Privacy policy

General Information about the Processing of your Data

We are legally obliged to inform you about the processing of your personal data (hereinafter referred to as “data”) when you use our website. This data protection notice informs you about the details of the processing of your data and your legal rights in this regard. For terms such as “personal data” or “processing”, the legal definitions in Art. 4 GDPR apply. We reserve the right to amend the privacy policy with effect for the future, in particular in the event of further development of the website, the use of new technologies or changes to the legal basis or the corresponding case law.

Scope of Application

The privacy policy applies to the website https://boodies.de/. It does not extend to any linked websites or internet presences of other providers.

Controller

Responsible for the processing of personal data within the scope of this privacy policy is:

sprd.net AG

Auguststraße 11

10117 Berlin

Tel.: +49 (0) 341 25 049 946

E-mail: info@boodies.de

Questions about Data Protection

If you have any questions about data protection with regard to our company or our website, you can contact our data protection officer:

Fresh Compliance GmbH

Schönhauser Allee 43a

10435 Berlin

E-mail: dsb@freshcompliance.de

Security

We have taken comprehensive technical and organizational precautions to protect your personal data from unauthorized access, misuse, loss and other external interference. To this end, we regularly review our security measures and adapt them to the state of the art.

Your Rights

You have the following rights with regard to the personal data concerning you, which you can assert against us:

Right to information: You can request information in accordance with Art. 15 GDPR about your personal data that we process.
Right to rectification: If the information concerning you is not (or no longer) accurate, you can request a rectification in accordance with Art. 16 GDPR. If your data is incomplete, you can request that it be completed.
Right to erasure: You can request the erasure of your personal data in accordance with Art. 17 GDPR.
Right to restriction of processing: In accordance with Art. 18 GDPR, you have the right to request that the processing of your personal data be restricted.
Right to object to processing: You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1) GDPR pursuant to Article 21(1) GDPR. In this case, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. Further processing will also take place if the processing serves the assertion and exercise of or defence against legal claims (Art. 21 para. 1 GDPR). You also have the right to object at any time to the processing of your personal data for the purpose of direct marketing in accordance with Art. 21 para. 2 GDPR; this also applies to any profiling, insofar as it is associated with such direct marketing. We draw your attention to the right to object in this privacy policy in connection with the respective processing.
Right to withdraw your consent: If you have given your consent for processing, you have the right to withdraw your consent in accordance with Art. 7 para. 3 GDPR.
Right to data portability: You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format (‘data portability’) and the right to transmit this data to another controller if the requirements of Art. 20 para. 1 lit. a, b GDPR are met (Art. 20 GDPR).

You can assert your rights by notifying us using the contact details provided in the “Controller” section or by contacting the data protection officer named by us in the “Questions about Data Protection” section.

If you believe that the processing of your personal data violates data protection law, you also have the right to lodge a complaint with a data protection supervisory authority of your choice in accordance with Art. 77 GDPR. This also includes the data protection supervisory authority responsible for the controller:

Sächsische Datenschutz- und Transparenzbeauftragte, Postfach 110132, 01330 Dresden (postal address) or Devrientstraße 5, 01067 Dresden (visitor address), telephone: 0351/85471-101, e-mail: post@sdtb.sachsen.de, https://www.datenschutz.sachsen.de/

Use of our Website, Access Data

In principle, you can use our website for purely informational purposes without disclosing your identity. When accessing the individual pages of the website in this sense, only access data is transmitted to our web space provider so that the website can be displayed to you. The following data is processed:

browser type/version of the browser,
operating system used,
language and version of the browser software,
date and time of the request,
host name of the accessing end device,
IP address,
content of the request (specific web page),
access status/HTTP status code,
the page from which you are visiting us,
Referrer URL (previously visited website),
a message about the successful retrieval,
transferred data volume.

The temporary processing of this data is necessary to technically enable the course of a website visit and delivery of the website to your end device. The access data is not used to identify individual users and is not merged with other data sources. Further storage in log files takes place in order to ensure the functionality of the website and the security of the information technology systems. The legal basis for processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interests lie in ensuring the functionality of the website and the integrity and security of the website. Storing access data in log files, in particular the IP address, for a longer period of time enables us to recognise and prevent misuse. This includes, for example, defence against requests that overload the service or possible bot use. The access data is deleted as soon as it is no longer required to fulfil the purpose for which it was processed. In the case of the collection of data for the provision of the website, this is the case when you end your visit to the website. The log data is always stored directly and only accessible to administrators and deleted after seven days at the latest. After that, they are only available indirectly via the reconstruction of backup tapes and are permanently deleted after a maximum of four weeks.

You can object to the processing. You have the right to object on grounds relating to your particular situation. You can send us your objection using the contact details provided in the ‘Controller’ section.

End Device Information

In addition to the aforementioned access data, technologies are used when using the website that store information in your end device (e.g. desktop PC, laptop, tablet and smartphone) or access information that is already stored in your end device. These technologies may include cookies, pixels, LocalStorage, SessionStorage, IndexedDB or browser fingerprinting technologies. These technologies can be used to recognise you across devices and websites.

In accordance with Section 25 (1) TDDDG, we generally require your consent to use these technologies. According to Section 25 (2) TDDDG, such consent is only not required if the technologies either enable the transmission of a message via a public telecommunications network or if they are absolutely necessary to provide a telemedia service expressly requested by you.

Technically necessary End Device Information

Some elements of our website serve the sole purpose of transmitting a message (Section 25 (2) No. 1 TDDDG) or are absolutely necessary to make our website or individual functionalities of our website available to you (Section 25 (2) No. 2 TDDGG):

Language settings,
user preferences,
items in the shopping basket,
online forms.

The elements are deleted after storage is no longer required.

You can prevent processing by making the appropriate settings in your browser software. In the case of elements whose storage duration is not limited to the session, you can delete the elements in the settings of your browser software after your session has expired.

Technically not necessary End Device Information

We also use elements on the website that are not technically necessary. We only use these technologies with your consent in accordance with the legal requirements. You can find information on the individual technologies and functions under ‘Learn more’ within the consent management platform (‘Pandectes’) and categorised according to the individual functions in the following information..

Consent Management Platform ‘Pandectes’

We use a consent tool on our website to request consent for the processing of your device information and personal data using cookies or other tracking technologies. This gives you the option of consenting to or rejecting the processing of your device information and personal data using cookies or other tracking technologies for the purposes listed in the consent tool. Such processing purposes may include the integration of external elements, integration of streaming content, statistical analysis, reach measurement, individualised product recommendations or individualised advertising.

You can give or refuse your consent for all processing purposes or give or refuse your consent for individual purposes.

You can also change the settings you have made at a later date. The purpose of integrating the consent tool is to allow users of our website to decide on the setting of cookies and similar functionalities and to offer the option of changing settings that have already been made as part of the further use of our website.

In the course of using the consent tool, we process personal data and information about the end devices used. The information about the settings you have made is also stored on your device.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. c) GDPR in conjunction with Art. 7 para. 1 GDPR. Art. 7 para. 1 GDPR, insofar as the processing serves to fulfil the legally standardised obligations to provide evidence for the granting of consent. Otherwise, Art. 6 para. 1 sentence 1 lit. f) GDPR is the relevant legal basis. Our legitimate interests in the processing lie in the storage of user settings and preferences in relation to the use of cookies and the evaluation of consent rates.

The user settings made are stored until they are no longer required for the purposes for which they were collected, unless you yourself delete the information about your user settings in the terminal device capacities provided for this purpose beforehand.

You can object to the processing if the processing is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. You have the right to object on grounds relating to your particular situation. You can send us your objection using the contact details provided in the ‘Controller’ section.

The recipients of the personal data processed in this context are the provider of the consent management platform we use:

Pandectes, Pudisoo küla, Männimäe/1, 74626, Kuusalu vald, Estland with regard to the consent management platform; further information can be found here: https://pandectes.io/privacy-policy/

Contacting our Company/Customer Service

When you contact our company, e.g. by telephone, e-mail, WhatsApp or via the contact form or chatbot on the website, the personal data you provide will be processed by us in order to answer your enquiry. We coordinate customer enquiries and optimise the processes for a targeted and rapid response (e.g. by sending automated e-mails) as part of our customer service management.

In order to process enquiries via the contact form, you must provide a name, valid e-mail address, telephone number, subject, status and message. At the time the message is sent to us, your IP address and the date and time of registration are also processed.

The chatbot is based on artificial intelligence. You are not communicating with one of our employees. The chatbot will respond as accurately as possible in its function as a virtual assistant. The chat is made available via a widget. To enable the chat to be used, a cookie is set in the user's browser (see section ‘End device information’). The cookie is only filled with data when the chat is used. Some of the data mentioned under ‘Use of our website’ is processed.

The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f) GDPR or Art. 6 para. 1 sentence 1 lit. b) GDPR if the contact is aimed at concluding a contract or is related to this. If the enquiry is aimed at concluding a contract or is in connection with an order placed, the provision of your data is required and mandatory. If the data is not provided, it will not be possible to conclude or execute a contract or process the enquiry.

The other data processed during the sending process of the contact form serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Our legitimate interests lie in responding to your contact enquiries via the channels provided by us.

We delete the data collected when you contact us after processing is no longer necessary - usually two years after the end of communication - or, if necessary, restrict processing to compliance with existing mandatory statutory retention obligations.

You can object to the processing if it is based on Art. 6 para. 1 sentence 1 lit. f) GDPR. You have the right to object on grounds relating to your particular situation. You can send us your objection using the contact details provided in the ‘Controller’ section.

We use external service providers for the internal processing and administration of contact and for the provision of our other channels:

Zendesk, Inc. (Zendesk GmbH c/o TaylorWessing, Neue Schönhauser Str. 3-5, 10178 and Zendesk, Inc., San Francisco, 989 Market St, USA; hereinafter: ‘Zendesk’) to integrate a chat window, which you can use to send us a message. You have the opportunity to receive further information about our company and ask specific questions. The information provided via the chat is processed. ‘Zendesk’ uses cookies and similar tracking technologies to enable you to use the chat. Some of the data mentioned under the section ‘Use of our website’ is transmitted to ‘Zendesk’. We use ‘Zendesk’ to be able to communicate with you better and more easily. We delete the data arising in this context after the processing is no longer necessary or restrict the processing to compliance with the existing mandatory statutory retention obligations. The legal basis for the use of ‘Zendesk’ is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interests in the use of ‘Zendesk’ lie in offering an optimised and speedy response to your questions and providing information about your request. ‘Zendesk’ also processes some of your data in the USA. The EU Commission has issued an adequacy decision for the USA. Zendesk, Inc. is certified under this. In addition, we have concluded standard contractual clauses with ‘Zendesk’ to commit Zendesk, Inc. to an appropriate level of data protection. You can view these at https://www.zendesk.de/blog/eu-us-data-transfers-after-schrems-ii/. Further information on data protection and the storage period can be found at https://www.zendesk.de/company/agreements-and-terms/privacy-notice/.
WhatsApp LLC. (1601 Willow Road Menlo Park, California 94025, USA) in the context of using WhatsApp to contact us. The provider processes the data required for the use of the app, in particular to ensure access to the Internet. This includes: IP address, date and time of the server request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific app function), access status, amount of data transferred in each case, app from which the request comes, device type, operating system used and its interface (Android or IOS), language and version of the operating system, device identifiers. We do not process any user data in this context. This processing is the sole responsibility of WhatsApp LLC. (1601 Willow Road Menlo Park, California 94025, USA) is responsible for this processing. Further information on data protection can be found at: https://www.whatsapp.com/legal/updates/privacy-policyeea?lang=de.
Engaige Technologies BV., Eendrachtsweg 22a, 3012 LB, Rotterdam, Netherlands, whose intelligent chatbot with the included knowledge database we have integrated into our website. The provider is the recipient of the anonymised data that you enter in the chat window. The data is not stored. You can find more information on data protection at: https://www.letsengaige.com/privacy-statement

Online Shop

If you wish to place an order in our online shop, it is necessary and mandatory for the initiation and conclusion of the contract that you provide personal data such as your first and last name, your address and your e-mail address. The mandatory information required for order and contract processing is marked separately; further information is provided voluntarily. We process your data for order processing and will forward payment data in particular to the payment service provider you have selected or to our house bank for this purpose. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of your data is necessary and mandatory for the conclusion or performance of the contract. If you do not provide your data, it will not be possible to conclude and/or fulfil the contract. To prevent unauthorised third parties from accessing your personal data, the order process on the website is encrypted using SSL technology.

We pass on your personal data to the shipping service provider selected by us for the purpose of sending your order to the shipping address you have specified.

longer necessary or restrict processing if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we restrict the processing and reduce the processing to compliance with existing legal obligations..

Shop System 'Shopify'

We process your data to process orders via the store system “Shopify” of the provider “Shopify” (Shopify International Ltd. c/o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32. Ireland and Shopify, Inc, 151 O'Connor Street, Ground floor, Ottawa, ON K2P 2L8, Canada; hereinafter: “Shopify”), so that the data provided in the context of the order, such as first and last name, address, e-mail address and information from your shopping cart are also processed by “Shopify”. The legal basis for the use of “Shopify” is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interests in the use of “Shopify” lie in offering customer-friendly and fast order processing. The data processed in this context will be deleted as soon as it is no longer required for the purpose of processing. “Shopify” also processes your data in Canada. The legal basis for the transfer to Canada is the adequacy decision of the EU Commission. Further information on the purpose, scope of processing and data transfer to third countries by "Shopify" can be found at https://www.shopify.de/legal/datenschutz and https://help.shopify.com/de/manual/privacy-and-security/privacy/international-data-transfers/onward-transfers.

We use external service providers for the internal processing and administration of your order and shipping:

Hive (Hive Technologies GmbH, Bouchéstraße 12, 12435 Berlin) to process and fulfill orders by packing and shipping goods to our customers. For this purpose, Hive processes your first and last name, your delivery address, your e-mail address and the respective goods-related information.
DHL (DHL Paket GmbH, Sträßchenweg 10, 53113 Bonn) to carry out the shipment. The provider is the recipient of your first and last name and your delivery address.

Payment Processing

We offer various payment methods on our website. After selecting one of the payment methods offered, the payment data provided by you (e.g. as part of the order process/transfer) will be processed together with information about your order as well as first and last name, purpose of use, order/invoice number for the purpose of payment processing. In order to be able to allocate your payment, we process your delivery/invoice address, e-mail address and the selected payment method. If the data required for payment processing is transmitted, this is done using the secure “SSL” procedure.

We sometimes use external payment service providers to process payments, unless you have selected the “Prepayment” payment method. Further information on these payment service providers can be found in the section “Payment service providers”.

The legal basis for processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of your payment data is necessary and mandatory for the conclusion or execution of the contract. If the payment data is not provided, it will not be possible to conclude and/or execute the contract using the selected payment method.

We delete the data arising in this context after storage is no longer required, or restrict processing if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we restrict processing and reduce processing to compliance with existing legal obligations.

Identity and Credit Check

Depending on the selected payment method, an identity or credit check is carried out. During the credit check, mathematical-statistical procedures are used to calculate a rating with regard to the probability of non-payment (so-called calculation of a “scoring” value). The payment service provider bases its decision on the provision of the respective payment methods on the calculated scoring value. The calculation of a scoring value is based on recognized scientific procedures.

The identity or credit check is carried out by the payment service provider we use. You can find more information in the “Payment service provider” section.

The legal basis for the credit check is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interests lie in the prevention of fraud and the avoidance of default risks (e.g. if we make advance payments for the payment method you have chosen) as well as in the avoidance of misuse of data. The information collected can be used to identify potentially harmful or illegal activities. In addition, we can check whether the data you have provided is correct and whether the order actually originated from you.

We delete the data arising in this context after storage is no longer required, or restrict processing if there are statutory retention obligations. Due to mandatory commercial and tax regulations, we are obliged to store your address, payment and order data for a period of up to ten years. Two years after termination of the contract, we will restrict processing and reduce processing to compliance with existing legal obligations.

Payment Service Provider:

Shopify Payments

Via the payment service “Shopify Payments” (Shopify International Ltd. Attn: Data Protection Officer c/o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32. Ireland and Shopify Inc. ATTN: Chief Privacy Officer, 151 O'Connor Street, Ground floor, Ottawa, ON K2P 2L8, Canada) we integrate the payment methods “Apple Pay”, “Google Pay”, “Klarna (Pay Later)”, “Shop Pay” and “Credit Card”. If you select one of these payment methods, the payment data you provide during the booking process, along with information about your purchase, will be forwarded to “Shopify Payments” for the purpose of payment processing. The processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of the payment data is necessary and mandatory for the conclusion or execution of the contract. If the payment data is not provided, it will be impossible to conclude and/or execute the contract with the payment methods mentioned. Shopify" also processes your data in Canada. The legal basis for the transfer to Canada is the adequacy decision of the EU Commission. Further information on the purpose, scope of processing and data transfer to third countries by “Shopify” can be found at https://www.shopify.de/legal/datenschutz and https://help.shopify.com/de/manual/privacy-and-security/privacy/international-data-transfers/onward-transfers.

Shop Pay: The “Shop Pay” function from the provider “Shopify” is available to you via Shopify Payments. If you use “Shop Pay”, ‘Shopify’ stores your payment data, e-mail address, cell phone number and information about payments made and orders from other online stores that use “Shop Pay”. The processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. b) GDPR. The provision of the payment data is necessary and mandatory for the conclusion of the contract or the execution of the payment with “Shop Pay”. Failure to provide the payment data will make it impossible to execute the contract with the payment method mentioned. “Shopify” also processes your data in third countries, such as Canada and the USA. The legal basis for the transfer to Canada is the adequacy decision of the EU Commission. Further information on the purpose, scope of processing and data transfer to third countries by “Shopify” can be found at https://help.shopify.com/de/manual/your-account/privacy/GDPR/gdpr-faq#stimmt-shopify-standardvertragsklauseln-zu.
Apple Pay: If you select the “Apple Pay” payment method, the provider Apple Distribution International Limited (HOLLYHILL INDUSTRIAL ESTATE CORK, T23 YK84, Ireland) and Apple, Inc. (Cupertino, CA 95014, USA) will also process your data, possibly also in the USA. The EU Commission has issued an adequacy decision for the transfer of data to the USA. We have concluded so-called standard data protection clauses with the provider in order to oblige the provider to an appropriate level of data protection. You can obtain a copy of the standard data protection clauses by contacting Apple Ltd.
Google Pay: If you select the “Google Pay” payment method, the provider Google Ireland Ltd (Gordon House, Barrow Street, Dublin 4, Ireland) and Google, LLC (1600 Amphitheatre Parkway Mountain View, CA 94043, USA) will also process your data, in some cases also in the USA. The EU Commission has issued an adequacy decision for the transfer of data to the USA. In addition, so-called standard contractual clauses have been concluded with Google, LLC in order to oblige Google, LLC to an appropriate level of data protection. You can obtain a copy of the standard contractual clauses at https://cloud.google.com/terms/sccs.
Klarna (Pay Later): In the event that you choose the payment method “Pay later” with the payment provider “Klarna”, we will forward the data you provide to Klarna Bank AB (publ) (Sveavägen 46, 111 34 Stockholm, Sweden; hereinafter: ‘Klarna’ and “Invoice”) for the purpose of payment processing. We assign the purchase price claim to Klarna. Klarna will send you a payment instruction and you will pay your order directly to Klarna. Klarna carries out an identity and credit check to ensure that the data provided is correct. Klarna also wants to make sure that the order really comes from you.
Credit card payment: For the purpose of payment processing, we pass on the payment data required for the credit card payment (card number, cardholder, expiry date, CVV) to the credit institution commissioned with the payment or to the payment and invoicing service provider commissioned by us, if applicable.
PayPal: If you select the “PayPal” payment method, you will be redirected to the website of the provider PayPal (Europe) S.à.r.l. et Cie, S.C.A., (22-24 Boulevard Royal, L-2449 Luxembourg). To pay, you must log into your “PayPal” account. The payment data stored there will also be processed. The provider may also process data within other PayPal companies, e.g. PayPal Holdings, Inc. (2211 North First Street - 95131 San José, California, USA).

The provider also processes your data in the USA. The EU Commission has issued an adequacy decision for data transfer to the USA. In addition, standard data protection clauses have been concluded with PayPal Holdings, Inc. in order to oblige PayPal Holdings, Inc. to an adequate level of data protection. You can view a copy of the standard data protection clauses at “PayPal” at https://www.paypal.com/de/smarthelp/contact-us/privacy.

Further information on data processing by “PayPal” can be found here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

Marketing by E-mail

Advertising to Existing Customers

We reserve the right to use the e-mail address provided by you as part of your order via our online store in accordance with the statutory provisions in order to send you interesting offers from our portfolio, in particular fashion items, as well as requests for customer feedback and opinion and market research surveys by e-mail during or following your order, unless you have already objected to this processing of your e-mail address.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. Our legitimate interests in the aforementioned processing lie in increasing and optimizing our services, sending direct advertising and ensuring customer satisfaction.

We delete your data when you end the usage process.

We use external marketing service providers to send advertising to existing customers. You can find more information about these in the “Marketing service providers” section.

We would like to point out that you can object to the receipt of direct advertising and processing for the purpose of direct advertising at any time without incurring any costs other than the transmission costs according to the basic rates. You have a general right to object without giving reasons (Art. 21 (2) GDPR). To do this, click on the unsubscribe link in the respective e-mail or send us your objection to the contact details given in the “Controller” section.

Newsletter and other electronic Advertising

You have the option of being informed by e-mail about products that are available again and new product launches as well as subscribing to our newsletter by e-mail, which we use to inform you regularly about the following content Interesting offers from our portfolio, especially fashion items as well as requests for customer feedback and opinion and market research surveys.

To receive the newsletter and other electronic advertising, you must provide your e-mail address for the newsletter. We process this data for the purpose of sending the newsletter and for as long as you have subscribed to the newsletter.

You can revoke your consent at any time, either by clicking directly on the unsubscribe link in the newsletter or by sending us a message using the contact details provided under “Controller”. This will not affect the lawfulness of the processing carried out on the basis of your consent up to the time of your withdrawal.

Double opt-in procedure

In order to document your newsletter registration and prevent the misuse of your personal data, registration for our e-mail newsletter takes place in the form of the so-called double opt-in procedure. After entering the data marked as mandatory, we will send you an e-mail to the e-mail address you have provided, in which we ask you to expressly confirm your subscription to the newsletter by clicking on a confirmation link. In doing so, we process your IP address, the date and time of registration for the newsletter and the time of your confirmation.

In this way, we ensure that you really want to receive our e-mail newsletter..

We are legally obliged to prove your consent to the processing of your personal data in connection with the registration for the newsletter (Art. 7 para. 1 GDPR). Due to this legal obligation, data processing is carried out on the basis of Art. 6 para. 1 sentence 1 lit. c) GDPR. You are not obliged to provide your personal data during the registration process. However, if you do not provide the required personal data, we may not be able to process your subscription in full or at all. If you do not confirm your newsletter subscription within 24 hours, we will block the information transmitted to us and delete it automatically after one month at the latest.

After your confirmation, your data will be processed for as long as you have subscribed to the newsletter.

Blocking List

If you unsubscribe by withdrawing your consent or objecting to the receipt of advertising from existing customers, we will process your data, in particular your e-mail address or mobile phone number, to ensure that you do not receive any further newsletters or other electronic advertising from us. For this purpose, we add your e-mail address or mobile phone number to a so-called “blocking list”, which prevents you from receiving any further newsletters from us. The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. c) GDPR in order to comply with our obligations to provide evidence, otherwise Art. 6 para. 1 sentence 1 lit. f) GDPR. In this case, our legitimate interests consist in complying with our legal obligations to reliably stop sending you newsletters or other electronic advertising. .

Hosting

We use external hosting services from the provider STRATO AG (Pascalstr. 10, 10587 Berlin, Germany), which serve to provide the following services: Infrastructure and platform services, computing capacity, storage resources and database services, security and technical maintenance services. For these purposes, all data - including the access data mentioned under “Use of our website” - that is required for the operation and use of our website is processed. The legal basis for the processing is Art. 6 para. 1 sentence 1 lit. f) GDPR. We use external hosting services to ensure the efficient and secure provision of our website.

Content Delivery Network

“Shopify” uses a content delivery network (CDN) from the following provider::

Cloudflare Germany GmbH (Rosental 7, 80331 München) and Cloudflare, Inc. (101 Townsend St., San Francisco, CA 94107, USA); this service provider processes some of your data in the USA. There is an adequacy decision by the EU Commission for data transfer to the USA. Cloudflare, Inc. is certified under this. In addition, “Shopify” has concluded so-called standard contractual clauses with Cloudflare, Inc. in order to oblige Cloudflare, Inc. to an adequate level of data protection. You can view a copy of the standard contractual clauses at https://www.cloudflare.com/cloudflare-customer-dpa/. Further information on data protection and the storage period can be found at: https://www.cloudflare.com/de-de/privacypolicy/.

Assertion, exercise or defense of legal claims

We may process personal data for the assertion, exercise or defense of legal claims (e.g. in the case of outstanding claims) as long as it is legally required or necessary for these purposes. The legal basis for processing is Art. 6 para. 1 lit. c) GDPR and Art. 6 para. 1 lit. f) GDPR. In these cases, we have a legitimate interest in the assertion of or defense against claims. We delete the data processed in this context after storage is no longer necessary or restrict processing if there are statutory retention obligations.

Recipients in these cases may be:

Lawyer
Credit agencies and debt collection service providers (e.g. Verband der Vereine Creditreform e.V., Hammfelddamm 13, D-41460 Neuss)

Compliance with other legal Obligations and Duties to protect

We may also process personal data to comply with other legal obligations, in particular if we have an enforceable official or court order or we are required to do so by law, as long as we are obliged to do so. The legal basis in these cases is Art. 6 para. 1 sentence 1 lit. c) GDPR. If it is necessary to process personal data in order to protect the vital interests of the data subject or another natural person, we process this data in accordance with Art. 6 para. 1 sentence 1 lit. d) GDPR for as long as the processing is necessary for this purpose.

Integration of third-party Content

YouTube Videos

We use plug-ins on the website from the video platform “YouTube.de” or “YouTube.com”, a service of YouTube, LLC (head office at 901 Cherry Avenue, San Bruno, CA 94066, USA; hereinafter: “YouTube”), for which ‘Google’ (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland and Google, LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA; hereinafter: “Google”) is the controller within the meaning of data protection law. By processing data through the plug-ins, we pursue the purpose of integrating visual content (“videos”) that we have published on “Youtube.de” or “Youtube.com” on this website. The videos are all integrated in “extended data protection mode”, i.e. no data about you as a user is transmitted to “YouTube” if you do not play the videos. When you play videos on our website, “YouTube” receives the information that you have accessed the corresponding subpage of our website. In addition, some of the data mentioned under the section “Use of our website” is transmitted to “Google”. This takes place regardless of whether “YouTube” provides a user account that you are logged in to or whether no user account exists. If you are logged in to “Google”, your data will be assigned directly to your account. If you do not wish your data to be associated with your YouTube profile, you must log out before activating the button. “YouTube” stores your data as usage profiles and processes them for the purposes of advertising, market research and/or the needs-based design of its website, regardless of whether you have a user account with “Google”. With regard to the storage of and access to information in your terminal device, the legal basis is Section 25 (1) TDDDG; the legal basis for further processing is Art. 6 (1) sentence 1 lit. a) GDPR. “Google” also processes some of the data in the USA. The EU Commission has issued an adequacy decision for data transfer to the USA. In addition, so-called standard contractual clauses have been concluded with Google, LLC in order to oblige Google, LLC to an adequate level of data protection. You can obtain a copy of the standard contractual clauses at https://cloud.google.com/terms/sccs. Your data in connection with YouTube will be deleted after 24 months at the latest. Further information on the purpose and scope of processing by “YouTube” and the storage period at “YouTube” or ‘Google’ can be found in “Google's” privacy policy at https://policies.google.com/privacy.

You can withdraw your consent to processing at any time by clicking on the “Learn more” button in the Consent Tools. The legality of the processing remains unaffected until the revocation is exercised.

Services for statistical, analytical and marketing Purposes

We use third-party services for statistical, analytical and marketing purposes. This enables us to provide you with a user-friendly, optimized use of the website. The third-party providers use cookies, pixels, browser fingerprinting or other tracking technologies to control your services. We will inform you below about the services of external providers currently used on our website as well as about the respective processing in individual cases and about your existing revocation options.

Shopify Analytics

We also use the “Shopify Analytics” tool from “Shopify” (Shopify International Ltd. Attn: Data Protection Officer c/o Intertrust Ireland, 2nd Floor 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32. Ireland and Shopify Inc. ATTN: Chief Privacy Officer, 151 O'Connor Street, Ground floor, Ottawa, ON K2P 2L8, Canada) that use so-called “cookies” or other tracking technologies that are stored on your end device. With the help of cookies, “Shopify” processes the information generated about the use of our website by your end device - e.g. that you have accessed a certain web page - and processes, among other things, the data mentioned in the section “Use of our website”, in particular your IP address, browser information, the previously visited website and the date and time of the server request, for the purpose of statistical analysis of website use for troubleshooting and to improve our store. For this purpose, it can also be determined whether different end devices belong to you or your household. "Shopify will process this information for the purpose of evaluating your use of the website, compiling reports on website activity for us and, where we indicate otherwise, providing us with other services relating to website activity and internet usage. With regard to the storage of and access to information in your terminal device, your consent is the legal basis pursuant to Section 25 (1) TDDDG; for further processing, your consent is also the legal basis pursuant to Art. 6 (1) sentence 1 lit. a) GDPR.

“Shopify” also processes your data in Canada. The legal basis for the transfer to Canada is the adequacy decision of the EU Commission. Further information on the purpose, scope of processing and data transfer to third countries by “Shopify” can be found at https://www.shopify.de/legal/datenschutz and https://help.shopify.com/de/manual/privacy-and-security/privacy/international-data-transfers/onward-transfers.

You can withdraw your consent to processing at any time by clicking the “Learn more” button in the Consent Tools. The legality of the processing remains unaffected until the revocation is exercised.

Meta Pixel / Meta Conversions API

On our website we use the analysis functions of “Meta” (provider is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, and Meta Platforms Inc. 1601 Willow Rd, Menlo Park, California, USA; hereinafter: “Meta”). For this purpose, we use the so-called Meta Pixel and the Meta Conversions API to analyze the use of our website and Internet presence, e.g. in social networks such as Meta and Instagram, the interactions made by users on our website and Internet presence and the reach measurement of our advertisements. The Meta Conversions API, an application programming interface, helps us to transmit and analyze marketing information and parameters of website visitors' interactions with our website directly to Meta's servers. We use these findings to optimize our marketing and advertising campaigns and to form target groups, especially of Meta users, to whom we can display interest-based advertisements. Your browser automatically establishes a direct connection to Meta's server with the help of meta pixels, which are graphics that are also integrated into our website, are automatically loaded when you visit our website and enable user behavior to be tracked. By integrating the Meta pixels, Meta processes the information generated about the use of our website by your end device - e.g. that you have accessed a certain web page - and processes, among other things, the data mentioned in the section “Use of our website”, in particular IP address, browser information, the Meta ID, end device ID, language settings, date and time of the server request and event data such as page views, button views and other interactions for the purpose of analyzing our website and Internet presence, analyzing user interactions and measuring the reach of our advertisements. For these purposes, it can also be determined whether different end devices belong to you or your household. The information obtained with the help of the Meta pixel is used solely for statistical purposes, is transmitted to us anonymously by Meta as statistics and does not provide any information about the person of the user. If you are registered with a Meta service, Meta can assign the information collected to your account or to you as a user. Even if a user is not registered with Meta or is not logged in, it is possible for Meta to obtain and process the IP address and other identifying features. With regard to the storage of and access to information in your terminal device, your consent is the legal basis pursuant to Section 25 (1) TDDDG; for further processing, your consent is also the legal basis pursuant to Art. 6 (1) sentence 1 lit. a) GDPR. Meta also processes some of the data in the USA. There is an adequacy decision by the EU Commission for data transfer to the USA. Meta Platforms, Inc. is certified under this. In addition, standard data protection clauses have been concluded with Meta Platforms, Inc. in order to commit Meta Platforms Inc. to an appropriate level of data protection. You can request a copy of the standard data protection clauses from Meta at https://www.facebook.com/help/contact/341705720996035. The storage period of the information in the meta-cookies is 90 days. You can find more information on data protection and the storage period at Facebook at: https://www.facebook.com/privacy/explanation and https://www.facebook.com/policies/cookies/.

When you use the Meta Business Tools, your personal data (“Business Tool Data”) will be processed by both us and Meta. The processing of personal data described above in connection with the use of Meta Business Tools and the processing of your hashed contact information and event data in particular, i.e. information that arises in connection with the analysis of your interactions with our website or Internet presence, is carried out under joint responsibility in accordance with Art. 26 GDPR, whereby the responsibility for fulfilling data protection obligations under the GDPR may vary depending on the processing phase. The purposes of the processing are to optimize the respective marketing campaigns and analyses, in particular the comparison with Meta user IDs for the targeted display of advertisements, for the implementation of which we use the Meta Business Tools as a means.

We have entered into a joint controllership agreement with Meta in accordance with Art. 26 para. 1 sentence 2 GDPR and have determined who fulfills the applicable obligations under the GDPR for each processing phase:

As BWH, we are the independent controller for the processing of the personal data processed in the business tools used for the purposes of carrying out analyses, measuring reach and creating campaign reports and comparing them with user IDs, including combining them with the event data determined.
Furthermore, Meta is an independent controller pursuant to Art. 4 No. 7 GDPR, in particular for any downstream processing of personal data contained in the Meta Business Tools.

You can assert your rights as a data subject both against us and against Meta. We and Meta will inform each other immediately of all rights exercised by data subjects. We will provide each other with all information necessary to respond to the respective requests of data subjects. Irrespective of the responsibility for the respective processing phase in connection with the use of Meta Business Tools, we will provide the data subjects with the necessary information in accordance with Articles 13 and 14 of the GDPR and Art. 26 para. 2 GDPR free of charge within the framework of this data protection information in a precise, transparent, comprehensible and easily accessible form in clear and simple language. We and Meta will provide each other with all necessary information from their respective areas of responsibility.

The legal basis for joint processing is your consent in accordance with Section 25 (1) TDDDG and for further processing Art. 6 (1) sentence 1 lit. a) GDPR. Further information on processing, in particular in the context of joint responsibility with Meta, can be found a https://www.facebook.com/legal/terms/businesstools_jointprocessing and https://www.facebook.com/legal/terms/businesstools/preview?_rdr and https://www.facebook.com/about/privacy. The agreement concluded with Meta regarding joint responsibility in connection with the Meta business tools can be found at https://www.facebook.com/legal/controller_addendum abrufen.

TikTok Ads

The tracking technology of “TikTok” (TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland and TikTok, Inc., 5800 Bristol Parkway, Suite 100, Culver City, CA 90230, USA; hereinafter: “TikTok”) is integrated on the website. TikTok uses technologies such as “tracking pixels” (“TikTok pixels”), ‘cookies’ and “device fingerprinting” to collect information about usage behavior on our website. This allows users of the website and users of TikTok to be shown interest-based advertisements when visiting the TikTok social network. With the help of TikTok pixels (small graphics that are also integrated on our website and that are automatically loaded when our website is accessed and enable user behavior to be tracked), the user's browser automatically establishes a direct connection with the TikTok server. By integrating the TikTok pixels, TikTok uses the information generated by cookies about the use of our website by the user's device - e.g. that a specific web page has been accessed - and processes access data, in particular the IP address, browser information, the previously visited website and the date and time of the server request, for the purpose of displaying personalized advertisements across devices. We can determine how successful the individual advertising measures are in relation to the advertising campaign data. These advertising materials are delivered by TikTok via so-called ad servers. For this purpose, we use ad server cookies, through which certain parameters for measuring reach - e.g. display of the ads, duration of viewing or clicks by users - can be measured. If users are registered with a TikTok service, TikTok can also assign the information collected to the respective TikTok account of the user. With regard to the storage of and access to information in your end device, your consent is the legal basis in accordance with § 25 para. 1 TDDDG; for further processing, your consent is also the legal basis in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. TikTok also processes your data in the USA. Standard contractual clauses have been concluded with TikTok, Inc. in order to commit TikTok, Inc. to an appropriate level of data protection. You can request a copy of the standard contractual clauses at https://privacytiktok.zendesk.com/hc/en-us/requests/new or, in the case of data transfers between two data controllers, at https://ads.tiktok.com/i18n/official/policy/controller-to-controller. Further information on data protection and the storage period at TikTok can be found at: https://www.tiktok.com/legal/privacy-policy?lang=de.