X-Bionic Privacy Policy

Data Protection Information
for x-bionic.com and x-socks.com


We, X-Technology Swiss R&D AG, provide our website through the web addresses x-bionic.com and x-socks.com.

In context with our website and the services provided on our website, we process personal data.

The protection of personal data is important to us. We process personal data only in accordance with the applicable data protection requirements, in particular the General Data Protection Regulation (GDPR).

In Section A of this Data Protection Information we provide you with information about the controller responsible for the processing of your personal data and the controller’s data protection officer.

In Section B you find information about the processing of your personal data.

In Section C you find more detailed information on the use of cookies or similar technologies.

In Section D you further find information on your rights regarding the processing of your personal data.

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation. You will find more detailed information about this in Section E.

TABLE OF CONTENTS

  1. Information on the controller 3
  2. Identity and contact details of the controller 3
  3. Contact details of the controller’s data protection officer 3
  4. Information on the processing of personal data 4
  5. Informational use of our website 4
  6. Use of web analysis technologies 10

III. Use of conversion tracking technologies 14

  1. Use of remarketing technologies 19
  2. Use of the Facebook Pixel 25
  3. Use of the personalised email newsletter 31

VII. Use of online contact forms 36

VIII. Use of the chat function 40

  1. Use of the online shop and membership in our X-Owners Club 44
  2. Information on the use of cookies or similar technologies 61
  3. General information on cookies 62
  4. Management of the cookies used on our website 63

III. Cookies used on our website 64

  1. Information on the rights of data subjects 67
  2. Right of access 68
  3. Right to rectification 68

III. Right to erasure (”right to be forgotten”) 68

  1. Right to restriction of processing 68
  2. Right to data portability 69
  3. Right to object 69

VII. Right to withdraw consent 69

VIII. Right to lodge a complaint with a supervisory authority 70

  1. Information about the technical terms of the General Data Protection Regulation used in this Data Protection Information 71
  2. Effective date of and changes to this Data Protection Information 72

Information on the controller

Identity and contact details of the controller

X-Technology Swiss R & D AG

c/o TP Sports GmbH & Co. KG

Lilienthalallee 40

80939 München


Email: office@x-technology.com

Phone: +49 89 37959607

Contact details of the controller’s data protection officer 

X-Technology Swiss R & D AG

c/o TP Sports GmbH & Co. KG

Lilienthalallee 40

80939 München

Data Protection Officer

Email: datenschutzbeauftragter@x-technology.com

Phone: +49 89 37959607

Information on the processing of personal data 

Informational use of our website

When the use of our website is purely informational, certain information is sent to the web server of our website from your device for technical reasons, for example your IP address. We process this information in order to provide our website content requested by you (if applicable, including external plug-ins that are embedded on certain pages of our website) and to ensure the security of the IT infrastructure used to provide our website. 

For so called ”load balancing”, the requests of different users of our website are distributed to different web servers. Information about the assignment to a specific web server is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during your visit to our website in order to ensure the best possible performance of the provision of the content of our website that you have accessed by distribution to different web servers.

In order to provide the search functions of our website, we process data that you enter into search forms on our website in order to provide you with search results for the search terms that you have entered.

In order to provide the language selection function of our website, information about your language selection is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during your visit to our website in order to provide you with the content of our website in the language you have selected.

In order to provide the data protection setting functions for our website (e.g. for granting or withdrawing consent for the use of certain cookie-based technologies), information about your data protection settings is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during your visit to our website in order to take account of your data protection settings when using our website.

You receive more detailed information on this below:

Details on the personal data which are processed

Categories of personal data processed 

Personal data included in the categories 

Sources of the data

Obligation of the data subject to provide the data 

Storage duration

HTTP Data

Protocol data which accrue when visiting our website via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons:

These include IP address, type and version of your internet browser, operating system used, site accessed, last site accessed before visiting the site (referrer URL), date and time of visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the content of our website requested by you.

The data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). 

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Load Balancing Data

Data used to control load balancing for the website:

This includes information about the assignment to a specific web server that is used for load balancing.

This data is stored in cookies on your device (🡪 Section C) and can be read during your visit to our website.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot perform load balancing. This means that the content of our website that you access may be provided more slowly.

We process the data only temporarily for the period of the visit of our website.

(You can find information on the validity period of the cookies stored on your device in Section C.III.)

Search Function Data

Data that accrue by using the search functions of our website:

These include all information that you enter as search terms in the respective search form on our website.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot use the search functions of our website.

The data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). 

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Language Selection Data

Data that accrue when the language selection function of our website is used:

These include the language you have selected.

This data is stored in cookies on your device (🡪 Section C) and can be read during your visit to our website.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the language selection function of our website. This means that we cannot provide the requested contents of our website in the language of your choice.

We process the data only temporarily for the period of the visit of our website.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Data Protection Setting Data

Data on data protection settings you have made for our website:

This includes information on whether you have given your consent and, if so, what consent you have given at what time.

This data is stored in cookies on your device (🡪 Section C) and can be read during your visit to our website.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot take your consents for our website into account. This means that we may not be able to provide you with certain functions of our website that require consent.

We process the data only temporarily for the period of the visit of our website.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)


Details on the processing of the personal data

Purpose of processing the personal data 

Categories of personal data processed

Automated decision-making

Legal basis and, where applicable, legitimate interests

Recipient

Provision of content of our website requested by the user:

For this purpose, data are temporarily processed on our web server.

For embedding external plug-ins:

For certain pages of our website, providing our website also includes embedding external plug-ins into our website which are necessary for the relevant page. This applies to embedding Google Maps into our Google Maps-based store locator and embedding YouTube videos on certain pages. In these cases, the provider of the plug-in, Google, can (comparable to accessing an external website via a link) in particular receive your IP address and the address (URL) of the page on our website in which the plug-in is embedded. The provider of the plug-in can also receive information from any cookies of the relevant provider stored in your internet browser.  You can find further information on the processing of personal data by Google in Google’s privacy policy at: 

https://www.google.com/policies/privacy/

HTTP Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the content of our website requested by the user.

Hosting Provider

For embedding external plug-ins:

Plug-in Provider

Ensuring the security of the IT infrastructure used for the provision of our website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data are temporarily stored in log files on our web server and automatically evaluated.

HTTP Data

Search Function Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is ensuring the security of the IT infrastructure used for the provision of our website, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks).

Hosting Provider

Load balancing in the provision of the content of our website accessed by the user:

In order to ensure that our website is provided with the best possible performance, several different servers may be used for load balancing, to which the requests of different users of our website are distributed (so-called ”load balancing“).

In order to be able to always assign your requests to the same server within a browser session, we store the information about the assignment of your device to a specific server used for load balancing in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read while visiting our website.

HTTP Data

Load Balancing Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the best possible performance of the provision of the content of our website requested by the user.

Hosting Provider

Providing the search functions of our website:

For this purpose, data are temporarily processed on our web server. 

HTTP Data

Search Function Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the search functions of our website requested by the user.

Hosting Provider

Provision of data protection setting functions for our website:

Certain features of our website (e.g. the use of certain cookie-based technologies) require your consent.

We provide data protection setting functions for our website to enable you to give and, if necessary, withdraw your consent.

For this purpose, information about your consent is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during your visit to our website in order to determine whether you have given your consent and, if so, what consents you have given.

HTTP Data

Data Protection Setting Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of data protection setting functions for our website. 

Hosting Provider

Data Protection Setting Function Provider

Provision of the language selection function of our website:

When you visit our website, we determine whether you have already selected a particular language version of our website in order to provide you with the content of our website requested by you in the language which you have selected, if applicable.

For this purpose, information about your language selection is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during your visit to our website to determine which language you have selected.

HTTP Data

Language Selection Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the contents of our website accessed by the user in the language selected by the user.

Hosting Provider


Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Hosting Provider:

Google Ireland Limited,

Gordon House, Barrow Street,

Dublin 4, Ireland

Processor

The data will be stored and processed in Europe (Ireland, France). However, for maintenance purposes, Google employees can access these data from the following third countries outside of the EU and therefore process them:

Switzerland

United Kingdom

Canada

India

USA

For Switzerland (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518), the United Kingdom (https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en) and Canada (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002), the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR.

For transfers of personal data to India and the USA, the European Commission has not issued any adequacy decisions pursuant to Art. 45(3) GDPR. For such transfers of personal data Google uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Plug-in Provider:

Google Ireland Limited,

Gordon House, Barrow Street,

Dublin 4, Ireland

Controller

The provider to whom we transmit personal data or who collects it via our website is based in the EU.

This provider may transfer data to third countries, in particular the USA, under its own responsibility. We have no knowledge of this. For information on the processing of personal data by Google, please refer to the privacy policy of Google at https://www.google.com/policies/privacy/.

-

Use of web analysis technologies

Upon your consent, we use so-called ”web analysis technologies“ on our website.

Web analysis enables the collection and evaluation of information about the activities of users of our website. The information obtained serves us to improve our website and to better achieve the goals of our website (e.g. increase in page views).

This also includes carrying out so-called ”A/B tests“ (also known as ”split testing“), in which we test different display versions of the website against each other. This involves collecting, evaluating and comparing details of usage behaviour in different display versions.

When you visit our website, the web analysis tool used collects information about your use of our website and stores it in a device-related profile. In order to be able to assign this information to your device, your device is assigned a unique ID which is linked to the device-related profile. This ID is stored in cookies (🡪 Section C ) on your device. During your visit to our website, your device can be recognised there on the basis of the ID assigned to it.

You will find more detailed information on this in the following:

Details on personal information which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of data

Obligation of the data subject to provide the data 

Storage duration

Web Analysis HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when using the web analysis tool used on our website:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit. 

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot carry out a web analysis.

IP anonymisation is activated on our website for the use of the web analysis tool. This means that the IP address transmitted via the browser for technical reasons is anonymised before being stored by shortening the IP address (by deleting the last octet of the IP address).

Moreover we only process the protocol data temporarily for the duration of the visit to our website.

Web Analysis Device Data

Data that is assigned to your device by the web analysis tool used on our website: 

This includes a unique ID to (re)identify your device. It also includes certain parameters relevant for web analysis.

This data is stored in cookies on your device (🡪 Section C) and can be read when visiting our website.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot carry out a web analysis. 

We store the unique ID for the duration of your consent.

We only process parameters relevant for web analysis temporarily for the period of your visit to our website.

We delete this data when you withdraw your consent.

(For information on the period of validity of the cookies stored on your device, please refer to Section C.III.)

Web Analysis Profile Data

Data generated by the web analysis tool used on our website and stored in a device-related profile:

This includes data about the use of our website, in particular page visits, frequency of visits and time spent on the pages visited.

This is also included the unique ID assigned to your device.

Generated by us

-

We store the unique ID for the duration of your consent.

We store information about the use of our website for a period of 12 months from collection.

We delete this data when you withdraw your consent. 


Details on the processing of personal data

Purpose of the processing of personal data 

Categories of personal data processed

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Web Analysis:

Web analysis enables the collection and evaluation of information about the activities of users of our website.

When you visit our website, the web analysis tool used by us collects information about your use of our website and stores it in a device-related profile. In order to be able to assign this information to your device, a unique ID is assigned to your device, which is linked to the device-related profile. This ID is stored in cookies (🡪 Section C) on your device. During your visit of our website, your device can be recognised there on the basis of the ID assigned to it.

The aim of the analysis is to examine where the users of our website come from, which areas of our website are visited and how often and for how long which page and categories are viewed. The information obtained is used to improve our website and to better achieve the goals of our website (e.g. increase in page views).

Web Analysis HTTP Data

Web Analysis Device Data

Web Analysis Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Web Analysis Provider

A/B tests based on web analysis:

Web analysis also includes the performance of so-called ”A/B tests“ (also called ”split testing“), in which we test different display variants of our website against each other. This test method gives us the opportunity to automatically display different versions of a particular page to different users of the website. In doing so, details of user behaviour in different display variants are collected, evaluated and compared (e.g. evaluation of which display variant of our newsletter registration form is used to subscribe to the newsletter more often).

Web Analysis HTTP Data

Web Analysis Device Data

Web Analysis Profile Data 

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Web Analysis Provider


Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Web Analysis Provider: 

Google Ireland Limited

Gordon House, Barrow Street,

Dublin 4, Ireland

Processor

Switzerland

United Kingdom

Canada

India

USA

For Switzerland (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518), the United Kingdom (https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en) and Canada (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002), the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR.

For transfers of personal data to India and the USA, the European Commission has not issued any adequacy decisions pursuant to Art. 45(3) GDPR. For such transfers of personal data Google uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de 

Use of conversion tracking technologies

Upon your consent, we use so-called ”conversion tracking technologies“ on our website.

”Conversions“ are user activities on our website as determined by us. ”Conversion tracking” is a process that tracks what happens after you interact with our ads on search engines or other websites. For example, we can see whether you have subsequently taken a particular action on our website.

If our ads are displayed to you in search engines or on other websites or if you interact with our ads, information about this may be collected (if applicable, depending on your consent to the respective website operator) and stored in a device-related profile. In order to be able to assign this information to your device, a unique ID can be assigned to your device (if applicable, depending on your consent to the respective website operator), which is linked to the device-related profile. This ID can be stored in cookies (🡪 Section C) on your device (possibly depending on your consent to the respective website operator). If you subsequently visit our website, the information stored in these cookies can be read. In this way, your device can be recognised by the ID and, on the basis of this ID, the information stored in the device-related profile about the view of our ads can be retrieved and additional data can be stored. This allows us to collect information about the use of our website, in particular the ”conversions“ triggered by you.

This allows us to observe which keywords, ads, ad groups and campaigns lead to the user actions we want. We can also understand how our return on investment (ROI) is generated and make more informed decisions about our advertising expenses. We can also automatically optimise our advertising campaigns according to our business goals.

We are jointly responsible for the use of conversion tracking technology on our website with the respective provider of this technology Google Ireland Limited and Microsoft. For information on the processing of personal data by Google and Microsoft, please refer to the respective data protection information of the provider: https://www.google.com/policies/privacy/ and https://privacy.microsoft.com/en-us/privacystatement, respectively. 

You will find more detailed information on this in the following:

Details on personal information which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of data

Obligation of the data subject to provide the data 

Storage duration

Conversion HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the conversion tracking tool used on our website is used:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot carry out any conversion tracking.

So-called IP anonymization is activated on the websites for the use of the web analysis tool. This means that the IP address transmitted by the browser for technical reasons is anonymized by shortening the IP address (by deleting the last octet of the IP address) before it is stored. We only process Conversion HTTP Data for the duration of your visit to the websites.

Conversion Device Data

Data that can be assigned to your device (if applicable, depending on your consent to the respective website operator) when our ads are displayed to you in search engines or on other websites or when you interact with our ads:

This includes a unique ID to (re)identify your device.

This data may be stored in a cookie (🡪 Section C) on your device (if applicable, depending on your consent to the relevant website operator) when our ads are displayed to you on search engines or on other websites or when you interact with our ads. When you visit our website, the information stored in this cookie (🡪 Section C) can be read.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot carry out any conversion tracking.

We store the unique ID for the duration of your consent. We only process parameters relevant for web analysis for a short time during your visit to the websites. We delete this data when you revoke your consent.

(For information on the validity period of the cookies stored on your device, see Section C.III.).

Conversion Profile Data

Data that can be collected and stored in a device profile (possibly depending on your consent to the relevant website operator) when you are presented with or interact with our ads on search engines or other websites:

This includes the unique ID assigned to your device as well as information about our ads that are displayed to you on search engines or on other websites or with which you have interacted.

Conversion tracking service provider that collects the data on the relevant search engine or other website

-

We store the unique ID for the duration of your consent. We store information about the use of the websites for a period of 90 days from the date of collection. We delete this data when you revoke your consent.

Data generated by the conversion tracking tool used on our website and added to the profile when you visit our website:

This includes information about the use of our website, in particular the ”conversions“ triggered by you.

Generated by us

-


Details on the processing of personal data

Purpose of the processing of personal data 

Categories of personal data processed

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Conversion tracking:

”Conversions”„ are user activities on our website as determined by us. ”Conversion tracking is a process that tracks what happens after our ads are presented to you on search engines or other websites, or after you interact with our ads on search engines or other websites. For example, we can see whether you have subsequently taken a particular action on our website. 

If our ads are displayed to you in search engines or on other websites or if you interact with our ads, information about this may be collected (if applicable, depending on your consent to the respective website operator) and stored in a device-related profile. In order to be able to assign this information to your device, a unique ID can be assigned to your device (if applicable, depending on your consent to the respective website operator), which is linked to the device-related profile. This ID can be stored in cookies (🡪 Section C) on your device (if applicable depending on your consent to the respective website operator). When you subsequently visit our website, the information stored in these cookies can be read. In this way, your device can be recognised by means of the ID and, on the basis of this ID, the information stored in the device-related profile about accessing  our ads can be retrieved and additional data can be stored. This allows us to collect information about the use of our website, in particular the ”conversions” triggered by you.

This allows us to observe which keywords, ads, ad groups and campaigns lead to the user actions we want. We can also understand how our return on investment (ROI) is generated and make more informed decisions about our advertising expenses. We can also automatically optimise our advertising campaigns according to our business goals.

Conversion HTTP Data

Conversion Device Data

Conversion Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Conversion Tracking Provider


Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Conversion Tracking Provider:

Google Ireland Limited

Gordon House, Barrow Street,

Dublin 4, Ireland

(Jointly with us) Controller

Switzerland

United Kingdom

Canada

India

USA

For Switzerland (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518), the United Kingdom (https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en) and Canada (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002), the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR.

For transfers of personal data to India and the USA, the European Commission has not issued any adequacy decisions pursuant to Art. 45(3) GDPR. For such transfers of personal data Google uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Conversion Tracking Provider:

Microsoft Ireland Operations Limited

One Microsoft Place, South County Business Park, Leopardstown

Dublin 18, Ireland

(Jointly with us) Controller

Personal data collected by Microsoft may be stored and processed in your region, in the United States, and in any other country (inside and outside the EU/EEA) where Microsoft or its affiliates, subsidiaries, or service providers operate facilities. Microsoft maintains major data centres in Australia, Austria, Brazil, Canada, Finland, France, Germany, Hong Kong, India, Ireland, Japan, Korea, Luxembourg, Malaysia, the Netherlands, Singapore, South Africa, the United Kingdom and the United States. Typically, the primary storage location is in the Microsoft’s customer’s (i.e. our) region or in the United States, often with a backup to a data centre in another region. The storage location(s) are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data in the event of an outage or other problem.

For some of these third countries, the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR. You can view these at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

For transfers of personal data to countries for which no such adequacy decision exists, such as India and the USA, Microsoft generally uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Use of remarketing technologies

Upon your consent, we use so-called ”remarketing technologies“ on our website.

”Remarketing“ (or ”retargeting“) means that we can specifically re-address users who have already interacted with our website, for example with ads in search engines or on other websites that participate in the same advertising network as us.

When you visit our website, information about your use of our website is collected and stored in a device-related profile. In order to associate this information with your device, your device is assigned a unique ID that is linked to the device-related profile. This ID is stored in cookies (🡪 Section C) on your device. If you subsequently use search engines with the same device or visit other websites that participate in the same advertising network, your device can be recognised there on the basis of the ID assigned to it (possibly subject to your consent to the respective operator of the website) and on the basis of this ID the stored information about the use of our website, including the assignment of your device-related profile to certain advertising segments, can be retrieved. In this way, the provider of the remarketing tool we use can present our ads to you there specifically.

When you visit the respective search engines or other websites that participate in the same advertising network, information about your use of the search engine or other website may be collected and added to your device-related profile (if applicable, depending on your consent to the respective website operator) in order to enable better a personalisation and an optimisation of the display of different ads.

Based on the information stored in your device-related profile, we and the provider of the remarketing tool used by us can personalise our ads specifically for you.

Based on the information stored in your device-related profile, the provider of the remarketing tool used by us also determines billing-relevant circumstances of the ad placement in order to be able to bill us for its services.

We are jointly responsible for the use of remarketing technology on our website with the respective provider of this technology, Google Ireland Limited and Microsoft Bing. For information on the processing of personal data by Google and Microsoft, please refer to the respective data protection information of the provider: https://www.google.com/policies/privacy/ and https://privacy.microsoft.com/en-us/privacystatement, respectively.

You will find more detailed information on this in the following:

Details on personal information which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of data

Obligation of the data subject to provide the data 

Storage duration

Remarketing HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the remarketing tool used on our website is used:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), certain user-related data (e.g., age, gender, interests), date and time of the visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot carry out any remarketing.

The storage duration and user activity reset rules apply to both event-level and user-level data stored in Google Analytics. However, certain user-related data, such as age, gender, or interests, are deleted by default when the respective user has been inactive for 6 months (for a Universal Analytics property) or 2 months (for a Google Analytics 4 property).

Retention of user-level data, including conversions, will be stored for a maximum of 14 months. For all other event data, this will stored for 14 months.

For Bing search queries, Bing de-identifies stored queries by removing the entirety of the IP address after 6 months, and cookie IDs and other cross-session identifiers that are used to identify a particular account or device after 18 months.

Remarketing Device Data

Data assigned to your device by the remarketing tool used on our website:

This includes a unique ID to (re)identify your device.

This data is stored in a cookie on your device (🡪 Section C) and can be read when you visit our website. These cookies can also be read (if applicable, depending on your consent to the respective operator of a search engine or other website) if you use search engines or visit other websites that participate in the same advertising network with the same device.

Generated by us

-

(For information on the validity period of the cookies stored on your device, see Section C.III.).

Remarketing Profile Data

Data generated by the remarketing tool used on our website and stored in a device-related profile:

This includes the unique ID assigned to your device as well as information about the use of our website, in particular page views, frequency of views and time spent on viewed pages.

This also includes the results of the evaluation of this information, in particular the allocation of your profile to certain advertising segments.

Remarketing service provider that collects the data on our website 

-

The storage duration and user activity reset rules apply to both event-level and user-level data stored in Google Analytics. However, certain user-related data, such as age, gender, or interests, are deleted by default when the respective user has been inactive for 6 months (for a Universal Analytics property) or 2 months (for a Google Analytics 4 property).

Retention of user-level data, including conversions, will be stored for a maximum of 14 months. For all other event data, this will stored for 14 months.

For Bing search queries, Bing de-identifies stored queries by removing the entirety of the IP address after 6 months, and cookie IDs and other cross-session identifiers that are used to identify a particular account or device after 18 months.

Data generated by the remarketing tool used on our website and added to the profile when you visit search engines or other websites participating in the same advertising network.

This includes information about your use of that search engine or other website and information about the ads you are presented with or with which you have interacted there.

Remarketing service provider that collects the data on search engines or other websites

-


Details on the processing of personal data

Purpose of the processing of personal data 

Categories of personal data processed

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Remarketing:

”Remarketing“ (or ”retargeting“) means that we can retarget users who have already interacted with our website, for example with ads in search engines or on other websites.

When you visit our website, information about your use of our website is collected and stored in a device-related profile. In order to be able to assign this information to your device, your device is assigned a unique ID which is linked to the device-related profile. This ID is stored in cookies (🡪 Section C) on your device. If you subsequently, with the same device, use search engines or visit other websites that participate in the same advertising network, your device can be recognised there on the basis of the ID assigned to it (if applicable depending on your consent to the respective website operator) and on the basis of this ID the stored information about the use of our website, including the assignment of your device-related profile to certain advertising segments, can be retrieved. In this way, the provider of the remarketing tool we use can present our ads to you there specifically.

Remarketing HTTP Data

Remarketing Device Data

Remarketing Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Remarketing Provider

Profile enrichment by the provider of the remarketing tool used by us:

When you visit search engines or other websites that participate in the same advertising network, the provider of the remarketing tool used by us may add information about your use of that the respective search engine or other website and information about the ads you are presented with or have interacted with there to the device-related profile in order to enable better personalisation.

In addition, the enrichment of profiles enables the provider of the remarketing tool used by us to optimise the displaying of various ads for us and other companies for which it displays ads (e.g. controlling the frequency with which certain ads are displayed).

Remarketing Device Data

Remarketing Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Remarketing Provider

Personalisation of ads:

We and the provider of the remarketing tool used by us personalise our ads specifically for you on the basis of your device-related profile, in particular on the basis of your use of our website.

For this purpose, we analyse the information stored in your profile and on this basis assign your profile to certain advertising segments.

Remarketing Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Remarketing Provider

Determination of billing-relevant circumstances of the ad placement by the provider of the remarketing tool used by us:

The information stored in your device-related profile is also used by the provider of the remarketing tool we use to evaluate the ads displayed to your device that lead to our website via the provider in order to bill us for its services. For the purpose of billing us, the provider must determine the number of visits to our website via these ads and other circumstances relevant for billing (in particular the purchases made through it).

Remarketing Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Remarketing Provider


Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Remarketing Provider 

Google Ireland Limited

Gordon House, Barrow Street,

Dublin 4, Ireland

(Jointly with us) Controller

Switzerland

United Kingdom

Canada

India

USA

For Switzerland (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518), the United Kingdom (https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en) and Canada (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002), the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR.

For transfers of personal data to India and the USA, the European Commission has not issued any adequacy decisions pursuant to Art. 45(3) GDPR. For such transfers of personal data Google  uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de 

Microsoft Ireland Operations Limited

One Microsoft Place, South County Business Park, Leopardstown

Dublin 18, Ireland

(Jointly with us) Controller

Personal data collected by Microsoft may be stored and processed in your region, in the United States, and in any other country (inside and outside the EU/EEA) where Microsoft or its affiliates, subsidiaries, or service providers operate facilities. Microsoft maintains major data centres in Australia, Austria, Brazil, Canada, Finland, France, Germany, Hong Kong, India, Ireland, Japan, Korea, Luxembourg, Malaysia, the Netherlands, Singapore, South Africa, the United Kingdom and the United States. Typically, the primary storage location is in the Microsoft’s customer’s (i.e. our) region or in the United States, often with a backup to a data centre in another region. The storage location(s) are chosen in order to operate efficiently, to improve performance, and to create redundancies in order to protect the data in the event of an outage or other problem.

For some of these third countries, the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR. You can view these at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

For transfers of personal data to countries for which no such adequacy decision exists, such as India and the USA, Microsoft generally uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Use of the Facebook Pixel

Upon your consent, we will use the so-called ”Facebook Pixel”. For this purpose, cookies provided by Facebook (🡪 Section C) are being used.

The ”Facebook Pixel“ enables Facebook to collect information about the activities of users of our website. The information gained is used to evaluate the effectiveness of our Facebook ads and to form target audiences for our Facebook ads. In addition, Facebook may use the information for its own purposes or for the purposes of third parties, for example for creating target groups for other advertisement clients.

By integrating the ”Facebook Pixel“ we enable Facebook to collect personal data. Facebook is responsible for collecting and processing this data and we are jointly responsible with Facebook to a certain extent. Facebook provides us with evaluations or further information based on the collected data only in aggregated, anonymised form. We cannot associate the information provided to us with any natural person. We have no knowledge of the details of the processing of personal data within Facebook's area of responsibility. For information about Facebook's processing of personal information, please see Facebook's Privacy Policy: https://www.facebook.com/about/privacy/.

You will find more detailed information on the use of the ”Facebook Pixel” in the following:

Details on personal information which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of data

Obligation of the data subject to provide the data 

Storage duration

Facebook Pixel HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the Facebook Pixel on our website is used:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, the functioning of the Facebook Pixel is impossible.

We do not collect or store this data ourselves.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

Facebook Pixel Device Data

Data that is assigned to your device by Facebook Pixel:

These includes a unique ID to re(identify) recognising returning visitors. 

This data is stored in a cookie on your device (🡪 Section C) and can be read when you visit our website. These cookies can also be read (if applicable, depending on your consent to Facebook) if you visit the Facebook website or another website that uses the Facebook pixel with the same device.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, the functioning of the Facebook Pixel is impossible or only possible to a limited extent.

We do not collect or store this data ourselves.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Facebook Pixel Event Data

Data that Facebook collects through the Facebook Pixel, which is matched with the unique visitor ID of the respective visitor, stored in the Facebook Pixel Device Data:

These include actions that take place on our website (so-called ”events“). These include, for example, completing a purchase, a registration, the addition of payment information, initiating the checkout process, adding objects to the shopping basket, adding them to wish lists, performing searches, and viewing content. 

This also includes information related to the actions recorded in each case (so-called ”parameters“). These include, for example, the value and currency in which purchases are made. 

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, the functioning of the Facebook Pixel is impossible or only possible to a limited extent.

We do not collect or store this data ourselves.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

Facebook Pixel Analysis Data

Data that Facebook generates based on the information collected by the Facebook Pixel, which is matched with the unique visitor ID of the respective visitor, stored in the Facebook Pixel Device Data:

These include information about the effectiveness of Facebook ads and user association to target groups for Facebook ads.

Facebook may use the information collected to generate additional information for its own purposes or for the purposes of third parties. We have no knowledge of the details of the data generated by Facebook.

Independently generated by Facebook

-

Facebook provides us with evaluations or further information based on the collected data only in aggregated, anonymised form. We cannot associate the information provided to us with any natural person.

Facebook is responsible for the collection and processing of this data. We have no knowledge of the storage duration. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.


Details on the processing of personal data

Purpose of the processing of personal data 

Categories of personal data processed

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Evaluation of the effectiveness of our Facebook ads and creating of target groups for our Facebook ads:

The ”Facebook Pixel“ records actions that users perform on our website (e.g. completing a purchase) and reports these actions to Facebook.

Based on the information collected by Facebook, Facebook provides us with aggregated, anonymised measurement results for our Facebook ads. In particular, this enables us to know whether users who receive our Facebook advertisements execute certain actions on our website, such as making a purchase (so-called ”conversions“).

In addition, Facebook will allow us to reach people who have visited our website or performed a specific action on our website on the basis of information collected by Facebook, again via Facebook and to optimise our types of target groups (”audiences“).

In addition, Facebook enables us to create similar target groups (”lookalike audiences“) for us based on the information collected by Facebook in order to reach people with our Facebook advertisements who have similar characteristics as the users of our website.

Facebook provides us with evaluations or further information based on the collected data only in aggregated, anonymous form. We cannot associate the information provided to us with any natural person. Facebook is responsible for the collection and processing of personal data. We have no knowledge of the details of the processing of data in Facebook's area of responsibility. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

In order to reidentify you on our website (if applicable, depending on your consent to Facebook) as well as on the website of Facebook and possibly on other websites that use the Facebook pixel, cookies (🡪 Section C) are stored on your device and read by Facebook.

Facebook Pixel HTTP Data

Facebook Pixel Device Data

Facebook Pixel Event Data

Facebook Pixel Analysis Data

We do not make automated decisions in our area of responsibility.

We have no knowledge of the details of the processing of data in Facebook's area of responsibility, in particular of any automated decision-making.

Legal basis for the enablement of collecting personal data through our website by Facebook:

Art. 6 (1) (a) GDPR (consent)

We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of data in Facebook's area of responsibility, in particular of the legal basis used by Facebook for the processing.

Facebook

Evaluation of activities of users of our website for use for Facebook's own purposes or for the purposes of third parties:

Facebook may also use the information collected via ”Facebook Pixel“ for its own purposes or for the purposes of third parties, for example to create target groups for other advertisement clients.

Facebook is responsible for the collection and processing of personal data. We have no knowledge of the details of the processing of data in Facebook's area of responsibility. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

In order to reidentify you on our website (if applicable, depending on your consent to Facebook)as well as on the website of Facebook and possibly on other websites that use the Facebook pixel, cookies (🡪 Section C) are stored on your device and read by Facebook.

Facebook Pixel HTTP Data

Facebook Pixel Device Data

Facebook Pixel Event Data

Facebook Pixel Analysis Data

We do not make automated decisions in our area of responsibility.

We have no knowledge of the details of the processing of data in Facebook's area of responsibility, in particular of any automated decision-making.

Legal basis for the enablement of collecting personal data through our website by Facebook:

Art. 6 (1) (a) GDPR (consent).

We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of data in Facebook's area of responsibility, in particular of the legal basis used by Facebook for the processing.

Facebook


Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Facebook:

Meta Platforms Ireland Ltd.

4 Grand Canal Square, Grand Central Harbour

Dublin D02, Ireland

Controller regarding the collection and processing of personal data through the Facebook Pixel

The provider to whom we transmit personal data or who collects it via our website is based in the EU.

This provider may transfer data to third countries, in particular the USA, under its own responsibility. We have no knowledge of this. For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

For some of these third countries, the European Commission may have issued adequacy decisions pursuant to Art. 45(3) GDPR. In other cases, Facebook may use the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de


Details on joint responsibility 

For certain processing activities in the context of the use of the marketing technology “Facebook Pixel” we are jointly responsible with Meta Platforms Ireland Ltd.

You will find more detailed information on this in the following:

Joint controllers

Agreement between joint controllers

Facebook:

Meta Platforms Ireland Ltd.

4 Grand Canal Square, Grand Central Harbour

Dublin D02, Ireland

We have entered into a joint controllership agreement with Meta Platforms Ireland Ltd. (Art. 26 GDPR).

The agreement provides that each controller in its area of responsibility shall comply with the legal obligations applicable to it under the GDPR. This means, in particular, that each controller ensures for the processing operations in its area of responsibility the rights of the data subject in accordance with Art. 12 to 23 of the GDPR and complies with the information obligations in accordance with Art. 13 and 14 of the GDPR.

Under this agreement, we are required to inform you of the following:

  • The contact details of Meta Platforms Ireland Ltd. as well as the contact details of its data protection officer can be found in its privacy policy (https://de-de.facebook.com/about/privacy/).
  • Further information on how Meta Platforms Ireland Ltd. processes personal data, including information on the legal basis of the processing and how to exercise data protection rights against the relevant provider, can also be found in its privacy policy.
  • With regard to the data stored by Meta Platforms Ireland Ltd. after joint processing, Meta Platforms Ireland Ltd. is responsible for safeguarding the data subjects’ rights pursuant to Art. 15-20 GDPR.

For information on the processing of personal data by Facebook, please refer to the privacy policy of Meta at https://de-de.facebook.com/about/privacy/.

We will be happy to provide you with the essence of the agreement between us and the additional controllers upon request (contact details 🡪 Section A.I.).


Use of the personalised email newsletter

On our website we offer you the possibility to register for our personalised email newsletter. When you subscribe to the email newsletter, certain information is collected, such as your email address. We process this information to confirm your subscription and to provide the personalised email newsletter. We also store and use this information for evidence purposes for the possible assertion, exercise or defence of legal claims.

When using the newsletter subscription and unsubscription form from our newsletter on our website, certain information is sent from your device to the web server of our website for technical reasons, for example your IP address. We process this information to provide the newsletter subscription and unsubscription form on our website and to ensure the security of the IT infrastructure used to provide the newsletter subscription and unsubscription form.

In order to provide the newsletter subscription and unsubscription form, information on the respective form session is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during the use of the newsletter subscription and unsubscription form in order to maintain the respective form session.

Upon your consent for this, we also analyse the usage behaviour of newsletter subscribers in our newsletter and create usage profiles when using pseudonyms for the purpose of personalising the newsletter.

You will find more detailed information on this below: 

Details on personal data which are processed 

Categories of personal data processed 

Personal data included in the categories

Sources of the data

Obligation of the data subject to provide the data

Storage duration

Newsletter Form HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the subscription and unsubscription form for our newsletter on our website is accessed:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the newsletter subscription and unsubscription form.

The Data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). 

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Newsletter Form Device Data

Data that is assigned to your device, when using the form to subscribe to and unsubscribe from the newsletter on our website:

These include a unique ID for the form session (so-called ”session ID“) and the expiry date of the respective session.

This data is stored in cookies on your device (🡪 Section C) and can be read during the use of the newsletter subscription and unsubscription form on our website.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the newsletter subscription and unsubscription form.

We process the data only temporarily for the period the newsletter subscription and unsubscription form is used.

(You can find more information on the validity period of the cookies used in Section C.III.)

Newsletter Subscription Data

Data we collect during the subscription for the newsletter:

These include the following mandatory information: Email address, first name, last name.

These include the following optional information: Country, gender, date of birth, phone number, language preference, interests.

Newsletter subscribers

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the mandatory information is not provided, we cannot provide you with a newsletter.

We store these data as long as you are registered for our newsletter. 

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you unsubscribed and in the event of any legal disputes until such have been concluded. 

Newsletter Opt-In Data

Protocol data which accrue during subscription and unsubscription of the newsletter:

These include date and time of subscription to the newsletter, date and time when registration notification is sent in the double opt-in procedure, date and time of the confirmation of the registration in the double opt-in procedure as well as the IP address of the device used for the confirmation, date and time of any possible unsubscription from newsletter. 

Newsletter subscribers

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide you with a newsletter.

We store these data as long as you are registered for our newsletter. 

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you unsubscribed and in the event of any legal disputes until such have been concluded.

Newsletter Tracking Pixel Data

Protocol data accrued via the Hypertext Transfer Protocol (Secure) (HTTP(S)) via the tracking pixels contained in the newsletter when our newsletter is accessed:

Tracking pixels are small graphics in HTML emails that allow a log file to be recorded and a log file analysis of access to these emails.

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

Newsletter subscribers

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot carry out any analysis of newsletter usage behaviour. 

We only store these data as long as you are registered for our newsletter. 

Newsletter Profile Data

Data in usage profiles that we create by analysing usage behaviour regarding the newsletter, using pseudonyms:

These include data about the use of the newsletter, in particular, access, access frequency and time spent in accessed newsletters.

Generated by us

-

We only store these data as long as you are registered for our newsletter. 


Details on the processing of personal data

Purpose of the processing of personal data 

Categories of personal data processed 

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Provision of the newsletter subscription and unsubscription form on our website:

For this purpose, HTTP Data are processed temporarily on our web server. 

For this purpose, HTTP data is temporarily processed on our web server.

In addition, information on the respective form session is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during the use of the newsletter subscription and unsubscription form in order to maintain the respective form session.

Newsletter Form HTTP Data

Newsletter Form Device Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the content of our website requested by the user. 

Hosting Provider

Email Newsletter Provider

Ensuring the security of the IT infrastructure used for the provision of the form, in particular for the detection, elimination and conclusive documentation of disruptions (e.g. DDoS attacks):

For this purpose, Data are temporarily stored and evaluated in log files on our web server.

Newsletter Form HTTP Data

Newsletter Form Device Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is ensuring the security of the IT infrastructure used to provide the form, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).

Hosting Provider

Email Newsletter Provider

”Double opt-in” procedure to confirm the subscription:

For this we send an email message requesting confirmation to the email address provided when registering for the newsletter. Any subscription only becomes effective when the subscriber has confirmed the email address by accessing the confirmation link in the email. 

Newsletter Subscription Data

Newsletter Opt-In Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the legally secure documentation of your consent to the newsletter.

Email Newsletter Provider

Sending of the newsletter to the newsletter subscriber:

We use the optional information provided during subscription for personalising the newsletter and for a targeted selection of information relevant for the recipient. 

Newsletter Subscription Data

Newsletter Opt-In Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent)

Email Newsletter Provider

Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims

Newsletter Subscription Data

Newsletter Opt-In Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the assertion, exercise or defence of legal claims. 

Email Newsletter Provider

Assertion, exercise or defence of legal claims, including cooperation with external lawyers

Newsletter Subscription Data

Newsletter Opt-In Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the assertion, exercise or defence of legal claims.

Courts

Lawyers 

Analysis of the usage behaviour of newsletter subscribers and creation of usage profiles using pseudonyms for the purposes of personalising the newsletter

Newsletter Subscription Data

Newsletter Opt-In Data

Tracking Pixel Data

Newsletter Profile Data

No automated decision-making takes place.

Art. 6 (1) (a) GDPR (consent).

Email Newsletter Provider


Details on the recipients of personal data and the transfer of personal data to third countries and/or international organisations

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Hosting Provider

The Rocket Science Group LLC d/b/a Mailchimp

675 Ponce de Leon Ave NE

Suite 5000

Atlanta, GA 30308 USA

Processor

Mailchimp’s headquarters are in the United States and their servers are also located in the United States. This means data they process may be transferred to, stored, or processed in the United States. In addition, they leverage third-party vendors (sub-processors) who process personal data for us and their servers may be located outside of the EU/EEA.

You can view the full list of sub-processors below, along with details of their location. 

 

Entity

Location

Akamai

Massachusetts, USA

Amazon

Washington, USA

CodeScience

Tennessee, USA

E-Hawk

New York, USA

El Camino

California, USA

Finc3

Hamburg, Germany

Fivetran

California, USA

Google

California, USA

Looker

California, USA

Percona

North Carolina, USA

R.R. Donnelley

Illinois, USA

SC Wedis Company SRL

Târgu Mureș, Romania

Slack

California, USA

SmartyStreets

Utah, USA

TaskUs

USA and Greece

TaxJar

Massachusetts, USA

Two Bulls

New York, USA

Tyrannosaurus Tech

Georgia, USA

Vextras LLC

Tennessee, USA

Zendesk

California, USA

For transfers of personal data to the USA, the European Commission has not issued any adequacy decisions pursuant to Art. 45(3) GDPR. For the transfer of personal data to Mailchimp, we use the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Any onward transfer by Mailchimp to its sub-processors in third countries is also based on these Standard Data Protection Clauses.

Lawyers

Controller

There is no transfer to third countries and/or international organisations

-

Courts

Controller

There is no transfer to third countries and/or international organisations

-

Use of online contact forms

We offer you the possibility on our website to contact us using contact forms. We process the information provided by you in the contact forms to process your request. Where applicable, we also store and use the information for evidence purposes for any assertion, exercise or defence of legal claims or in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations. 

When the contact forms on our website are used certain information is sent from your device to the web server of our website for technical reasons, for example your IP address. We process this information in order to provide the contact forms on our website and to ensure the security of the IT infrastructure used to provide the contact forms.

In order to provide the contact forms on our website, information on the respective contact form session is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during the use of the contact forms in order to maintain the respective contact form session.

When using our contact forms, you may also have the option to subscribe to our email newsletter. You can find details on this in 🡪 Section B.VI.

You will find more detailed information on the processing of personal data in the context of the use of our online contact forms below:

Details on personal data which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of the data

Obligation of the data subject to provide the data

Storage duration

Contact Form HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the contact forms on our website are accessed:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the requested website content.

The data are stored in server log files in a form allowing the identification of the data subject for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). 

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Contact Form Device Data

Data that is assigned to your device when using the contract forms:

This includes a unique ID for the contact form session (so-called ”session ID“) and the expiry date of the respective session.

This data is stored in cookies on your device (🡪 Section C) and can be read during the use of the contact forms.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the contact forms on our website.

We process the data only temporarily for the period the contact form on our website is used.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Contact Form Data

Data you provide us with in contact forms on our website:

These include the information you provide to us in the relevant contact form. In particular this could include your name, date of birth, address, telephone number, email address and the content of your request. 

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot process your request. 

The data are stored until your request has been dealt with. 

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)) (HGB).


Details on the processing of the personal data 

Purpose of the processing of personal data 

Categories of personal data processed 

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Provision of the contact forms on our website:

For this purpose data are processed temporarily on our web server. 

For this purpose, in addition, information on the respective contact form session is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during the use of the contact form in order to maintain the respective contact form session. 

Contact Form HTTP Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the content on our website requested by the user.

Hosting Provider

Ensuring the security of the IT infrastructure used for the provision of the contact forms, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data are temporarily stored and evaluated in log files on our web server.

Contact Form HTTP Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is ensuring the security of the IT infrastructure used to provide the contact forms, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).

Hosting Provider

Processing of your request

Contact Form Data

No automated decision-making takes place.

If your request concerns a contract to which you are party or the performance of pre-contractual measures:

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Otherwise:

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

In this case, our legitimate interest is the processing of your request. 

-

Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims

Contact Form Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is assertion, exercise or defence of legal claims. 

-

Assertion, exercise or defence of legal claims, including cooperation with external lawyers

Contact Form Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is assertion, exercise or defence of legal claims.

Courts

Lawyers

Storage of data in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations:

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – AO), Sec. 257 German Commerical Code (Handelsgesetzbuch– HGB)).

Contact Form Data

No automated decision-making takes place.

Art. 6 (1) (c) GDPR (compliance with a legal obligation).

-


Details on the recipients of persona data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Hosting Provider:

Zendesk Inc.

989 Market St

San Francisco, CA 94103, USA

Processor

Zendesk stores personal data about Website Visitors and Subscribers within the EEA, the United States and in other countries and territories. To facilitate their global operations, they may transfer and access such personal data from around the world, including from other countries in which the Zendesk Group has operations. 

For some of these third countries, the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR. You can view these at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

For transfers of personal data to countries for which no such adequacy decision exists, such as the USA, Zendesk relies either on its Binding Corporate Rules pursuant to Art. 46(2)(b), 47 GDPR (for transfers between Zendesk entities; the Binding Corporate Rules can be accessed at https://d1eipm3vz40hy0.cloudfront.net/pdf/Zendesk-BCR-Processor-Policy-2022.pdf) or such transfers by us or Zendesk may be based on the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Lawyers

Controller

There is no transfer to third countries and/or international organisations

-

Courts

Controller

There is no transfer to third countries and/or international organisations

-

Use of the chat function

On our website, we offer you the possibility to contact us via a chat function. We process the information you provide during the dialogue with our chat function in order to deal with your request. Possibly, we also store and use the information for evidence purposes for the possible assertion, exercise or defence of legal claims or for the fulfilment of legal, in particular commercial and tax law, retention obligations.

When using the chat function, certain information is sent from your device to the web server of our chat function for technical reasons, for example your IP address. We process this information to provide the chat function on our website and to ensure the security of the IT infrastructure used to provide the chat function.

To provide the chat function on our website, information about the respective chat session is stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during the use of the chat function in order to maintain the respective chat session.

You will find more detailed information on this in the following:

Details on personal data which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of the data

Obligation of the data subject to provide the data

Storage duration

Chat Function HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the chat function is called up on our website are accessed:

These include IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the chat function.

The data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). 

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Chat Device Data

Data that is assigned to your device when using the chat function:

This includes a unique ID for the contact form session (so-called ”session ID“) and the expiry date of the respective session.

This data is stored in cookies on your device (🡪 Section C) and can be read during the use of the chat function.

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the chat function.

We process the data only temporarily for the period the chat function on our website is used.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Chat Data

Data that you provide to us in dialogue with our employee:

This may in particular include the following information: Name, address, telephone number, email address and the content of your request. 

User of our website

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot use them to process your request. 

We store the data until your request has been dealt with. 

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)) (HGB).

Data that our employee communicates to you in dialogue through our chat function:

This may include the following information in particular: Answers to your request.

Generated by us

-


Details on the processing of the personal data 

Purpose of the processing of personal data 

Categories of personal data processed 

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Provision of the chat function on our website:

For this purpose, data are processed temporarily on the web server of our chat function. 

For this purpose, information on the respective chat session is also stored in cookies (🡪 Section C) on your device. The cookies and the information stored in them can be read during the use of the chat function in order to maintain the respective chat session.

Chat Function HTTP Data

Chat Device Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the chat function.

Chat Function Provider

Ensuring the security of the IT infrastructure used for the provision of the chat function, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data are temporarily stored and evaluated in log files on the web server of our chat function.

Chat Function HTTP Data

Chat Device Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is ensuring the security of the IT infrastructure used to provide the chat function, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).

Chat Function Provider

Processing of your request

Chat Data

No automated decision-making takes place.

If your request concerns a contract to which you are party or the performance of pre-contractual measures:

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Otherwise:

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

In this case, our legitimate interest is the processing of your request. 

Chat Function Provider

Storage and processing for evidence purposes for any assertion, exercise or defence of legal claims

Chat Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is assertion, exercise or defence of legal claims. 

-

Assertion, exercise or defence of legal claims, including cooperation with external lawyers

Chat Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (Pursuing legitimate interests under balancing of interests):

Our legitimate interest is assertion, exercise or defence of legal claims.

Courts

Lawyers

Storage of data for the fulfilment of legal, in particular commercial and tax law, retention obligations: Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – AO), Sec. 257 German Commerical Code (Handelsgesetzbuch– HGB)).

Chat Data

No automated decision-making takes place.

Art. 6 (1) (c) GDPR (compliance with a legal obligation)

-


Details on the recipients of persona data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Chat Function Provider

Zendesk Inc.

989 Market St

San Francisco, CA 94103, USA

Processor

Zendesk stores personal data about Website Visitors and Subscribers within the EEA, the United States and in other countries and territories. To facilitate their global operations, they may transfer and access such personal data from around the world, including from other countries in which the Zendesk Group has operations. 

For some of these third countries, the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR. You can view these at https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

For transfers of personal data to countries for which no such adequacy decision exists, such as the USA, Zendesk relies either on its Binding Corporate Rules pursuant to Art. 46(2)(b), 47 GDPR (for transfers between Zendesk entities; the Binding Corporate Rules can be accessed at https://d1eipm3vz40hy0.cloudfront.net/pdf/Zendesk-BCR-Processor-Policy-2022.pdf) or such transfers by us or Zendesk may be based on the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Lawyers

Controller

There is no transfer to third countries and/or international organisations

-

Courts

Controller

There is no transfer to third countries and/or international organisations

-


Use of the online shop and membership in our X-Owners Club

On our website you have the possibility to use our online shop. We process personal data of users of our online shop for the following purposes:

  • Provision of our online shop for informational use
  • Creation of a customer account for the use of our online shop as a registered customer and provision of the customer account functions (“X-Owners Club”) on our website
  • Provision of the social login function
  • Provision of our shopping cart function
  • Provision of the product filter function
  • Performance of steps prior to entering into a contract and performance of purchase agreements concluded via the online shop
  • Sending invitations for exclusive events and for participating on promotional and limited offers
  • Registration of products not purchased on our website to activate the warranty
  • Administration of member points
  • Sending emails with product recommendations for own similar products
  • Sending advertisement by post to holders of a customer account as well as to customers of our online shop
  • Conduction of a credit check for purchases on account
  • Administration of our purchase price claims in our internal debtor management system
  • Recovery of our purchase price claims
  • Rescission of purchase agreements in the event of revocation or other reasons for withdrawal
  • Storage for evidence purposes for any assertion, exercise or defence of legal claims
  • Assertion, exercise or defence of legal claims
  • Storage in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations
  • Ensuring the security of the IT infrastructure used for the provision of the online shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks)

In order to make the shopping cart, the login to the ”X-Owners Club” and the product filter function available to you on our website, information necessary for these functions are stored in cookies (🡪 Section C). The cookies and the information stored in them can be read during your visit to our website in order to provide you with the relevant function.

When ordering in our online shop and registering for our X-Owners Club, you may also have the option to subscribe to our email newsletter. You can find details on this in 🡪 Section B.VI.

You receive more detailed information on the processing of personal data in the context of the use of the online shop and the membership in our X-Owners Club below:

Details on personal data which are processed

Categories of personal data processed 

Personal data included in the categories

Sources of the data

Obligation of the data subject to provide the data

Storage duration

Online Shop HTTP Data

Protocol data which accrue via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons when the online shop on our website is accessed:

This includes IP address, type and version of your internet browser, operating system used, site accessed, site accessed before visiting the site (referrer URL), date and time of the visit.

User of the online shop

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot provide the content of our website which you requested.

The data are stored in server log files for a maximum period of 7 days, unless a security-relevant event occurs (e.g. a DDoS attack). 

If there is a security-relevant event, server log files are stored until the security-relevant event has been eliminated and completely resolved.

Registration Data

Data that you provide to us in the relevant registration form on our website in order to register for the online shop for the first time (opening a customer account). 

These include the following mandatory information: email address, password

Additionally, these include the following optional information: Title, first name, last name

User of the online shop at registration

The provision of the information marked as mandatory during the registration process is a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the mandatory information is not provided, a registration is not possible.

We store these data for evidence purposes for the assertion, exercise or defence of any legal claims. Beyond this, we also store these data for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Additional Customer Account Data

Data that you can add to your customer account:

These include alternative delivery addresses or payment methods (e.g. credit card data).

User of the online shop

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot store this data in your customer account for later use. This means that you must provide this data separately if you wish to use certain functions (e.g. specifying the alternative delivery address during a specific order process).

We store these data for evidence purposes for the assertion, exercise or defence of any legal claims. Beyond this, we also store these data an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Login Data

Data that accrue when logging into your customer account:

This includes your email address and your password.

This also includes a unique ID for the session in which you are logged into your customer account (so called ”session ID”) as well as the expiry date of the relevant session. This data is stored in cookies on your device (🡪 Section C) and can be read during your visit to our online shop. 

User of the online shop

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot enable you to log into the customer section. 

We process the data only temporarily for the period that you are logged into your customer account. 

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Social Login Data

User ID, first and last name, gender and e-mail address as stored in the Facebook or Google user account.

Additionally, for each new login via Facebook or Google: access token (unique ID for the session in which you are logged into your customer account, so-called “session ID”). The access token is stored in cookies on your device (→ Section C.III.) and can be read while you are using our website.

When logging in via Facebook or Google, Facebook or Google may grant us access to further data (e.g. the profile picture) depending on the individual settings in the Facebook or Google account. We have no influence on this. We do not store or use this additional data.

Facebook or Google

-

We process the data only temporarily for the period that you are logged into your customer account. 

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Shopping Cart Data

Data that accrue when using the shopping cart function:

This includes information on the products which you place in the shopping cart (e.g. article description, article number, quantity, size, colour, price, currency.)

This also includes a unique ID for the shopping cart session (so called ”session ID”) as well as the expiry date of the relevant session. This data is stored in cookies on your device (🡪 Section C) and can be read during your visit to our website.

User of the online shop

The provision of the data is a requirement necessary to enter into a purchase agreement. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot use the shopping card function. This means that you cannot purchase items via our online store. 

We process the data only temporarily for the period the shopping cart function is used.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Contact Data

Data that you provide us within the ordering process to contact you to process your order:

This includes title, first name, last name, address (billing address), telephone number, email address.

User of the online shop

If you are logged into your customer account when using the online shop, this data will be taken from your customer account.

The provision of the data is a requirement necessary to enter into a purchase agreement. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot purchase any items via our online shop.

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Shipping Data

Data that you provide us with in the ordering process for shipping your ordered items:

This includes the chosen shipping method and, if applicable, the delivery address entered that differs from the billing address.

User of the online shop

If you are logged into your customer account when using the online shop, this data will be taken from your customer account.

The provision of the data is a requirement necessary to enter into a purchase agreement. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot purchase any items via our online shop.

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Payment Data

Data that you provide to us as part of the ordering process for the payment of your ordered items:

This includes the chosen payment method and, depending on the chosen payment method, further information that must be provided for the respective payment method (e.g. bank details, credit card numbers).

User of the online shop

If you are logged into your customer account when using the online shop, you may use data for select payment methods which you previously stored in your customer account.

The provision of the data is a requirement necessary to enter into a purchase agreement. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot purchase any items via our online shop.

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Order Data

Information about your order:

This includes information about the purchased items (item name, item number, quantity, size, colour, price, currency, order number), store version used, date and time of purchase, status of your order.

Generated by us

-

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so, in particular commercial and tax law document retention obligations exist. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

If you have a customer account, we also store this data for the purpose of providing the customer account functions for 5 years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded.

Transactional Email Data

Data from transaction emails which we send for the (return) processing of your order (e.g. order receipt confirmation):

This includes the content and time of the transaction emails.

Generated by us

-

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Debtor Data

Data that we process for the administration of our purchase price claims in our internal debtor management system:

This includes information on current open items, incoming payments, transaction identifiers of our payment service providers, dunning levels, on-going debiting processes and returns.

Payment service provider

Debt collection service provider

Generated by us

-

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Creditworthiness Data

Information about the creditworthiness of our customers:

This includes creditworthiness information provided by credit agencies and information generated by us on the timely settlement of our claims.

Credit agencies

Generated by us

-

We store the data until the complete handling of your order, i.e. until shipping of the ordered items.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Product Filter Data

Data that accrue when using the product filter function:

These include the product filters set by you.

This also includes a unique ID for the product filter session (so called ”session ID”) as well as the expiry date of the relevant session. This data is stored in cookies on your device (🡪 Section C) and can be read during your visit to our website.

User of the online shop

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, you cannot use the product filter function on our website.

We process the data only temporarily for the period the product filter function is used.

(You can find more information on the validity period of the cookies stored on your device in Section C.III.)

Advertising Management Data

Information regarding consents you gave for advertisement purposes as well as information regarding your potential objections to advertisements:

These include date and time of the consent, the IP-address of the device used to give consent, date and time of any withdrawal of consent or of an objection against the processing of personal data for advertisement purposes.

User of the online shop

The provision of the data is not a statutory or contractual requirement, or a requirement necessary to enter into a contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot process your consents to and /or objections regarding advertisements. 

We store the data as long as we have your consent or as long as we carry out advertising activities without your consent based on the information we provided to you on the respective advertisement. 

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you withdrew your consent or in which we stopped the respective advertising activity and in the event of any legal disputes until such have been concluded.

Additionally, this includes documentation on the information we provided to you on a consent and/or on advertisement we carry out without your consent. 

Generated by us

-

Warranty Data

Data that you provide us with for registering products not purchased through us:

These include: identification number of the product, model name, article number and time of purchase.

User of the online shop

The provision of the data is a requirement to enter into a warranty contract. There is no obligation of the data subject to provide the data.

If the data is not provided, we cannot offer an extended warranty for products not purchased through us.

We process the data until expiration of the warranty period.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).

Member Points Data

Information about the member points you may receive as a registered customer and how those member points are used:

This includes information about the number of member points, details about transactions with these points (time and date of changes in the number of member points), information about vouchers or other benefits generated from member points and their use for payment of orders.

Generated by us

-

We process the data at least until the deletion of your account.

In addition, we store these data for evidence purposes for the assertion, exercise or defence of any legal claims for an interim period of three years commencing at the end of the year in which you provide the data to us and in the event of any legal disputes until such have been concluded. 

We also store this data to the extent that statutory obligations to do so exist, in particular commercial and tax law document retention obligations. Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – (AO), Sec. 257 German Commerical Code – (HGB)).


Details on the processing of the personal data 

Purpose of the processing of personal data 

Categories of personal data processed 

Automated decision-making 

Legal basis and, where applicable, legitimate interests

Recipient

Provision of our online shop for informational use:

For this purpose HTTP data are processed temporarily on our web server. 

Online Shop HTTP Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of our online shop requested by the user for informational use.

Hosting Provider

Creation of a customer account for the use of our online shop as a registered customer and provision of the customer account functions (“X-Owners Club”) on our website:

This includes the provision of the login to the customer account (“X-Owners Club”) and the storage of contact information, addresses and payment information stored by the customer in the customer account for the use of the online shop. If the customer is logged into the customer account when using the online shop, the information required for the order is prefilled with the information stored in the customer account in order to make the ordering process in the online shop as convenient as possible for the customer. 

This also includes the display of details of the orders made in the online shop for a period of 36 months starting with the date of the order. In particular this includes the respective processing and delivery status and details of the ordered items.

Information on the relevant session in which you are logged into your customer account is stored in cookies on your device (🡪 Section C). The cookies and the information stored in them can be read during your use of our online shop in order to maintain the relevant session.

Online Shop HTTP Data

Registration Data

Additional Customer Account Data

Login Data

Social Login Data

Order Data

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract).

Hosting Provider

Provision of the social login function:

As an alternative to logging in via our website, you can register for and log into a customer account on our website via your Facebook account or your Google account.

By using the login button via Facebook or Google, you can log in to Facebook or Google and grant us access to certain information from your Facebook or Google account (the details of this can be accessed in the context of the social login function) and thus register for and log in to the customer account.

In this case, Facebook or Google also creates an "access token", which we store in a cookie in your browser (→ Section C). The cookies and the information stored in them can be read while using our website. Each time you access our website, we use the access token to check with Facebook whether you are still logged in.

Registration Data

Social Login Data

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party).

Hosting Provider

Facebook or Google

Provision of our shopping cart function:

For this purpose Information on the relevant shopping cart session is stored in cookies on your device (🡪 Section C). The cookies and the information stored in them can be read during your use of our online shop in order to maintain the relevant shopping cart session.

Online Shop HTTP Data

Shopping Cart Data

No automated decision-making takes place.

As far as the placing into the shopping cart is used to entering into a contract:

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract)

Otherwise:

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the functions of our online shop requested by the user.

Hosting Provider

Provision of the product filter function:

When you return to our website, we determine whether you have already selected product filters in our online shop and display further pages of our online shop according to your selection. 

For this purpose Information on the relevant product filter session is stored in cookies on your device (🡪 Section C). The cookies and the information stored in them can be read during your use of our online shop in order to maintain the relevant product filter session.

Online Shop HTTP Data

Product Filter Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the provision of the functions of our online shop requested by the user.

Hosting Provider

Performance of steps prior to entering into a contract and performance of purchase agreements concluded via the online shop:

This includes in particular the receipt of your order, the handling of the payment, the shipping of the ordered items and the sending of transaction emails to inform you about the status of your order.

If you have a customer account for our online shop and are logged into the customer account during the ordering process, the information required for the order is pre-filled with the information stored in the customer account in order to make the ordering process in the online shop as convenient as possible for you.

Online Shop HTTP Data

Shopping Cart Data

Contact Data

Shipping Data

Payment Data

Order Data

Transactional Email Data

For customers which are logged into their customer account, additionally:

Registration Data

Additional Customer Account Data

Login Data

Social Login Data

Member Points Data

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract)

Hosting Provider

Email Provider

Payment Provider

Shipping Provider

Billing Provider

ERM Provider

Registration of products not purchased through us to activate the warranty:

In your customer account, you have the ability to register your products not purchased through us in order to activate the manufacturer’s warranty.

Contact Data

Login Data

Social Login Data

Warranty Data

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract)

Hosting Provider

Administration of member points:

When using your customer account, with every order you place through our online shop, you have the ability to collect points for exclusive rewards.

Contact Data

Member Points Data

Order Data

No automated decision-making takes place.

Art. 6 (1) (b) GDPR (performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract)

Hosting Provider

Sending advertisement by post to holders of a customer account as well as to customers of our online shop:

If you have created a customer account in our online shop or have made an order as a ”guest“, we may send you interesting offers and information about our products by post, unless you have objected.

We may use your year of birth as well as information about your previous orders to design the content of this advertisement based on your interests.

Registration Data

Contact Data

Order Data

Advertising Management Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the promotion of our products to holders of a customer account as well as to customers of our online shop. 

Hosting Provider

Email Provider

Administration of our purchase price claims in our internal debtor management system 

Contact Data

Debtor Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is administering our purchase price claims orderly.

Hosting Provider

Recovery of our purchase price claims

Contact Data

Debtor Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the recovery of our purchase price claims.

Debt Collection Service Provider

Rescission of purchase agreements in the event of revocation or other reasons for withdrawal:

For the refund of the purchase price we use the same payment method that you used for the payment of the purchase price.

Contact Data

Shipping Data

Payment Data

Order Data

Transactional Email Data

Debtor Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the rescission of purchase agreements

Hosting Provider

Email Provider

Storage for evidence purposes for any assertion, exercise or defence of legal claims

Contact Data

Shipping Data

Payment Data

Order Data

Transactional Email Data

Debtor data

Advertising Management Data

Warranty Data

Member Points Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the assertion, exercise or defence of legal claims. 

Hosting Provider

Assertion, exercise or defence of legal claims, including the cooperation with external lawyers

Contact Data

Shipping Data

Payment Data

Order Data

Transactional Email Data

Debtor data

Advertising Management Data

Warranty Data

Member Points Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is the assertion, exercise or defence of legal claims. 

Courts

Lawyers

Storage in order to meet statutory document retention obligations, in particular commercial and tax law document retention obligations:

Depending on the document type, commercial and tax law document retention obligations of six or ten years can exist (Sec. 147 German Fiscal Code (Abgabenordnung – AO), Sec. 257 German Commerical Code (Handelsgesetzbuch– HGB)).

Contact Data

Shipping Data

Payment Data

Order Data

Transactional Email Data

Debtor Data

Warranty Data

Member Points Data

No automated decision-making takes place.

Art. 6 (1) (c) GDPR (compliance with a legal obligation)

Hosting Provider

Ensuring the security of the IT infrastructure used for the provision of the online shop, in particular for the detection, elimination and conclusive documentation of incidents (e.g. DDoS attacks):

For this purpose, data are temporarily stored and evaluated in log files on our web server.

Online Shop HTTP Data

Login Data

No automated decision-making takes place.

Art. 6 (1) (f) GDPR (pursuing legitimate interests under balancing of interests):

Our legitimate interest is ensuring the security of the IT infrastructure used to provide the online shop, in particular to identify, eliminate and preserve evidence of disruptions (e.g. DDoS attacks).

Hosting Provider


Details on the recipients of persona data and the transfer of personal data to third countries and/or international organisations 

Recipient

Recipient’s role

Transfers to third countries and/or international organisations

Adequacy decision or appropriate or suitable safeguards for transfers to third countries and/or international organisations 

Hosting Provider:

Google Ireland Limited,

Gordon House, Barrow Street,

Dublin 4, Ireland

Processor

The data will be stored and processed in Europe (Ireland, France). However, for maintenance purposes, Google employees can access these data from the following third countries outside of the EU and therefore process them:

Switzerland

United Kingdom

Canada

India

USA

For Switzerland (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000D0518), the United Kingdom (https://ec.europa.eu/info/files/decision-adequate-protection-personal-data-united-kingdom-general-data-protection-regulation_en) and Canada (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002), the European Commission has issued adequacy decisions pursuant to Art. 45(3) GDPR.

For transfers of personal data to India and the USA, the European Commission has not issued any adequacy decisions pursuant to Art. 45(3) GDPR. For such transfers of personal data Google uses the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Email Provider:

The Rocket Science Group LLC d/b/a Mailchimp

675 Ponce de Leon Ave NE. Suite 5000

Atlanta, GA 30308 USA

Processor

Mailchimp’s headquarters are in the United States and their servers are also located in the United States. This means data they process may be transferred to, stored, or processed in the United States. In addition, they leverage third-party vendors (sub-processors) who process personal data for us and their servers may be located outside of the EU/EEA.

You can view the full list of sub-processors they use below, along with details of their location. 

 

Entity

Location

Akamai

Massachusetts, USA

Amazon

Washington, USA

CodeScience

Tennessee, USA

E-Hawk

New York, USA

El Camino

California, USA

Finc3

Hamburg, Germany

Fivetran

California, USA

Google

California, USA

Looker

California, USA

Percona

North Carolina, USA

R.R. Donnelley

Illinois, USA

SC Wedis Company SRL

Târgu Mureș, Romania

Slack

California, USA

SmartyStreets

Utah, USA

TaskUs

USA and Greece

TaxJar

Massachusetts, USA

Two Bulls

New York, USA

Tyrannosaurus Tech

Georgia, USA

Vextras LLC

Tennessee, USA

Zendesk

California, USA

For transfers of personal data to the USA, the European Commission has not issued any adequacy decision pursuant to Art. 45(3) GDPR. For the transfer of personal data to Mailchimp, we use the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Any onward transfer by Mailchimp to its sub-processors in third countries is also based on these Standard Data Protection Clauses.

Payment Provider:

Stripe Payments Europe Ltd,

185 Berry St 550,

San Francisco, CA 94107, USA

Controller

USA

For transfers of personal data to the USA, the European Commission has not issued any adequacy decision pursuant to Art. 45(3) GDPR. For the transfer of personal data to Stripe Payments Europe Ltd, we use the Standard Data Protection Clauses by the European Commission in the sense of Art. 46(2)(c) GDPR. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Billing Provider:

Salesforce, Inc.

Salesforce Tower 415 Mission Street 3rd fl

San Francisco, CA 94105, USA 

Processor

USA

For transfers of personal data to the USA, the European Commission has not issued any adequacy decision. For the transfer of personal data to Salesforce, Inc., we use the Standard Data Protection Clauses by the European Commission. These can be accessed under:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de

Shipping Provider:

Debby Line Logistic

Via Friuli, 13

31038 Padernello TV, Italy

Controller

There is no transfer to third countries and/or international organisations

-

Lawyers

Controller

There is no transfer to third countries and/or international organisations

-

Courts

Controller

There is no transfer to third countries and/or international organisations

-

Information on the use of cookies or similar technologies

We use cookies in connection with our website and the offers made on our website. In doing so, we use the processing and storage functions of your device’s browser and collect information from the memory of your device’s browser. 

You will find more detailed information on this in the following.

General information on cookies

Cookies are small text files with information that can be placed on a user’s device through its browser when a website is visited. When the relevant website is visited again with the same device, the cookie and the information it contains can be retrieved. 

First-party and third-party cookies

Depending on where a cookie comes from, a distinction can be made between first-party cookies and third-party cookies: 

First-party cookies

Cookies that are placed and accessed by the operator of the website as the controller or by a processor engaged by the controller

Third-party cookies

Cookies that are placed and accessed by controllers other than the operator of the website that are not processors engaged by the operator of the website


Transient and persistent cookies

A distinction can be made between transient and persistent cookies depending on how long they remain active: 

Transient cookies

(Session cookies)

Cookies that are automatically deleted when you close your browser

Persistent cookies

Cookies that remain stored on your device for a certain period of time after the browser is closed


Consent-free cookies and cookies requiring consent

Users’ consent is required for some cookies depending on their function and purpose of use. Thus, a distinction can be made between cookies that require users’ consent and those that do not:

Consent-free cookies

Cookies that have as their sole purpose to transmit a message using an electronic communication network

Cookies that are necessary so that the party offering a service that has been expressly requested by a participant or user can provide this service (”strictly necessary cookies”)

Cookies requiring consent

Cookies for all purposes of use other than the aforementioned

Management of the cookies used on our website

Granting and withdrawing consents to the use of cookies in the data protection settings of our website

If consent is necessary for the use of certain cookies, we only use these cookies if you have previously granted your consent to this. You can find information as to whether the use of a particular cookie requires consent in the information on the cookies used on our website in Section C.III. of this Data Protection Information.

When you first visit our website, we display a pop-up for data protection settings. In the data protection settings, you can give consent for the use of cookies that require consent and the processing of your personal data enabled thereby. However, you can also continue to use our website without consent. In this case, we will only use cookies for which consent is not required.

You can access the data protection settings of our website at any time via the link “Privacy Setting” contained in the footer of our website. In the data protection settings, you can withdraw or re-grant the consents you have given at any time. 

We store whether and, if applicable, which consents you have given in the form of a (strictly necessary) cookie (so-called ”data protection settings cookie“) on your device. The data protection setting cookie has a limited validity period of 12 months. After the expiration of the validity period, or if you delete the data protection settings cookie manually beforehand, we will display the banner for data protection settings for our website again the next time you visit our website.

You cannot deactivate cookies that are strictly necessary in the data protection settings of our website. However, you can generally deactivate these cookies in your browser at any time.

Managing cookies using browser settings

You can also manage the use of cookies in your browser’s settings. Different browsers have different ways to configure cookie settings. You can find more extensive information on this, for example at http://www.allaboutcookies.org/manage-cookies/

However, we would like to point out that some functions of our website may not work properly or at all if you deactivate cookies in general in your browser.

Cookies used on our website

The following cookies may be used on our website:

Name

First-party / third-party

Purpose of use and content

Effective term

Consent necessary?

Load Balancing Cookies 

Load Balancing

First party

This cookie is strictly necessary to control load balancing for our website (🡪 Section B.I).

This cookie saves the unique ID of one of the different servers on which our website is running, in order to assign your visit to the same server for the entire browser session.

Transient

No

Language selection Cookies

Language

First party

This cookie is strictly necessary to provide the language selection function of our website (🡪 Section B.I).

This cookie saves information on your language selection (e.g. ”DE” for the German language version) in order to provide you with the content of our website accessed by you in the language which you have selected for the entire browser session.

Transient

No

Data Protection Settings Cookies

CookieConsent

First-party

This cookie is strictly necessary to provide the data protection settings function for our website (🡪 Section B.I).

This cookie stores information about whether and, if so, which consents you have given and when, in order to possibly activate the respective processing activities and cookies requiring consent in accordance with your consent and in order to be able to determine whether we require renewed consent from you in the event of changes to processing activities and cookies requiring consent.

Persistent:
12 months

No

Web analytics cookies (for the web analysis tool Google Analytics)

These cookies are used by the web analysis tool Google Analytics to record and analyse the usage behaviour on our website, in order to improve our website (🡪 Section B.III.).

_ga

First party

This cookie contains a unique visitor ID and is used to distinguish different users from each other.

Persistent:
2 years

Yes

_gid

First party

This cookie contains a unique visitor ID and is used to distinguish different users from each other.

Persistent:
24 hours

Yes

_gac

First party

This cookie is used to measure the user activities and the performance of our advertising campaigns.

Persistent:
6 months

Yes

_gclxxx

First party

This cookie measures performance and user activties.

Persistent:
90 days

Yes

OptimizelyEnduserID 

First party

This cookie compares alternatives and optimizes our website performance.

Persistent:
730 days

Yes

__utmb

First party

This cookie stores the time and date when a visitor enters a site in order to log how long each visitor stays at a website, i.e. when the visit begins and when it ends. 

Transient

Yes

__utmc

First party

This cookie stores the moment in time when a visitor leaves a site in order to log how long each visitor stays at a website, i.e. when the visit begins and when it ends. 

Persistent:
30 minutes

Yes

Conversion tracking-cookies (for the Conversion tracking-tool Google Analytics)

These cookies are used by the conversion tracking tool Google Analytics for conversion tracking. (🡪 Section B.IV )

_ga

First party

This cookie contains a unique visitor ID and is used to distinguish different users from each other.

Persistent:
2 years

Yes

_gid

First party

This cookie contains a unique visitor ID and is used to distinguish different users from each other.

Persistent:
24 hours

Yes

_gac

First party

This cookie is used to measure the user activities and the performance of our advertising campaigns.

Persistent:
6 months

Yes

_gclxxx

First party

This cookie measures performance and user activties.

Persistent:
90 days

Yes

OptimizelyEnduserID 

First party

This cookie compares alternatives and optimizes our website performance.

Persistent:
730 days

Yes

__utmb

First party

This cookie stores the time and date when a visitor enters a site in order to log how long each visitor stays at a website, i.e. when the visit begins and when it ends. 

Transient

Yes

__utmc

First party

This cookie stores the moment in time when a visitor leaves a site in order to log how long each visitor stays at a website, i.e. when the visit begins and when it ends. 

Persistent:
30 minutes

Yes

Contact Form Cookies

__zlcmid

Third party

This cookie is strictly necessary to provide the contact form on our website (🡪 Section B.VII).

This cookie saves a unique ID for the contact widget authentication in order to maintain the respective contact form session until expiration.

Persistent:
365 days

Yes

Chat function cookies

__zlcmid

Third party

This cookie is strictly necessary to provide the chat function on our website (🡪 Section B.VIII).

This cookie saves a unique ID for the contact widget authentication in order to maintain the respective contact session until expiration.

Persistent:
365 days

Yes

Online shop cookies

xb_auth_prod_session

First party

This cookie is strictly necessary to enable the log in to a user account for our online shop (🡪 Section B.IX).

This cookie saves a unique ID in order to clearly identify the respective user within a session in the user account, i.e. until the end of the validity period of the login cookie or until the login cookie is deleted by clicking on ”Logout“.

Transient

No

x-bionic-shop

First party

This cookie is strictly necessary to provide the shopping cart function (🡪 Section B.IX).

This cookie saves a unique ID in order to uniquely assign the respective user within his session the shopping cart to the user.

Transient

No


Information on the rights of data subjects 

As a data subject, you have the following rights with regard to the processing of your personal data:

  • Right of access (Art. 15 GDPR) 
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (”right to be forgotten”) (Art. 17 GDPR) 
  • Right to restriction of processing (Art. 18 GDPR) 
  • Right to data portability (Art. 20 GDPR) 
  • Right to object (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7 (3) GDPR) 

You may contact us for the purpose of exercising these rights using the contact information in Section A.

Where applicable, you find information on any specific modalities and mechanisms which facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, in the information on the processing of personal data in Section B of this Data Protection Information.


You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

Below you find more detailed information on your rights with regard to the processing of your personal data:

Right of access 

As a data subject, you have a right to obtain access and information under the conditions provided in Art. 15 GDPR. 

This means in particular that you have the right to obtain confirmation from us as to whether we are processing your personal data. If so, you also have the right to obtain access to the personal data and the information listed in Art. 15 (1) GDPR. This includes information regarding the purposes of the processing, the categories of personal data that are being processed and the recipients or categories of recipients to whom the personal data have been or will be disclosed (Art. 15 (1) (a), (b) and (c) GDPR).

You can find the full extent of your right to access and information in Art. 15 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Right to rectification 

As a data subject, you have the right to rectification under the conditions provided in Art. 16 GDPR.

This means in particular that you have the right to receive from us without undue delay the rectification of inaccuracies in your personal data and completion of incomplete personal data.

You can find the full extent of your right to rectification in Art. 16 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Right to erasure (”right to be forgotten”)

As a data subject, you have a right to erasure (”right to be forgotten”) under the conditions provided in Art. 17 GDPR.

This means that you have the right to obtain from us the erasure of your personal data and we are obliged to erase your personal data without undue delay when one of the reasons listed in Art. 17 (1) GDPR applies. This can be the case, for example, if personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed (Art. 17 (1) (a) GDPR).

If we have made the personal data public and are obliged to erase it, we are also obliged, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of those personal data (Art. 17 (2) GDPR). 

The right to erasure (”right to be forgotten”) does not apply if the processing is necessary for one of the reasons listed in Art. 17 (3) GDPR. This can be the case, for example, if the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims (Art. 17 (3) (b) and (e) GDPR).

You can find the full extent of your right to erasure (”right to be forgotten”) in Art. 17 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Right to restriction of processing 

As a data subject, you have a right to restriction of processing under the conditions provided in Art. 18 GDPR.

This means that you have the right to obtain from us the restriction of processing if one of the conditions provided in Art. 18 (1) GDPR applies. This can be the case, for example, if you contest the accuracy of the personal data. In such a case, the restriction of processing lasts for a period that enables us to verify the accuracy of the personal data (Art. 18 (1) (a) GDPR).

Restriction means that stored personal data are marked with the goal of restricting their future processing (Art. 4 (3) GDPR).

You can find the full extent of your right to restriction of processing in Art. 18 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Right to data portability

As a data subject, you have a right to data portability under the conditions provided in Art. 20 GDPR.

This means that you generally have the right to receive your personal data with which you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us if the processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out by automated means (Art. 20 (1) GDPR).

You can find information as to whether an instance of processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR in the information regarding the legal basis of processing in Section B of this Data Protection Information.

In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller if technically feasible (Art. 20 (2) GDPR).

You can find the full extent of your right to data portability in Art. 20 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Right to object 

As a data subject, you have a right to object under the conditions provided in Art. 21 GDPR.

At the latest in our first communication with you, we expressly inform you of your right, as a data subject, to object.

More detailed information on this is given below:

Right to object on grounds relating to the particular situation of the data subject

As a data subject, you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 (1) (e) or (f), including profiling based on those provisions.

You can find information as to whether an instance of processing is based on Art. 6 (1) (e) or (f) GDPR in the information regarding the legal basis of processing in Section B of this Data Protection Information.

In the event of an objection relating to your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You can find the full extent of your right to objection in Art. 21 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

You can find information as to whether and to what extent personal data are processed for direct marketing purposes in the information regarding the legal basis of processing in Section B of this Data Protection Information.

If you object to processing for direct marketing purposes, we no longer process your personal data for these purposes.

You can find the full extent of your right to objection in Art. 21 GDPR, which can be accessed using the following link: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

Right to withdraw consent

Where an instance of processing is based on consent pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, as a data subject you have the right to withdraw your consent at any time pursuant to Art. 7 (3) GDPR,. The withdrawal of your consent does not affect the legitimacy of the processing that occurred based on your consent until the withdrawal. We inform you of this before you grant your consent.

You can find information as to whether an instance of processing is based on Art. 6 (1) (a) or Art. 9 (2) (a) GDPR in the information regarding the legal basis of processing in Section B of this Data Protection Information.

Right to lodge a complaint with a supervisory authority

As a data subject, you have a right to lodge a complaint with a supervisory authority under the conditions provided in Art. 77 GDPR.

A list of each supervisory authority with links can be found at the website of the German Federal Commissioner for Data Protection and Freedom of Information: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

Information about the technical terms of the General Data Protection Regulation used in this Data Protection Information

The technical terms relating to data protection used in this Data Protection Information have the meaning used in the General Data Protection Regulation. 

The full scope of the definitions of the General Data Protection Regulation can be found in Art. 4 GDPR, which can be downloaded from the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

You will find more detailed information on the most important technical terms of the General Data Protection Regulation used in this Data Protection Information below:

  • ”Personal data” means any information relating to an identified or identifiable natural person (”data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • ”Data Subject” means the respective identified or identifiable natural person, to which the personal Data refers to;
  • ”Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • ”Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • ”Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • ”Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • ”Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • ”Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • ”International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
  • ”Third country” means a country which is not a member state of the European Union (”EU”) or the European Economic Area (”EEA”);
  • ”Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Effective date of and changes to this Data Protection Information

The effective date of this Data Protection Information is June 2023.

It may be necessary to modify this Data Protection Information due to technical developments and/or amendment of statutory or official requirements. 

An up-to-date version of this Data Protection Information can be retrieved at any time at https://www.x-bionic.com/shop/overview/privacy