Privacy Policy

Privacy Policy Buddy&Selly Buy

The controller responsible for data processing is

Reverse-Retail GmbH
Schnackenburgallee 41a
22525 Hamburg
E-Mail: datenschutz@buddyandselly.com

Thank you for your interest in our online shop. The protection of your privacy is very important to us. Below we inform you in detail about the handling of your data.

1. Access data and hosting

You can visit our website without providing any personal information. Each time a website is accessed, the web server only automatically saves a so-called server log file, which contains, for example, the name of the requested file, your IP address, the date and time of the access, the amount of data transferred and the requesting provider (access data) and documents the access. This access data is analyzed exclusively for the purpose of ensuring trouble-free operation of the site and improving our offer. This serves to safeguard our legitimate interests, which predominate in the context of a weighing of interests, in a correct presentation of our offer in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR. All access data will be deleted no later than one month after the end of your visit to the site.

1.1 Hosting

The services for hosting and displaying the website are partly provided by our service providers as part of processing on our behalf. Unless otherwise stated in this privacy policy, all access data and all data collected in the forms provided on this website will be processed on their servers. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this privacy policy.

1.2 Content delivery network

We use a content delivery network (CDN) for some services to reduce loading times. This service delivers content, such as large media files, via regionally distributed servers of external CDN service providers. As a result, access data is processed on the service providers' servers. Our service providers work for us as part of an order processing.

Our service providers are based and/or use servers in countries outside the EU and the EEA. The European Commission has not issued an adequacy decision for these countries.

Our cooperation with them is based on the European Commission's standard data protection clauses.

If you have any questions about our service providers and the basis of our cooperation with them, please use the contact options described in this privacy policy.

2. Data processing for contract processing and for establishing contact

2.1 Data processing for contract execution

For the purpose of contract processing (including inquiries about and processing of any existing warranty and service disruption claims as well as any statutory updating obligations) in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR, we collect personal data if you voluntarily provide it to us as part of your order. Mandatory fields are marked as such, as in these cases we absolutely need the data to process the contract and we cannot send the order without it. Which data is collected can be seen from the respective input forms.

Further information on the processing of your data, in particular on the transfer to our service providers for the purpose of order, payment and shipping processing, can be found in the following sections of this privacy policy. After completion of the contract, your data will be restricted for further processing and deleted after expiry of the retention periods under tax and commercial law in accordance with Art. 6 para. 1 sentence 1 lit. c GDPR, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

Merchandise management system

We use merchandise management systems from external service providers to process orders and contracts. Our service providers work for us within the framework of order processing. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this privacy policy.

2.2 Customer account

If you have given your consent to this in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR by deciding to open a customer account, we will use your data for the purpose of opening a customer account and storing your data for further future orders on our website. Deletion of your customer account is possible at any time and can be done either by sending a message to the contact option described in this privacy policy or via a function provided for this purpose in the customer account. After deletion of your customer account, your data will be deleted unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

2.3 Making contact

As part of our customer communications, we collect personal data in order to process your requests in accordance with Art. 6 (1) 1 lit. b GDPR if you voluntarily provide it to us when you contact us (e.g. using a contact form, live chat tool or email). Mandatory fields are marked as such because we absolutely need the data in these cases to process your contact request. The data collected can be seen from the respective input forms. After your request has been fully processed, your data will be deleted, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) 1 lit. a GDPR or we reserve the right to further data use that is permitted by law and about which we inform you in this statement.

3. Data processing for the purpose of delivery

In order to fulfill the contract in accordance with Article 6 (1) sentence 1 b GDPR, we will pass on your data to the shipping service provider commissioned with the delivery, insofar as this is necessary for the delivery of the ordered goods. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this data protection declaration.

Data transfer to shipping service providers for the purpose of dispatch notification

If you have given us your express consent to do so during or after your order, we will, on the basis of this consent and in accordance with Art. 6 (1) 1 lit. a GDPR, pass on your e-mail address and telephone number to the selected shipping service provider so that they can contact you before delivery to announce or coordinate the delivery.

You can revoke your consent at any time by sending a message to the contact option described in this data protection declaration or directly to the shipping service provider at the contact address listed below. After revocation, we will delete the data you have provided for this purpose, unless you have expressly consented to further use of your data or we reserve the right to use the data in a manner that goes beyond this, which is permitted by law and about which we inform you in this declaration. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this data protection declaration.

DHL Paket GmbH
Sträßchensweg 10
53113 Bonn
Germany

United Parcel Service Deutschland S.à r.l. & Co. OHG
Görlitzer Straße 1
41460 Neuss
Germany

4. Data processing for payment processing

We work with the following partners to process payments in our online store: technical service providers, credit institutions, payment service providers.

4.1 Data processing for transaction processing

Depending on the selected payment method, we provide the data necessary for the processing of the payment transaction to our technical service providers, who work for us as part of an order processing, or to the commissioned credit institutions or to the selected payment service provider, insofar as this is necessary to process the payment. This serves the fulfillment of the contract in accordance with Art. 6 Para. 1 S. 1 lit. b DSGVO. In some cases, the payment service providers collect the data necessary for the processing of the payment themselves, e.g. on their own website or via a technical integration in the ordering process. In this respect, the privacy policy of the respective payment service provider applies.

If you have any questions about our payment processing partners and the basis of our cooperation with them, please use the contact option described in this privacy policy.

4.2 Data processing for the purpose of fraud prevention and optimization of our payment processes

If necessary, we provide our service providers with further data, which they use together with the data necessary for processing the payment as our processors for the purpose of fraud prevention and the optimization of our payment processes (e.g. invoicing, processing of disputed payments, accounting support). In accordance with Art. 6 para. 1 sentence 1 lit. f GDPR, this serves to safeguard our legitimate interests in our protection against fraud and efficient payment management, which predominate in the context of a balancing of interests.

4.3 Payment in installments option

When you select the installment payment option and give the necessary consent under data protection law in accordance with Art. 6 (1) (a) GDPR, personal data (first name, last name, address, email, telephone number, date of birth, IP address, gender) together with the data necessary for the transaction processing (product, invoice amount, due dates, total amount, invoice number, taxes, currency, order date and order time) for the purposes of processing this payment method to our partner Mollie BV, Keizersgracht 126, 1015CW Amsterdam, Netherlands.

To verify the customer's identity and creditworthiness, our partner carries out queries and requests information from publicly accessible databases and credit reference agencies. The providers from whom information and, where applicable, creditworthiness information is obtained on the basis of mathematical-statistical procedures, as well as further details on the processing of your data after transmission to our partner Mollie BV, can be found in Mollie BV's data protection declaration, which you can access here: https://www.mollie.com/privacy

Our partner Mollie BV uses the information obtained about the statistical probability of a payment default to make a balanced decision on the establishment, execution or termination of the contractual relationship. You have the option of contacting our partner Mollie BV to express your point of view and contest the decision. The consent to the transfer of data provided during the ordering process can be revoked at any time, even without stating reasons, with effect for the future.

5. Advertising by e-mail, post

5.1 Email newsletter with registration and newsletter tracking

If you subscribe to our newsletter, we will use the data required for this or separately provided by you to regularly send you our email newsletter based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can unsubscribe from the newsletter at any time, either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter. After unsubscribing, we will delete your email address from the list of recipients, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

We would like to point out that we evaluate your user behavior when sending the newsletter. For this purpose, we also analyze your interaction with our newsletter by measuring, storing and evaluating opening rates and click rates for the purpose of designing future newsletter campaigns ("newsletter tracking").

For this analysis, the emails sent contain single-pixel technologies (e.g. so-called web beacons, tracking pixels) that are stored on our website. In particular, we link the following "newsletter data" for the evaluations the page from which the page was requested (so-called referrer URL), the date and time of the request, the description of the type of web browser used, the IP address of the requesting computer, the e-mail address, the date and time of registration and confirmation and the one-pixel technologies with your e-mail address or IP address and, if applicable, an individual ID. Links contained in the newsletter may also contain this ID.

  • the page from which the page was requested (so-called referrer URL),
  • the date and time of the request,
  • the description of the type of web browser used,
  • the IP address of the requesting computer,
  • the email address,
  • the date and time of registration and confirmation

and the single-pixel technologies with your email address or your IP address and, if applicable, an individual ID. Links contained in the newsletter may also contain this ID.

If you do not wish to receive newsletter tracking, you can unsubscribe from the newsletter at any time as described above.

The information will be stored for as long as you are subscribed to the newsletter.

5.2 Newsletter dispatch

The newsletter and the newsletter tracking described above may also be sent by our service providers as part of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please contact us at the address provided in this privacy policy.

The newsletter and the newsletter tracking described above may also be sent by our service providers as part of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please contact us using the contact details provided in this data protection declaration.

Our service providers are based in and/or use servers in the following countries for which the European Commission has determined by decision that they provide an adequate level of data protection: United Kingdom, Ireland, Canada, USA.

5.3 Sending evaluation requests by email

If you have given us your express consent to this during or after your order in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, we will use your email address to request a review of your order via the review system we use. This consent can be revoked at any time by sending a message to the contact option described in this privacy policy or via a link provided for this purpose in the evaluation request.

The rating requests may also be sent by our service provider Trusted Shops AG Subbelrather Str. 15C, 50823 Cologne ("Trusted Shops").

We receive information on the respective status from Trusted Shops (e.g. whether the evaluation request has been sent and whether it has been received) as part of the sending of evaluation requests. This is done in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR to fulfill our legitimate interest in receiving information about the review invitations in order to make any necessary optimizations based on this and to fulfill the legitimate interest of Trusted Shops in being able to offer this service.

We are jointly responsible with Trusted Shops for sending rating requests and for collecting and displaying rating and status information.

As part of the joint responsibility between us and Trusted Shops, please contact Trusted Shops if you have any data protection questions or to assert your rights. You can find contact details for Trusted Shops here. Further information on data protection can be found via the following link here. Irrespective of this, you can always contact us using the contact options described in this data protection declaration. If necessary, your request will be forwarded to the other responsible party for answering.

5.4 Postal advertising and your right to object

In addition, we reserve the right to use your first and last name and your postal address for our own advertising purposes, e.g. to send you interesting offers and information about our products by post. This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in a promotional approach to our customers in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR. You can object to the storage and use of your data for these purposes at any time by sending a message to the contact option described in this privacy policy.

After you have withdrawn your consent, we will delete your address from the recipient list, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) sentence 1 lit. a GDPR or we reserve the right to use the data for other purposes that are permitted by law and about which we inform you in this declaration.

The advertising mailings are provided by a service provider on our behalf as part of a processing operation, to which we forward your data for this purpose. If you have any questions about our service providers and the basis of our cooperation with them, please contact us using the contact details provided in this data protection declaration.

6. Cookies and other technologies

6.1 General information

In order to make visiting our website attractive and to enable the use of certain functions, we use technologies on various pages, including so-called cookies. Cookies are small text files that are automatically stored on your end device. Some of the cookies we use are deleted again at the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your end device and enable us to recognize your browser on your next visit (persistent cookies).

Privacy protection for end devices

When using our online offer, we use absolutely necessary technologies in order to be able to provide the expressly requested telemedia service. The storage of information in your end device or access to information that is already stored in your end device does not require consent in this respect.

For functions that are not absolutely necessary, the storage of information in your end device or access to information that is already stored in your end device requires your consent. We would like to point out that if you do not give your consent, parts of the website may not be fully usable. Any consent you have given will remain in place until you adjust or reset the respective settings on your device.

Any downstream data processing by cookies and other technologies

We use technologies that are absolutely necessary for the use of certain functions of our website (e.g. shopping cart function). These technologies collect and process the IP address, time of visit, device and browser information as well as information about your use of our website (e.g. information about the contents of the shopping cart). In the context of a balancing of interests, this serves overriding legitimate interests in an optimized presentation of our offer in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR.

We also use technologies to fulfill the legal obligations to which we are subject (e.g. to be able to prove consent to the processing of your personal data) as well as for web analysis and online marketing. Further information on this, including the respective legal basis for data processing, can be found in the following sections of this privacy policy.

You can find the cookie settings for your browser under the following links

Cookie settings

Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™

If you have consented to the use of the technologies in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, you can revoke your consent at any time by sending a message to the contact option described in the privacy policy. Alternatively, you can also visit the following link: https://www.buddyandselly.com. If you do not accept cookies, the functionality of our website may be restricted.

6.2 Cookiebot Consent Management Platform

We use Cookiebot on our website to inform you about the cookies and other technologies we use on our website, and to obtain, manage and document your consent to the processing of your personal data by these technologies, where required. This is necessary pursuant to Art. 6 Sect. 1 Clause 1 lit. c GDPR to fulfill our legal obligation pursuant to Art. 7 Sect. 1 GDPR to be able to provide evidence of your consent to the processing of your personal data, to which we are subject. Cookiebot is a service provided by Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, which processes your data on our behalf.

After you have submitted your cookie declaration on our website, Cookiebot's web server stores your anonymized IP address, the date and time of your declaration, browser information, the URL from which the declaration was sent, information on your consent behavior, and an anonymous random key. In addition, a cookie is used that contains the information about your consent behavior and the key. Your data will be deleted after twelve months unless you have expressly consented to further use of your data in accordance with Art. 6 (1) 1 lit. a GDPR or we reserve the right to further data use that is permitted by law and about which we inform you in this statement.

Our service providers are located and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection by decision USA.

The adequacy decision for the USA applies as the basis for third country transfers, insofar as the respective service provider is certified. Until certification by our service providers, the data transfer continues to be based on this basis: standard data protection clauses of the European Commission.

7. Use of cookies and other technologies

We use the following cookies and other third-party technologies on our website. Unless otherwise stated for the individual technologies, this is done on the basis of your consent in accordance with Art. 6 (1) 1 lit. a GDPR. After the purpose and end of our use of the respective technology, the data collected in this context will be deleted. You can revoke your consent at any time with effect for the future. Further information on your revocation options can be found in the section “Cookies and other technologies”. Further information, including the basis of our cooperation with the individual providers, can be found under the individual technologies. If you have any questions about the providers and the basis of our cooperation with them, please use the contact option described in this data protection declaration.

7.1 Use of Google services

We use the following technologies from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The information automatically collected by Google technologies about your use of our website is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there. Unless otherwise stated for the individual technologies, the data processing is carried out on the basis of an agreement concluded for the respective technology between jointly responsible parties in accordance with Art. 26 GDPR. Further information about data processing by Google can be found in the privacy policy of Google.

Further information about data processing by Google can be found in Google's privacy policy. Our service providers are located and/or use servers in countries outside the EU and the EEA for which the European Commission has determined an adequate level of data protection by decision.

Our service providers are located and/or use servers in countries outside the EU and the EEA. There is no adequacy decision from the European Commission for these countries. Our cooperation with them is based on standard data protection clauses of the European Commission.

Google Analytics

For the purpose of website analysis, Google Analytics collects data (IP address, time of visit, device and browser information as well as information about your use of our website) are automatically collected and stored for the purpose of website analysis, from which user profiles are created using pseudonyms. For this purpose cookies may be used for this purpose. If you visit our website from the EU, your IP address will be stored on a server located in the EU to derive location data and then deleted immediately before the traffic is forwarded to other Google servers for processing. Data processing is carried out on the basis of an agreement on order processing by Google.

Google Maps

For the visual presentation of geographical information, Google Maps collects data about your use of the Maps functions, in particular the IP address and location data, transmits it to Google and then processes it. We have no influence on this subsequent data processing.

Google reCAPTCHA

Google reCAPTCHA collects data (IP address, time of visit, browser information and information about your use of our website) and analyzes your use of our website using JavaScript and cookies to protect against misuse of our web forms and spam from automated software (so-called bots). In addition, other cookies stored in your browser by Google services are analyzed. No personal data is read or saved from the input fields of the respective form.

Google Tag Manager

Google Tag Manager allows us to manage various codes and services on our website. When implementing the individual tags, Google may also process personal data (e.g. IP address, online identifiers (including cookies)). Data processing is carried out on the basis of an agreement on order processing by Google.

By using the Google Tag Manager, various services/technologies can be integrated.

If you do not wish to use individual tracking services and have therefore deactivated them, the deactivation remains in place for all affected tracking tags that are integrated by the Google Tag Manager.

7.2 Use of Facebook services

Use of Facebook Pixel

We use the Facebook Pixel as part of the technologies of Meta Platforms Ireland Ltd, Block J, Serpentine Avenue, Dublin 4, Ireland ("Facebook (by Meta)" or "Meta Platforms Ireland") described below. The Facebook Pixel automatically collects and stores data (IP address, time of visit, device and browser information as well as information about your use of our website based on events specified by us, such as visiting a website or subscribing to a newsletter), from which usage profiles are created using pseudonyms. As part of the so-called extended data matching, information is also collected and stored in hashed form for matching purposes, which can be used to identify individuals (e.g. names, email addresses and telephone numbers). For this purpose, a cookie is automatically set by the Facebook pixel when you visit our website, which automatically enables your browser to be recognized by means of a pseudonymous cookie ID when you visit other websites. Facebook (by Meta) will merge this information with other data from your Facebook account and use it to compile reports on website activity and to provide other services related to website activity, in particular personalized and group-based advertising.

The information automatically collected by Facebook (by Meta) technologies about your use of our website is usually transferred to a server of Meta Platforms, Inc., 1601 Willow Road, Menlo Park, California 94025, USA and stored there. Further information about data processing by Facebook can be found in Facebook's privacy policy (by Meta).

Our service providers are located and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection by decision USA, Canada, Japan, South Korea, New Zealand, United Kingdom, Argentina.

The adequacy decision for the USA applies as the basis for third country transfers, provided that the respective service provider is certified.

Our service providers are located and/or use servers in these countries Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, Mexico. There is no adequacy decision by the European Commission for these countries. Our cooperation with you is based on these guarantees: standard data protection clauses of the European Commission.

Facebook analyses

As part of the Facebook Business Tools, statistics on visitor activity on our website are created from the data collected with the Facebook Pixel about your use of our website. Data processing is carried out on the basis of an agreement on order processing by Facebook (by Meta). Their analysis serves to optimize the presentation and marketing of our website.

Facebook Ads (advertising manager)

We use Facebook Ads to advertise this website on Facebook (by Meta) and on other platforms. We determine the parameters of the respective advertising campaign. Facebook (by Meta) is responsible for the exact implementation, in particular the decision on the placement of the ads with individual users. Unless otherwise specified for the individual technologies, data processing is carried out on the basis of an agreement between joint controllers in accordance with Art. 26 GDPR. The joint controllership is limited to the collection of data and its transmission to Meta Platforms Ireland. Subsequent data processing by Meta Platforms Ireland is not covered by this.

Based on the statistics generated via Facebook Pixel about visitor activities on our website, we operate group-based advertising on Facebook (by Meta) via Facebook Custom Audience by determining the characteristics of the respective target group. Facebook (by Meta) acts as our processor within the scope of the extended data comparison (see above) that takes place to determine the respective target group.

Based on the pseudonymous cookie ID set by Facebook Pixel and the data collected about your usage behavior on our website, we operate personalized advertising via Facebook Pixel Remarketing.

We use Facebook Pixel Conversions to measure your subsequent usage behavior for web analysis and event tracking if you have reached our website via a Facebook Ads ad. Data processing is carried out on the basis of an agreement on order processing by Facebook (by Meta).

7.3 Other providers of web analytics and online marketing services

Use of Criteo for online marketing

We advertise this website in search results and on third-party websites via our advertising partner Criteo SA, 32 Rue Blanche, 75009 Paris, France ("Criteo"). When you visit our website, a retargeting cookie is automatically set by Criteo or its partner, which enables interest-based advertising by means of a pseudonymous cookie ID and based on the pages you visit. The data processing takes place on the basis of an agreement between jointly responsible parties in accordance with Art. 26 GDPR. We determine the parameters of the respective advertising campaign. Criteo is responsible for the exact implementation (e.g. the decision on the placement of the individual ads). The data automatically collected by Criteo (IP address, time of visit, device and browser information as well as information about your use of our website) may be merged by Criteo with information from other sources and transmitted to Criteo advertising partners.

Our service providers are located and/or use servers in countries outside the EU and the EEA for which the European Commission has determined an adequate level of data protection by decision.

Our service providers are located and/or use servers in countries outside the EU and the EEA. There is no adequacy decision from the European Commission for these countries. Our cooperation with them is based on standard data protection clauses of the European Commission.

8. Integration of the Trusted Shops Trustbadge/other widgets

If you have given your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, Trusted Shops widgets are integrated on this website to display Trusted Shops services (e.g. seal of approval, collected reviews) and to offer Trusted Shops products to buyers after an order.

The Trustbadge and the services advertised with it are an offer from Trusted Shops AG, Subbelrather Str. 15C, 50823 Cologne ("Trusted Shops"), with whom we are jointly responsible under data protection law in accordance with Art. 26 GDPR. As part of this data protection notice, we inform you below about the main contents of the contract in accordance with Art. 26 para. 2 GDPR.

Within the framework of the joint responsibility existing between us and Trusted Shops AG, please contact Trusted Shops in the event of data protection issues and to assert your rights using the contact options provided in the data protection information. Irrespective of this, you can always contact the controller of your choice. If necessary, your request will then be forwarded to the other responsible party for a response.

8.1 Data processing when integrating the Trustbadge/other widgets

The Trustbadge is provided by a US CDN provider (Content Delivery Network). An adequate level of data protection is ensured in each case by an adequacy decision of the EU Commission, which can be accessed here for the USA. Service providers used from the USA are generally certified under the EU-U.S. Data Privacy Framework (DPF). Further information can be found here. If the service providers used are not certified under the DPF, standard contractual clauses have been concluded as a suitable guarantee.

When the Trustbadge is accessed, the web server automatically saves a so-called server log file, which also contains your IP address, the date and time of access, the amount of data transferred and the requesting provider (access data) and documents the access. The IP address is anonymized immediately after collection so that the stored data cannot be assigned to your person. The anonymized data is used in particular for statistical purposes and for error analysis.

8.2 Data processing after order completion

If you have given your consent, the Trustbadge accesses the order information stored in your end device (order total, order number, product purchased if applicable) and e-mail address after the order has been completed and your e-mail address is hashed using a cryptological one-way function. The hash value is then transmitted to Trusted Shops with the order information in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

This serves to check whether you are already registered for Trusted Shops services. If this is the case, further processing will be carried out in accordance with the contractual agreement concluded between you and Trusted Shops. If you are not yet registered for the services or do not give your consent to automatic recognition via the Trustbadge, you will then be given the opportunity to register manually for the use of the services or to complete the protection as part of your existing user contract.

For this purpose, the Trustbadge accesses the following information, which is stored in the end device you are using, after you have completed your order:

Order amount, order number and e-mail address. This is necessary so that we can offer you buyer protection. The data will only be transmitted to Trusted Shops if you actively decide to take out buyer protection by clicking on the correspondingly labeled button in the so-called Trustcard. If you decide to use the services, the further processing is based on the contractual agreement with Trusted Shops in accordance with Art. 6 para. 1 lit. b GDPR in order to complete your registration for buyer protection and to secure the order and, if necessary, to be able to send you evaluation invitations by e-mail afterwards.

Trusted Shops uses service providers in the areas of hosting, monitoring and logging. The legal basis is Art. 6 para. 1 lit. f GDPR for the purpose of ensuring trouble-free operation. Processing may take place in third countries (USA and Israel). An appropriate level of data protection is ensured in each case by a adequacy decision of the EU Commission, which is available here for the USA and here for Israel. Service providers from the USA are generally certified under the EU-U.S. Data Privacy Framework (DPF). Further information can be found here. If the service providers used are not certified under the DPF, standard contractual clauses have been concluded as a suitable guarantee.

9. Social Media

Our online presence on Facebook (by Meta), Instagram (by Meta), YouTube, Pinterest, LinkedIn

If you have given your consent to the respective social media operator in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on the above-mentioned social media, from which user profiles are created using pseudonyms. These can be used, for example, to place advertisements within and outside the platforms that presumably correspond to your interests. Cookies are generally used for this purpose. For detailed information on the processing and use of data by the respective social media operator as well as a contact option and your rights and settings options for protecting your privacy, please refer to the providers' data protection notices linked below. If you still need help in this regard, you can contact us.

Facebook (by Meta) is a service provided by Meta Platforms Ireland Ltd, Block J, Serpentine Avenue, Dublin 4, Ireland ("Meta Platforms Ireland"). The information automatically collected by Meta Platforms Ireland about your use of our online presence on Facebook (by Meta) is usually transferred to a server of Meta Platforms, Inc, 1601 Willow Road, Menlo Park, California 94025, USA and stored there. Data processing in the context of a visit to a Facebook (by Meta) fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.

Our service providers are located and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection by decision USA, Canada, Japan, South Korea, New Zealand, United Kingdom, Argentina.

The adequacy decision for the USA applies as the basis for third country transfers, provided that the respective service provider is certified. Certification is available.

Our service providers are located and/or use servers in these countries: Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, Mexico. There is no adequacy decision by the European Commission for these countries. Our cooperation with you is based on these guarantees: Standard data protection clauses of the European Commission.

Instagram (by Meta) is an offer of Meta Platforms Ireland Ltd, Block J, Serpentine Avenue, Dublin 4, Ireland ("Meta Platforms Ireland") The information automatically collected by Meta Platforms Ireland about your use of our online presence on Instagram is usually transmitted to a server of Meta Platforms, Inc, 1601 Willow Road, Menlo Park, CA 94025, USA, Menlo Park, California 94025, USA and stored there. Data processing in the context of a visit to an Instagram (by Meta) fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.

Our service providers are located and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection by decision USA, Canada, Japan, South Korea, New Zealand, United Kingdom, Argentina.

The adequacy decision for the USA applies as the basis for third country transfers, provided that the respective service provider is certified. Certification is available.

Our service providers are located and/or use servers in these countries Australia, Hong Kong, India, Indonesia, Malaysia, Singapore, Thailand, Taiwan, Brazil, Mexico. There is no adequacy decision by the European Commission for these countries. Our cooperation with you is based on these guarantees:

European Commission standard data protection clauses.

YouTube is a service provided by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The information automatically collected by Google about your use of our online presence on YouTube is generally transmitted to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there.

Our service providers are located and/or use servers in countries outside the EU and the EEA for which the European Commission has determined an adequate level of data protection by decision.

Our service providers are located and/or use servers in countries outside the EU and the EEA. There is no adequacy decision by the European Commission for these countries. Our cooperation with them is based on standard data protection clauses of the European Commission.

Pinterest is a service provided by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland ("Pinterest"). The information automatically collected by Pinterest about your use of our online presence on Pinterest is usually transferred to a server of Pinterest, Inc, 505 Brannan St., San Francisco, CA 94107, USA and stored there.

Our service providers are located and/or use servers in countries outside the EU and the EEA for which the European Commission has determined an adequate level of data protection by decision.

Our service providers are located and/or use servers in countries outside the EU and the EEA. There is no adequacy decision by the European Commission for these countries. Our cooperation with them is based on standard data protection clauses of the European Commission.

LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland ("LinkedIn"). The information automatically collected by LinkedIn about your use of our online presence on LinkedIn is usually transferred to a server of LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA and stored there.

Our service providers are located and/or use servers in the following countries for which the European Commission has determined an adequate level of data protection by decision USA.

The adequacy decision for the USA applies as the basis for third country transfers, insofar as the respective service provider is certified. Until certification by our service providers, the data transfer continues to be based on this basis: standard data protection clauses of the European Commission.

10. contact options and your rights

10.1 Your rights

As a data subject, you have the following rights

(✓) in accordance with Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein; in accordance with Art. 16 GDPR, the right to request the immediate correction of incorrect or incomplete personal data stored by us;

(✓) in accordance with Art. 17 GDPR, the right to request the erasure of your personal data stored by us, unless further processing is necessary

to exercise the right to freedom of expression and information
for compliance with a legal obligation;
for reasons of public interest or
is necessary for the establishment, exercise or defense of legal claims;

(✓) in accordance with Art. 18 GDPR, the right to demand the restriction of the processing of your personal data, insofar as

the accuracy of the data is disputed by you
the processing is unlawful, but you oppose the erasure of the data
we no longer need the data, but you need it for the establishment, exercise or defense of legal claims, or you have objected to the processing pursuant to Art. 21 GDPR

(✓) in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller

(✓) in accordance with Art. 77 GDPR, the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.

Right to object

Insofar as we process personal data as explained above in order to safeguard our legitimate interests, which outweigh your interests, you can object to this processing with effect for the future. If the processing is carried out for direct marketing purposes, you can exercise this right at any time as described above. If the processing is carried out for other purposes, you only have the right to object if there are grounds relating to your particular situation.

After exercising your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or if the processing serves the establishment, exercise or defense of legal claims.

This does not apply if the processing is for direct marketing purposes. In this case, we will no longer process your personal data for this purpose.

10.2 Contact options

If you have any questions about the collection, processing or use of your personal data, information, correction, restriction or deletion of data and revocation of any consent given or objection to a specific use of data, please contact our company data protection officer.

Use of data, please contact our company data protection officer./p>

Data protection officer:

Buddy&Selly GmbH
Schnackenburgallee 41a
22525 Hamburg
Germany
datenschutz@buddyandselly.com

Privacy policy created with the Trusted Shops legal text editor

Privacy Policy Selling

Introduction

With the following privacy policy, we would like to inform you about the types of personal data (hereinafter also referred to as “data”) that we process, for what purposes and to what extent. The privacy policy applies to all personal data processing carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).

The terms used are not gender-specific.

Controller

Reverse-Retail GmbH
Schnackenburgallee 41a
22525 Hamburg
Telephone: +49 (0)40-284 67680
Email: info@buddyandselly.com

Contact details for the data protection officer
datenschutz@buddyandselly.com

Overview of processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

Inventory data.
Payment data.
Location data.
Contact data.
Content data.
Contract data.
Usage data.
Meta/communication data.

Categories of data subjects

Customers.
Employees.
Interested parties.
Communication partners.
Users.
Business and contractual partners.

Purposes of processing

Provision of contractual services and customer service.
Contact requests and communication.
Security measures.
Direct marketing.
Reach measurement.
Tracking.
Office and organizational procedures.
Conversion measurement.
Managing and responding to inquiries.
Content Delivery Network (CDN).
Feedback.
Marketing.
Profiles with user-related information.
Provision of our online services and user-friendliness.
Information technology infrastructure.

Relevant legal bases

The following is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence or domicile. Furthermore, should more specific legal bases apply in individual cases, we will inform you of these in the data protection declaration.

Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and pre-contractual requests (Art. 6 (1) 1 (b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – The processing is necessary to fulfill a legal obligation to which the controller is subject.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – The processing is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.

In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. These include, in particular, the law for the protection against misuse of personal data in data processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes and for transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of the employment relationship (Section 26 BDSG), in particular with regard to the establishment, execution or termination of employment relationships and the consent of employees. In addition, the data protection laws of the individual federal states may apply.

Security measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as the access, input, disclosure, security of availability and its separation. Furthermore, we have set up procedures to ensure that data subjects' rights are exercised, that data is deleted and that we respond to data being compromised. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes, in accordance with the principle of data protection, through technology design and data protection-friendly default settings.

TLS encryption (https): We use TLS encryption to protect your data transmitted via our online services. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.

Transfer of personal data

As part of our processing of personal data, it may be necessary to transfer the data to other departments, companies, legally independent organizational units or persons, or to disclose it to them. The recipients of this data may include, for example, service providers contracted to carry out IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

Data transfer within the group of companies: We may transfer personal data to other companies within our group of companies or grant them access to this data. If this transfer is carried out for administrative purposes, the transfer of the data is based on our legitimate business and commercial interests or if it is necessary to fulfill our contractual obligations or if the consent of the data subjects or legal permission has been obtained.

Data processing in third countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transmission of data to other persons, bodies or companies, this will only take place in accordance with the legal requirements.

Subject to express consent or contractually or legally required transmission, we process or allow the data to be processed only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, if certifications or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).

Deletion of data

The data processed by us will be deleted in accordance with the legal requirements as soon as the permissions granted for processing are revoked or other permissions cease to apply (e.g. if the purpose for processing this data no longer applies or if it is not required for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing is limited to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or that must be stored to assert, exercise or defend legal claims or to protect the rights of another natural or legal person.

As part of our data protection information, we may provide users with further information on the deletion and storage of data that specifically applies to the respective processing procedure.

Use of cookies

Cookies are small text files or other storage notes that store information on end devices and read information from end devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the contents accessed or the functions used of an online offer. Cookies can also be used for different purposes, e.g. for the functionality, security and convenience of online offers and to create analyses of visitor flows.

Notes on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, except where this is not required by law. In particular, consent is not required if the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e. our online service) that they have expressly requested. The revocable consent is clearly communicated to the users and contains the information on the respective cookie use.

Notes on the legal basis under data protection law: The legal basis under data protection law on which we process users' personal data using cookies depends on whether we ask users for their consent. If users consent, the legal basis for processing your data is the declared consent. Otherwise, the data processed using cookies is processed on the basis of our legitimate interests (e.g. in the commercial operation of our online offer and improvement of its usability) or, if this is done in the context of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We will explain the purposes for which we process cookies in the course of this data protection declaration or in the context of our consent and processing procedures.

Storage duration: With regard to the storage duration, the following types of cookies are distinguished:

Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his end device (e.g. browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after the end device has been closed. This means, for example, that the login status can be saved or preferred content can be displayed directly when the user revisits a website. Likewise, the user data collected with the help of cookies can be used to measure reach. Unless we provide users with explicit information about the type and duration of storage of cookies (e.g. when obtaining consent), users should assume that cookies are permanent and that the storage period can be up to two years.

General information on withdrawal and objection (opt-out): Users can withdraw the consent they have given at any time and also object to the processing in accordance with the legal requirements in Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g. by disabling the use of cookies (although this may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be declared via the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.

Further information on processing, procedures and services:

Processing of cookie data on the basis of consent: We use a cookie consent management procedure in which the consent of users to the use of cookies and the processing and providers mentioned in the cookie consent management procedure can be obtained and managed and revoked by users. The declaration of consent is stored so that the request does not have to be repeated and so that the consent can be proven in accordance with the legal obligation. The storage can be done on the server side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) in order to be able to assign the consent to a user or their device. Subject to individual information about the providers of cookie management services, the following information applies: The duration of the storage of the consent can be up to two years. A pseudonymous user identifier is created and stored with the time of consent, information on the scope of consent (e.g. which categories of cookies and/or service providers) as well as the browser, system and end device used.

Business services

We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”) in the context of contractual and comparable legal relationships as well as associated measures and in the context of communication with the contractual partners (or pre-contractual), e.g. to answer inquiries.

We process this data in order to fulfil our contractual obligations. These include, in particular, the obligations to provide the agreed services, any updating obligations and remedies in the event of breaches of warranty and other breaches of performance. In addition, we process the data to protect our rights and for the purpose of the administrative tasks associated with these obligations, as well as for company organization. In addition, we process the data on the basis of our legitimate interests in proper and business management and security measures to protect our contractual partners and our business operations from misuse, endangering your data, secrets, information and rights (e.g. for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the limits of applicable law, we only disclose the data of contractual partners to third parties to the extent necessary for the aforementioned purposes or to fulfill legal obligations. The contractual partners will be informed about further forms of processing, e.g. for marketing purposes, within the scope of this data protection declaration.

We will notify the contractual partners which data is required for the aforementioned purposes before or during data collection, e.g. in online forms, by means of special labeling (e.g. colors) or symbols (e.g. asterisks or similar), or in person.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e., in principle after the expiry of 4 years, unless the data is stored in a customer account, e.g., as long as it must be kept for legal archiving reasons. The legal retention period for tax-related documents, as well as for account books, inventories, opening balance sheets, and annual financial statements, the work instructions and other organizational documents and accounting records required to understand these documents, is ten years, and for received commercial and business letters and reproductions of sent commercial and business letters, six years. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statement or the management report was prepared, the commercial or business letter was received or sent, or the accounting document was created, and the recording was made or the other documents were created.

Insofar as we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms apply in the relationship between the users and the providers.

Processed data types: inventory data (e.g. names, addresses, telephone numbers); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); contract data ( e.g. subject matter of the contract, purchased items, customer category); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
Data subjects: Customers; prospective customers; business and contractual partners.
Purposes of processing: Provision of contractual services and customer support; Security measures; Contact requests and communication; Office and organizational procedures; Managing and responding to inquiries.
Legal basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate interests (Article 6 (1) (f) GDPR).

Further information on processing, procedures and services:

Customer account: We create a customer account for contractual partners. The customer accounts are not public and cannot be indexed by search engines. If customers have terminated their customer account, the data relating to the customer account will be deleted, subject to their retention being required for legal reasons. It is the customer's responsibility to back up their data when they have terminated their customer account; legal basis: performance of a contract and prior requests (Art. 6 (1) (b) GDPR).

Purchases and e-commerce: We process our customers' data in order to enable them to sell goods to us and related services, as well as to pay for them. If necessary for the execution or cancellation of a purchase, we use service providers, in particular postal, freight and shipping companies, to carry out the transaction for our customers. We use the services of banks and payment service providers to process payment transactions. Legal basis: Performance of a contract and prior requests (Art. 6 (1) (b) GDPR).

Providers and services used in the course of business activities

In the course of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (“services”) in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and our internal organization.

Processed data types: inventory data (e.g. names, addresses); payment data (e.g. bank details, invoices, payment history); contact data (e.g. e-mail, telephone numbers); content data (e.g. text input, photographs, videos); contract data (e.g. contract object, duration, customer category).
Data subjects: customers; prospective customers; users (e.g. website visitors, users of online services); business and contractual partners.
Purposes of processing: provision of contractual services and customer support; office and organizational procedures.
Legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Provision of online services and web hosting

We process user data in order to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

Types of data processed: Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses); Content data (e.g. text input, photographs, videos).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); Security measures; Content Delivery Network (CDN).
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing, procedures and services:

Provision of online services on rented storage space: To provide our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also known as a “web host”); legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Collection of access data and log files: Access to our online services is logged in the form of so-called “server log files”. The server log files may include the address and name of the accessed websites and files, the date and time of access, the amount of data transferred, a notification of successful access, the browser type and version, the user's operating system, the referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure the utilization of the servers and their stability; Legal basis: Legitimate interests (Art. 6 sec. 1 p. 1 lit. f) GDPR); Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is required for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.
Cloudflare:

Contact and request management

When contacting us (e.g. via contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed as far as this is necessary to answer the contact requests and any requested measures.

Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
Data subjects: Communication partners.
Purposes of processing: contact requests and communication; managing and responding to inquiries; feedback (e.g. collecting feedback via online form); provision of our online services and user-friendliness.
Legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); performance of a contract and prior requests (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing, procedures and services:

Contact form: When users contact us using our contact form, email or other means of communication, we process the data provided to us in this context in order to deal with the matter in question; legal basis: performance of a contract and prior requests (Art. 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (f) GDPR).

Newsletter and electronic notifications

We send newsletters, e-mails and other electronic notifications (hereinafter “newsletters”) only with the consent of the recipients or a legal permission. Insofar as the contents of a newsletter are specifically described in the context of registration, they are decisive for the consent of the users. In addition, our newsletters contain information about our services and us.

To subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name so that we can address you personally in the newsletter, or to provide further information if this is necessary for the purposes of the newsletter.

Double opt-in procedure: Registration for our newsletter is always done using a so-called double opt-in procedure. This means that after registration you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with someone else's e-mail address. Registrations for the newsletter are logged in order to be able to prove that the registration process meets legal requirements. This includes storing the login and confirmation times as well as the IP address. Likewise, changes to your data stored with the delivery service provider are logged.

Deletion and restriction of processing: We may store the unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove a previously given consent. The processing of this data is limited to the purpose of a possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a block list for this purpose alone.

The logging of the registration process is based on our legitimate interests for the purpose of proving that it has been properly carried out. Insofar as we commission a service provider to send e-mails, this is done on the basis of our legitimate interests in an efficient and secure sending system.

Processed data types: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); meta/communication data (e.g. device information, IP addresses); usage data (e.g. websites visited, interest in content, access times).
Data subjects: communication partners.
Purposes of processing: direct marketing (e.g. by email or post).
Legal basis: consent (Art. 6 (1) (a) GDPR); legitimate interests (Art. 6 (1) (f) GDPR).
Opt-out: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options given above, preferably email.

Further information on processing, procedures and services:

Measurement of opening and click rates: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server when the newsletter is opened or, if we use a mailing service provider, from their server. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of the retrieval, are initially collected. This information is used for the technical improvement of our newsletter based on the technical data or the target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of the opening rates and the click rates as well as the storage of the measurement results in the profiles of the users as well as their further processing take place on the basis of a consent of the users. Unfortunately, it is not possible to separately revoke the performance measurement; in this case, the entire newsletter subscription must be canceled or objected to. In this case, the stored profile information will be deleted; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

KlickTipp: How do we use Klick-Tipp?

(1) In our online communication with you, we use the services of KLICK-TIPP LIMITED, 15 Cambridge Court, 210 Shepherds Bush Road, London W6 7NJ, United Kingdom. The representative of KLICK-TIPP LIMITED within the meaning of Article 27 DSGVO is Waterton Knowledge Center WKC UG, Friedrichstr. 53a, 15537 Erkner, represented by Ulf Castelle. We obtain these services through a main contractual relationship with Digistore24 GmbH, St.-Godehard-Straße 32, 31139 Hildesheim. Digistore24 is a reseller that procures products or services, such as Klick-Tipp, and sells them to buyers without significant further processing. With Klick-Tipp itself, we have additionally concluded an order processing agreement within the meaning of Article 28 GDPR. This ensures that we have full control over the personal data processed there and that Klick-Tipp implements our instructions in a mirror-image manner.

(2) We store your contact data with Klick-Tipp and, if necessary, process the data that we process using the online marketing tools described in more detail in this data protection declaration. This is because these providers are fully integrated into Klick-Tipp via a secure interface. Therefore, it is possible that Klick-Tipp takes note of this data, although, as mentioned above, Klick-Tipp has no right of its own to use this data and is completely subject to our instructions.

(3) Furthermore, Klick-Tipp allows us to link your personal data with so-called tags. Klick-Tipp distinguishes between two types of tags: SmartTags: When a contact registers using a registration form, they automatically receive a tag with the name of the relevant registration form. In addition, Klick-Tipp automatically sets the tags “email received”, “email opened”, “email clicked” and “email viewed in browser”. Manual tags: In addition to SmartTags, manual tags can be created. For example, you can tag contacts as “customer” or, even more specifically, as “bought product B”.

(4) You can find details about these and other features we use at Klick-Tipp in the Klick-Tipp manual.

(5) You can find Klick-Tipp's privacy policy here.

(6) You can find Klick-Tipp's anti-spam policy here.

Web analysis, monitoring and optimization

The web analysis (also referred to as “reach measurement”) is used to evaluate the flow of visitors to our online offering and may include behavior, interests or demographic information about visitors, such as age or gender, as pseudonymous values. With the help of the reach analysis, we can, for example, recognize at what time our online offering or its functions or content are most frequently used or invite reuse. We can also identify which areas require optimization.

In addition to web analysis, we can also use test procedures to test and optimize different versions of our online offering or its components.

Unless otherwise stated below, profiles, i.e. data combined into a usage process, can be created for these purposes and information can be stored in a browser or in a terminal device and read from it. The information collected includes, in particular, the websites visited and the elements used there, as well as technical information such as the browser and computer system used and information on times of use. If users have given their consent to the collection of their location data to us or to the providers of the services we use, location data may also be processed.

The users' IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as e-mail addresses or names) is stored in the context of web analysis, A/B testing and optimization, but pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.

Processed data types: Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (Creating user profiles); Targeting (e.g. interest/behavioural profiling, use of cookies); Provision of our online services and usability.
Security measures: IP masking (pseudonymization of the IP address).
Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing, procedures and services:

Google Analytics: web analysis, reach measurement and measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) DSGVO); website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://policies.google. com/privacy; Data processing agreement: https://business.safety.google/adsprocessorterms; Standard contractual clauses (safeguarding the level of data protection when processing data in third countries): https://business.safety.google/adsprocessorterms; Opt-out: opt-out plugin: https:// tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of advertisements: https://adssettings.google.com/authenticated; Further information: https://privacy.google.com/businesses/adsservices (types of processing and processed data).

Google Analytics in consent mode: In consent mode, Google processes personal data of users for measurement and advertising purposes, depending on the consent of the users. Consent is obtained from users as part of our online services. If user consent is completely absent, the data will only be processed at an aggregated level (i.e. not assigned to individual users and summarized). If consent only covers statistical measurement, no personal data of users will be processed for ad placement or measuring advertising success (so-called “conversion”); legal bases: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); website: https://support.google.com/analytics/answer/9976101?hl=de.

Online marketing

We process personal data for online marketing purposes, which may include, in particular, the marketing of advertising space or the presentation of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of its effectiveness.

For these purposes, so-called user profiles are created and stored in a file (so-called “cookie”) or similar procedures are used, by means of which the information relevant to the user for the presentation of the aforementioned content is stored. This information may include, for example, content viewed, websites visited, online networks used, but also communication partners and technical information such as the browser used, the computer system used and information on times of use and functions used. If users have consented to the collection of their location data, this data can also be processed.

The IP addresses of users are also stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored as part of the online marketing process, but pseudonyms. This means that we, as well as the providers of the online marketing process, do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in cookies or by similar means. These cookies can later generally be read on other websites that use the same online marketing process, analyzed for content display purposes, supplemented with additional data and stored on the server of the online marketing process provider.

In exceptional cases, clear data can be assigned to the profiles. This is the case, for example, if users are members of a social network that uses our online marketing process and the network links the profiles of users with the aforementioned information. Please note that users can make additional agreements with the providers, e.g. by giving their consent during registration.

We only have access to summarized information about the success of our advertisements. However, we can use so-called conversion measurements to check which of our online marketing methods have led to a so-called conversion, i.e. for example, to the conclusion of a contract with us. The conversion measurement is used solely to analyze the success of our marketing measures.

Unless otherwise stated, we ask you to assume that cookies used are stored for a period of two years.

Processed data types: Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
Affected persons: Users (e.g. website visitors, users of online services).
Purposes of Processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Targeting (e.g. profiling based on interests and behavior, use of cookies); Marketing; Profiles with user-related information (Creating user profiles); Conversion tracking (Measurement of the effectiveness of marketing activities).
Security Measures: IP masking (pseudonymization of the IP address).
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Opt-out: We refer to the data protection notices of the respective providers and the options for objection (so-called “opt-out”) provided by the providers. If no explicit opt-out option has been specified, there is the option of disabling cookies in your browser settings. However, this may limit the functionality of our online services. We therefore recommend the following additional opt-out options, which are offered collectively for each respective area: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-regional: https://optout.aboutads.info.

Further information on processing, procedures and services:

Google Ads and conversion tracking: We use the online marketing process “Google Ads” to place ads in the Google advertising network (e.g., in search results, in videos, on websites, etc.) so that they are displayed to users who have a presumed interest in the ads (so-called “conversion”). Furthermore, we measure the conversion of the ads. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page with a so-called “conversion tracking tag”. However, we ourselves do not receive any information that can be used to identify users; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://marketingplatform.google.com; Privacy Policy: https://policies.google.com/privacy; Further information: types of processing and processed data: https://privacy.google.com/businesses/adsservices; data processing conditions between controllers and standard contractual clauses for third country data transfers: https://business.safety.google/adscontrollerterms.

Application process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information provided there.

In principle, the required information includes personal details such as name, address, a means of contact and proof of the qualifications required for a position. We will be happy to provide additional information on request.

If provided, applicants can send us their applications using an online form. The data is encrypted and transmitted to us using state-of-the-art technology. Applicants can also send us their applications by email. However, please note that emails are generally not sent encrypted over the internet. As a rule, emails are encrypted during transmission, but not on the servers from which they are sent and received. We therefore cannot accept any responsibility for the transmission of the application between the sender and its receipt on our server.

For the purposes of searching for, submitting and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us regarding the method of submitting their application or to send us their application by post.

Processing of special categories of data: Insofar as special categories of personal data within the meaning of Art. 9 (1) GDPR (e.g. health data, such as severely disabled status or ethnic origin) are requested from applicants as part of the application process so that the controller or the data subject can exercise the rights arising from labor law and social security and social protection law and fulfill their obligations in this regard, their processing is carried out in accordance with Art. 9 Para. 2 lit. b. DSGVO, in the case of the protection of vital interests of the applicants or other persons in accordance with. Art. 9 para. 2 lit. c. DSGVO or for purposes of health care or occupational medicine, for the assessment of the employee's ability to work, for medical diagnostics, for care or treatment in the health or social field or for the administration of systems and services in the health or social field in accordance with. Art. 9 para. 2 lit. h. DSGVO. In the case of a notification of the special categories of data based on voluntary consent, their processing is carried out on the basis of Art. 9 para. 2 lit. a. DSGVO.

Deletion of data: In the case of a successful application, the data provided by the applicants can be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicants' data will be deleted. Applicants' data will also be deleted if an application is withdrawn, which applicants are entitled to do at any time. Subject to a justified withdrawal by the applicant, the deletion will take place at the latest after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and fulfil our obligations to provide evidence under the regulations for the equal treatment of applicants. Invoices for any reimbursement of travel expenses will be archived in accordance with tax regulations.

Processed data types: inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. text input, photographs, videos); applicant data (e.g. personal information, postal and contact addresses, the documents belonging to the application and the information contained therein, such as cover letter, curriculum vitae, certificates, as well as further information provided by applicants with regard to a specific job or voluntarily, regarding their person or qualifications).
Data subjects:
Purposes of processing: application process (establishment and possible subsequent execution as well as possible subsequent termination of the employment relationship).
Legal basis: application process as a pre-contractual or contractual relationship (Art. 6 (1) (b) GDPR).

Presence on social networks (social media)

We maintain an online presence on social networks and, in this context, process user data in order to communicate with active users on these networks or to provide information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The user profiles can in turn be used to place advertisements inside and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behavior and the interests of the users are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (in particular if the users are members of the respective platforms and are logged in to them).

For a detailed description of the respective forms of processing and the options for objection (opt-out), we refer to the data protection declarations and information provided by the operators of the respective networks.

We would also like to point out that requests for information and the assertion of data subject rights can be most effectively asserted with the providers. Only the providers have access to the user data and can take appropriate measures and provide information directly. However, if you do need help, you can contact us.

Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of Processing: contact requests and communication; Feedback (e.g. collecting feedback via online form); Marketing.
Legal Basis: Legitimate Interests (Article 6(1) sentence 1f) GDPR).

Further information on processing, procedures and services:

Instagram: social network; service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); website: https://www.instagram.com; privacy policy: https://instagram.com/about/legal/privacy.

Facebook pages: Profiles within the Facebook social network – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content that users view or interact with, or the actions they take (see “Things you and others have done and provided” in the Facebook Data Policy: https://www.facebook. com/policy), as well as information about the devices used by the users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, known as “Page Insights”, to page administrators so that they can understand how people interact with their pages and the content associated with them. We have entered into a special agreement with Facebook (“Information on Page Insights”, https://www.facebook.com/legal/terms/page_controller_addendum), which specifically addresses the security measures that Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e., users can, for example, address requests for information or deletion directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 sec. 1 p. 1 lit. f) GDPR); Website: https://www.facebook.com ; Privacy Policy: https://www.facebook.com/about/privacy; Standard Contractual Clauses (Safeguarding the level of data protection when processing data in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Joint controllership agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data. The joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, in particular with regard to the transmission of the data to the parent company Meta Platforms, Inc. in the USA (on the basis of the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).

Pinterest: social network; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal basis: Legitimate Interests (Art. 6 (1) (f) GDPR); Website: https://www.pinterest.com; Privacy Policy: https://about.pinterest.com/de/privacy-policy; Additional Information: Pinterest Data Exchange Addendum (ANNEX A): https://business.pinterest.com/de/pinterest-advertising-services-agreement/.

Plugins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as “third-party providers”). These may be, for example, graphics, videos or city maps (hereinafter uniformly referred to as “content”).

The integration always requires that the third-party providers of this content process the IP address of the users, since without the IP address they would not be able to send the content to their browser. The IP address is therefore required for the presentation of these contents or functions. We endeavor to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include, but is not limited to, technical information about the browser and operating system, referring web pages, time of visit, and other information regarding the use of our online services.

Processed data types: Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses); Inventory data (e.g. names, addresses); Contact data (e.g. e-mail, phone numbers); Content data (e.g. text input, photographs, videos); Location data (Information on the geographical position of a device or person).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and user-friendliness.
Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO).

Further information on processing operations, procedures and services:

Google Maps: We integrate maps from the “Google Maps” service provided by Google. The data processed may include, in particular, users' IP addresses and location data; service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO); website: https://mapsplatform.google.com/; privacy policy: https://policies.google.com/privacy.
YouTube videos: video content; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; legal basis: legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO); website: https://www.youtube.com; privacy policy: https://policies.google. com/privacy; Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Settings for the display of advertising: https://adssettings.google.com/authenticated.

Rights of data subjects

As a data subject, you have various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

Right to object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right to revoke consent: You have the right to revoke consent at any time.
Right of access: You have the right to request confirmation as to whether the data in question is being processed and to request information about this data, as well as further information and a copy of the data in accordance with legal requirements.
Right to rectification: You have the right, in accordance with legal requirements, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
Right to erasure and restriction of processing: You have the right, in accordance with the law, to demand that data concerning you be deleted immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the law.
Right to data portability: You have the right to receive the data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format or to demand its transmission to another controller in accordance with the legal requirements.
Complaint to the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the member state in which you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.

Amendments and updates to the data protection declaration

We ask you to regularly review the content of our data protection declaration. We will amend the data protection declaration as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or any other individual notification.

Please note that the addresses and contact information for companies and organizations that we provide in this data protection declaration may change over time and we ask you to check the information before contacting us.

 

As of December 2022