Type of data processed:
- Inventory data (e.g. names, addresses)
- Contact details (e.g. e-mail, phone numbers)
- Content data (e.g. text input, photos, videos)
- Contract data (e.g. object of the contract, term, customer category)
- Payment details (e.g. bank details, payment history)
- Use data (e.g. websites visited, interest in content, access times)
- Meta data/communications data (e.g. device information, IP addresses)
Processing special categories of data (Article 9 Paragraph 1 of the GDPR):
- No special categories of data are processed.
Categories of data subjects:
- Website visitors and users
We will hereinafter also refer to data subjects collectively as ‘users’.
Purpose of processing:
- To make the website, its content and functions available.
- To fulfil contractual performance, provide services and for customer care.
- To respond to contact requests and communication with users.
- For marketing, advertising and market research.
Relevant legal bases
In accordance with Article 32 of the GDPR, taking into account the state of technological knowledge, implementation costs and the type, scope, circumstances and purposes of processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons, we take appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures particularly include securing the confidentiality, integrity and availability of data through controls for physical access to data, as well as controls for access to, input of and sharing of data, for securing its availability and for its separation. We have also established a procedure that ensures that data subject rights are observed, data is deleted and threats to data are responded to. Furthermore, we already take the protection of personal data into consideration in the development and/or selection of hardware, software and processes, in accordance with the principle of data protection by design and by default (Article 25 of the GDPR).
Security measures particularly include the encrypted transmission of data between your browser and our server.
Working with contract processors and third parties
If, within the context of processing, we disclose data to other persons or companies (contract processors or third parties), send such data to these parties or otherwise grant them access to data, this is exclusively based on a statutory permission (e.g. if the data must be shared with third parties in order to fulfil a contract, for example a payment service provider pursuant to Article 6 Paragraph 1 Letter b of the GDPR), if you have provided your consent, if a legal obligation provides for this, or if this is based on our legitimate interests (e.g. when using contractors, web hosts, etc.).
If we engage third parties to process data based on a ‘contract processing contract’, this is based on Article 28 of the GDPR.
Transfers to third countries
If we process data in a third country (i.e. outside Switzerland, the European Union [EU] or the European Economic Area [EEA]), or if this takes place as part of us engaging third-party services or as part of the disclosure or transfer of data to third parties, this only takes place in order to fulfil our (pre-)contractual duties based on your consent, a legal obligation or our legitimate interests. Subject to statutory or contractual permissions, we only process data in a third country, or allow data to be processed in a third country, if the particular conditions of Article 44 et seq. of the GDPR have been met. This means that processing takes place based on certain guarantees, such as the officially recognised level of data protection in accordance with the EU (e.g. through the ‘Privacy Shield’ for the USA) or in compliance with officially recognised special contractual obligations (‘standard contractual clauses’).
Data subject rights
You have the right to request confirmation of whether your data is processed and to request information about this data, other information and copies of data in accordance with Article 15 of the GDPR.
In accordance with Article 16 of the GDPR, you also have the right to request that your data is completed or that incorrect data is rectified.
In accordance with Article 17 of the GDPR, you have the right to request that your data is immediately erased, or alternatively, that data processing is restricted in accordance with Article 18 of the GDPR.
You have the right to request that your data that you have provided to us is sent to you in accordance with Article 20 of the GDPR, and/or that it is transferred to another controller.
Pursuant to Article 77 of the GDPR, you also have the right to submit a complaint to the relevant supervisory authorities.
Right of withdrawal
You have the right to withdraw consent with future effect, pursuant to Article 7 Paragraph 3 of the GDPR.
Right to object
Pursuant to Article 21 of the GDPR, you can object to the future processing of your data at any time. You can object to processing particularly for the purposes of direct marketing.
Providing contractual services
We process inventory data (e.g. names and addresses, user contact details), contract data (e.g. services used, names of contact persons, payment information) for the purposes of fulfilling our contractual obligations and services pursuant to Article 6 Paragraph 1 Letter b of the GDPR. Information marked as mandatory in online forms is required in order to conclude the contract.
When placing orders via our online shop, a user account is automatically set up, which in particular allows you to see your orders. The required mandatory information is shown to users when registering. User accounts are not public and cannot be indexed by search engines. If a user deletes its user account, data that corresponds to the user account is deleted, subject to a retention requirement for reasons pertaining to commercial law or tax law, pursuant to Article 6 Paragraph 1 Letter c of the GDPR. Users are obligated to secure their data if termination occurs before the end of the contract. We are entitled to irretrievably delete all of the data saved about the user for the contractual term.
The IP address and the time of each user action are saved as part of registration and re-registration, as well as the use of our online services. Storage is based on our legitimate interests, as well as protecting the user from misuse and other unauthorised use. Data is not generally shared with third parties unless this is required in order to enforce claims, or if there is a legal obligation to do so pursuant to Article 6 Paragraph 1 Letter c of the GDPR.
We process user data (e.g. the website visited, interest in our products) and content data (e.g. contact form or user profile content) in a user profile for advertising purposes, in order to display information such as product instructions based on the services used.
Data is deleted once guarantee obligations and comparable obligations come to an end, where the requirement of retaining the data is reviewed every three years; with respect to statutory archiving obligations, data is deleted once they come to an end, and information in the customer account remains intact until it is deleted.
If we make an advance payment (e.g. when purchasing through SEPA/LSV), we reserve the right to obtain an ID check and credit check for the purposes of assessing credit risk based on mathematical, statistical procedures from specialist service providers (credit reference agencies), in order to protect legitimate interests.
As part of the credit check, we send the following personal customer data (name, postal address, information about the type of contract) to the following credit reference agency:
We process the information received by the credit reference agency about the statistical probability of a default on payment as part of a proper discretionary decision concerning the justification, implementation and termination of the contractual relationship. We reserve the right to refuse payment on account or another type of advance payment if the credit check comes back negative.
In accordance with Article 22 of the GDPR, the decision of whether we make an advance payment is made solely on the basis of an automated decision on a case-by-case basis, where our software generates this using the information provided by the credit reference agency.
If we obtain explicit consent from you, the legal basis for the credit check and the transmission of customer data to credit reference agencies is Article 6 Paragraph 1 Letter a, Article 7 of the GDPR. If consent is not obtained, our legitimate interests in the reliability of your payment obligations are based on Article 6 Paragraph 1 Letter f of the GDPR.
When you contact us (by e-mail at [email protected] or via Chat), user information is processed in order to process the contact request and to resolve it, pursuant to Article 6 Paragraph 1 Letter b of the GDPR.
User information may be stored in our customer relationship management system (‘CRM system’) or a comparable request management system.
We use ‘HappyFox’ help desk software from the provider HappyFox Inc (47 Discovery, Ste 170, Irvine, CA 92618, USA) on the basis of our legitimate interests (efficient and quick processing of user requests). In this regard, we have concluded a contract with ‘standard contractual clauses’, through which HappyFox is obligated to comply with the EU data protection level to process user data, and shall only do so in accordance with our instructions. Furthermore, HappyFox is certified under the Privacy Shield agreement, which provides an additional guarantee of complying with European data protection law https://www.privacyshield.gov/participant?id=a2zt0000000PCp7AAG&status=Active.
We delete requests if they are no longer required. We review whether they are still required every two years; we permanently store requests from customers who have a customer account and refer to the deletion of requests via the customer account. If there are statutory retention requirements, data is deleted when such periods come to an end.
Collecting access data and log files
Based on our legitimate interests within the meaning of Article 6 Paragraph 1 Letter f of the GDPR, we collect data that relates to each time the server, on which this service is located, is accessed (‘server log files’). Access data includes the name of the website accessed, the file, date and time of access, the volume of data transferred, notification of successful access, browser type including version, user operating system, referrer URL (the site previously visited), IP address and requesting provider.
For security reasons (e.g. to clarify any misuse or fraud proceedings), log file information is stored for a maximum of seven days and is then deleted. Data that must be stored for the purpose of providing evidence must be excluded from erasure until each incident has been resolved.
Google is certified under the Privacy Shield Agreement, which provides an additional guarantee of complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google uses this information on our behalf to evaluate how users use our website, to compile reports about the activities within our website and to provide other services associated with the use of this website and internet use. In doing so, pseudonym user profiles may be created based on the processed data.
We use Google Analytics to only display adverts from Google and its partners through advertising services to users who have also shown an interest in our website or who have certain characteristics (e.g. interest in certain topics or products, determined based on the websites visited) that we send to Google (‘remarketing’, or ‘Google Analytics audiences’). By using remarketing audiences, we can also ensure that our adverts correspond with users’ potential interests and are not harassing.
We only use Google Analytics with IP anonymisation activated. This means that users’ IP addresses are truncated by Google within the European Union Member States or in other signatory states to the Agreement on the European Economic Area. A full IP address is only sent to a Google server in the USA and truncated there in exceptional cases.
The IP address sent from the user’s browser will not be merged with other Google data. The user can prevent cookies from being saved by changing the respective browser settings; the user can also prevent the data generated by the cookie relating to its use of the website from being captured and processed by Google by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
You can find more information about how Google uses data, settings and how to object on Google’s web pages: https://policies.google.com/technologies/partner-sites (‘How Google uses information from sites or apps that use our services’), https://policies.google.com/technologies/ads (‘Advertising’), https://adssettings.google.com/authenticated (‘Control the information Google uses to show you ads’).
Google remarketing/marketing services
We use the marketing and remarketing service (‘Google marketing services’) from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (‘Google’) on the basis of our legitimate interests (i.e. interests in analysing, optimising and economically operating our website within the meaning of Article 6 Paragraph 1 Letter f of the GDPR).
Google is certified under the Privacy Shield Agreement, which provides an additional guarantee of complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google marketing services allow us to display adverts for and on our website in a targeted way to only show users adverts that potentially relate to their interests. If a user is shown adverts for products in which it has shown interest on other websites, for example, this is known as ‘remarketing’. For these purposes, when accessing our website and other websites on which Google marketing services are active, code is directly run by Google and ‘(re)marketing tags’ (hidden images or code, also known as ‘web beacons’) are integrated into the web pages. They are used to store an individual cookie, i.e. a small file, on the user’s device (comparable technologies can be used instead of cookies). Cookies can be placed on devices by various different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com and googleadservices.com. This file records which websites the user has visited, which content it was interested in and what offers it clicked on, as well as technical information about the browser and operating system, referring web pages, the time of the visit and other information about the use of the website. Users’ IP addresses are also collected, whereby we also use Google Analytics to communicate that the IP address is truncated within the European Union Member States or in other signatory states to the Agreement on the European Economic Area and only sent to a Google server in the USA in full and truncated there in exceptional cases. The IP address is not merged with user data within the scope of any other Google services. Google may link the above-mentioned information to such information from other sources. If the user then visits other websites, adverts may be shown that are tailored to the user’s interests.
User data is processed in a pseudonymised way as part of Google marketing services. This means that Google does not store and process user names and e-mail addresses, for example, but processes the relevant data relating to cookies within a pseudonymised user profile. From Google’s perspective, this means that adverts are not managed and shown to a specific identified person, but to a cookie-owner, regardless of who the cookie-owner is. This does not apply if a user explicitly permits Google to process data without pseudonymisation. The information collected about the user by Google marketing services is sent to Google and stored on Google servers in the USA.
The online advertising program ‘Google AdWords’ is included in the Google marketing services we use. For Google AdWords, each AdWords customer receives a different ‘conversion cookie’. Cookies can therefore not be kept track of via the AdWords customer’s website. The information obtained by the cookie is used to compile conversion statistics for AdWords customers who have opted for conversion tracking. AdWords customers can find out the total number of users who have clicked on their adverts and have been directed to the page that has a conversion tracking tag. However, they do not receive any information that can personally identify the user.
Furthermore, we may use ‘Google Tag Manager’ to integrate Google analysis and marketing services into our website and to manage these.
If you would like to object to Google marketing services adverts that are based on interests, you can use Google’s settings and opt-out options: https://adssettings.google.com/authenticated.
Facebook and Facebook marketing services
Within the scope of our website, and based on our legitimate interests in analysing, optimising and economically operating our website and these purposes, we use ‘Facebook Pixel’ from the social network Facebook, which is operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you reside in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Facebook’).
Facebook is certified under the Privacy Shield Agreement, which provides an additional guarantee of complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
By using Facebook Pixel, Facebook is firstly able to determine that our website visitors fall into a specific target group for displaying adverts (‘Facebook ads’). Accordingly, we use Facebook Pixel to only display Facebook ads shown by us to Facebook users who have also shown an interest in our website or who have certain characteristics (e.g. interest in certain topics or products, determined based on the websites visited) that we send to Facebook (‘Custom Audiences’). By using Facebook Pixel, we can also ensure that our Facebook ads correspond with users’ potential interests and are not harassing. By using Facebook Pixel, we can also determine the effectiveness of Facebook adverts for statistical and marketing purposes, whereby we see whether users have been redirected to our website after clicking on a Facebook advert (‘Conversion’).
You can object to Facebook Pixel collecting and using your data to display Facebook ads. To change what types of adverts are shown to you on Facebook, you can access Facebook’s page that relates to this and follow the instructions on changing your settings for use-based adverts: https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. The settings do not differ from platform to platform, i.e. apply to all devices, e.g. desktop computers or mobile devices.
To prevent your data from being collected by Facebook Pixel on our website, please click on the link in the next section. Note: If you click on the link, an ‘opt-out’ cookie will be stored on your device. If you delete the cookies stored by this browser, you must click on the link again. In addition, opt-out only applies to the browser you use, and only to our web domain from which the link was clicked on.
We use Friendify to reward customers with gifts and vouchers for referrals. Using this technology, customers can refer friends and acquaintances to our online shop (by e-mail, SMS, Facebook, Twitter or via a link), and are gifted a pair of socks for successful referrals.
Awin components have been integrated into this website for controller processing. Awin is a German affiliate network that provides affiliate marketing. Affiliate marketing is a web-based form of marketing that allows commercial website operators, the ‘merchants’ or ‘advertisers’, to display adverts that mostly generate money through click or sales commission on third-party websites, i.e. sales partners, also known as ‘affiliates’ or ‘publishers’. The merchant distributes advertising material, i.e. an advertising banner or other suitable means of internet advertising, via the affiliate network, which is integrated into its own website or advertised through other channels, such as keyword advertising or e-mail marketing.
The operating company of Awin is Awin AG, Eichhornstraße 3, 10785 Berlin, Germany.
Awin places cookies on the data subject’s IT system. We have explained what cookies are above. Awin’s tracking cookie does not store any personal data. Only the affiliate’s ID number, i.e. the ID number for the partner communicating with potential customers, is stored, together with the reference number for the website visitor and the advert clicked on. The purpose of storing this data is for the merchant and affiliate to be able to process commission payments, which takes place via the affiliate network, i.e. Awin.
Data subjects can prevent cookies from being stored by our website, as outlined above, at any time, by changing the settings for the web browser they use, thus permanently objecting to cookies being stored. If the settings are changed for the web browser used, this also prevents Awin from storing a cookie on the data subject’s IT system. Cookies already stored by Awin can also be deleted from your web browser or other software programs at any time.
You can access Awin’s data protection regulations at https://www.awin.com/gb/legal/privacy-policy.
Our websites use ‘re-targeting technologies’. We use these technologies to design the website in a way that is more interesting to you. This technology allows us to show you personalised adverts from our partners on the website. We believe that displaying personalised adverts that are based on interests is more interesting to you than an advert that does not have any personal relevance to you. This advertising material is integrated into our partners’ website using cookie technology and an analysis of previous use behaviour. This type of advertising is completely anonymous. No personal data is stored and no user profile is linked to your personal data.
You can prevent re-targeting at any time by rejecting or deactivating the related cookies in the web browser’s menu list (please see more about this under ‘Cookies’), or by using an opt-out process via the following website: https://site.adform.com/privacy-center/platform-privacy/opt-out/.
We inform you about the content of our newsletter, as well as the registration, mailing and statistical evaluation processes, in addition to your rights to object, in the notes below. By subscribing to our newsletter, you are declaring that you agree to receiving newsletters and that you agree to the processes outlined.
Newsletter content: We only send newsletters, e-mails and other electronic communications with advertising content (hereinafter ‘newsletters’) with the recipient’s consent, or if we are legally permitted to do so. If newsletter content is specifically described when registering, this is binding for the user’s consent. Our newsletters may also contain information about our products, offers, special offers and company.
Double opt-in and recording: Newsletter registration follows a ‘double opt-in’ process. This means that once you have registered, you then receive an e-mail that asks you to confirm your registration. This confirmation is necessary so that it is not possible to register using someone else’s e-mail address. Newsletter registrations are recorded to be able to evidence that the registration process followed legal requirements. This includes storing the time of registration and confirmation, as well as the IP address. Changes to the data stored about you by the mailing service provider are also recorded.
Mailing service provider: Newsletters are sent using ‘MailChimp’, a newsletter mailing platform from the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The mailing service provider’s data protection provisions can be viewed here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, which provides an additional guarantee of complying with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
Based on the information available to it, the mailing service provider may use this data in a pseudonymised format, i.e. without being able to allocate it to the user, to optimise or improve its own services, e.g. for technically optimising the mailing of, and display of, newsletters, or for statistical purposes to determine in which countries recipients are based. However, the mailing service provider does not use our newsletter recipients’ data to send messages itself, nor does it share such data with third parties.
Registration data: You only need to provide your e-mail to register for newsletters.
Performance measurement: Newsletters contain ‘web beacons’, i.e. a pixel-size file that is retrieved from the mailing service provider’s server when opening the newsletter. When the newsletter is opened, technical information is initially collected, such as information about the browser and your system, as well as your IP address and the time of access. This information is used to technically improve services based on technical data or target groups and their reading behaviour, using their place of access (determined using the IP address) or time of access. Statistical surveys also include determining whether the newsletter has been opened, when it was opened, and what links were clicked on. This information can even be assigned to individual newsletter recipients for technical reasons. However, it is not our intention, nor that of our mailing service provider, to monitor individual users. Evaluations are also used to identify the reading habits of our users and to adapt our content for them, or to send different content based on our users’ interests.
Newsletters are sent and performance measured based on the recipient’s consent pursuant to Article 6 Paragraph 1 Letter a, Article 7 of the GDPR.
The registration process is recorded based on our legitimate interests pursuant to Article 6 Paragraph 1 Letter f of the GDPR, and serves as evidence of consent to receive newsletters.
Unsubscribe/withdraw: You can unsubscribe from receiving our newsletter at any time, i.e. withdraw your consent. You can find a link to unsubscribe from the newsletter at the end of each newsletter. If the user has only subscribed to the newsletter and then unsubscribes, the user’s personal data will be deleted.
Integrating third-party services and content
We use content and service offerings from third-party providers on our website based on our legitimate interests (i.e. interests in analysing, optimising and economically operating our website within the meaning of Article 6 Paragraph 1 Letter f of the GDPR) to integrate their content and services, such as videos or fonts (hereinafter referred to collectively as ‘content’). This presupposes that the third-party providers of this content use the users’ IP address, as it would not be possible to send content to their browsers without an IP address. The IP address is therefore required in order to display this content. We endeavour to only use such content where the respective providers solely use the IP address to supply content. Third-party providers may also use ‘pixel tags’ (hidden images, also known as ‘web beacons’) for statistical or marketing purposes. Information such as the visitor traffic for this website’s pages can be evaluated using ‘pixel tags’. Pseudonym information can also be stored in cookies on the user’s device and may contain technical information about the browser and operating system, referring web pages, the time of the visit and other information about the use of the website, etc., and be linked to such information from other sources.
The following description gives an overview of third-party providers as well as their content and links to their privacy policies, which contain other notes on data processing and opt-out options that may already be outlined here:
- If our customers use third-party payment services (e.g. PayPal), the terms and conditions and privacy policies for the respective third-party providers apply, which are available on the respective websites or from the transaction applications.