
Privacy Policy

Thank you for your visit and your interest in the online offering available at https://www.dogs-heaven.com. When you use the websites and the functions offered within this domain, it is necessary that personal data concerning you are processed to a certain extent.


Name and contact details of the controller responsible for data processing

Birgitta Ornau
Seitzstraße 18 RG
80538 Munich

Email: [email protected]


Storage of information in end devices or access to information stored in end devices

We use cookies and web storage technologies on our websites to enable user navigation and the implementation of certain functionalities. Information is stored on your end device depending on the purpose of use either for the duration of the session or beyond and is accessed accordingly. Some elements of our websites require that the calling browser can also be identified after a page change, so that storage is strictly necessary. Other elements, in turn, are not strictly necessary, so that cookies and web storage technologies are only set with your consent.

Details about the necessary (essential) and optional (Marketing and Functional) technologies we use can be viewed and changed in our consent banner, which can be accessed under "Cookies" at the bottom of this page. The legal bases are either Article 6 paragraph 1 letter f GDPR, insofar as the use of the technology is strictly necessary to enable functionality — in this case our legitimate interest lies in providing the function — or your consent pursuant to Article 6 paragraph 1 letter a GDPR, which you may withdraw at any time.


Consent banner (consent management platform)

On our websites we use a consent management platform (consent or cookie banner). The processing in connection with the use of the consent management platform as well as the logging of the settings you have made is carried out on the basis of Article 6 paragraph 1 letter f GDPR, in our legitimate interest to deliver our content according to your preferences and to be able to prove the consent(s) you have granted. The settings you have made, the consents granted thereby as well as parts of your usage data are stored in a cookie. This ensures that they remain available for subsequent page requests and that your consents can continue to be traced.

The provider Shopware AG acts for us as a strictly instruction-bound service provider (processor). A data processing agreement pursuant to Article 28 GDPR has been concluded.


Essential services
Within the scope of providing the shop, we use technical functions and content from third-party providers. This includes, among other things, services for protection against attacks. When you access our pages, content is loaded from the third-party providers that provide these functions and content. As a result, the third-party provider receives the information that you have accessed our page as well as the usage data technically required in this context. We have no influence on further data processing by the third-party provider.

Integration is carried out on the basis of Article 6 paragraph 1 letter f GDPR and in the interest of protecting and designing our websites.

In our consent banner, which can be accessed under "Privacy settings" at the bottom of this page, we name the specific third-party providers with whom we cooperate if they use cookies or similar technologies. These can be found under the category "Essential".

If data are processed outside the EU or the EEA in this context, an adequate level of data protection is ensured either on the basis of an adequacy decision or on the basis of EU standard contractual clauses.


Functional services
We use technical functions and content from third-party providers in our shop if you consent to this. This includes, among other things, services for visitor measurement. When you access our pages, content is loaded from the third-party providers that provide these functions and content. As a result, the third-party provider receives the information that you have accessed our page as well as the usage data technically required in this context. We have no influence on further data processing by the third-party provider.

The purpose of using the services is the appealing and informative design of our websites. Integration is carried out on the basis of your consent, which you can withdraw at any time with effect for the future by accessing "Privacy settings" at the bottom of this page and changing your selection.

In our consent banner, which can be accessed under "Privacy settings" at the bottom of this page, we name the specific third-party providers with whom we cooperate. These can be found under the category "Functional".

If data are processed outside the EU or the EEA in this context, an adequate level of data protection is ensured either on the basis of an adequacy decision or on the basis of EU standard contractual clauses. Otherwise, the legal basis is your explicit consent pursuant to Article 49 paragraph 1 letter a GDPR. However, it should be noted that in this case, due to the lower level of data protection, data access — possibly without legal remedies — cannot be ruled out.


Marketing services
We use marketing services on our websites, such as cross-device tracking technologies, so that targeted advertising can be displayed to you on other internet pages based on your visit to our websites and so that we can recognize how effective our advertising measures were.

Data processing is carried out on the basis of your consent, provided that you have given your consent via our consent banner. Your consent is voluntary and can be withdrawn at any time by accessing the link "Privacy settings" at the bottom of this page and changing your selection in the category "Marketing".


How does tracking work?
When you visit our websites, it is possible that the third-party providers named in the consent banner retrieve recognition features for your browser or your end device (e.g. a so-called browser fingerprint), evaluate your IP address, store or read recognition features on your end device (e.g. cookies) or obtain access to individual tracking pixels.

The individual features may be used by the third-party providers to recognize your end device on other internet pages. We may commission the placement of advertising with the corresponding third-party providers that is based on the pages visited with us.


What does cross-device tracking mean?
If you log in to the third-party provider using your own user data, the respective recognition features of different browsers and end devices may be linked with each other. If the third-party provider has created its own feature for the laptop, desktop PC or the smartphone or tablet you use, these individual features can be assigned to each other as soon as you use a service of the third-party provider with your login data. In this way, the third-party provider can also control our advertising campaigns in a targeted manner across different end devices.


Which third-party providers do we use in this context?
In our consent banner, which can be accessed under "Privacy settings" at the bottom of this page, we name the specific third-party providers with whom we cooperate for advertising purposes. These can be found under the keyword "Marketing".

If data are processed outside the EU or the EEA in this context, an adequate level of data protection is ensured either on the basis of an adequacy decision or on the basis of EU standard contractual clauses. Otherwise, the legal basis is your explicit consent pursuant to Article 49 paragraph 1 letter a GDPR. However, it should be noted that in this case, due to the lower level of data protection, data access — possibly without legal remedies — cannot be ruled out.


Customer account

On our websites you have the option to set up a personalized user account in order to store information in a restricted-access area for faster purchasing in the future, manage it, view your orders placed and use certain functions, such as remembering products.

The creation of a user account is generally not mandatory for the use of our online offering and is therefore a voluntary service for you. Further information on this can be found in our General Terms and Conditions. For the initial registration we first require the following information from you:

- First and last name
- Email address
- Password (hashed)

If you place orders via your user account, it is necessary that, in addition to the aforementioned information, we collect the details from you described in more detail under the section "Orders". Where applicable, we collect further information, such as your order history, in order to make it available to you in your user account.

We process your personal data in this context on the basis of Article 6 paragraph 1 letter b GDPR in order to provide the service requested by you. If you voluntarily provide us with additional data, such as your date of birth, your telephone number or a wish list, the legal basis for their processing is your consent pursuant to Article 6 paragraph 1 letter a GDPR, which may be withdrawn at any time with effect for the future.

You can view and change your data and individual information at any time in your user account. If you have forgotten your password, you can use a password reset function provided by us so that we send you a link by email to assign a new password. We point out that deletion initiated by you in the user account does not automatically lead to all your details being deleted by us, as certain information is subject to retention obligations if you have, for example, ordered goods from us in the past. Please also note the section “Archiving”.


Orders

General
You can purchase our products online by entering the information marked as mandatory fields in the order form either as a guest or, where applicable, via your user account.

As a rule, the following personal data are collected from you:
- Salutation
- Your first and last name
- Where applicable, first and last name of a different recipient
- Your address
- Where applicable, a different delivery address
- Where applicable, details of the delivery branch
- Your email address
- Where applicable, date of birth

When ordering goods, for the purpose of processing the purchase contract we will transmit your first name, last name, your address and information about the items ordered by you to our logistics service providers for shipping. In addition, we use your email address to confirm the order as well as to send the corresponding invoice.

The legal basis for the processing of your personal data is the necessity for the performance of the contract with you and the provision of the service pursuant to Article 6 paragraph 1 letter b GDPR. If you voluntarily transmit further data to us, the legal basis for their processing is your consent pursuant to Article 6 paragraph 1 letter a GDPR, which may be withdrawn at any time with effect for the future.

Where applicable, we also record via which advertising link you came to us. Processing is based on our legitimate interest pursuant to Article 6 paragraph 1 letter f GDPR in evaluating our advertising measures. The processing of data of persons who did not place the order (e.g. delivery recipients) is carried out on the basis of our legitimate interest pursuant to Art. 6 paragraph 1 letter f GDPR in carrying out the delivery or processing the order.


Geo assignment of IP addresses
In connection with our websites we use the service providers Matomo, GA4 and Klaviyo. The service providers support us in determining from which countries our websites are accessed by determining the geolocation from the IP address. Data processing serves our legitimate interest pursuant to Article 6 paragraph 1 letter f GDPR in verifying and implementing country restrictions in the event of the sale of digital items (downloads). Furthermore, processing serves our legitimate interest pursuant to Article 6 paragraph 1 letter f GDPR in statistically evaluating from which countries our websites are accessed.

The service providers act for us in accordance with Article 28 GDPR as processors bound by instructions. Data processing may also take place outside the EU or the EEA (in particular in the USA). An adequate level of data protection is ensured due to the certification of the service provider under the adequacy decision for the USA (EU-U.S. Data).


Cashback program
Within our cashback program, customers are rewarded for successful referrals. If a new customer places an order via your personal referral code or link, you will receive 5% of the order value credited as cashback — and this over a period of 24 months for all subsequent orders. Your referral receives in return a one-time 10% discount on the first order. The accumulated cashback balance can be converted into a voucher from €5 onwards, which can be redeemed with your next order (excluding subscription orders).

The legal basis for the processing of your personal data is the necessity for the performance of the contract with you pursuant to Article 6 paragraph 1 letter b GDPR. If you voluntarily transmit further data to us, the legal basis for their processing is your consent pursuant to Article 6 paragraph 1 letter a GDPR, which may be withdrawn at any time with effect for the future. The processing of data of third parties (e.g. recipients of gifts) is carried out on the basis of our legitimate interest pursuant to Art. 6 paragraph 1 letter f GDPR in providing the voucher.


Payment service providers
PayPal
You have the option to make payments via the service PayPal (Europe) S.à r.l. et Cie. If you select this option, you will be redirected directly to PayPal at the end of the ordering process. PayPal processes only the data relevant for invoicing. This includes your master data, such as name and address, bank details (such as account number or credit card number) and information about your order, i.e. the invoice amount. The data are processed exclusively by PayPal. We do not process the above-mentioned data. We only receive information as to whether the payment was successful or not. Data processing serves the performance of the contract pursuant to Article 6 paragraph 1 letter b GDPR. PayPal acts as its own controller within the meaning of the GDPR during the payment process. Under certain circumstances PayPal may transmit the data to credit agencies for the purpose of identity and creditworthiness checks. Please also note that PayPal may transfer data to countries outside the EU or the EEA. Information on the basis of data transfers as well as further data protection information can be found in PayPal’s privacy policy. To activate PayPal parcel tracking, we transmit a corresponding tracking link to PayPal.


Credit card payments
You also have the option to make a payment by credit card. We aim to make credit card payments secure and smooth. For payment by credit card it is necessary to transmit the relevant data to our acquirer PayPal in order to execute the payment. Data processing serves the purpose of performing the contract. The legal basis is therefore Article 6 paragraph 1 letter b GDPR. If the payment method credit card payment is selected, authentication is required, i.e. it must be ensured that the authorized credit card holder initiated the payment. For this purpose, the transmission of certain data listed below is required. The procedure therefore also serves the implementation of strong customer authentication pursuant to Directive EU 2015/2366 (PSD 2) or the Payment Services Supervision Act; the legal basis is therefore also Art. 6 paragraph 1 letter c GDPR in conjunction. Furthermore, the procedure serves fraud prevention pursuant to Article 6 paragraph 1 letter f GDPR, i.e. the legitimate interest.

The following data are transmitted to the card network used by you: payment amount, currency, website accessed and whether it was accessed successfully, credit card number, expiry date, name of the card holder, information about your internet browser (e.g. IP address, Java enabled, language, color depth, screen size, time zone), information about the invoice recipient (email address). Automated authentication or risk assessment takes place. A possible effect may be that authentication is not successful and the selected payment method cannot be used in the specific case.


Novalnet and Zaver (Frink AB) (Direct debit / Invoices)
For the processing of direct debit collections and credit payouts, we transmit your bank details, your name as well as amount and document number to the independently responsible Novalnet and Frink AB. If you settle your invoice by bank transfer, we receive your name, your bank details, the reference provided by you and the amount from Frink AB. The legal basis for data processing is the performance of the contract with you pursuant to Art. 6 para. 1 letter b GDPR.

When paying using the payment method “direct debit”, the purchase price claim is assigned via Novalnet AG as the payment institution to SVEA GmbH (hereinafter referred to as “SVEA”). The data required for payment processing is transmitted to SVEA. The data transmission serves, among other things, the purpose that SVEA can carry out an identity and creditworthiness check to process your purchase with the selected payment method. Processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR based on the legitimate interest in offering various payment methods as well as the legitimate interest in protection against payment default. You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you based on Art. 6 para. 1 lit. f GDPR by notifying us. You can find SVEA’s privacy policy here: https://www.svea-germany.de/datenschutzhinweise. If you would like to receive information about the use of your personal data, you can contact [email protected] at any time. The provision of the data is required for concluding the contract using the payment method you selected. Failure to provide the data means that the contract cannot be concluded using the desired payment method.


Credit check
If, as part of ordering goods, you select a payment method with which we provide advance performance and therefore bear an economic risk, such as payment on account or by direct debit, we will carry out a credit check with the credit agency Novalnet before granting the selected payment method in order to protect against payment defaults.

In doing so, we transmit your name, your billing address and, if applicable, a different delivery address to the credit agency and receive a probability value for risk assessment calculated using a mathematical-statistical method to predict risk or fulfilment probabilities.

Novalnet processes the received data and also uses it for profiling purposes (scoring) to provide its contractual partners in the European Economic Area and Switzerland as well as, if applicable, further third countries (provided an adequacy decision of the European Commission exists) with information including for assessing the creditworthiness of natural persons. Further information about Novalnet’s activities can be found in its information sheet or online at https://www.svea-germany.de/datenschutzhinweise. Based on the probability value received from Novalnet as well as the shopping cart size and selected items, an individual decision is made regarding approval or rejection of the selected payment method.

The legal basis for the credit check is Article 6 paragraph 1 letter f GDPR and our legitimate interest in avoiding payment defaults due to credit risk.

The data exchange with Novalnet also serves to fulfil legal obligations for conducting creditworthiness checks (§§ 505a and 506 German Civil Code). The probability value is additionally stored by us for a limited period on the basis of Article 6 paragraph 1 letter f GDPR in order to consider the result for your future purchases.


Fraud detection
Regardless of the selected payment method, individual orders are manually reviewed by our employees if they show suspicious fraud characteristics, such as simultaneous ordering of multiple goods to the same address using different customer accounts.

Furthermore, we reserve the right to review orders and subsequent returns to determine whether excessive/disproportionate returns occur that indicate fraudulent intent (return fraud). These processing activities are carried out on the basis of Article 6 paragraph 1 letter f GDPR in the legitimate interest of fraud prevention and assessing whether a contract conclusion can be offered. Our legitimate interest lies in protecting our company from fraudulent behaviour and harmful business activities.


Returns
If you revoke a contract concluded with us pursuant to your right of withdrawal or for other reasons, we will refund payments made via the same payment method used for the original transaction, unless expressly agreed otherwise with you.

If you return goods to us, we process personal data from you via our return form. The legal basis for processing is Article 6 paragraph 1 letter b GDPR.


Debt collection
In the event of outstanding due payments, we will, after a reminder, transmit information about the open claim to a debt collection service provider for enforcement of our payment claim. The legal basis for this is Article 6 paragraph 1 letter f GDPR. Our legitimate interest is that the outstanding claim is settled. For this purpose, we use the assistance of an independently responsible debt collection company.

Further information about the activities of Novalnet AG and its data processing can be found in its privacy policy online.


Reviews

Product Reviews / Ratings
You have the possibility to rate our products and write a review on our websites. For this, we first require the information marked as mandatory fields. Your contribution will be published on our website after manual approval. We kindly ask you to remain objective and to stay on topic. Furthermore, please do not include personal data of third parties or explicitly promotional content. Contributions containing personal data of third parties or explicitly promotional content will be rejected and deleted.

The legal basis for processing (mandatory fields) is Article 6(1)(f) GDPR. Our legitimate interest is to enable public opinion sharing. Additionally, you can decide whether to provide us with further data (optional fields). This information is voluntary and not required for publishing your contribution. We process your voluntary information based on your consent, which can be revoked at any time.


Customer Loyalty Program

When you register for the Cashback customer loyalty program, the data protection provisions of the loyalty program apply. You can access these here or find them in your contract documents.


Email Advertising / Customer Surveys

Email Advertising after Purchase
We will use your first and last name as well as your email address after a purchase to send you promotional content via email regarding products and services similar to those you have previously purchased. The legal basis for this is Article 6(1)(f) GDPR in conjunction with §7(3) UWG, as we have a legitimate interest in commercially addressing our customers.

You can object to the processing of your personal data for the aforementioned purpose at any time by using the unsubscribe link included in every email or via the settings in your user account, without incurring any costs other than the transmission costs at basic rates.

To ensure the proper implementation of your objection and to make sure you do not receive promotional emails for similar products after a purchase in the future, we will transfer the relevant data, including your email address and the block marker, to a suppression list based on Article 6(1)(f) GDPR until you request the removal of the block. Please note that due to the joint responsibility of the aforementioned companies, this may also result in inclusion in a company-wide suppression list.


Email Advertising after Newsletter Subscription
You can sign up for a newsletter via our websites at any time, independently of a purchase, through which we send you personalized advertising, information on promotions and offers for products in our online shop, as well as customer surveys.

To provide content that is interesting and personalized for you, we also evaluate your newsletter usage. Each email contains small image files (pixels) that are loaded when the images are displayed, enabling us to determine when the newsletter was opened. Additionally, link clicks are tracked to optimize the email content.

To ensure proper registration, we use a double-opt-in procedure. This means that after signing up, you receive an email with a confirmation link that you must click to finalize your subscription. For sending our newsletter, we record, in addition to your email address, your IP address, date, and time of registration/confirmation to document your consent.

The legal basis for sending the newsletter and the associated newsletter tracking is your consent according to Article 6(1)(a) GDPR, which you can revoke at any time with future effect by using the unsubscribe link in every email.

Furthermore, your subscription information is processed based on Article 6(1)(f) GDPR in our legitimate interest to demonstrate proper consent collection.


Participation in Customer Surveys
We regularly conduct customer surveys to optimize our service. For some of these surveys, we use strictly controlled service providers. The collected data comes from the respective questionnaire (e.g., information on your satisfaction and interests) and is analyzed for us. Processing is based on your consent, which can be revoked at any time, according to Article 6(1)(a) GDPR.


Customer Service

Processing of Inquiries
You can contact us or our customer service by email. Any data collected during communication will be used exclusively to process your request. Data provided in connection with contact will also be stored and used solely for these purposes. When you contact our customer service, they may access your customer data if necessary to assist you.

Data processing is based on Article 6(1)(f) GDPR. Our legitimate interest is to respond to your request promptly and comprehensively. If the inquiry is related to concluding a contract, the legal basis for processing is Article 6(1)(b) GDPR.

We delete your data once it is no longer required and no legitimate interests or statutory retention obligations prevent deletion.


Forms
We provide forms on our websites through which you can contact us. To use these forms, we first require the information marked as mandatory fields. We process the data based on Article 6(1)(f) GDPR to handle your request. Additionally, you may provide further information voluntarily, which is not required to process your request. Voluntary data is processed based on your revocable consent. If third-party data is requested, we process it based on Article 6(1)(f) GDPR to fulfill your request.

Your data is processed only for the specified purposes. We delete the data once it is no longer necessary and no legal retention obligations prevent deletion. We have concluded a data processing agreement with this service provider according to Article 28 GDPR. Data processing may take place outside the EU or EEA (especially in the USA). An adequate level of data protection is ensured due to the provider's certification under the EU-U.S. Data Privacy Framework.

To protect our forms from automated requests, we use Google reCAPTCHA. You may be asked to complete tasks or click checkboxes. The user inputs and possibly mouse movements are used to determine whether the input comes from a human or an automated program.

As this function is provided by a third party, loading the Captcha may result in content being loaded and Google receiving information that you accessed our site as well as the technical usage data necessary in this context. We have no influence on further data processing by Google. Integration is based on Article 6(1)(f) GDPR in our legitimate interest to protect against spam and abuse. Data processing may occur outside the EU or EEA (especially in the USA), with an adequate level of protection ensured by Google’s certification under the EU-U.S. Data Privacy Framework.


IT Infrastructure

General
We use various IT service providers to deliver the services described above. The legal bases for processing were mentioned in the descriptions of the respective services, unless stated otherwise below.


Server Operation
Our websites are hosted by the service provider Timme. We have concluded a data processing agreement with this provider according to Article 28 GDPR, obliging them to process data under our instructions.


Logfiles
When you access our websites, the following information is automatically sent from your browser to our web server to deliver the requested content:
- IP address
- Date and time of access
- Request (method, requested file, protocol version)
- Name of the accessed page
- Status code returned by the web server (e.g., successful)
- Amount of data transmitted
- Browser type and version
- Operating system
- Device used
- Referrer URL (previously visited page)
- If applicable, order data
- If applicable, search queries

The legal basis for processing this data is Article 6(1)(f) GDPR. Processing serves our legitimate interest in providing website content and ensuring device- and browser-optimized display.

We store this information for seven days in log files to detect, limit, and eliminate attacks on our websites. We reserve the right to retain the log files longer if evidence suggests unauthorized access (e.g., hacking attempts or DDoS attacks).

The legal basis is Article 6(1)(f) GDPR. Our overriding legitimate interest is ensuring the proper functioning of our websites.


Cloudflare
Our website uses Cloudflare services for encrypted internet data transmission (SSL), optimization of global website performance via a Content Delivery Network (CDN), and improved security and protection against cyber attacks through a Web Application Firewall (WAF). The website and other access points to our servers are monitored against Distributed Denial of Service (DDoS) attacks. Cloudflare offers its services by analyzing web traffic in real time and automatically filtering harmful data. Cloudflare collects "logs" containing a visitor's IP address and metadata about the visit (e.g., date/time of request, requested action, etc.).

Data processing is based on our legitimate interest according to Article 6(1)(f) GDPR for website security. We have a data processing agreement with the provider according to Article 28 GDPR, obliging them to process data under our instructions.


Email Dispatch
For sending email advertising, customer communication, and push notifications, we use the services of Shopware, Mateo, and Klaviyo. We have a data processing agreement with these providers according to Article 28 GDPR, obliging them to process data under our instructions.

We also use these services in conjunction with emails. Processing takes place on servers in data centers in Europe. An adequate level of data protection is ensured due to Microsoft certification under the EU-U.S. Data Privacy Framework.


Trusted Shops

Integration of the Trusted Shops Trustbadge
To display Trusted Shops services (e.g., quality seal, collected reviews) as well as to offer Trusted Shops products to buyers after an order, Trusted Shops widgets are integrated on this website. This serves to safeguard our overriding legitimate interests in optimal marketing through enabling a secure purchase in accordance with Article 6(1)(f) GDPR. The Trustbadge and the services advertised with it are an offering of Trusted Shops AG ("Trusted Shops"), with whom we are jointly responsible for data protection under Article 26 GDPR. In the context of these privacy notices, we inform you below about the essential contractual contents according to Article 26(2) GDPR.

Within the framework of the joint responsibility between us and Trusted Shops, please primarily contact Trusted Shops for data protection questions and to assert your rights using the contact options provided in Trusted Shops’ online privacy information. Regardless, you can always contact the controller of your choice. Your request will then, if necessary, be forwarded to the other responsible party for response.


1. Data processing when integrating the Trustbadge
The Trustbadge is provided by a U.S. Content Delivery Network (CDN) provider. An adequate level of data protection is ensured by an adequacy decision of the EU Commission for the USA. Service providers from the USA are generally certified under the EU-U.S. Data Privacy Framework. If service providers used are not certified under the adequacy decision, standard contractual clauses have been concluded as a suitable safeguard.

When the Trustbadge is called, the web server automatically stores a so-called server log file, which also contains your IP address, date and time of the access, data volume transferred, and the requesting provider (access data) and documents the access. The IP address is anonymized immediately after collection, so that the stored data cannot be linked to you personally. The anonymized data is used in particular for statistical purposes and for error analysis. The legal basis for data processing is the legitimate interest pursuant to Article 6(1)(f) GDPR in the fundamental provision of the Trustbadge.


2. Data processing after order completion
After order completion, order information (order total, order number, if applicable purchased product) as well as your email address hashed via a cryptographic one-way function are transmitted to Trusted Shops. The legal basis is Article 6(1)(f) GDPR. This serves to check whether you are already registered for services with Trusted Shops and is therefore necessary for the fulfillment of our and Trusted Shops’ overriding legitimate interests in providing buyer protection linked to the specific order and the transactional review services according to Article 6(1)(f) GDPR. If this is the case, further processing takes place according to the contractual agreement between you and Trusted Shops. If you are not yet registered for the services, you will subsequently have the opportunity to do so for the first time. Further processing after registration also follows the contractual agreement with Trusted Shops. If you do not register, all transmitted data will be automatically deleted by Trusted Shops and any personal reference is then no longer possible.

Trusted Shops uses service providers in the areas of hosting, monitoring, and logging. The legal basis is Article 6(1)(f) GDPR for the purpose of ensuring smooth operation. Processing may occur in third countries (USA and Israel). An adequate level of data protection is ensured by an adequacy decision of the EU Commission. Service providers from the USA are generally certified under the EU-U.S. Data Privacy Framework. If service providers used are not certified under the adequacy decision, standard contractual clauses have been concluded as a suitable safeguard.


Business Management

We record your purchase data in our accounting software. The purpose of data processing is the management of our business processes according to our legitimate interest pursuant to Article 6(1)(f) GDPR.

Furthermore, we store pseudonymized purchase data in a so-called data warehouse database. This serves business management. The legal basis for this is Article 6(1)(f) GDPR. Our legitimate interest lies in controlling and ensuring the profitability of our webshop.

It is also possible that we share pseudonymized personal purchase data with auditing firms. The auditing firms act in this context as independent entities. The transmission is based either on a legal obligation under Article 6(1)(c) GDPR in conjunction with § 316 HGB.


Further recipients of data

Under special circumstances, we may also transfer your personal data to further recipients. If these are service providers acting as processors for us, a corresponding contract pursuant to Article 28 GDPR exists, which obliges them to process data according to our instructions. In case of a statutory obligation pursuant to Article 6(1)(c) GDPR in conjunction with the respective relevant obligation or the necessity to safeguard a legitimate interest pursuant to Article 6(1)(f) GDPR, data may also be passed on to affected persons according to Art. 4 No. 1 GDPR as well as independent entities, such as law enforcement authorities or external legal counsel. Personal data is transferred only if, and only to the extent that, the respective legal basis permits.


Archiving

Unless otherwise stated elsewhere, your personal data will be deleted as soon as the purpose of data processing no longer applies and no legitimate interests or other (legal) retention reasons prevent deletion. Retention obligations requiring us to retain data arise from accounting regulations (§ 257 HGB) and tax regulations (§ 147 AO and § 14b UStG). According to these regulations, business communications and accounting records (e.g., invoices) must be retained for up to 10 years. Insofar as we no longer need this data for providing services to you, the data will be blocked. This means that the data may then only be used for accounting and tax purposes.


Your rights as a data subject

As a data subject, you have the right to obtain information about the personal data concerning you processed by us in accordance with Article 15 GDPR. In case of incorrect data, you can request rectification and, if applicable, completion of incomplete personal data according to Article 16 GDPR. You also have the right to deletion if the requirements of Article 17 GDPR are met, the right to restriction of processing if the requirements of Article 18 GDPR are met, and, in certain cases, the right to data portability according to Article 20 GDPR.

If your data is processed according to Article 6(1)(f) GDPR to safeguard our legitimate interests, you have the right to object to the processing at any time for reasons arising from your particular situation. We will then no longer process your personal data, unless demonstrably compelling legitimate reasons for processing exist that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims. You can exercise your right to object without providing reasons if the data processing is based on legitimate interests for the purposes of direct marketing.

If your consent forms the basis for data processing, you are entitled under Article 7(3) GDPR to withdraw your given consent at any time for the future. Processing that took place before the withdrawal is not affected.


Right to lodge a complaint with a supervisory authority
Furthermore, as a data subject, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection regulations. The right to lodge a complaint can be exercised particularly with a supervisory authority in the member state of your habitual residence, workplace, or the location of the alleged infringement.


Exercising data subject rights

If you exercise a data subject right with us, we process your data to handle and respond to your request and to document the same. Data processing is based on Article 6(1)(c) GDPR in conjunction with Article 12(3) and the respective asserted data subject right(s).

If necessary, we may request further personal data from you for identity verification if there are reasonable doubts about your identity. The identity verification is carried out based on our legal obligation under Article 6(1)(c) GDPR in conjunction with Article 12(6) GDPR as well as Article 5(2) GDPR.

Your data may be forwarded by us to external service providers to implement the rights you assert, e.g., IT service providers who assist us in data processing. If this involves processing on behalf of the controller according to Article 28 GDPR, the service providers are strictly bound by instructions and contractually obligated. If necessary, we will also forward your request to our data protection officer. Processing of your personal data is based on Article 6(1)(f) GDPR in our legitimate interest to ensure proper handling and response to your request.

In the event of an audit by a competent data protection authority, we are obliged under Article 6(1)(c) GDPR in conjunction with Article 58 GDPR to provide your data if such proof is requested as part of the supervisory review. We store your data for documentation purposes for 3 years after responding to your request. Retention for this period is based on our legitimate interest in being able to demonstrate the implementation of our obligations in case of audits by the supervisory authority and is supported by Article 6(1)(f) GDPR in conjunction with § 41 Federal Data Protection Act, Article 83(5)(b) GDPR, § 31 Act on Regulatory Offenses.


Contact details for data protection matters and contact details of the data protection officer

You can contact the following for any questions regarding the processing of your personal data and the exercise of your rights:


Contact for data protection inquiries:
[email protected]