Privacy Statement

Data protection declaration

Welcome to our website. Below you will find our data protection declaration:

Contents

I. General information

  1. Contact details of the person responsible
  2. Contact data of our data protection officer

II. Specific information regarding the processing of personal data

  1. Visiting our website
  2. Cookies
  3. Execution of contracts
  4. Contact form, e-mail, fax or telephone contact
  5. Customer account
  6. Live-Help/Chat
  7. Direct Marketing
  8. Newsletter
  9. YouTube
  10. Blog
  11. Google AdWords
  12. Microsoft Bing Ads
  13. Twitter Ads
  14. Google Analytics
  15. IntelliAd
  16. Visual Website Optimizer (VWO)
  17. Facebook-, Instagram-, YouTube-, Twitter-, Google+ Buttons
  18. Facebook-Tracking
  19. Cloudflare
  20. Single Sign-On and Payment-Services
  21. Mixpanel
  22. Customer support tools

III. Rights of the data subject

  1. Right to information according to Art. 15 GDPR
  2. Right to correction in accordance with Art. 16 GDPR
  3. The right to cancellation in accordance with Art. 17 GDPR
  4. Right to limitation of processing in accordance with Art. 18 GDPR
  5. Right to information in accordance with Art. 19 GDPR
  6. Right to Data Transferability Art. 20 GDPR
  7. Right of objection according to Art. 21 GDPR
  8. Automated decisions in individual cases incl. profiling according to Art. 22 GDPR
  9. Right of appeal to a supervisory authority pursuant to Art. 77 GDPR
  10. Right to an effective judicial remedy under Article 79 of the GDPR

I. General information

1. Contact details of the person responsible

Name: orderbird AG

Str.: Ritterstraße 12-14, Aufg. 3

Postcode, City: 10969 Berlin

Phone: 030 208 983 098

Fax.: 0321 214 681 89

Email: [email protected]

2. Contact data of our data protection officer

Name: kedapro UG (haftungsbeschränkt)

Str.: Adlerstraße 63

Postcode, City: 40211 Düsseldorf

Tel.: +49 (211) 93 67 22 66

Email: [email protected]

II. Specific information regarding the processing of personal data

1. Visiting our website

a) Purpose of data processing

Every time a user accesses a page of our website and every time a file stored on the website is accessed, access data about this process is stored in a log file. Each data record consists of:

(1) the page from which the file was requested,

(2) the name of the file,

(3) the date and time of the request,

(4) the amount of data transferred,

(5) the access status (file transferred, file not found, etc.),

(6) a description of the type of operating system and web browser used,

(7) referrer URL,

(8) host name of the accessing computer,

(9) the client IP address.

We use this data to operate our website, in particular to determine the utilization of the website as well as malfunctions of the website and to make adjustments or improvements. The client IP address is used for the purpose of transmitting the requested data; it will be made anonymous by deleting the last digit block (IPv4) or the last octet (IPv6) once the technical requirement no longer applies.

b) Duration of storage

The data is stored each time a user accesses a page of our website and each time our website is accessed and is deleted as soon as it is no longer required for the purpose of collection, which is the case at the latest three months after the website visit.

c) Legal basis

The temporary storage of the aforementioned data is carried out on the legal basis of Art. 6 para. 1 letter f of the General Data Protection Regulation (hereinafter "GDPR"). The legitimate interest lies in the provision of our website and the examination of misuse.

d) Possibility of objection and elimination

By refraining from using our website, the data subject may object to the processing and, subject to the conditions described in more detail in the "Rights" section below, request the deletion of data collected with regard to him by means of an informal request.

2. Cookies

a) Purpose of data processing

In order to make a visit to our website and the order process technically possible, we transfer so-called cookies to the end device of the person concerned. Cookies are small text files that can be used to identify the end device of the person concerned, usually by collecting the name of the domain from which the cookie data was sent, information about the age of the cookie and an alphanumeric identifier. By storing the cookie on the device used - without interfering with the operating system - it is recognized again and enables us to make any settings available immediately. We use this information to adapt our website and services offered to your needs and to accelerate the access to our website.

b) Duration of storage

The storage period of the various cookies varies, but does not exceed two years. They are stored on your local device, not on our server, so the actual deletion time depends on how your browser software is configured. Please refer to the operating instructions of your browser software to find out how you can delete cookies set by us on specific occasions or automatically.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 para. 1 lit. f GDPR. The legitimate interest for the setting of cookies is on the one hand to be able to optimize the quality of our website through an analysis of user behaviour and on the other hand to enable the visit of our website; in particular, some functions on our website cannot be used without cookies, because otherwise the user and his settings already made would not be recognized when changing pages, language settings would be lost and searches could not be executed. Furthermore, the data is stored on the legal basis of Art. 6 para. 1 lit. b GDPR for the execution of possible contracts with the visitor.

d) Possibility of objection and elimination

The person concerned can block the use of cookies in the terminal device used or delete them after use. Under certain circumstances, however, individual functions of our website may not be usable. How cookies can be blocked and cookies that have already been saved can be deleted is detailed in the instructions of your browser software.

3. Execution of contracts

a) Purpose of data processing

Name, address, bank details, e-mail address, telephone number and the client IP address at the time of placing a customer order are collected, stored and processed for the purpose of establishing or executing a contract with the visitor, which includes in particular the billing and processing of the contract.

The personal data will only be passed on to third parties if this is necessary for the execution of the contract, for example when commissioning a mail order company or using a payment service provider.

b) Duration of storage

The data will be deleted as soon as they are no longer necessary for the purposes for which they were collected or otherwise processed. This period is five years for personal data subject to § 147 AO (Abgabenordnung, German Fiscal Code) and ten years for personal data subject to § 257 HGB (Handelsgesetzbuch, German Commercial Code). The periods begin at the end of the calendar year in which the data was collected.

c) Legal basis

The aforementioned data is stored on the legal basis of Art. 6 para. 1 lit. b and lit. c GDPR in order to fulfil the obligations arising from contracts and to provide the services required for the execution of the contract.

d) Possibility of objection and elimination

Since we are bound by statutory retention periods and the data must be stored and processed for contract execution, an objection or deletion is not possible.

4. Contact form, e-mail, fax or telephone contact

a) Purpose of data processing

A contact form is available on the website. The person concerned can contact us electronically and we can process the request. The following data is collected and stored: name, address, e-mail address, telephone number, date and time of the request and the description of the request.

A user can contact us by e-mail, fax or telephone. We store the data transmitted to us and provided by the person concerned for processing the request. These data are name, address, e-mail address, telephone and/or fax number, date and time of the inquiry and the description of the request, and, if necessary, contract data if the inquiry takes place in the context of a contract admission or completion.

The data will not be passed on to third parties. They are used to process the contact request of the person concerned.

b) Duration of storage

As soon as the data is no longer necessary to achieve its purpose, it is deleted, which is the case when the conversation has been completed and the facts have been clarified and there are no contractual or tax retention periods to the contrary. This period is five years for personal data subject to § 147 AO and ten years for personal data subject to § 257 HGB. The periods begin at the end of the calendar year in which the data was collected.

c) Legal basis

The aforementioned data is stored on the legal basis of Art. 6 para. 1 lit. b GDPR as part of a contract initiation or fulfilment or in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest of the responsible person is to be able to process the contact request and to prevent misuse of the contact request.

d) Possibility of objection and elimination

The person concerned has the right to object to the storage at any time. The data stored for the operation is then deleted. If a contract has been concluded, the above explanations regarding the "execution of contracts" shall apply.

5. Customer account

a) Purpose of data processing

The person concerned can register a customer account with us by providing personal data that is transmitted to us. The data entered in the input mask or otherwise collected is stored. These are name, e-mail address, IP address, date and time of registration. Registration is necessary to provide certain content and services and also serves to establish and fulfil our contract with the person concerned.

b) Duration of storage

As soon as the data are no longer necessary to achieve the purpose, they are deleted. If you register without concluding another contract, this is the case if the registration is deleted or the data is changed. In the case of a registration, which leads to a further contract conclusion, the data are deleted as soon as the legal and tax-legal defaults permit a deletion of contract data. This period is five years for personal data subject to § 147 AO and ten years for personal data subject to § 257 HGB. The periods begin at the end of the calendar year in which the data was collected.

c) Legal basis

The aforementioned data is stored pursuant to Art. 6 para. 1 lit. b GDPR in the context of contract fulfilment or initiation or pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest is to be able to provide certain content and services for the benefit of the user.

d) Possibility of objection and elimination

The person concerned has the option of deleting the registration or adapting the data at any time. The account will be deleted or changed by notifying the contact named under Section I. There is no possibility of objection or removal of the registration and the data if the registration was used to establish or execute a contractual relationship; only the account can be deleted here. The account will be deleted using the above steps.

6. Live-Help/Chat

a) Purpose of data processing

A user can also contact us via chat. We store the data transmitted to us and provided by the person concerned for processing the request. These data are name, e-mail address, date and time of the inquiry and the description of the request, and, if necessary, contract data if the inquiry takes place in the context of a contract admission or completion.

The data will not be passed on to third parties. They are used to process the contact request of the person concerned.

b) Duration of storage

As soon as the data is no longer necessary to achieve the purpose, it is deleted, which is the case when the conversation has been completed and the facts have been clarified and there are no contractual or tax retention periods to the contrary. This period is five years for personal data subject to § 147 AO and ten years for personal data subject to § 257 HGB. The periods begin at the end of the calendar year in which the data was collected.

c) Legal basis

The aforementioned data is stored on the legal basis of Art. 6 para. 1 lit. b GDPR as part of a contract initiation or fulfilment or in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest of the responsible person is to be able to process the contact request and to prevent misuse of the contact request.

d) Possibility of objection and elimination

The person concerned has the right to object to the storage at any time. The data stored for the operation is then deleted. If a contract has been concluded, the above explanations regarding the keyword "execution of contracts" shall apply.

7. Direct Marketing

a) Purpose of data processing

We will use the data received from the data subject in connection with the sale of a product or service for direct advertising for our services and products. In the case of email addresses, this only applies to similar goods or services of our own and if the person concerned has not objected to their use, which is pointed out during data collection (among other things herewith); in addition, the possibility of objection is pointed out for each use.

b) Duration of storage

As soon as the data are no longer necessary to achieve the purpose, they will be deleted, which is the case if the person concerned has objected to direct advertising or if the time lapse after the last advertising measure requires this with reference to the right of objection, which is the case after twelve months after the last advertising measure.

c) Legal basis

The legal basis for advertising after a purchase of goods or use of services is Art. 6 para. 1 lit. f GDPR. Direct advertising for sales promotion is of legitimate interest.

d) Possibility of objection and elimination

The person concerned can object to the use at any time for the future without incurring any costs other than the transmission costs according to the basic tariffs.

8. Newsletter

a) Purpose of data processing

It is possible to subscribe to a newsletter. If the person concerned registers for our newsletter, the data stored regarding the person concerned during registration will be transmitted to us from the input mask. This is your e-mail address, name, IP address, time and date of registration. The data collected is required in order to be able to send the newsletter.

b) Duration of storage

The data will be deleted as soon as the data is no longer necessary to achieve the purpose and the person concerned has unsubscribed from the newsletter. According to this, they are stored for ten years from the last newsletter dispatch for the purpose of proof in the event of queries regarding existing consents, taking into account the statute of limitations.

c) Legal basis

The aforementioned data will only be stored on the legal basis of Art. 6 para. 1 lit. a GDPR with prior consent within the framework of the notification. A possible revocation of the consent at any time does not affect the legality of the processing of personal data based on the consent until revocation.

d) Possibility of objection and elimination

The use of the data to subscribe to the newsletter can be revoked at any time with effect for the future by unsubscribing from the newsletter without incurring any costs other than the transmission costs according to the basic rates. This can be done by informal request to us. If the person concerned wishes to unsubscribe from the newsletter, he or she will find a correspondingly marked link in each newsletter, for example, which he or she only has to click on.

9. YouTube

a) Purpose of data processing

We use the YouTube embedding function to display and play videos of the provider "YouTube", YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA, which is represented by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

When a YouTube video page is accessed, a connection is established to YouTube's servers, which is assigned to the user's personal profile and informs them of the pages visited on the website when they are logged in with their YouTube account. You can prevent this by logging out of your YouTube account beforehand.

b) Duration of storage

Information on data protection and the storage of personal data at "YouTube" can be found in the provider's data protection declaration at https://www.google.de/intl/de/policies/privacy.

c) Legal basis

The use of YouTube serves to protect our legitimate interest in an appealing presentation of our website in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR.

d) Possibility of objection and elimination

At https://adssettings.google.com/authenticated you will find an opt-out function.

10. Blog

a) Purpose of data processing

In our blog, in which we publish various articles on topics related to our business, a user can make public comments.

These are published under the name specified. User name and e-mail address are required, all other information is voluntary. Furthermore, the IP address is stored.

The storage is necessary in order to be able to defend us against liability claims in cases of possible publication of illegal content. We need your e-mail address in order to contact you if a third party should object to your comment as unlawful.

b) Duration of storage

The data is stored with each user comment and deleted as soon as it is no longer required for said purposes, which is the case at the latest three months after the publication of the comment.

c) Legal basis

The aforementioned data is stored in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest lies in the provision of our blog and in order to prevent misuse of the comment function.

d) Possibility of objection and elimination

The person concerned has the right to object to the storage at any time. The data stored for the operation is then deleted.

11. Google AdWords

a) Purpose of data processing

We use Google Adwords to draw attention to our products and services on external websites. For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as the insertion of ads or clicks by users, can be measured. If you access our website via a Google ad, Google Adwords stores a cookie on your device. These cookies usually expire after 30 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that the user no longer wishes to be addressed) are usually stored as analysis values.

These cookies enable Google to recognize your internet browser. If a user visits certain pages of an Adwords customer's website and the cookie stored on their terminal has not yet expired, Google and the customer can recognize that the user has clicked on the ad and has been redirected to this page. Each Adwords customer is assigned a different cookie. Cookies cannot therefore be traced via the websites of Adwords customers.

We do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. On the basis of these evaluations we can recognize which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no influence on the extent and the further use of the data which are raised by the use of this tool by Google and inform you therefore according to our knowledge: By the integration of AdWords conversion Google receives the information that you visited the appropriate part of our Internet appearance or clicked an advertisement of ours. If you are registered with a Google service, Google may associate your visit with your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may obtain and store your IP address.

For more information about Google AdWords' privacy policy, please visit the following web address: https://policies.google.com/technologies/ads?hl=en

b) Duration of storage

The cookie is valid for 30 days and will be deleted after expiration if you do not delete it yourself - for example by suitable settings of your browser or manually.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.

d) Possibility of objection and elimination

You can block the use of cookies; the corresponding steps can be found in the instructions for your browser software.

12. Microsoft Bing Ads

a) Purpose of data processing

We use the conversion tracking technology "Bing Ads" from Microsoft (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA) to draw attention to our products and services on external websites. For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as the insertion of ads or clicks by users, can be measured. If you access our website via a Bing ad, Bing Ads stores a cookie on your end device. These cookies usually expire after 180 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that the user no longer wishes to be addressed) are usually stored as analysis values.

These cookies enable Microsoft to recognize your internet browser. If a user visits certain pages of a Bing Ads customer's website and the cookie stored on their end device has not expired, Microsoft and the customer may recognize that the user has clicked on the ad and has been redirected to this page. Each Bing Ads customer is assigned a different cookie. Cookies can therefore not be traced via the websites of Bing Ads customers.

We do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Microsoft. On the basis of these evaluations we can recognize which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Microsoft server. We have no influence on the extent and further use of the data collected by Microsoft through the use of this tool and therefore inform you according to our level of knowledge: By integrating Bing Ads Conversion, Microsoft receives the information that you have called the corresponding part of our Internet presence or clicked on an advertisement from us. If you are registered with a Microsoft service, Microsoft may associate your visit with your account. Even if you are not registered with Microsoft or have not logged in, it is possible that the provider may obtain and store your IP address.

For more information about Microsoft Bing Ads' privacy policy, please visit: https://privacy.microsoft.com/de-de/privacystatement

b) Duration of storage

The cookie is valid for 180 days and will be deleted after expiration if you do not delete it yourself - for example by suitable settings of your browser or manually.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.

d) Possibility of objection and elimination

You can block the use of cookies; the corresponding steps can be found in the instructions for your browser software.

13. Twitter Ads

a) Purpose of data processing

We use Twitter's conversion tracking technology "Twitter Ads" (Twitter, Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) to draw attention to our products and services on external websites. For this purpose, we use ad server cookies, through which certain parameters for measuring success, such as the insertion of ads or clicks by users, can be measured. If you access our website via a Twitter Ad, Twitter Ads stores a cookie on your device. These cookies usually expire after 30 days and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that the user no longer wishes to be addressed) are usually stored as analysis values.

These cookies enable Twitter to recognize your internet browser. If a user visits certain pages of a Twitter Ads customer's website and the cookie stored on their device has not yet expired, Twitter and the customer can recognize that the user has clicked on the ad and has been redirected to this page. Each Twitter Ads customer is assigned a different cookie. Cookies can therefore not be traced via the websites of Twitter Ads customers.

We do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Twitter. On the basis of these evaluations we can recognize which of the used advertising measures are particularly effective. We do not receive any further data from the use of advertising material; in particular, we cannot identify users on the basis of this information.

Due to the marketing tools used, your browser automatically establishes a direct connection to the Twitter server. We have no influence on the extent and the further use of the data that is collected through the use of this tool by Twitter and therefore inform you according to our level of knowledge: By integrating Twitter Ads, Twitter receives the information that you have called the corresponding part of our Internet presence or clicked on an advertisement from us. If you are registered with a Twitter service, Twitter can assign your visit to your account. Even if you are not registered on Twitter or have not logged in, there is a possibility that the provider may obtain and store your IP address.

b) Duration of storage

The cookie is valid for 30 days and will be deleted after expiration if you do not delete it yourself - for example by suitable settings of your browser or manually.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.

d) Possibility of objection and elimination

You can block the use of cookies; the corresponding steps can be found in the instructions for your browser software.

14. Google Analytics

a) Purpose of data processing

The client IP address is collected for use of the Google Analytics service. This website uses Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files which are stored on the end device of the person concerned and which enable an analysis of the use of the website. The information generated by the cookie about the use of this website is usually transferred to a Google server in the USA and stored there. However, due to the activation of IP anonymisation on this website, Google will reduce the IP address of the person concerned within Member States of the European Union or in other signatory states to the Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate the use of the website, to compile reports on the website activities and to provide the website operator with further services associated with the use of the website and the Internet. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data.

b) Duration of storage

As soon as the data are no longer necessary to achieve the purpose, they will be deleted, which is the case when the anonymisation within the European Union has been completed. This takes less than a second.

The data sent by us and linked with cookies, user IDs (e.g. user ID) or advertising IDs are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

For more information, please visit https://www.google.com/analytics/terms/de.html and https://policies.google.com/?hl=en.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 para. 1 lit. f GDPR. The legitimate interest lies in the fact that we are able to analyse the use of the website by all users in its entirety without drawing conclusions about the behaviour of identifiable persons; this enables us to optimise our website and our offers.

d) Possibility of objection and elimination

The person concerned can prevent the storage of cookies by a corresponding setting of the browser software; however, we point out to the person concerned that in this case not all functions of this website may be used in full. Furthermore, the person concerned can prevent the collection of data generated by the cookie and related to the use of the website (including the IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.

15. IntelliAd

a) Purpose of data processing

We use the intelliAd analysis service of intelliAd Media GmbH from Munich as a web analysis service with bid management. Cookies are used to enable statistical analysis of the use of this website by those affected. Cookies are small text files that are stored by the Internet browser on the user's terminal device. However, intelliAd's cookies do not contain any information that makes it possible to identify a user.

An automatic shortening of the IP address prevents intelliAd from accessing the unabridged IP address, which thus prevents personal reference.

b) Duration of storage

As soon as the data are no longer necessary to achieve the purpose, they are deleted, which is the case when anonymisation has taken place. For technical reasons, this process takes less than one second.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG. The legitimate interest is that we are able to analyse the surfing behaviour of non-identifiable users; this enables us to optimise our website and our offers.

d) Possibility of objection and elimination

You can block the use of cookies; the corresponding steps can be found in the instructions for your browser software.

16. Visual Website Optimizer (VWO)

a) Purpose of data processing

We use the web analysis service of Visual Website Optimizer, which is operated by Wingify Software Pvt Ltd, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, New Delhi 110034, India. The service sends information to our server in order to understand how the user moves on the website (e.g. which links he clicks and how he moves the mouse) and how changes to the website, such as the design, the navigation elements, individual input forms, affect the usage behaviour (such as the length of stay and use of elements) of those affected. Cookies, i.e. small text files that are stored by the Internet browser on the user's terminal device, are used to recognize the user. For this purpose, Visual Website Optimizer collects the IP addresses, but pseudonymizes them immediately after collection in order to exclude a reference to those affected. Further information can be found at https://vwo.com/privacy-policy/.

b) Duration of storage

As soon as the data are no longer necessary to achieve the purpose, they are deleted, which is the case when the pseudonymisation has taken place. For technical reasons, this process takes less than one second.

c) Legal basis

The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG. The legitimate interest is that we are able to analyse the surfing behaviour of non-identifiable users; this enables us to optimise our website and our offers.

d) Possibility of objection and elimination

You can block the use of cookies; the corresponding steps can be found in the instructions for your browser software.

17. Facebook-, Instagram-, YouTube-, Twitter-, Google+ Buttons

a) Purpose of data processing

We do not collect any personal data through buttons on social networks. Nevertheless, we explain the technical background for the sake of completeness. We only use disabled buttons from Facebook, Instagram, Twitter, Google+ and YouTube social networks. This means that no data is transmitted to these networks. By clicking on the buttons, the person concerned decides to activate them and thus establish a connection to the servers of the operators of the social networks and thus to transmit data to the servers of the social networks in accordance with the agreement concluded by the person concerned with the social network. Activation leads to access to social network content. The type, purpose and scope of data collection and use can be found in the corresponding data protection declarations of the social networks.

After a second click on the button the user can send his recommendation to the social networks. If the person concerned wishes to recommend several pages, the consent is required on each page. If the person concerned wants the social network to have permanent access to his data, the person concerned can permanently activate the buttons. For this purpose, the appropriate check mark can be placed under a gear icon with the result that the selected button is always directly active.

b) Duration of storage

Duration of storage is based on the specifications of the operators of the social networks.

c) Legal basis

The operators of the social networks inform those affected about the legal basis.

d) Possibility of objection and elimination

Using the gear icon through which the person concerned activated the social media buttons, he can later change his consent again and deactivate the buttons.

18. Facebook-Tracking

a) Purpose of data processing

We use tracking technology from Facebook Inc. based in the USA on our website. At the time of your visit, your IP address, the browser used, the operating system used and the page you have requested are transmitted to the external provider. In addition to us, Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland is responsible for data processing.

At the same time, a cookie is set that enables us to track how you have found our website - possibly via advertisements placed by us on Facebook, but also by other means. At the same time it is recorded whether our advertising measure has led to the conclusion of a contract (so-called conversion).

The collection of this data is necessary in order to be able to track the effectiveness of our advertising measures and to enable Facebook to bill us for our advertising measures. In addition, the data is used to link the information that the local website has been visited to your Facebook profile if you are a Facebook customer and log in there during or after your visit to our website. Facebook uses this procedure to determine your interests and preferences in order to present you with tailor-made advertising.

The data collected in this respect is only made available to us by Facebook in anonymous form; we do not store any personal data in this context. If, according to Facebook, data is also transmitted to the USA, this is done on the basis of the so-called Privacy Shield Agreement.

b) Duration of storage

According to Facebook, the data collected in this way is stored for a period of 90 days. After 90 days, the data will be made anonymous so that it can no longer be associated with you.

c) Possibility of revocation and removal

You can object to the collection of data by deactivating the use of cookies in your browser settings. However, we would like to point out that this may impair the functionality of our website.

19. Cloudflare

a) Purpose of data processing

To protect the website against denial-of-service attacks, we use the services of the US provider Cloudflare Inc.

We have entered into a data processing agreement with this service provider, which is Privacy Shield certified, so that it is ensured that the data processed there for us is in safe hands. The transmitted data are IP address, browser type, operating system used and the file called up in each case.

b) Duration of storage

The data will be deleted immediately after the page is accessed; the data will only be logged by us as described in the section "Visiting our website".

c) Legal basis

The storage of the aforementioned data is based on Article 6 para. 1 lit f GDPR ("legitimate interest"). The legitimate interest lies in maintaining the deliverability of our website and secure operation.

d) Possibility of objection and elimination

The person concerned can stop the data processing by stopping the use of our website.

20. Single Sign-On and Payment-Services

a) Purpose of data processing

We use the following third-party tools to simplify ordering and payment processing:

  • PayPal, an offer by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L- Luxembourg;
  • Sofort, an offer by Sofort GmbH, München, Theresienhöhe 12, 80339 München.

When calling up the shopping cart, these providers use scripts integrated in our website to check whether the user is a customer of the respective provider and logged in there. This is done by matching any cookies stored by the provider in the user's browser.

For this purpose, the IP address, browser used, operating system and the page requested in each case are transmitted to the third party provider. We only collect data when a customer of a provider uses the service of the third party and arranges for the personal data stored there - namely the order and billing address - to be transmitted to us and, if necessary, for the payment process to be processed in accordance with the user conditions of the service with which the customer has a contractual relationship.

b) Duration of storage

For our part, only the data that is transferred to us by the third party provider on behalf of the customer for the purpose of executing the contract will be processed. In this respect, the information on the duration of storage as stated above for the keyword "performance of the contract" applies.

Insofar as the third party providers process data on behalf of the customer, the storage period results from the data protection regulations of the respective provider to which reference is made here.

c) Legal basis

The legal basis for processing is Art. 6 para. 1 lit b GDPR, insofar as the data is used to process contracts via our website. As far as payment services are concerned, the storage is also based on Art. 6 para. 1 lit c GDPR, as the data collected in this way is of tax relevance and thus necessary to fulfil our tax obligation. Processing is also based on Article 6 (1) (e) GDPR because it serves our legitimate interest in enabling customers of the relevant service providers to use the services of their contractual partners and to ensure fast and pleasant contract execution.

d) Possibility of objection and elimination

Since we are bound by statutory retention periods and the data must be stored and processed for contract execution, an objection or deletion is not possible.

21. Mixpanel

a) Purpose of data processing

We evaluate the behaviour of visitors to our website in order to be able to make predictive product recommendations during the course of the visit. If you register for our newsletter, the selection of the contents presented in it is also based on the evaluation of previous visits and purchases. At the same time, we use the information - for example about canceled orders - to improve our interaction with our users. We use the services of the business-analytics service provider Mixpanel, with whom we have concluded an order processing agreement. As far as data is transferred to the headquarters of the order processor in the USA, this is done in compliance with the requirements of the EU-US Privacy Shield Agreement. The collected data includes the IP address, browser type and operating system of the user as well as the accessed file(s) and, if you have provided us with this information within the scope of an order or by registration for our newsletter, name, address, e-mail address and telephone number.

b) Duration of storage

Mixpanel stores the data on our behalf for a maximum period of one year from the last visit to our site; we ensure that older data records are deleted or made anonymous by transmitting deletion requests via the "Engage API" provided by Mixpanel.

c) Legal basis

The legal basis is our legitimate interest in providing our customers with an offer that is effectively tailored to their needs, Art. 6 para. 1 lit. e GDPR.

d) Possibility of objection and elimination

You can object to the processing by ticking "Yes, I would like to opt out" under this link (https://mixpanel.com/optout/) and clicking on the button marked "SAVE". This stores a cookie on your end device that prevents data from being collected. Please note that you must use the opt-out option again after your cookies have been deleted, whether by you or as a result of your browser settings. Please refer to your browser's operating instructions for further information.

22. Customer support tools

a) Purpose of data processing

We use tools from Intercom, Inc. and Zendesk, Inc. based in the USA to communicate with our customers. During use, the name, the connection identifier of the customer (telephone number, e-mail address etc.) and the communication content are collected by the service providers. These process the data on the basis of an order processing agreement concluded with us. The data is also collected and stored by us for the purpose of future direct advertising; in this respect, reference is made to our explanations on the keyword "direct marketing". As far as data is transferred to the headquarters of the order processor in the USA, this is done in compliance with the requirements of the EU-US Privacy Shield Agreement.

b) Duration of storage

The data will be stored for the duration of the contractual relationship with our customer, in the case of non-customers until the completion of the communication process, unless it is stored for a longer period for the purpose of direct advertising. If the data is relevant to tax or commercial law, the data is stored in accordance with § 147 AO for a period of ten years, in accordance with § 257 HGB for a period of five years, beginning at the end of the year of data collection.

c) Legal basis

The data is collected and stored for the purpose of executing or initiating contracts, Art. 6 para. 1 lit. b GDPR, for compliance with our tax and commercial storage regulations, Art. 6 para. 1 lit. c GDPR and due to our legitimate interest in easy access to our customers and efficient organisation and processing of enquiries, Art. 6 para. 1 lit. e GDPR.

d) Possibility of objection and elimination

If there are no legal storage obligations, you can object to the processing in accordance with the conditions summarised below under the keyword "rights" and, if necessary, demand deletion of stored data. An informal notification is sufficient for this purpose.

III. Rights of the data subject

If personal data of the user are processed on our website, the person concerned has the following rights against the person responsible in accordance with the GDPR.

1. Right to information according to Art. 15 GDPR

The person concerned has the right to the following information:

(a) processing purposes;

(b) the categories of personal data being processed;

(c) the recipients or categories of recipients to whom the personal data have been or are still being disclosed, in particular recipients in third countries or international organisations;

(d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;

(e) the existence of a right of rectification or deletion of personal data concerning him or of a restriction on processing by the controller or of a right of opposition to such processing;

(f) the existence of a right of appeal to a supervisory authority;

(g) where the personal data are not collected from the data subject, all available information on the origin of the data;

(h) the existence of automated decision-making, including profiling in accordance with Article 22(1) and (4) GDPR, and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

(i) where personal data are transferred to a third country or international organisation, the data subject shall have the right to be informed of the appropriate guarantees in accordance with Article 46 GDPR in relation to the transfer.

We provide the data subject with a copy of the personal data that is the subject of the processing. For all other copies requested by the data subject, the data processor may charge an appropriate fee on the basis of the administrative costs.

2. Right to correction in accordance with Art. 16 GDPR

The data subject shall have the right to request the controller to rectify any inaccurate personal data concerning him/her without delay. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

3. The right to cancellation in accordance with Art. 17 GDPR

The data subject has the right to require the data controller to delete personal data concerning him/her without delay and the data controller is obliged to delete personal data without delay if one of the following reasons applies:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws his/her consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing;

(c) the data subject opposes processing in accordance with Article 21(1) GDPR and there are no overriding legitimate grounds for processing or the data subject opposes processing in accordance with Article 21(2) GDPR;

(d) the personal data have been processed unlawfully;

(e) the deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject;

(f) the personal data was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.

4. Right to limitation of processing in accordance with Art. 18 GDPR

The data subject has the right to require the controller to restrict processing if one of the following conditions is met:

(a) the accuracy of the personal data is disputed by the data subject for a period which enables the data controller to verify the accuracy of the personal data,

(b) the processing is unlawful and the data subject refuses to delete the personal data and instead requests that the use of the personal data be restricted;

(c) the data controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the purpose of asserting, exercising or defending claims; or

(d) the data subject has lodged an objection to the processing pursuant to Art. 21 para. 1 GDPR, as long as it is not yet clear whether the legitimate reasons of the data subject outweigh those of the data processor.

5. Right to information in accordance with Art. 19 GDPR

If the data subject has claimed from the data processor a correction with regard to his personal data in accordance with Art. 16 GDPR, a deletion in accordance with Art. 17 para. 1 GDPR or a restriction on processing in accordance with Art. 18 GDPR, and if the data processor has informed all recipients to whom the data subject's personal data have been disclosed of the data subject's request (unless this was impossible or disproportionate), the data subject has the right to be informed by the data processor about the recipients.

6. Right to Data Transferability Art. 20 GDPR

The data subject has the right to receive the personal data concerning him/her that he/she has provided to a controller in a structured, commonly used and machine-readable format and he/she has the right to transmit this data to another controller without our interference, provided that

(a) processing is based on consent pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and

(b) processing is carried out by means of automated methods.

The rights and freedoms of other persons must not be affected by this.

When exercising the right to data transferability pursuant to paragraph 1, the data subject has the right to request that the personal data be transferred directly by us to another data controller, insofar as this is technically feasible.

The exercise of the right to data transferability does not affect the right to cancellation pursuant to Art. 17 GDPR. The right to transferability shall not apply to processing necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

7. Right of objection according to Art. 21 GDPR

The data subject has the right to object at any time to the processing of personal data concerning him/her on the basis of Article 6(1)(e) or (f) of the GDPR for reasons arising from his particular situation; this also applies to profiling based on these provisions.

We no longer process personal data unless we can prove compelling grounds for processing that outweigh the interests, rights and freedoms of the data subject or the processing serves to assert, exercise or defend legal claims.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him/her for the purposes of such advertising, including profiling in so far as it is related to such direct marketing. If the data subject objects to the processing for direct marketing purposes, the personal data will no longer be processed for these purposes.

The data subject may revoke his/her consent at any time. However, the collection and processing that has taken place up to this point remains legal.

8. Automated decisions in individual cases incl. profiling according to Art. 22 GDPR

The data subject shall not be subject to a decision based exclusively on automated processing - including profiling - which has legal effect against him or significantly impairs him in a similar manner.

This does not apply if the decision

(a) is necessary for the conclusion or performance of a contract between the party concerned and us,

(b) is admissible under Union or Member State law to which we are subject and that law contains appropriate measures to safeguard the rights, freedoms and legitimate interests of the person concerned; or

(c) is made with the express consent of the data subject.

These decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.

In the cases referred to in points a) and c), we shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a person on our part, to state his own position and to challenge the decision.

9. Right of appeal to a supervisory authority pursuant to Art. 77 GDPR

Without prejudice to any other administrative or judicial remedy, any data subject shall have the right of appeal to a supervisory authority, in particular in the Member State of his place of residence, his place of employment or the place of suspected infringement, if the data subject considers that the processing of personal data concerning him or her is contrary to this Regulation.

10. Right to an effective judicial remedy under Article 79 of the GDPR

Without prejudice to any available administrative or extrajudicial remedy, including the right of appeal to a supervisory authority under Article 77 GDPR, any data subject shall have the right to an effective judicial remedy if he considers that his rights under this Regulation have been infringed as a result of processing of his personal data in breach of the GDPR. Any action against us or against a processor shall be brought in the courts of the Member State in which we or the processor have a place of business. Alternatively, such actions may also be brought before the courts of the Member State in which the person concerned is resident, unless we or the processor is an authority of a Member State which has acted in the exercise of its sovereign powers.