Vendosoft

DATA PROTECTION

This Privacy Policy describes how we collect, use and process your personal data and how we comply with our legal obligations to you in doing so. The protection of your data is important to us. We have therefore made it our business to handle your data responsibly, to protect it and to keep it safe.

Of course, we comply with the legal provisions of the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Telecommunications Digital Services Data Protection Act (TDDDG) and other applicable data protection regulations.

This Privacy Policy applies to the personal data of visitors to our website – customers, suppliers, applicants and possible other persons – and informs you as a user about the nature, scope and purpose of the collection and use of personal data by us as the responsible provider on this website.

The controller responsible for processing your personal data on these web pages is

VENDOSOFT GmbH
represented by its managing director Björn Franz Anton Orth

Billerberg 10
82266 Inning a. Ammersee
Germany

info@vendosoft.eu

In derogation from this, the controller of the website www.vendosoft.at is:

VENDOSOFT GmbH & Co.KG
represented by Vendosoft Verwaltungs GmbH, which is represented by its managing director Björn Franz Anton Orth

Mentlgasse 1
6020 Innsbruck
Austria

I. General information on data processing

  • Scope & purpose of the processing of personal data
    We process your personal data as a user of this website only to the extent that this is necessary for the provision of a functional website and our content and services.
  • Legal basis for the processing of personal data
    Insofar as we obtain consent from you for processing operations of personal data, Art. 6(1)(1)(a) GDPR is the legal basis. If the processing of your data is necessary for the performance of a contract to which you are a party, Art. 6(1)(1)(b) GDPR is the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures. Insofar as processing of your personal data is necessary for compliance with a legal obligation to which we are subject, Art. 6(1)(1)(c) GDPR is the legal basis. If the processing is necessary to protect a legitimate interest of our company or a third party and your interests, fundamental rights and freedoms do not outweigh the former interest, Art. 6(1)(1)(f) GDPR serves as the legal basis for the processing.

Handling personal data
Personal data pursuant to Art. 4(1) GDPR is “any information relating to an identified or identifiable natural person”. An identifiable natural person is one who can be identified, directly or indirectly, in particular via association to an identifier such as a name, an identification number, location data, online identifier or one or more specific characteristics which are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data that we process
This personal data is collected, used and/or shared by us if this is permitted by law or if you as a user consent to the data collection.

  • Customer data:
    We use personal information about prospects and customers to ensure that the contractual agreements between us can be properly implemented (e.g. for the transmission of offers, execution of deliveries, etc.) and to ensure a smooth business relationship. For this purpose, we use the following categories of personal data:
    • First and last name
    • Business email address
    • Business phone number
    • Position in the company
    • Business address
    • Bank details
  • Supplier data:
    We use personal data from our suppliers mainly to ensure that the contractual agreements between us can be properly implemented and thus a smooth business relationship is possible, and also to ensure compliance with legal requirements. For this purpose, we use the following categories of personal data:
    • First and last name
    • Business email address
    • Business phone number
    • Position in the company
    • Business address
    • Bank details
  • Applicant data:
    The reason for using personal information about applicants is to assess whether your application to VENDOSOFT GmbH fits the requirements of our vacant positions. All the information we have about you, your skills and your goals will help us to offer you a customised job offer. For this purpose, we use the following categories of personal data:

    • Contact details in your application profile (this includes in particular first and last name, country, email, phone number)
    • Information from application forms (this includes in particular salary requirements, your motivation, details of disability if applicable (only if relevant to the advertised position))
    • Application documents (this includes in particular CV, cover letter, career development data, qualifications and language skills)
    • Results of online procedures (this includes in particular video interviews)
    • References that you provide to us
  • Access data/server log files
    In the case of merely informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. Access data includes:
    • Name of the retrieved web page
    • File, date and time of retrieval
    • Volume of data transferred
    • Report of successful retrieval
    • Browser type and version
    • Operating system of the user
    • Referrer URL (the previously visited page)
    • (Shortened) IP address
    • Requesting provider

We use this log data only for technically necessary statistical evaluations for the purpose of the operation, security and optimisation of our website. However, we reserve the right to subsequently review the log data if there are concrete indications giving rise to a justified suspicion of unlawful use.

Disclosure of personal data:
We may disclose your personal information to the following categories of people, as appropriate and in accordance with local laws and regulations:

  • External service providers who perform services on our behalf (including lawyers, auditors and accountants),
  • Providers of services contracted externally and storage providers with whom a corresponding data processing agreement pursuant to Art. 28 GDPR is in place (including email delivery services, lettershops, telemarketing providers, IT service providers). In particular, we use the following service providers:
         Service provider          | Service                | Country of domicile
         mwbsc GmbH                | Web design             | Germany
         IT-Beratung Ralf Bub GmbH | Hosting, Wawi, Webshop | Germany
         CleverReach GmbH & Co.KG  | Newsletter service     | Germany
  • In addition, we may transfer data to public bodies and institutions if there is a legal or official obligation to do so.
  • Other data recipients may include those entities for which you have given us your consent to transfer data. You will find further information on this in the following data protection information.

Protection of personal data:
We take all reasonable and appropriate measures to protect the personal information we store from misuse, loss or unauthorised access. This applies to internal storage on our systems, includes securing our systems against external access and extends to the secure transfer of data to the above-mentioned third parties.

II. Contact us

When contacting us (for example, via the contact form, the callback service or by email), your information will be stored for the purpose of processing the request and in the event that follow-up questions arise. In particular, your contact details and the content you provide in the message will be processed. For inquiries regarding contracts, Art. 6(1)(1)(b) GDPR is the legal basis for the processing. For other inquiries, the processing is based on our legitimate interest in providing a possibility to contact you at any time as well as the processing of your inquiries (Art. 6(1)(1)(f) GDPR). In addition, the date and time of contact and, in the case of contact and offer forms, your IP address are also processed. This processing is based on our legitimate interest pursuant to Art. 6(1)(1)(f) GDPR to carry out an abuse control of our contact options. The personal data will only be stored as long as it is necessary for the processing of the contact request.

III. Advertising

  1. Existing customers
    We have an essential legitimate interest in using the data of our existing customers for marketing purposes for our own goods or services that are similar to the goods and services already purchased. We collect the following data from our existing customers for our own marketing purposes: First name, last name, email address, phone number (business).

The legal basis for the use of personal data for marketing purposes is Art. 6(1)(1)(f) GDPR.

  2. Advertising with consent
    If you are not an existing customer of ours or if we advertise goods and services that do not originate from us or are not similar to goods or services you have already purchased from us, we will process your data for marketing purposes only on the basis of your express consent to these purposes pursuant to Art. 6(1)(1)(a) GDPR.

Reference to the right to object
You can object to the use of your personal data for the aforementioned advertising purposes at any time, at no cost and with effect for the future, by using the contact options given above.

If you object, your data will be blocked for further data processing for advertising purposes. Please note that in exceptional cases, advertising material may still be sent for a brief period after receipt of your objection. This happens for technical reasons due to the necessary lead time in the selection process and does not mean that we have not implemented your objection.

Newsletter subscription
When you fill out our newsletter web form and submit it, by clicking the “Send” button below, you consent to the data you entered being transmitted to us. We use the above-mentioned service provider dskom GmbH as a processor for this purpose. For this purpose, we use what is known as the “double opt-in” procedure. First you will receive an email with a confirmation link. Only after clicking this link will you be registered to our newsletter. The data entered will be stored and used exclusively to process your request. Specifically, this means sending you a monthly email newsletter that includes our “offer of the month”. Your email address will be transmitted to our service provider for dispatch of the newsletter (see “Data transfer”).

You have the right to revoke your consent to the storage, processing and use of your data at any time with effect for the future by sending a message by email to e.g.

Data deletion and storage duration
Your personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this is provided for by law or other legal provisions that are binding on us. Data will also be blocked or deleted if a storage period prescribed by the aforementioned legal provisions expires, unless there is a need to continue storing the data for the conclusion or fulfillment of a contract. Applicant data will be deleted no later than six months after the end of the application process if no employment relationship has been established with us.

3. Advertising with customer reviews

We include customer reviews on Google on our websites. For this purpose we use the service Trustindex.io by the provider Trustindex Ltd. For more information, please visit https://www.trustindex.io/terms-and-conditions-and-privacy-policy/. The reviews are taken from our public Google profile with no changes. No filtering or weighting is performed. The publication includes the date of your rating, your name (possibly also company name, photo/logo) as well as your review and the review text. Your public review can only be changed via your own Google profile.

IV. Data transfer to Third Countries

In the course of our business, we may also transfer your personal data to recipients in countries outside the European Economic Area (“Third Countries”) that do not have the same level of data protection as your home country. If this is the case and the EU Commission has not issued an adequacy decision for the Third Country pursuant to Art. 45 GDPR (e.g. in the case of the USA), we take additional precautions to ensure an adequate level of data protection for data transfers to these Third Countries. In particular, insofar as we transfer personal data to Third Countries, we comply with applicable data protection requirements and take appropriate security measures to ensure that your personal data is protected and secure, in particular by agreeing to EU standard contractual clauses, which are available here. Nevertheless, it is possible that authorities in the respective Third Country may access your data without you becoming aware of this and without you having an effective remedy at law. If a transfer on the basis of such guarantees is not possible, we will obtain your express consent with separate reference to existing risks of the transfer in accordance with Article 49(1)(a) GDPR. If you would like more information about these security measures, please feel free to contact us using the methods below.

V. Cookies and tracking technologies

In addition to the previously mentioned data, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive by the browser you are using and allow us as the entity that set the cookie to receive certain information. Cookies cannot execute programs or transfer viruses to your computer. Their purpose is to make the Internet offer more user-friendly and effective as a whole. In addition to cookies, we also use other tracking and analysis tools to improve our online offering and our marketing measures (hereinafter referred to collectively as “Cookies”).

We use different types of Cookies on our website:

  • Technically necessary cookies
  • Functional cookies
  • Marketing cookies
  • Statistics cookies

Some of these Cookies are technically necessary for the operation of our website, whereas other Cookies are used to improve our website. The use of technically necessary cookies is based on Art. 6(1)(1)(f) GDPR and section 25(2)(1) TDDDG. Non-essential cookies are only set if you have given your consent for their use (Art. 6(1)(a) GDPR, section 25(1) TDDDG) or have clicked “Agree” within our consent management tool. Your consent includes the storage of the cookie on your terminal device, the transmission of the information collected by cookies and the associated processing of personal data. You can change the settings made at any time by clicking the “Reject” button. This allows you to revoke any consent granted with effect for the future. You can find more information about the cookies and tracking technologies used within our consent management tool under “More information” as well as in our Privacy Policy.

Some of these cookies transmit personal data to companies in the USA. If you consent to the use of such cookies in detail or click on ‘Accept all cookies’, you consent to the processing of your personal data in the USA on the basis of the adequacy decision pursuant to Art. 45 GDPR of the EU Commission. According to the European Court of Justice, US laws do not guarantee an adequate level of data protection. In particular, your data may be accessed by US authorities without your knowledge and without you having an effective remedy at law.

You can configure your browser settings according to your preferences and for example refuse to accept third-party cookies or all cookies. We would like to point out that you may then not be able to use all the functions of this website. For more information on how to prevent the use of third-party cookies and other tracking technologies, please refer to the following sections on the services used.

You can also restrict or completely prevent the setting of cookies through appropriate browser settings or arrange for the automatic deletion of cookies when closing the browser window.

Information on how to delete cookies in the most commonly used browsers or change the settings related to cookies can be found here:

The provision of personal data is neither legally nor contractually obligatory and is not required for the conclusion of a contract. However, failure to do so may result in you not being able to use our website or not being able to use it to its full extent.

Google Analytics
With your consent pursuant to Art. 6(1)(a) GDPR, we use cookies from third-party providers to learn more about your browsing behaviour (web tracking). This website uses functions of the web analysis service Google Analytics. The provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The parent company of Google Ireland Limited is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Setting the cookie enables Google to analyse the use of our website. Each time one of the individual pages of this website, which is operated by the controller and on which a Google Analytics component has been integrated, is accessed, the respective Google Analytics component causes the Internet browser on the Data Subject’s end device to transmit data to Google for the purpose of online analysis after consent has been granted.

Data including the following is collected as part of this technical procedure:

  • Your IP address (in shortened form)
  • Your user behaviour
  • Your approximate location
  • The pages you visit

The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The information generated by the cookies about your use of this website is usually also transmitted to a Google server in the USA and stored there. The EU Commission has confirmed the adequacy of the level of data protection for the EU-U.S. Data Privacy Framework, under which Google LLC is certified. This means that the transfer to the USA is permitted in accordance with Art. 45 GDPR.

The storage time depends on the settings used (properties). If the new Google Analytics 4 properties are used, the storage period of your user data is limited to 14 months. For Universal Analytics properties, the default retention period is 26 months.

We may also restart the retention period with each of your visits to our website, provided that you revisit it within the original retention period.

For more information on how Google Analytics handles user data, please see Google’s privacy policy: https://support.google.com/analytics/answer/6004245

You can revoke your consent without giving reasons at any time with effect for the future by opening our consent management tool and changing your selection there.

In addition, you can prevent the storage of cookies by making a corresponding setting in your browser software; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

You have the option to deactivate the settings for personalised advertising at https://support.google.com/ads/answer/2662922?hl=en.

In addition, you can prevent the processing of your data by Google by downloading and installing the browser plug-in offered at the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Furthermore, you can prevent the collection of your data by Google Analytics by clicking the following link. This sets an opt-out cookie that prevents future collection of your data when you visit this website: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

We have concluded a data processing contract with Google and implement the strict requirements of European data protection law when using Google Analytics. More information on the “Data Processing Addendum” concluded between us and Google can be found here: https://support.google.com/analytics/answer/3379636?hl=de&utm_id=ad

Google is entitled to engage subcontractors within the scope of this data processing. A list of subcontractors used by Google can be found at: https://privacy.google.com/businesses/subprocessors/

Google Signals

We use Google Signals. When you visit our website, Google Analytics collects, among other things, your location, search history and YouTube history, as well as demographic data (visitor data). This data can be used for personalised advertising with the help of Google Signals. If you have a Google account, the visitor data from Google Signals will be linked to your Google account and used for personalised advertising messages. The data is also used to create anonymised statistics on the user behaviour of our users.

Google Tag Manager
We use the Google Tag Manager on our website. Google Tag Manager is a solution from the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which allows us to manage website tags via an interface. The legal basis for the processing of your personal data in the context of the use of Google Tag Manager is your consent within the meaning of Art. 6(1)(1)(a) GDPR. Google Tag Manager is not a cookie in the strict sense, but provides for the immediate triggering of other tags, which in turn may collect data that it does not access. However, when a tag is triggered, Google may process personal data, such as the IP address or online identifiers. It cannot be ruled out that this information will also be transmitted by Google to a server in a Third Country. According to the European Court of Justice, US laws do not guarantee an adequate level of data protection. In particular, your data may be accessed by US authorities without your knowledge and without you having an effective remedy at law. The transfer of your data to Google’s servers in the USA is permitted on the basis of the adequacy decision made by the EU Commission with regard to the EU-U.S. Data Privacy Framework, under which Google LLC is certified, in accordance with Art. 45 GDPR.

The Google Tag Manager itself does not store any data. The retention period of your data depends on the cookies and tools deployed by Google Tag Manager.

For more information about privacy and security when using Google Tag Manager, please visit https://support.google.com/tagmanager/answer/9323295 and https://policies.google.com/privacy?hl=en

You can revoke your consent without giving reasons at any time with effect for the future by opening our consent management tool and changing your selection there.

We have concluded an order processing contract with Google and implement the strict requirements of European data protection law when using Google Tag Manager. Google processes the data on our behalf to trigger stored tags and display services on our website. More information on the “Data Processing Addendum” concluded between us and Google can be found here: https://business.safety.google/adsprocessorterms/

Google is entitled to engage subcontractors within the scope of this data processing. A list of subcontractors used by Google can be found at: https://privacy.google.com/businesses/subprocessors/

Google reCaptcha
With your consent pursuant to Art. 6(1)(1)(a) GDPR, we use Google reCAPTCHA on our website. Google reCAPTCHA is a solution from the provider Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, which serves to ensure that entries made on our website are actually made by real persons and not by bots, spam software or other abusive applications. Google reCAPTCHA analyses the usage behaviour on our website on the basis of various characteristics in order to determine, on the basis of a score created from this, whether the usage is made by a human user. Google reCAPTCHA is integrated via an interface to Google services. Consequently, it cannot be excluded that Google transmits the collected information to a Third Country. Furthermore, Google reCAPTCHA may set cookies that are stored on your device and allow an analysis of the websites you visit. Finally, what are termed WebBeacons – small pixels or graphics – are also used within the scope of Google reCAPTCHA. The information generated by the cookie, if applicable in connection with the WebBeacon, about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. According to the European Court of Justice, US laws do not guarantee an adequate level of data protection. In particular, your data may be accessed by US authorities without your knowledge and without you having an effective remedy at law. The transfer of your data to Google’s servers in the USA is permitted on the basis of the adequacy decision made by the EU Commission with regard to the EU-U.S. Data Privacy Framework, under which Google LLC is certified, in accordance with Art. 45 GDPR.

You can revoke your consent without giving reasons at any time with effect for the future by opening our consent management tool and changing your selection there.

We have concluded a data processing contract with Google and implement the strict requirements of European data protection law when using Google reCAPTCHA. Google processes the data on our behalf to trigger stored tags and display services on our website. More information on the “Data Processing Addendum” concluded between us and Google can be found here: https://cloud.google.com/terms/data-processing-terms and here https://cloud.google.com/terms/sccs/eu-c2p.

Google is entitled to engage subcontractors within the scope of this data processing. A list of subcontractors used by Google can be found at: https://cloud.google.com/terms/subprocessors.

Hotjar
With your consent pursuant to Art. 6(1)(1)(a) GDPR, we use the tracking and analysis services of Hotjar to better understand the needs of our users and to optimise the offer and experience on this website. Hotjar is a service provided by Hotjar Limited, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta. Using Hotjar’s technology gives us a better understanding of our users’ experiences (e.g. how much time users spend on which pages, which links they click, what they like and don’t like, etc.) and this helps us tailor our offering to our users’ feedback. Hotjar works with cookies and other technologies to collect data about our users’ behaviour and about their terminal devices.

In the process, the following data may be processed and stored by Hotjar:

  • IP address of the device (collected and stored only in anonymised form during your website use),
  • screen size,
  • device type (unique device identifiers),
  • information about the browser used,
  • location (country only),
  • preferred language for viewing our website.

Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually prohibited from selling the data collected on our behalf.

Hotjar stores the data collected by Hotjar for 365 days.

You can revoke your consent to the setting of cookies without giving reasons at any time with effect for the future by opening our consent management tool and changing your selection there.

When visiting a Hotjar-based website, you can prevent Hotjar from collecting your information at any time by going to our opt-out page at https://www.hotjar.com/legal and clicking the option to disable Hotjar.

For more information, see the “about Hotjar” section at https://help.hotjar.com/hc/en-us/categories/115001323967-About-Hotjar.

Matelso
With your consent pursuant to Art. 6(1)(1)(a) GDPR, we use a service provided by Matelso GmbH, Heilbronner Straße 150, 70191 Stuttgart, Germany on our website. This is a tool for tracking telephone calls, which uses cookies to analyse and evaluate user behaviour. For this purpose, Matelso integrates telephone numbers on our website that enable us to carry out further evaluations of the retrieval behaviour of our website visitors. If you call a number operated for us by Matelso, in particular the telephone number of the caller, the called number, the date, the time and the duration of the call are stored. We also link this data to the associated address record if we are able to do so on the basis of existing customer information.

In addition, the following data is also processed when Matelso is used:

  • the website from which you came to our website (referrer URL),
  • remote user agent,
  • document path
  • browser information
  • cookie IDs

As part of this phone tracking, personal data is transmitted to servers of Matelso and stored there. We have concluded a data processing agreement with Matelso in accordance with Art. 28 GDPR. The relevant information is processed by Matelso in accordance with our instructions and stored only on servers in the EU. Your data will be deleted as soon as it no longer needs to be processed for the purposes for which it was collected.

You can also prevent the aforementioned personal data from being collected and shared as well as processed by suppressing your phone number before calling us or by calling from an anonymous phone number. In addition, you can install a JavaScript blocker, such as www.noscript.net or www.ghostery.com, to prevent the collection of other website analytics data. Further information on data protection when using Matelso can be found via the following links: https://knowledge.matelso.com/en/matelso-cookies and https://www.matelso.com/en/privacy-statement.

You can revoke your consent to the setting of cookies without giving reasons at any time with effect for the future by opening our consent management tool and changing your selection there.

VI. Contractual services in connection with online store

We process your personal data only to the extent necessary to process your orders in the online store or in the context of your contact.

We only ever process the personal data that you provide us with, such as your name, contact details, payment data and order data.

The data processing is carried out for the purpose of contract fulfillment as well as the implementation of pre-contractual measures on the legal basis of Art. 6(1)(1)(b) GDPR. In order to process your email address in the event of a purchase via our websites/apps, we are also legally required by the German Civil Code (BGB) to send an electronic order confirmation (Art. 6(1)(1)(c) GDPR).

In order to afford you the greatest possible convenience, we offer you the permanent storage of your personal data in a password-protected customer account/user account.

A customer account needs to be set up for an order to be placed and is based on your consent as defined under Art. 6(1)(1)(a) GDPR. No new data entry needs to be input after a customer account is set up. In addition, you can view and change the data stored about you in your customer account at any time.

In addition to the data requested when placing an order, you must enter a password of your choice to set up a customer account. This is used together with your email address to access your customer account. Please treat your personal access data confidentially and in particular do not make it accessible to unauthorised third parties. You may delete your customer account at any time. Please note, however, placing an order with us does not mean that the data visible in the customer account will be deleted at the same time. Your data will be deleted automatically after expiry of the retention obligations to which we are subject under commercial and tax law. The legal basis for this data processing is Art. 6(1)(1)(c) GDPR and Art. 6(1)(1)(f) GDPR.

If we do not use your data for advertising purposes, we store the data collected for the handling of the contract until the expiry of the statutory or potential contractual warranty and guarantee rights. After expiry of this period, we shall retain the information concerning the contractual relationship required by commercial and tax law for the periods determined by law. During this period, the data will only be processed again in the event of a review by the tax authorities.

VII. Payment provider

We only transmit data to third parties in connection with the order for the purpose of payment processing.

If you do not wish to do so, you can also choose purchase on account as a payment method at any time; in this case, we do not transmit any data to subsequent payment service providers.

PAYPAL
PayPal is an online payment service provider. Payments are processed via what are known as PayPal accounts, which are virtual private or business accounts. In addition, PayPal offers the possibility to process virtual payments via credit cards or as a SEPA direct debit if a user does not hold a PayPal account. A PayPal account is managed via an email address. PayPal allows you to initiate online payments to third parties or receive payments as well. PayPal also assumes fiduciary functions and offers buyer protection services.

The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.

If the Data Subject selects “PayPal Plus” as a payment option during the ordering process in our online store, the Data Subject’s data is automatically transmitted to PayPal. By selecting this payment option, the Data Subject consents to the transmission of personal data required for payment processing.

The personal data transmitted to PayPal usually comprises first name, last name, address, email address, IP address, phone number or other data necessary for payment processing. Personal data related to the respective order is also required for the processing of the purchase contract.

The purpose of transmitting the data is payment processing and fraud prevention. The transmission is based on the fulfillment of the contract pursuant to Art. 6(1)(1)(b) GDPR and, if personal data is also transmitted, on the basis of our legitimate interests in secure payment processing and fraud prevention pursuant to Art. 6(1)(1)(f) GDPR.

PayPal may transmit the personal data exchanged between PayPal and us to credit reporting agencies. The purpose of this transmission is to check identity and creditworthiness. The controller in this case is PayPal.

PayPal may share personal data with affiliated companies and service providers or subcontractors to the extent necessary to fulfill its contractual obligations or to process the data on its behalf.

You may revoke your consent to the handling of personal data at any time vis-à-vis PayPal. A revocation does not affect personal data that has to be processed, used or transmitted for (contractual) payment processing.

PayPal’s applicable privacy policy can be found at https://www.paypal.com/en/webapps/mpp/ua/privacy-full.

VIII. Your rights

When your personal data is processed, you have the following rights, which we are happy to inform you about below.

Right to Information
Upon request, we will confirm whether personal data concerning you is being processed. If this is the case, you have a right to be informed about the following information:

  • the purpose(s) of the data processing
  • the categories of data processed
  • if applicable, the recipients or categories of recipients to whom data is disclosed due to legal obligations or contractual relationships; in particular in the case of recipients in Third Countries
  • the planned storage duration, or if this is not possible, the criteria for determining the duration
  • the existence of a right to rectification or erasure of personal data concerning you, or to restriction of processing by us, or a right to object to such processing
  • the existence of a right to complain to the supervisory authority
  • if the personal data has not been collected from you directly, any available information about the origin of the data
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved and the scope and intended effects of such processing for the Data Subject
  • in case of transfer to a Third Country or to an international organisation, about the appropriate safeguards in connection with the transfer

Upon request, you will receive a copy of the data collected from and processed concerning you. This is done free of charge in all cases.

Right to rectification
You have the right to request the rectification of inaccurate personal data concerning you without delay. You have the right to request the completion of incomplete personal data – also by means of a supplementary declaration, taking into account the purposes of the processing.

Right to erasure (so-called right to be forgotten)
Upon request or after fulfillment or termination of the contract with us, your personal data will be deleted immediately, unless this conflicts with storage or documentation obligations (e.g. from commercial and tax law) or the safeguarding of the legitimate interests of the controller is at risk.

A claim for erasure exists under the following conditions:

  • The personal data was collected or otherwise processed for purposes for which it is no longer needed.
  • You revoke your consent on which the processing was based pursuant to Art. 6(1)(1)(a) GDPR or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.
  • You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or an objection to the processing has been lodged pursuant to Article 21(2) GDPR.
  • The personal data has been processed unlawfully.
  • The deletion of the personal data is necessary for compliance with a legal obligation under European Union or Member State law to which the controller is subject.
  • The personal data was collected in relation to information society services offered pursuant to Art. 8(1) GDPR (consent was given by a child)

Right to restriction of processing (blocking)
Under the following conditions, you have the right to request the restriction of processing, i.e. the blocking of your personal data, for processing:

  • You dispute the accuracy of the personal data for a period of time that allows us to verify the accuracy of the personal data.
  • The processing is unlawful, you object to the erasure of the personal data and request instead the restriction of the use of the personal data.
  • The controller no longer requires the personal data for the purposes of processing, but you need it to establish, exercise or defend legal claims.
  • You have objected to the processing pursuant to Article 21(1) GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh those of the user.

Right to data portability
Upon request, your data can be provided in a structured, common and machine-readable format for you and then a service provider to enable rapid transmission. This applies in any case insofar as the processing is based on consent pursuant to Art. 6(1)(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(1)(b) GDPR and the processing is carried out with the aid of automated processes.

Right to object
You also have the right to object to the processing of your personal data. If the processing is carried out for the purpose of direct advertising (e.g. newsletters), this right exists at any time.
Otherwise, you may also have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you. This applies only insofar as the processing is carried out on the basis of Art. 6(1)(1)(e) or (f) GDPR (performance of a task carried out in the public interest or protection of legitimate interests by the controller).
In order to exercise this right of objection, you can also send us a message in any form via the above-mentioned contact options, stating your intention to object.

Right of Cancellation
Under Art. 7(3) GDPR, you have the right to withdraw your consent at any time and without giving reasons. Your revocation is only effective for the future. The revocation of your consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the point of the revocation.

Right to lodge a complaint with the supervisory authority
If you are of the opinion that there has been a breach of data protection regulations, you have the right to lodge a complaint with the competent supervisory authority. For example, for us this is the Bavarian State Office for Data Protection Supervision.

If you wish to revoke, delete, change, rectify or update your data, please let us know – for example, via the contact channels you can find at the beginning of this privacy statement.

IX. Changes

We reserve the right to adapt security and data protection measures as far as this becomes necessary due to technical or legal developments. In these cases, we will also adapt these notes accordingly. Therefore, please heed the current version of our privacy policy.

X. Definitions

For a better understanding, we would like to provide you with the definitions under the GDPR here below, as far as they are relevant for our privacy notices.

Supervisory authority
“Supervisory Authority” means an independent governmental body established by a Member State pursuant to Article 51 of the GDPR.

Processor
A natural or legal person, authority, institution or other body which processes personal data on behalf of the controller.

Third party
Third party means a natural or legal person, public authority, agency or other body other than the Data Subject, the controller, the processor and the persons authorised to process the personal data under the direct responsibility of the controller or the processor.

Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting its processing in the future (in the sense of blocking).

Consent
Consent shall mean any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Recipient
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Put simply, personal data consists of individual details about the personal or factual circumstances of an identified or identifiable natural person, i.e. not legal entities, such as a GmbH. Personal data primarily includes information such as the name, address, email address and also the IP address.

Profiling
Profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movement.

Pseudonymisation
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Last revised: July 2024