Skip to main content
Close
Explore
close
Book a treatment
close

Data protection and privacy policy

This data protection and privacy contains comprehensive information on the processing of your personal data by Molecular Cosmetics GmbH, Königsallee 24, 40212 Düsseldorf, Germany (“we” and/or “controller” and/or “us”) pursuant to the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

Please read the data protection and privacy policy carefully.

Contents

Data protection and privacy policy. 1

1.    Name and contact details of controller. 3

2.    Contact details of data protection officer. 3

3.    Data processing and the purposes, legal bases, and legitimate interests associated with it; recipients. 3

3.1.        Data processing when our website is accessed. 3

3.1.1.    Log files. 3

3.1.2.    Cookies, tracking, social media plugins. 4

3.2.        Data processing within the scope of contracts. 4

3.2.1.    Establishment, performance, and/or termination of contract 4

3.2.2.    Customer account 5

3.2.3.    Payment 5

3.2.3.1.      Payment via PayPal 6

3.2.3.2.      Payment via Google Pay. 6

3.2.3.3.      Payment via Apple Pay. 7

3.2.3.4.      Payment via Klarna. 7

3.2.3.5.      Credit card payment 8

3.3.        Data processing for marketing purposes. 9

3.3.1.    Newsletter marketing. 9

3.3.2.    Giveaway offers. 9

3.4.        Use of Cookies. 9

3.4.1.    Cookies – General information. 9

3.4.2.    Individual cookie information. 10

3.5.        Contacting us. 10

3.6.        Data processing within the scope of social media pages. 11

3.6.1.    Details. 11

3.6.2.    Controller and assertion of rights. 11

3.6.3.    Legal basis. 11

3.6.4.    Term of storage. 11

3.6.5.    Social networks: details. 11

3.6.5.1.      Facebook. 12

3.6.5.2.      Google / YouTube. 12

3.6.5.3.      Twitter. 12

3.6.5.4.      Instagram.. 12

4.    Processors. 12

5.    Recipients outside the EU.. 12

6.    Rights of our users. 13

6.1.        Overview.. 13

6.2.        Right to object 13

6.3.        Right to withdraw consent 14

7.    Data security. 14

7.1.        Final remarks. 14

7.2.        How do I protect my account?. 14

7.3.        How do I create a strong password?. 14

7.4.        What else should I keep in mind?. 15

8.    Recipients of data 15

 

 

 

1.    Name and contact details of controller

This data protection and privacy policy applies to the processing of data by

Barbara Sturm Molecular Cosmetics GmbH, Königsallee 24, 40212 Düsseldorf, Germany
Phone: +49 211 8632003

e-mail address: [email protected]

represented by:

Dr. Barbara Sturm-Waldman

for the following website(s): https://en.drsturm.com

2.    Contact details of data protection officer

Our company data protection officer can be reached at

e-mail: [email protected]

3.    Data processing and the purposes, legal bases, and legitimate interests associated with it; recipients

3.1.  Data processing when our website is accessed

3.1.1. Log files

When our website is accessed, the Internet browser of the device you are using transmits information to the server of our website. This information is temporarily stored in so-called “log files.” The data sets stored in the process contain the following data:

·      Date and time of access,

·      Name of page accessed

·      IP address of requesting device,

·      Referrer URL (the originating URL from which you accessed our website),

·      Report of successful access,

·      Amount of data transferred,

·      Loading time, and

·      Information on the product and version of the browser used, along with the name of your access provider.

The legal basis for the processing of the IP address is point (f) of Article 6 (1) GDPR. Our legitimate interest lies in

·      Ensuring smooth establishment of a connection,

·      Ensuring comfortable and convenient use of our website, and

·      Analyzing and ensuring system security and stability.

We do not draw any inferences as to your identity in the process, nor would it be possible to do so using this information.

The data is stored and erased promptly after achieving the aforementioned purposes, but within seven days at the latest. Storage beyond that will occur only if the user’s IP address is erased or edited beforehand with the result that it is no longer possible to associate them with a specific person.

 

3.1.2. Cookies, tracking, social media plugins

Our website uses so-called cookies, tracking tools, targeting methods, and social media plugins. For information on the specific methods involved as well as on how your data is used for these purposes, please see the details provided in Sec. 3.4.

3.2.  Data processing within the scope of contracts

3.2.1. Establishment, performance, and/or termination of contract

If and when an order is placed, we process the information needed in order to enter into, perform, or terminate a contract with you.  This includes the following:

·      First and last name

·      Title/form of address

·      Address

·      E-mail address

·      Date of birth

·      Phone number

·      Customer number

·      Password (encrypted)

·      Billing and payment information (credit card numbers, bank details) and transaction IDs in connection with the order

·      Order information

·      Notifications and communication in relation to the order – shipping notification and invoice

If you would like a skin consultation, we also process the information you provide for this regarding your skin type, skin tone, skin concerns, number of skincare products, and age for this purpose.

To process an order via our website, the following data processing is also required:

·      We provide your payment details to payment service providers commissioned by us in order to process the payment(s). For further details, please see Sec. 3.2.3.

·      We share the information on your shipping address with logistics companies and shipping partners commissioned by us in order to carry out the shipping and delivery. We also share your e-mail address so that the delivery can be made at your desired time, where applicable. This data is erased (automatically) after the delivery is made.

For a list of the service providers we work with, please scroll to the last page.

When shipping goods, we use UPS and DHL as service providers to provide shipping notifications, shipping status and tracking numbers to our customers. To this end, the personal data necessary for the shipping notifications (name, address, order number, mobile number) are shared with UPS and DHL. For more information, please consult the data protection and privacy policy of UPS and DHL.

The legal basis for the data processing for the purpose of processing and delivering orders is point (b) of Article 6 (1) GDPR. You provide the data to us on the basis of the respective contractual relationship (e.g. maintaining your customer/user account, performing a purchase agreement, including delivery of goods and processing of payment) between you and us. When placing orders via our website, we are also obligated to process your e-mail address based on the provisions of the German Civil Code (BGB) because we are required to send you an electronic order confirmation (point (c) of Article 6 (1) GDPR). The legal basis for the data processing for purposes of scheduling within the scope of delivery is point (f) of Article 6 (1) GDPR. Our legitimate interest lies in being able to provide you with the greatest possible service within the scope of the delivery.

Customer data is typically erased automatically three years after the last order.
It will however not be erased, if there is still a legitimate interest in its processing (e.g. if the processing is necessary for the establishment, exercise, or defense of legal claims or for our own marketing purposes pursuant to Sec.
3.3) or if the storage of the data is required to satisfy the provisions on retention under commercial and tax law pursuant to point (c) of Article 6 (1) GDPR and Sec. 257 of the German Commercial Code (HGB) and Sec. 147 (2) of the German Fiscal Code (AO) (according to which we, for example, are required to retain e-mail communications with our customers for six years and invoices for ten years).

3.2.2. Customer account

To allow you to enjoy the greatest possible comfort and convenience, we offer you the option to store your personal data permanently in a password-protected customer account. If you have this kind of customer account, you are not required to enter your data again. You can also view and edit the data stored in your customer account at any time. We process the following data for this:

·      First and last name

·      Title/form of address

·      Address

·      E-mail address

·      Date of birth

·      Phone number – if an order is placed

·      Customer number – assigned by us

·      Password – encrypted

·      If and when an order is placed:

o  Billing and payment information (credit card numbers, bank details) is stored by the payment service provider

o  Transaction IDs associated with the order

Creating a customer account is voluntary. If you create a customer account, the data collected for this is processed based on point (b) of Article 6 (1) GDPR.

In addition to the data requested when you place an order, you also have to provide a password of your choice in order to set up a customer account. This password is used together with your e-mail address to allow you to access your customer account. Please keep your personal access details as confidential and do not make them accessible to any unauthorized third parties, in particular. You are also required to automatically log out before leaving our website; if you do not do so, you will automatically remain logged in.

The legal basis for this further processing of data is points (c) and (f) of Article 6 (1) GDPR.

You can delete your customer account at any time. However, please note that this does not automatically also erase the order data stored in the customer account if you have ever placed an order with us. In this case, the data will be erased in accordance with Sec. 3.2.1 hereof.

3.2.3. Payment

For payment processing purposes (i.e., making payments via methods such as credit card, PayPal or Klarna), we will process the personal data necessary to this end and share them with the payment service providers commissioned by us.

Depending on your desired payment method, the data required to process your payment is transferred to the chosen payment service provider. Further information on the payment methods and providers offered can be found below. Regardless of the payment method, all data is encrypted in transit.

To establish technical connections with payment service providers and to process payments, we use the service providers PayPal, Klarna, Stripe, Google Pay, and Apple Pay.

The legal basis for the processing of your data for payment processing is point (b) of Article 6 (1) GDPR, regardless of the payment method. For further details and legal bases, please see the information on the payment service providers used.

We are required to retain all data generated in the course of processing payments (payment documentation) for ten years, pursuant to Sec. 257 (1) HGB and Sec. 147 (2) AO. This period shall begin at the end of the year, in which the last order has been placed.

3.2.3.1.  Payment via PayPal

We offer the option to pay via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (“PayPal”).

If you select PayPal as the payment method, the payment information you enter will be shared with PayPal. This information is as follows:

·      First and last name

·      Title/form of address

·      Date of birth

·      Phone number

·      E-mail

·      IP address

·      Billing and shipping address

·      /Country

·      Order date

·      Amount paid

·      Browser, device used, IP address

The following PayPal-specific information is also processed:

·      PayPal PayerID

·      PayPal Shopper Status (whether you are a verified PayPal customer)

·      PayPal e-mail address (e-mail address that you use for PayPal payments)

Use of the PayPal payment service is voluntary. You can choose a different payment method. Processing of your data to carry out payments via PayPal takes place on the basis of point (b) of Article 6 (1) GDPR, in order to perform the contract. Beyond that, we have a legitimate interest in offering an effective and secure payment method (point (f) of Article 6 (1) GDPR).

3.2.3.2.  Payment via Google Pay

We offer the option to pay via Google Pay. The provider of this payment service is Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). If you choose to pay via Google Pay, the information you provide within the scope of the ordering process is transmitted to Google Pay, along with the information on your order. This information is as follows:

·      First and last name

·      Title/form of address

·      Date of birth

·      Phone number

·      E-mail

·      IP address

·      Billing and shipping address

·      Country

·      Date, time and amount of transaction

·      Seller’s location and description

·      Product description provided by the seller

·      Photos uploaded as part of the transaction

·      Name and email address of the seller/sender or buyer/recipient

·      Payment method

·      Reason for the transaction

·      The offer associated with the transaction

·      Browser, device used, IP address

Use of the Google Pay payment service is voluntary. You can choose a different payment method. Processing of your data to carry out payments with Google Pay takes place on the basis of point (b) of Article 6 (1) GDPR, in order to perform the contract. Beyond that, we have a legitimate interest in offering an effective and secure payment method (point (f) of Article 6 (1) GDPR).

3.2.3.3.  Payment via Apple Pay

We offer the option to pay via Apple Pay from Apple Distribution International, Hollyhill Industrial Estate, Hollyhill, Cork, Ireland (“Apple”). If you choose to pay via Apple Pay, the information you provide within the scope of the ordering process is transmitted to Apple Pay, along with the information on your order. This information is as follows:

·      First and last name

·      Title/form of address

·      Date of birth

·      Phone number

·      E-mail

·      IP address

·      Billing and shipping address

·      Country

·      Order date

·      Amount paid

·      Browser, device used, IP address, device-specific account number

Use of the Apple Pay payment service is voluntary. You can choose a different payment method. Processing of your data to carry out payments with Apple Pay takes place on the basis of point (b) of Article 6 (1) GDPR, in order to perform the contract. Beyond that, we have a legitimate interest in offering an effective and secure payment method (point (f) of Article 6 (1) GDPR).

3.2.3.4.  Payment via Klarna

We use services of the payment provider Klarna (Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden). This allows you to pay for your purchase by way of an immediate funds transfer, on credit, or in installments.

If you choose to pay via Klarna, the payment information you enter will be shared with Klarna. This information is as follows:

·      First and last name

·      Title/form of address

·      Date of birth

·      Phone number

·      E-mail

·      IP address

·      Billing and shipping address

·      Country

·      Order date

·      Amount paid

·      Browser, device used, IP address

To make it possible to settle the payment, your data will be shared with Klarna for purposes of checking your identity and creditworthiness, provided that you have expressly consented to this, pursuant to point (a) of Article 6(1) GDPR within the scope of the ordering process. A credit check is performed if you pay for your purchase on credit, via Klarna financing, or by immediate direct debit and you choose a Klarna Card. In the case of immediate funds transfers, no credit check is performed. For information on which credit bureaus may receive your information in this process, please visit https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies.

The credit report may include probability values (known as scores). To the extent that scores are included in the result of the credit check, they are based on a scientifically acknowledged mathematical and statistical method. Factors included in calculating the scores include, but are not limited to, address information. The information regarding the statistical likelihood of default is used by Klarna to make a balanced decision regarding establishing, performing, or terminating the contractual relationship.

You can withdraw your consent at any time by sending a notification to the controller or Klarna with future effect. However, Klarna may remain entitled to process your personal data to the extent necessary to process the payment according to the contract. You can obtain access to information on the personal data stored by Klarna at any time. If you wish to do this, please contact [email protected]. For further details, please consult the Klarna data protection and privacy policy here: https://www.klarna.com/de/datenschutz/.

The legal basis for the processing of your data to settle payments is point (b) of Article 6 (1) GDPR. Beyond that, we have a legitimate interest in offering an effective and secure payment method with Klarna (point (f) of Article 6 (1) GDPR). Klarna uses cookies to optimize the use of the Klarna checkout solution. Optimizing the checkout solution constitutes a legitimate interest within the meaning of point (f) of Article 6 (1) GDPR.

3.2.3.5.  Credit card payment

We offer the option to pay by credit card when placing an order with us. The legal basis for the data processing is point (b) of Article 6 (1) GDPR. We use the services of Stripe]in order to settle credit card payments.

If and when you make a credit card purchase, we process the following data and share them with Stripe to process the payment:

·      First and last name

·      Billing and shipping address

·      E-mail address

·      Order date

·      Payment amount

·      Country

·      Browser, device used, IP address

·      Credit card  number

We have a legitimate interest in offering an effective and secure payment method (point (f) of Article 6(1) GDPR). For further information on data protection and privacy by Stripe, please see https://stripe.com/en-de/privacy#translation.

Stripe reserves the right to perform a credit check based on mathematical-statistical methods in order to safeguard the legitimate interest in determining the User's ability to pay. The personal data necessary for a credit check and obtained in the course of payment processing may be transmitted by Stripe to selected credit agencies, which Stripe discloses to Users upon request. The credit report may contain probability values (so-called score values). Insofar as score values are included in the result of the credit report, these have their basis in a scientifically recognized mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. Stripe uses the result of the credit check with regard to the statistical probability of non-payment for the purpose of deciding on the authorization to use the selected payment method. You can object to this processing of your data at any time by sending a message to Stripe or the appointed credit agencies. However, Stripe may still be entitled to process your personal data if this is necessary to process payments in accordance with the contract.

 

3.3.  Data processing for marketing purposes

3.3.1. Newsletter marketing

It is possible to subscribe to our newsletter via our website. To ensure that no errors occur when entering your e-mail address, we use what is known as a “double opt-in” (DOI) process. This means that you enter your e-mail address in the subscription field first and give your consent to receive our newsletter. After that, we send a confirmation link to the address you provided. Your e-mail address is not included in our newsletter distribution list unless and until you click this confirmation link.

The legal basis for this data processing is point (a) of Article 6 (1) GDPR.

Where we are entitled to process your personal data for a specific purpose based on your consent, we will erase said data immediately if you withdraw your consent.

Note on right of withdrawal

You can withdraw your consent at any time with future effect by notifying [email protected] or using the unsubscribe option that appears at the end of every newsletter.

3.3.2. Giveaway offers

If you register for our giveaway offers, we use the data you provide during the specific registration process for the purpose of fulfilling the participation contract, particularly to notify winners and, where applicable, market our offerings and/or those of our giveaway partners. These are:

·      Name

·      Date of birth

·      Gender

·      Address

·      Social media information (interactions on our channels with Facebook, such as likes or posts)

For detailed information, please see the specific contest entry rules for the giveaway in question.

The legal basis for this data processing is points (a), (b), and (f) of Article 6 (1) GDPR.

Where we are entitled to process your personal data for a specific purpose based on your consent, we will erase said data immediately if you withdraw your consent. Please also see the specific contest entry rules for information on how long data is stored in the context of giveaways.

3.4.  Use of Cookies

3.4.1. Cookies – General information

When visiting our website, information is stored on your browser in the form of a cookie (a small text file). These cookies contain information on your use of the website (identification ID, visit date, etc.). By using cookies, we can make it easier for you to use our online offerings through various service functions (such as recognizing past visits), so we can customize our internet offerings toward your needs.

We use cookies to facilitate and improve the use of our website. Among other things, cookies enable us to make our website more user-friendly and effective for you by, for example, tracking your use of our website and determining your preferred settings (e.g. country and language settings). If third parties process information via cookies, they collect the information directly via your browser. However, cookies do not cause any damage to your end device. They cannot execute programs or contain viruses. Various types of cookies are used on our website, the type and function of which are explained below.

Necessary cookies: Some functions of our website cannot be offered without the use of technically necessary cookies, e.g. the shopping cart, country and language settings, cookies that store cookie-consent.

Cookies for statistics / marketing / social media purposes: Other cookies, on the other hand, enable us to perform various analyses. Thus, some cookies can recognize the browser you are using when you visit our website again and transmit various information to us. Social media cookies allow us to connect to your social networks and share content from our website within your networks.

Temporary cookies/session cookies: Our website uses so-called temporary cookies or session cookies, which are automatically deleted as soon as you close your browser. This type of cookie makes it possible to record your session ID. This allows various requests from your browser to be assigned to a common session and makes it possible to recognize your terminal device during subsequent visits to the website.

Permanent cookies: So-called permanent cookies are used on our website. Permanent cookies are cookies that are stored in your browser for a longer period of time and can transmit information. The respective storage period differs depending on the cookie. You can delete permanent cookies independently via your browser settings.

Third-party cookies: We use analytical cookies to monitor anonymized user behavior on our website. In addition, we use advertising cookies. These cookies allow us to track user behavior for advertising and targeted marketing purposes.

Browser settings configuration: Most web browsers are preset to automatically accept cookies. However, you can configure your respective browser to only accept certain cookies or not to accept cookies at all. However, we would like to point out that you may then no longer be able to use all the functions of our website.

You can also delete cookies already stored in your browser via your browser settings. Furthermore, it is possible to set your browser to notify you before cookies are stored. Since the various browsers may differ in their respective modes of operation, we ask you to refer to the respective help menu of your browser for the corresponding configuration options.

The deactivation of the use of cookies may require the storage of a permanent cookie on your computer. If you subsequently delete this cookie, you will have to deactivate it again.

Revocation: You can change or revoke your consent at any time from the cookie declaration on our website. Please provide your consent ID and date when contacting us regarding your consent.

Your consent applies to the following domains: de.drsturm.com.

You can find a list of cookie providers we are currently using, below, providing you with more information on the exact provider, the type of the cookie used, the exact cookie name, its operating mode, the operating duration, third party access possibilities as well as a link to the specific data protection policy of the respective cookie provider.

3.4.2. Individual cookie information

For more information, such as the type and functional duration of the individual cookies we use, please refer to our Consent Manager.

3.5.  Contacting us

If you wish to contact us, you can do so by e-mail or phone or, where applicable, by chat or mail. In this case, we will use the personal data that you voluntarily provide to us within this scope solely for the purpose of contacting you and processing your inquiry.

The legal basis for this data processing is point (b) of Article 6 (1) GDPR.

The data is erased as soon as the purpose of the contact has been fulfilled.

3.6.  Data processing within the scope of social media pages

We operate publicly accessible profiles on social networks. The specific social networks we use are stated below. Social networks like Facebook, Twitter, etc. can generally analyze your user behavior extensively if you visit their website or a website with integrated social media content (such as “Like” buttons or banner ads). Visiting our social media profiles triggers processing operations that are relevant from a data protection standpoint.

3.6.1. Details

If you are logged in to your social media account and visit our social media presence, the operator of the social media portal can associate the visit with your user account. Under some circumstances, however, your personal data may be collected even if you are not logged in or do not have an account with the social media portal in question. In this case, the data collection takes place, for example, via cookies that are stored on your device or via collection of your IP address. The operators of the social media portals can use the data collected in this way to create user profiles that store your preferences and interests. In this way, interest-based ads can be displayed to you within and outside the relevant social media presence. If you have an account with the relevant social network, the interest-based ads may be displayed on all devices on which you are or have been logged in. For details on this, please see the privacy policies of the relevant social media portals.

3.6.2. Controller and assertion of rights

If you visit one of our social media pages (e.g., Facebook), we, jointly with the operator of the social media platform, share responsibility for the data processing operations triggered on this visit as the controller. As a basic principle, you can assert your rights (access to information, rectification, erasure, restriction of processing, data portability, and lodging a complaint) toward us or the operator of the social media portal in question (e.g., toward Facebook). Please note that despite our joint status as controller, we do not have full influence over the social media portals’ data processing operations. Our options are primarily geared toward the relevant provider’s corporate policy.

3.6.3.Legal basis

Our social media pages are intended to provide an online presence as comprehensive as possible and permit effective sharing of information with users as well as communication with users. This constitutes a legitimate interest within the meaning of point (f) of Article 6 (1) GDPR. The analysis processes initiated by the social networks may be based on different legal bases, which the operators of the social networks are obligated to state (e.g., consent within the meaning of point (a) of Article 6 (1) GDPR).

3.6.4. Term of storage

The data collected directly by us via the social media presence is erased by our systems as soon as the purpose for storage thereof has ceased to apply, you request that we erase them, you withdraw your consent to storage, or the purpose of the data storage ceases to apply. Stored cookies remain on your device until you erase them. Required statutory provisions – particularly retention periods – are not affected by these provisions. We have no influence on the time period for which your data is stored by the operators of the social networks for their own purposes. For details regarding this, please seek information from the operators of the social networks directly (e.g., in their data protection and privacy policies; see below).

3.6.5. Social networks: details

We use the following social networks:   

3.6.5.1.  Facebook

The provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. We have entered into an agreement with Facebook on joint status as controllers during the processing of data (controller addendum). This agreement stipulates for which data processing operations we are or Facebook is the controller when you visit our Facebook page. You can view this agreement here: https://www.facebook.com/legal/terms/page_controller_addendum. You can adjust your ad settings yourself in your user account. To do this, click this link and log in: https://www.facebook.com/settings?tab=ads.

For details, please see the Facebook privacy policy: https://www.facebook.com/about/privacy.

3.6.5.2.  Google / YouTube

The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. You can adjust your ad settings yourself in your user account. To do this, click this link and log in: https://adssettings.google.com/authenticated.

For details, please see the Google privacy policy: https://policies.google.com/privacy.

3.6.5.3.  Twitter

The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

You can adjust your Twitter privacy settings yourself in your user account. To do this, click this link and log in: https://twitter.com/personalization.

For details, please see the Twitter privacy policy: https://twitter.com/de/privacy.

3.6.5.4.  Instagram

The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA.

For details on how Instagram uses your personal data, please see the Instagram privacy policy: https://help.instagram.com/519522125107875 or alternatively http://instagram.com/about/legal/privacy.

4.    Processors

We use processors to process your data. A processor is a natural person or legal entity, government agency, institution, or other body that processes personal data on behalf of the controller initially responsible for the data processing. Processors do not use the data for their own purposes; instead, they carry out the data processing exclusively on the controller’s behalf.

For example, if you purchase an item from us, you, among other information, transmit your e-mail address, for the purpose of receiving an order confirmation.

That makes us the controller for this data processing. For the purpose of transmitting an order confirmation, your e-mail address is then transmitted to a service provider. This service provider then assumes responsibility for transmitting the order confirmation to you for the item purchased. To do this, the service provider processes your e-mail address on our behalf. A list of the processors we use is available here.

5.    Recipients outside the EU

The processing of the data normally takes place in Germany or Member States of the European Union. Where processing in third countries takes place in certain cases, this occurs only if the adequacy of the level of data protection in the third country has been confirmed by the European Commission in accordance with Article 45 GDPR, based on the EU standard contractual clauses, or if it has otherwise been ensured that the level of protection afforded to data at the recipient's end is adequate.

6.    Rights of our users

6.1.  Overview

If the relevant legal prerequisites are met, you have the following rights pursuant to the GDPR:

·      The right of access (Article 15 GDPR)

You can request access to the following information:

o  Which of your personal data we process

o  The purposes of processing

o  The category of the personal data

o  The categories of recipients to which or whom your data has been or is being disclosed

o  The planned duration of storage

o  The origin of your data, where has not been collected from you directly

 

·      The right to rectification of inaccurate data or to have incomplete data completed (Article 16 GDPR),

 

·      The right to erasure (Article 17 GDPR)

You have the right to request the erasure of your data. However, this right applies only to the extent that we are not obligated to continue to store the data based on statutory or contractual retention periods or other statutory obligations or rights.

·      The right to restriction of processing of your data (Article 18 GDPR)

Where you dispute the accuracy of your data, the processing is unlawful, but you do not wish your data to be erased, we no longer need the data as the controller, but you need them for the establishment, exercise, or defense of legal claims, or you have objected to the processing of your data pursuant to Article 21 GDPR, you can request restriction of processing of your data.

·      The right to data portability (Article 20 GDPR)

You have the right to receive selected data concerning you, that is stored by us in a commonly used and machine-readable format or to request that it is transmitted to another controller.

·      The right to lodge a complaint with a supervisory authority

To this end, you can always contact the supervisory authority in the place of your habitual residence, workplace or the location of our company’s registered office.

You can assert the rights listed above by contacting us at [email protected]

If you purchase products and/or services from partners via our website, the rights mentioned above apply accordingly toward our partners. If you wish to assert the aforementioned rights toward our partners, please simply contact the partner in question directly.

6.2.  Right to object

You have the right to object to the data processing, subject to the prerequisites detailed in Article 21 (1) GDPR, on grounds relating to your particular situation. To do this, the grounds must be of overriding importance (such as risk to life and limb).

This general right to object applies only to the purposes of processing as described in this data protection and privacy policy and the data processed on the basis of points (e) and/or (f) of Article 6 (1) GDPR.

6.3.  Right to withdraw consent

Where our data processing is based on consent granted by you, you have the right to withdraw your consent with future effect at any time. The consent is then deemed to no longer exist as of that point in time. The withdrawal of consent is not retroactive. The processing of data during the period when the consent applied is therefore not affected.

7.    Data security

To ensure secure transmission of personal data, we use the TLS 1.2 encryption protocol (RSA-2048 is used for the public key infrastructure as the underlying encryption method). This is a secure, tried and tested standard that is also used in online banking, for example. You can identify a secure SSL connection from various factors, including the “http” in the address bar of your browser being followed by an “s” (https://...) or the lock symbol in the lower part of your browser.

We also use suitable technical and organizational safeguards to protect your personal data that we store against manipulation, partial or complete loss, and unauthorized access by third parties. Our security measures are improved on an ongoing basis in line with technological progress.

7.1.  Final remarks

Hacking attacks, meaning unauthorized efforts to access personal information, are a part of the digital world which we live in today. This is an issue we have to face as a company, but it is also a problem for you to tackle as a private individual.

To do so, we invest a lot of resources in the security and monitoring of our systems. Ultimately, online purchases on our website involve the exchange of various personal data, which require protection.

You, too, can take a number of steps to protect yourself against unauthorized access by third parties to your information. To this end, we would like to provide you with the following information and tips:

7.2.  How do I protect my account?

Use secure passwords, and don’t share them with anyone. No one should know your password but you. You should have a separate password for each portal or provider. Check to see whether you might use the password you have chosen for our website for other sites as well. If so, we strongly urge you to change all your passwords immediately.

If you write down your passwords, make sure no one else has access to them.

 

7.3.  How do I create a strong password?

A secure password:

·      Is sufficiently long and consists of more than one word

·      Has a certain level of complexity

·      Is at least eight characters long

·      Is something only you know

·      Is easy to remember, in spite of being complex

Choose a password that is not easy to guess. Do not use your own name, the name of a family member, or any common everyday words. It is best to use a combination of capital and lowercase letters, numbers, and special characters.

7.4.  What else should I keep in mind?

If you access our website from a public computer, always be sure to log out after visiting our website.

If you receive unsolicited e-mails asking you to provide passwords for your customer account or payment details, ignore the e-mails and please contact us right away here. We will investigate these incidents.

8.    Recipients of data

Company

Location

of registered

office

Service

Processor

 

 

 

 

 

 

 

 

Google Analytics

Ireland

Web analytics

Facebook

Ireland

Advertising partner

Google

Ireland

Advertising partner

Google Cloud

Ireland

 

Braze

USA

e-mail service provider

Segment

USA

Customer data platform

Yusen Logistics

Germany

Shipping service provider

PDR

USA

Shipping service provider

IPT

Germany

 

Yukawa

Germany

 

NetSuite

USA

 

E2X

United Kingdom

 

Square

USA