Google Tag Manager” to implement and manage Google analysis and marketing services.
The IP-address collected from the user will not be linked with other data from Google. Users can prevent the collection of information by cookies via his browser settings; further, users can prevent the collection of the data collected by the cookie with regards to their usage of the online-services and Google’s processing of this data by installing a browser-plugin which is available here: http://tools.google.com/dlpage/gaoptout?hl=de.
We use “Google Adwords” is a system that use to bid on certain keywords and for retargeting order for their clickable ads to appear in Google's search results.
Further information about Google’s usage of data, settings and the right to object can be found on Google’s websites:
https://www.google.com/intl/de/policies/privacy/partners (“how google uses information from sites or apps that use our services”),
http://www.google.com/policies/technologies/ads (“Data usage for advertising purposes”),
https://developers.google.com/analytics/devguides/collection/analyticsjs/enhanced-ecommerce (“enhanced ecommerce data for analytics purposes”)
On our website we offer payment via Stripe. This payment service is provided by Stripe Payments Europe, Ltd, a private limited company organized under the laws of Ireland with company number 513174 and offices at The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland (hereinafter "Stripe"). The transfer of your data to Stripe is based on Art. 6 para. 1 lit. b DSGVO (processing to fulfil a contract).
Google Firebase is a Google-backed application development software that enables developers to develop iOS, Android and Web apps. Firebase will be used for tracking analytics, reporting and fixing app crashes, creating marketing and product experiment. Third parties will have controlled access to this data only for analytical purposes.When customers use Firebase, Google is generally a data processor and processes personal data on their behalf.
The Firebase services that are used successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process:
Cloud Firestore, Cloud Functions for Firebase, Cloud Storage for Firebase, Firebase A/B Testing, Firebase Authentication, Firebase Cloud Messaging, Firebase Crash Reporting, Firebase Crashlytics, Firebase Dynamic Links, Firebase Hosting, Firebase In-App Messaging, Firebase Invites, Firebase Performance Monitoring, Firebase Platform, Firebase Predictions, Firebase Realtime Database, Firebase Remote Config, Firebase Test Lab, Google Analytics for Firebase, ML Kit for Firebase.
SendPulse is a newsletter service provider operated by SendPulse Inc., 19 Hill St Bernardsville NJ 07924 USA. The processing of personal data by SendPulse is covered by and is GRPR compliant. The use of SendPulse simplifies the processing of newsletters considerable and therefore represents a legitimate interest.
5. Hotjar Ltd
This website uses Hotjar, an analysis software of Hotjar Ltd. ("Hotjar") (http://www.hotjar.com, 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe). With Hotjar it is possible to measure and evaluate the usage behaviour on our website in the form of clicks, mouse movements, scroll heights, etc. The information generated by the tracking code and cookie is transmitted to and stored on the Hotjar servers in Ireland.
If you have allowed the use of hotjar’s cookies, the following information is collected:
- The IP address of your device (collected and stored in an anonymous format)
- Your e-mail address, including your first and last name, if you have provided it to us via our website.
- Screen size of your device
- Device type and browser information
- Geographical position (country only)
- The preferred language to display our website
In addition, the following data is logged on our server when Hotjar is used:
- Related domain
- Visited pages
- Geographical position (country only)
- The preferred language to display our website
- Date and time of access to the website
Hotjar will use this information for the purpose of evaluating your use of our website, compiling reports, and providing other services relating to website usage and internet evaluation of the website. Hotjar also uses third-party services such as Google Analytics and Optimizely to provide services. These third party companies may store information that your browser sends when you visit the website, such as cookies or IP requests. For more information on how Google Analytics and Optimizely store and use data, please refer to their respective privacy statements.
Apart from a cookie-opt in, you can also prevent Hotjar from collecting this information by clicking on the following link and following the instructions: https://www.hotjar.com/opt-out.
VIII. Contact form
When contacting us (e.g. via contact form, e-mail, telephone or social media), your data are processed for the purpose of processing the contact inquiry and processing it in accordance with Art. 6 para. 1 lit. b GDPR. Customer data may be stored in a customer relationship management system ("CRM system") or a comparable enquiry organisation.
Embedded on our website, users are given the opportunity to subscribe to our press release newsletter via a third party service provided by Sendpulse (SendPulse is a newsletter service provider operated by SendPulse Inc., 19 Hill St Bernardsville NJ 07924 USA). The input mask used for this purpose determines what personal data are transmitted, as well as when the newsletter is ordered by the controller.
We inform our investors and business partners regularly by means of a newsletter about regulatory and other news about our company or one of our subsidiaries. The newsletter may only be received by the data subject if
(1) the data subject has a valid e-mail address and
(2) the data subject registers for the newsletter shipping. A confirmation e-mail will be sent to the e-mail address registered by a data subject for the first time for newsletter shipping, for legal reasons, in the double opt-in procedure. This confirmation e-mail is used to prove whether the owner of the e-mail address as the data subject is authorized to receive the newsletter.
During the registration for the newsletter, our third party service also store the first name, last name, e-mail address. Furthermore, the IP address of the computer system assigned by the Internet service provider (ISP) and used by the data subject at the time of the registration, as well as the date and time of the registration.
The collection of this data is necessary in order to deliver an accurate service and understand the (possible) misuse of the e-mail address of a data subject at a later date, and it therefore serves the aim of the legal protection of the controller.
The personal data collected as part of a registration for the newsletter will only be used to send our newsletter. In addition, subscribers to the newsletter may be informed by e-mail, as long as this is necessary for the operation of the newsletter service or a registration in question, as this could be the case in the event of modifications to the newsletter offer, or in the event of a change in technical circumstances.
The legal basis for processing your data is Article 6 (1) lit. a GDPR. Since the newsletter service is provided by a third party, the third party Sendpulse will be processing the data.
There will be no transfer of personal data collected by the newsletter service to other third parties except Sendpulse which operates the service on behalf of us.
The subscription to our newsletter may be terminated by the data subject at any time. The consent to the storage of personal data, which the data subject has given for shipping the newsletter, may be revoked at any time. For the purpose of revocation of consent, a corresponding link is found in each newsletter. It is also possible to unsubscribe from the newsletter at any time directly our website.
X. Rights of data subjects
If we process your personal data, you will be a data subject within the meaning of the GDPR and you will have the following rights against the controller:
1. Right to information
You may demand that the controller confirm whether or not personal data about you are processed by us.
If we do process such data, you may demand the following information from the controller:
(1) the purposes for which your personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipients or categories of recipients to whom your personal data have been or will be disclosed;
(4) how long we plan to store your personal data or, if that time period cannot be ascertained yet, the criteria used to determine how long we will store your personal data;
(5) whether you have a right to rectification or erasure of your personal data, a right to restricted processing by the controller, or a right to object to such processing;
(6) whether you have a right to lodge a complaint with a supervisory authority;
(7) any available information about the origin of data if they were not collected directly from the data subject; and
(8) whether your personal data will be transferred to any third country or international organization; in connection with such transfers you may demand to be informed of appropriate safeguards within the meaning of Art. 46 GDPR.
2. Right to rectification
You have a right against the controller to have incorrect personal data rectified and/or to have incomplete personal data completed if the personal data we process are incorrect or incomplete. The controller must rectify data without undue delay.
3. Right to restricted processing
Under the following conditions you may demand restricted processing of your personal data:
(1) if you dispute the correctness of your personal data for a time period that allows the controller to review whether your personal data are correct;
(2) if processing is unlawful and you decline to have your personal data erased and instead demand restricted use of your personal data;
(3) if the controller no longer needs your personal data for the purposes for which they are processed, but you need such data to assert, exercise, or defend legal rights or claims, or
(4) if you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and it has not yet been determined whether there are overriding legitimate reasons of the controller.
If processing of your personal data is restricted, such data may – except for their storage – be processed only with your consent, or to assert, exercise, or defend legal rights or claims, to protect the rights of another natural person or legal entity, or for reasons related to an important public interest of the European Union or any member state.
If processing of your personal data has been restricted under the aforementioned conditions, you will be notified by the controller before the restriction is lifted.
4. Right to erasure
a) Erasure obligation
You may demand that the controller erase your personal data without undue delay and the controller has an obligation to do so if one of the following reasons applies:
(1) your personal data are no longer needed for the purposes for which they were collected or are otherwise processed;
(2) you have revoked your consent on which the processing of your data is based in accordance with Art. 6 para. 1 let. a) or Art. 9 para. 2 let. a) GDPR, and there is no other legal basis for processing your personal data;
(3) you have objected to processing of your personal data in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for processing your personal data, or you object to processing in accordance with Art. 21 para. 2 GDPR;
(4) your personal data have been processed unlawfully;
(5) erasing your personal data is necessary to comply with a legal obligation under European law or member state law to which the controller is subject; or
(6) your personal data were collected with respect to offered information society services within the meaning of Art. 8 para. 1 GDPR.
b) Information to third parties
Where the controller has made personal data public and has an obligation under Art. 17, para. 1 to erase such personal data, the controller, taking into account available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing such personal data that the data subject has requested the erasure by such controllers of any links to, or copies or duplicates of, such personal data.
There is no right to erasure if processing personal data is necessary
(1) to exercise the right to freedom of expression and information;
(2) to comply with a legal obligation which requires processing of your personal data under EU or member state law to which the controller subject, or to perform a task that is in the public interest, or to exercise official authority vested in the controller;
(3) for reasons of the public interest in the area of public health within the meaning of Art. 9 para. 2 let. f) and i) and Art. 9 para. 3 GDPR; or
(4) to assert, exercise, or defend legal rights or claims.
5. Right to notification
If you have exercised your right to rectification, erasure, or restricted processing against the controller, the controller has an obligation to notify all recipients to whom your personal data have been disclosed of such rectification, erasure, or restricted processing, unless this proves impossible or would be associated with unreasonable expense.
You have a right to be informed of all such recipients by the controller.
6. Right to data portability
You have a right to receive personal data you have made available to the controller in a structured, standard, and machine-legible format. You also have the right to transfer your personal data to another controller without any interference by the controller to whom the personal data were made available, if
(1) processing is based on consent within the meaning of Art. 6 para. 1 let. a) GDPR or Art. 9 para. 2 let. a) GDPR or on a contract within the meaning of Art. 6 para. 1 b) GDPR, and
(2) data processing is automated.
In exercising the right to data portability you further have the right to have your personal data transferred directly from one controller to another controller, if and to the extent that this is technically feasible. No rights or freedoms of any other persons may be infringed thereby.
The right to data portability does not apply to processing of personal data that is necessary to perform a task that is in the public interest or to processing of personal data in the exercise of official authority vested in the controller.
7. Right of objection
You have the right for reasons related to your particular situation to object to processing of your personal data at any time based on Art. 6 para. 1 let. e) or f) GDPR; the same applies to any profiling based on the aforementioned provisions.
If you object, the controller will no longer process your personal data, unless the controller can show that there are compelling protected reasons for processing your personal data that override your interests, rights and freedoms, or if your data are processed to assert, exercise, or defend legal rights or claims.
If your personal data are processed for direct advertising purposes, you have a right to object to processing of your personal data for purposes of such advertising at any time; the same applies to any profiling associated with such direct advertising.
If you object to processing of your personal data for purposes of direct advertising, your personal data will no longer be processed for such purposes.
In connection with use of information society services you may exercise your right of objection – regardless of Directive 2002/58/EC – by using automated processes for which technical specifications are used. For this purpose you may send an email to our data protection officer.
8. Right to revoke consent to data processing
You have a right to revoke your consent to data processing at any time. If you exercise your right of revocation, the lawfulness of data processing that occurs before revocation based on your consent will remain unaffected.
9. Automated decision in a particular case, including profiling
You have a right not to be subjected to a decision that is made exclusively by means of automated processing – including profiling – if such a decision has legal consequences for you or otherwise substantially impairs your interests. This does not apply if the decision
(1) is necessary to enter into or perform a contract between you and the controller,
(2) is permitted under EU or member state law to which the controller is subject and such law provides for appropriate safeguards to protect your rights, freedoms, and legitimate interests, or
(3) is made with your express consent.
However, such decisions may not be made with respect to special categories of personal data within the meaning of Art. 9 para. 1 GDPR, unless Art. 9 para. 2 let. a) or g) GDPR applies and appropriate safeguards have been implemented to protect your rights, freedoms, and legitimate interests.
In cases 1) and 3) above the controller must implement appropriate safeguards to protect your rights, freedoms, and legitimate interests, which must include, at a minimum, a right to have a person acting on behalf of the controller take action, a right to present your own point of view, and a right to contest the decision.
10. Right to lodge complaint with supervisory authority
Without prejudice to any other available administrative or judicial remedies, you have a right to lodge a complaint with a supervisory authority, in particular a supervisory authority located in the member state of your habitual residence, at your workplace, or at the place of the purported infringement, if in your opinion the processing of your personal data violates the GDPR.
The supervisory authority where the complaint is lodged will then notify the complainant of the progress and outcome of the complaint, including judicial remedies available under Art. 78 GDPR.