Privacy policy

We take data protection seriously

Protecting your privacy when processing personal data is an important concern for us. When you visit our website, our web servers automatically store the IP address of your internet service provider, the website from which you visit us, the pages you visit on our site as well as the date and duration of your visit. This information is essential for the technical transmission of the website and for the secure operation of the server. These data are not evaluated on a personal basis.

If you send us data via the contact form, these data will be stored on our servers as part of data backup. We will use your data exclusively to process your request. Your data will be treated as strictly confidential. No transfer to third parties will take place.

1. Who is responsible for data processing and whom can you contact?

Controller:

Wardow GmbH,
Magdeburger Straße 5
14641 Wustermark
Phone: +49 (0)331 58291300
Email: service@wardow.com

The company data protection officer is:

Mr. Nico Becker
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
Email: anfragen@projekt29.de
Phone: +49 941 2986930

2. Personal data

Personal data are data about your person. These include your name, address and email address. You do not need to disclose any personal data to visit our website. In some cases, however, we require your name and address as well as other information in order to provide the requested service.

The same applies if we are to provide you with information material at your request or respond to your inquiries. In these cases, we will always notify you. We only store data that you have transmitted to us automatically or voluntarily.

When you use one of our services, we generally collect only the data necessary to provide you with our service. We may ask for additional information, but providing this is voluntary. Whenever we process personal data, we do so to provide you with our service or to pursue our commercial objectives.

3. Visiting the website

3.1. General use

When you visit our website, our web servers automatically store the IP address of your internet service provider, the website from which you visit us, the pages you visit on our site as well as the date and duration of your visit. Processing this information is essential for the technical transmission of the website, the convenient use of our services and the secure operation of the server. Our legitimate interest is based on Art. 6 (1) (f) GDPR.
An immediate inference to your identity is not possible based on this information and will not be made by us. The information is stored and automatically deleted once the purposes mentioned above have been fulfilled. Deletion periods are based on the necessity criterion.

3.2. Automatically stored data

Server log files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These include:

• Date and time of the request
• Name of the requested file
• Page from which the file was requested
• Access status (file transferred, file not found, etc.)
• Browser and operating system used
• Full IP address of the requesting computer
• Transferred data volume

These data will not be merged with other data sources. Processing takes place in accordance with Art. 6 (1) (f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.
For technical security reasons, in particular to prevent attacks on our web server, we store this data temporarily. We cannot draw any conclusions about individual persons from this data. After seven days at the latest, the IP address is anonymised at domain level so that it is no longer possible to establish a personal reference. In anonymised form, the data may also be used for statistical purposes; no comparison with other data or transfer to third parties, even in extracts, will take place.

3.3. Contact

When contacting us (e.g. via contact form, email, phone or social media), we process the data provided by the requesting party insofar as this is necessary to respond to the contact requests and any requested measures. The response to contact inquiries within the framework of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre-)contractual inquiries and otherwise on the basis of our legitimate interest in responding to the inquiries.

• Types of data processed: master data (e.g. names, addresses), contact data (e.g. email, phone numbers), content data (e.g. entries in online forms)
• Data subjects: communication partners
• Purpose of processing: contact inquiries and communication
• Legal basis: performance of a contract and pre-contractual inquiries (Art. 6 (1) (b) GDPR), legitimate interests (Art. 6 (1) (f) GDPR)

Zendesk

We use the CRM system Zendesk to process user inquiries. The provider is Zendesk, Inc., 1019 Market Street, San Francisco, CA 94103, USA.

We use Zendesk to process your inquiries quickly and efficiently. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. You can submit inquiries by providing only your email address without giving your name. The messages sent to us remain with us until you request their deletion or the purpose for data storage ceases to apply (e.g. after your inquiry has been fully processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

Zendesk has Binding Corporate Rules (BCR) approved by the Irish Data Protection Authority. These are binding internal corporate rules that legitimise internal data transfers to third countries outside the EU and EEA. Details can be found here:
https://www.zendesk.com/blog/

If you do not agree with your inquiry being processed via Zendesk, you can alternatively contact us by email, phone or fax.

Further information can be found in Zendesk’s privacy policy:
https://www.zendesk.co.uk/company/agreements-and-terms

Our website also offers the option to send us messages via a chat window. The chat functions are provided by Zendesk. When you use this chat window, we store your chat messages along with your IP address. Providing your name is not required for the chat.

We have concluded a data processing agreement (DPA) with the provider mentioned above. This legally required contract ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

3.4 Cookies

Our website uses so-called cookies. Cookies are small data packets that do not cause any damage to your device. They are either temporarily stored for the duration of a session (session cookies) or permanently (persistent cookies) on your end device. Session cookies are automatically deleted at the end of your visit. Persistent cookies remain stored on your device until you delete them yourself or your web browser deletes them automatically.

Cookies may be set by us (first-party cookies) or by third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services provided by third parties within websites (e.g. cookies for processing payment services).

Cookies have different functions. Many cookies are technically necessary because certain website functions would not work without them (e.g. the shopping cart function or displaying videos). Other cookies may be used to analyse user behaviour or for advertising purposes.

Cookies required to carry out the electronic communication process, to provide certain functions you desire (e.g. shopping cart function) or to optimise the website (e.g. cookies for measuring the web audience) are stored on the basis of Art. 6 (1) (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in storing necessary cookies for the technically error-free and optimised provision of its services. Where consent to the storage of cookies and similar recognition technologies has been requested, processing is based exclusively on this consent (Art. 6 (1) (a) GDPR and § 25 (1) TTDSG); consent can be revoked at any time.

You can configure your browser to inform you about the use of cookies and allow cookies only in individual cases, to exclude the acceptance of cookies for specific cases or in general, and to activate the automatic deletion of cookies when closing the browser. Disabling cookies may limit the functionality of this website. You can find which cookies and services are used on this website in this privacy policy.

You can change your cookie settings at any time here: Cookie settings

4. OneTrust Consent Management Platform (CMP)

We use the OneTrust Consent Management Platform (CMP) on our website to inform you about the cookies and other technologies we use on our website, as well as to obtain, manage and document your consent to the processing of your personal data by these technologies, where required. This is necessary in accordance with Art. 6 (1) sentence 1 lit. c GDPR to fulfil our legal obligation under Art. 7 (1) GDPR to be able to prove your consent to the processing of your personal data. The OneTrust CMP used is provided by OneTrust LLC, 1200 Abernathy Rd NE, Building 600, Atlanta, GA 30328, USA, which processes your data on our behalf.

After you submit your cookie declaration on our website, the web server stores the following data: IP address, device information, browser information, selected language, the accessed website or its URL, date and time of your consent declaration, as well as information about your consent preferences.

Cookies containing information about your consent preferences are also used.

The data is stored in cookies and transmitted to OneTrust to manage and document your consents. Your data will be deleted after one year, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) sentence 1 lit. a GDPR or we reserve the right to use the data beyond this period, as permitted by law and as explained in this privacy policy.

We have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR with OneTrust. This is a contract required by data protection law to ensure that OneTrust only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

5. Service optimisation

5.1 Platform

Shopify

We host our website with Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (“Shopify”).

Shopify is a tool for creating and hosting websites. When you visit our website, Shopify collects your IP address and information about the device and browser you use. Shopify also analyses visitor numbers, visitor sources and customer behaviour and creates user statistics. If you make a purchase on our website, Shopify also collects your name, email address, shipping and billing addresses, payment details and other data related to the purchase (e.g. phone number, amount spent, etc.). For analysis purposes, Shopify stores cookies in your browser.

Details can be found in Shopify’s privacy policy:
https://www.shopify.com/uk/legal/privacy

The use of Shopify is based on Art. 6 (1) lit. f GDPR. We have a legitimate interest in presenting our website as reliably as possible. If consent has been requested, the processing is based exclusively on Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

We have concluded a data processing agreement (DPA) in accordance with Art. 28 GDPR with the above-mentioned provider. This contract required by data protection law ensures that the provider processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or analytics tools and other technologies on our website. Google Tag Manager itself does not create user profiles, store cookies or perform independent analyses. It is only used to manage and deploy the tools integrated through it. However, Google Tag Manager collects your IP address, which may be transmitted to Google’s parent company in the United States.

The use of Google Tag Manager is based on Art. 6 (1) lit. f GDPR.

Google reCAPTCHA

We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on this website. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

The purpose of reCAPTCHA is to verify whether data entry on this website (e.g. in a contact form) is carried out by a human or by an automated program. reCAPTCHA analyses the behaviour of website visitors based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. reCAPTCHA evaluates various information (e.g. IP address, time spent on the website, or mouse movements) for analysis. The data collected during the analysis is transmitted to Google.

reCAPTCHA analyses run completely in the background. Website visitors are not informed that an analysis is taking place.

The storage and analysis of data is based on Art. 6 (1) lit. f GDPR. The website operator has a legitimate interest in protecting its web offerings against abusive automated spying and spam. If consent has been requested, processing is based exclusively on Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be revoked at any time.

Further information on Google reCAPTCHA can be found in Google’s privacy policy and terms of use:
https://policies.google.com/privacy and
https://policies.google.com/terms

Yotpo product reviews and loyalty program

We use the service Yotpo, provided by Yotpo Ltd., 33 West 19th Street, New York, NY 10011, USA (EU branch: Yotpo Germany GmbH, c/o Mindspace, Friedrichstraße 68, 10117 Berlin).

Yotpo is used on our website for two purposes:

1. Product reviews: To allow customers to leave product reviews and display them publicly. Yotpo processes personal data such as name, email address, submitted review and technical information (e.g. IP address, browser data) when submitting and moderating reviews.
   
   
2. Loyalty program: Through Yotpo we offer a customer loyalty program where points can be collected for certain actions (e.g. purchases, reviews, referrals). Yotpo processes registration and usage data for this program, including name, email address, customer number, order history and reward account.

The processing of your data takes place – depending on the context – based on:

• Art. 6 (1) lit. b GDPR, if you register for the loyalty program or submit a review as part of a contractual relationship,
• Art. 6 (1) lit. a GDPR, if you actively consent to participation or promotional use (e.g. email reminders to review),
• as well as Art. 6 (1) lit. f GDPR to improve our offering and customer satisfaction, if no consent is required.

Yotpo may transfer personal data to third countries such as the USA. Where such transfer occurs, Yotpo relies on appropriate safeguards under Art. 46 GDPR (e.g. EU standard contractual clauses) and – where applicable – the EU-U.S. Data Privacy Framework. A data processing agreement under Art. 28 GDPR has been concluded with Yotpo. Further information on data protection at Yotpo can be found at:
https://www.yotpo.com/privacy-policy/

Hightouch and Fivetran (data transport services)

We use the services Hightouch, offered by Hightouch, Inc., 548 Market St, PMB 69508, San Francisco, CA 94104-5401, USA, and Fivetran, operated by Fivetran Inc., 1221 Broadway, Floor 20, Oakland, CA 94612, USA, for data synchronisation and integration between different systems.
Both services are used exclusively for temporary and technical data transport, i.e. for transferring and transforming data between our internal systems (e.g. CRM, email marketing, DWH). Personal data is not permanently stored on the servers of these providers but only during the immediate technical processing.
The transfer may – especially with Hightouch and Fivetran – also occur to third countries outside the EU, such as the USA. In such cases, we ensure an adequate level of data protection by using EU standard contractual clauses under Art. 46 GDPR and – where applicable – the EU-U.S. Data Privacy Framework.
The legal basis for processing in the context of data transport via these tools is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in maintaining a secure, efficient and scalable data infrastructure.
We have concluded data processing agreements under Art. 28 GDPR with both providers.

Snowflake (data warehouse)

We use the cloud service Snowflake, provided by Snowflake Inc., 106 East Babcock Street, Suite 3A, Bozeman, MT 59715, USA, as a central data warehouse system for storing and analysing large amounts of data.
Structured data from various operational systems is consolidated in Snowflake to efficiently process it for internal analysis purposes (e.g. reporting, business intelligence, marketing analysis). Processing is carried out exclusively for internal business purposes and generally based on pseudonymised or aggregated data.

Legal basis:
The processing is based on our legitimate interest in efficient data storage and analysis pursuant to Art. 6 (1) lit. f GDPR. If personal data is processed and consent is required, this is based on Art. 6 (1) lit. a GDPR.

Data transfer:
Snowflake operates data centres within the EU (e.g. Frankfurt am Main) and ensures that customer data is processed in accordance with the requirements of the GDPR. However, it is not excluded that group-wide technical support may involve access from third countries (in particular the USA) in individual cases.
Snowflake participates in the EU-U.S. Data Privacy Framework and offers additional contractual safeguards, such as standard contractual clauses pursuant to Art. 46 GDPR, to ensure an adequate level of protection.

Further information on data processing by Snowflake can be found at:
https://www.snowflake.com/en/privacy-policy/

5.2 Newsletter

If you register for our newsletter, we use the data required for this or provided separately by you to regularly send you our email newsletter based on your consent pursuant to Art. 6 (1) sentence 1 lit. a GDPR. You can unsubscribe from the newsletter at any time either by sending a message to the contact option described below or via a link provided in the newsletter. After unsubscribing, we delete your email address from the recipient list unless you have expressly consented to further use of your data in accordance with Art. 6 (1) sentence 1 lit. a GDPR or we reserve the right to use the data beyond this period, as permitted by law and explained in this privacy policy.

Please note that we analyse your user behaviour when sending the newsletter. We also analyse your interaction with our newsletter by measuring, storing and evaluating open rates and click rates to design future newsletter campaigns (“newsletter tracking”).

For this analysis, the emails sent contain one-pixel technologies (e.g. so-called web beacons, tracking pixels) stored on our website. For the evaluations, we link the following “newsletter data”, in particular:

• the page from which the page was requested (so-called referrer URL)
• the date and time of the request,
• a description of the type of web browser used,
• the IP address of the requesting computer,
• the email address,
• the date and time of registration and confirmation

and the one-pixel technologies with your email address or your IP address and possibly an individual ID. Links contained in the newsletter may also include this ID.

If you do not wish newsletter tracking, you can unsubscribe from the newsletter at any time as described above.

The information is stored as long as you are subscribed to the newsletter.

The newsletter may also be sent by our service providers within the scope of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please contact the contact option described in this privacy policy.

6. Tools and services for analytics, statistics and marketing

6.1 Analytics and statistics

Google Analytics (4)

This website uses functions of the Google Analytics web analytics service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics allows the website operator to analyse the behaviour of website visitors. The website operator receives various usage data, such as page views, duration of stay, operating systems used and the user’s origin. These data are assigned to the respective device of the website visitor and compiled in a user ID.

We can also record your mouse and scroll movements and clicks with Google Analytics. Furthermore, Google Analytics uses various modelling approaches to supplement the collected data sets and applies machine learning technologies in data analysis.

Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transferred to a Google server in the USA and stored there. The use of this service is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the EU Commission’s standard contractual clauses. Details can be found here: https://privacy.google.com/businesses

Google is also certified under the “EU-U.S. Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards when processing data in the USA. Any company certified under the DPF commits to comply with these standards.

Google Analytics e-commerce tracking

This website uses the “e-commerce tracking” function of Google Analytics. With the help of e-commerce tracking, the website operator can analyse the purchasing behaviour of website visitors to improve its online marketing campaigns. Information such as completed orders, average order values, shipping costs and the time from viewing a product to purchase is recorded. Google can combine this data under a transaction ID assigned to the respective user or device.

Lead Forensics

We use the Lead Forensics service, a web analytics service provided by Lead Forensics Group Ltd., 3000 Lakeside, North Harbour, Portsmouth, PO6 3EN, United Kingdom. Lead Forensics determines which companies visit our website based on IP addresses. Only company-related data is evaluated – such as company name, address, phone number and website visits, including date, duration and pages viewed. No personal data about individuals is processed unless it is directly and publicly linked to a company’s IP address.

The purpose is to analyse and optimise our B2B marketing and sales activities. The legal basis is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in economically marketing our services in the B2B sector. Lead Forensics does not use cookies and does not create user profiles. Processing takes place via servers in the EU and – where necessary – in the UK. There is an adequacy decision by the EU Commission under Art. 45 GDPR for data transfers to the UK.

A data processing agreement under Art. 28 GDPR has been concluded with Lead Forensics to ensure that your data is processed only according to our instructions and in compliance with applicable data protection regulations.

Further information on data protection at Lead Forensics can be found at:
https://www.leadforensics.com/privacy-and-cookies/

6.2 Advertising and Marketing

Braze

We use the Braze service on our website. The provider is Braze, Inc., 330 West 34th Street, 18th Floor, New York, NY 10001, USA (“Braze”) for newsletter marketing and push notifications. Braze processes user data such as email addresses, push tokens, interaction data and IP addresses in order to manage the sending of newsletters and push notifications and to analyse user interactions.

We have concluded a “Data Processing Agreement” with Braze under which Braze undertakes to protect our customers’ data, not to pass it on to third parties and, in the event of data transfers to the USA, to comply with the EU Standard Contractual Clauses in accordance with Art. 46 GDPR.

Braze is also certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an arrangement between the European Union and the USA designed to ensure compliance with European data protection standards when processing data in the USA. Any company certified under the DPF undertakes to comply with these data protection standards.

Data processing is based on your consent (double opt-in) pursuant to Art. 6 (1) lit. a GDPR, which you can revoke at any time with effect for the future. Existing customers may be informed about similar products and services within the framework of statutory provisions. You can revoke this at any time as well.

The newsletters contain a so-called “tracking pixel”, i.e. a one-pixel file that is retrieved from Braze’s server when the newsletter is opened. When this file is retrieved, technical information is initially collected, such as information about your browser and system, as well as your IP address and the time of retrieval. This information is used to improve the services technically on the basis of technical data or target groups and your reading behaviour based on the retrieval locations (which can be determined using the IP address) or access times.

Statistical analyses also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to individual newsletter recipients. However, it is neither our aim nor Braze’s to monitor individual users. The analyses help us to recognise the reading habits of our users and to adapt our content to them or to send different content according to our users’ interests.

Online access and data management in connection with newsletters: There are cases in which we direct newsletter recipients to Braze’s websites. For example, our newsletters contain a link that allows recipients to retrieve the newsletter online (e.g. in the event of display problems in the email program). Newsletter recipients can also manage their newsletter subscriptions and subscribe or unsubscribe from all or individual newsletters. Braze’s privacy policy is likewise only available on Braze’s website.

In this context, please note that cookies are used on Braze’s websites and that personal data may be processed by Braze, its partners and service providers (e.g. Google Analytics). We have no influence over this data collection. Further information can be found in Braze’s privacy policy. We also refer to the opt-out options for data collection for advertising purposes at
https://www.aboutads.info/choices/ and https://www.youronlinechoices.com (for the European area).

Trustpilot

We use the Trustpilot service, provided by Trustpilot A/S, Trommesalen 5, 3rd floor, 1614 Copenhagen, Denmark, for collecting and displaying user reviews. Participation in this review system is voluntary and requires prior registration with Trustpilot. If you participate in a review, your review will be published in accordance with Trustpilot’s terms both on our website and on Trustpilot’s platforms and, where applicable, those of its partners. The legal basis for the integration and disclosure is your express consent pursuant to Art. 6 (1) lit. a GDPR.
For the purpose of verifying and assigning your review, we transmit your email address, your name and an internal reference/booking number to Trustpilot. This transmission is carried out solely to invite you to leave a review and to ensure the authenticity of the review.
Further information on data protection at Trustpilot can be found at
https://uk.legal.trustpilot.com/end-user-privacy-terms and https://uk.legal.trustpilot.com/terms-of-use-for-consumers

Google Ads

The website operator uses Google Ads. Google Ads is an online advertising program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter certain search terms on Google (keyword targeting). Targeted advertisements can also be displayed based on user data available to Google (e.g. location data and interests) (audience targeting). As the website operator, we can evaluate these data quantitatively, for example by analysing which search terms led to the display of our ads and how many ads resulted in clicks.

The use of this service is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

For the USA, there is also an adequacy decision by the European Commission for companies certified under the Data Privacy Framework program. Google is certified accordingly and therefore meets the EU Commission’s requirements.

Google AdSense (non-personalised)

This website uses Google AdSense, a service for embedding advertisements. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

We use Google AdSense in “non-personalised” mode. In contrast to personalised mode, the ads are therefore not based on your past user behaviour and no user profile is created about you. Instead, so-called “context information” is used to select the advertising. The selected ads then depend, for example, on your location, the content of the website you are currently visiting or your current search terms. More about the differences between personalised and non-personalised targeting with Google AdSense can be found here:
https://support.google.com/adsense/answer

Please note that even when using Google AdSense in non-personalised mode, cookies or comparable recognition technologies (e.g. device fingerprinting) may be used. According to Google, these are used to combat fraud and abuse. The use of this service is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here:
https://privacy.google.com/businesses

You can adjust your ad settings yourself in your user account. To do so, click the following link and log in:
https://adssettings.google.com/authenticated

Further information on Google’s advertising technologies can be found here:
https://policies.google.com/technologies and https://policies.google.com/privacy

Google Ads Customer Match

We use Google Ads Customer Match lists as part of our Google advertising activities. For Customer Match, lists with hashed user data (e.g. names, email addresses, postal addresses, customer-specific identifiers) are uploaded to Google. Google then checks whether the transmitted user data matches existing Google customers. Target groups can be created from this and used for the delivery of ads/campaigns. After the Customer Match lists have been created, the hashed customer data are automatically deleted again. The providers do not gain access to new addresses as a result.

The recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google LLC, based in California, USA, and, where applicable, US authorities may access the data stored by Google.

The use of this service is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. Consent can be revoked at any time. Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here:
https://policies.google.com/privacy and https://privacy.google.com/businesses

Microsoft Advertising

We use the Microsoft Advertising service of Microsoft Ireland Operations Limited (Ireland/EU) (formerly Bing Ads) on our website. Microsoft Advertising is an online marketing service that helps us deliver ads in a targeted manner via Microsoft’s Bing search engine using the Universal Event Tracking (UET) tool. Microsoft Advertising uses cookies for this purpose. In doing so, personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about device and browser settings are processed.

Microsoft Advertising collects data via UET that allows us to track audiences using remarketing lists. For this purpose, a cookie is stored on the device used when visiting our website. This enables Microsoft Advertising to recognise that our website has been visited and to display an advertisement during later use of Microsoft Bing or Yahoo. The information also serves to create conversion statistics, i.e. to record how many users have reached our website after clicking on an ad. We thereby learn the total number of users who clicked on our ad and were redirected to our website. However, we do not receive any information that could personally identify users.

Further information on these processing activities, the technologies used, stored data and storage duration can be found in the settings of our consent management tool. Processing only takes place with your consent pursuant to § 25 TDDDG or Art. 6 (1) lit. a GDPR. You can revoke your consent via our consent management tool.

With Microsoft services, data transfers to Microsoft Corp. in the USA cannot be ruled out. Microsoft is certified under the Data Privacy Framework and therefore meets the requirements of the EU Commission’s adequacy decision. Further information on data protection at Microsoft can be found in Microsoft’s privacy statement at https://privacy.microsoft.com/en-gb/privacystatement.

RTB House

We use services from RTB House on our website. RTB House provides retargeting technology that makes it possible to show visitors to our website targeted advertisements on other websites based on their previous interactions with our website. For this purpose, RTB House uses cookies and similar technologies to collect pseudonymous information about user behaviour (e.g. products viewed, click behaviour). These data are not combined with other personal information and do not allow direct identification.
Processing takes place exclusively on the basis of your explicit consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TTDSG (setting of cookies). Consent can be revoked at any time via the consent manager. Further information on data processing by RTB House can be found at https://www.rtbhouse.com/privacy-center/.

Google Dynamic Remarketing

We use the functions of Google Dynamic Remarketing on our website, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Dynamic Remarketing enables us to display targeted advertising to visitors to our website on other websites within the Google advertising network (e.g. in Google Search or on YouTube) that is tailored to users’ interests. For this purpose, Google analyses user behaviour on our website, such as which products were viewed or purchased, in order to display corresponding advertisements on other pages.
To this end, Google uses cookies or comparable technologies (e.g. pixels) that allow the visitor’s browser to be recognised. Pseudonymous usage profiles can be created in the process. According to Google, no combination with personal data takes place unless the user has expressly consented to the processing (e.g. via a Google account).

The use of Google Dynamic Remarketing takes place exclusively on the basis of your consent pursuant to Art. 6 (1) lit. a GDPR, provided you have given this via our consent management tool. Consent can be revoked at any time with effect for the future.

The information collected through remarketing is generally transmitted to Google servers in the USA and stored there. An adequate level of data protection exists for the transfer via the EU-US Data Privacy Framework and the conclusion of Standard Contractual Clauses pursuant to Art. 46 GDPR. Further information on Google’s data processing and settings options can be found in Google’s privacy policy: https://policies.google.com/privacy

6.3 Social Media and Communication

Meta Pixel

This website uses Facebook’s visitor action pixel for conversion measurement. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. According to Facebook, the data collected may also be transferred to the USA and other third countries.

This makes it possible to track the behaviour of site visitors after they have been redirected to the provider’s website by clicking on a Facebook ad. This allows the effectiveness of Facebook ads to be evaluated for statistical and market research purposes and to optimise future advertising measures.

The data collected is anonymous to us as the operator of this website; we cannot draw any conclusions about the identity of users. However, the data is stored and processed by Facebook so that a connection to the respective user profile is possible and Facebook can use the data for its own advertising purposes in accordance with the Facebook Data Policy. This enables Facebook to place advertisements on Facebook pages as well as outside of Facebook. We as the site operator have no influence on this use of data.

Use of this service is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. You can withdraw your consent at any time. Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Facebook is also certified under the Data Privacy Framework program: https://www.facebook.com/EU_data_transfer and https://de-de.facebook.com/help

Where personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited exclusively to the collection of the data and its transmission to Facebook. Processing by Facebook after transmission is not part of the joint responsibility. Our joint obligations are set out in an agreement on joint processing. The text of the agreement can be found at: https://www.facebook.com/legal/controller.
Under this agreement, we are responsible for providing data protection information when using the Facebook tool and for the privacy-compliant implementation of the tool on our website. Facebook is responsible for the data security of Facebook products. You can assert data subject rights (e.g. access requests) regarding the data processed by Facebook directly with Facebook. If you assert your rights with us, we are obliged to forward them to Facebook.
Further information on protecting your privacy can be found in Facebook’s privacy information: https://www.facebook.com/privacy/policy/

You can also deactivate the “Custom Audiences” remarketing function in the ad settings section at https://www.facebook.com/ads/preferences. You must be logged in to Facebook to do this.

Meta Custom Audiences

We use Meta Custom Audiences. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

If you visit or use our websites and apps, use our free or paid services, transmit data to us or interact with our company’s Facebook content, we collect your personal data. If you give us consent to use Facebook Custom Audiences, we will transmit this data to Facebook so that Facebook can display suitable advertising to you. Target groups (lookalike audiences) can also be defined using your data.

Facebook processes this data as our processor. Details can be found in Facebook’s terms of use: https://www.facebook.com/legal/terms/customaudience.

Use of this service is based on your consent pursuant to Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG. You can withdraw your consent at any time.

Data transfer to the USA is based on the EU Commission’s Standard Contractual Clauses. Details can be found here:
https://www.facebook.com/customaudience and https://www.facebook.com/dataprocessing.
Facebook is also certified under the Data Privacy Framework.

YouTube

This website embeds videos from the YouTube website. The operator of that website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. When you visit one of our pages on which YouTube is embedded, a connection to the YouTube servers is established. The YouTube server is informed which of our pages you have visited.

YouTube can also store various cookies on your device or use comparable recognition technologies (e.g. device fingerprinting). In this way, YouTube can obtain information about visitors to this website. This information is used, among other things, to compile video statistics, improve user-friendliness and prevent fraud attempts.

If you are logged into your YouTube account, you enable YouTube to associate your browsing behaviour directly with your personal profile. You can prevent this by logging out of your YouTube account.

The use of YouTube is in the interest of an attractive presentation of our online offerings. This constitutes a legitimate interest within the meaning of Art. 6 (1) lit. f GDPR. Where consent has been requested, processing takes place exclusively on the basis of Art. 6 (1) lit. a GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information on the user’s device (e.g. device fingerprinting) within the meaning of the TDDDG. Consent can be withdrawn at any time. Further information on the handling of user data can be found in YouTube’s privacy policy: https://policies.google.com/privacy

The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an arrangement between the European Union and the USA designed to ensure compliance with European data protection standards when processing data in the USA. Any company certified under the DPF undertakes to comply with these standards. Further information from the provider is available here: https://www.dataprivacyframework.gov

7. Customer Account

If you register for a personal customer account, we process the registration data for the creation and administration of your customer account as well as for the processing of future orders. Registration is carried out using a passwordless procedure. For this purpose, you enter your email address and receive a one-time verification code by email. After entering the code, you gain access to your personal customer account or a customer account is created for you. In your customer account, you can, among other things, view your order history and save and modify your personal settings (e.g. newsletter preferences, billing and delivery addresses).

The legal basis for processing is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR in providing the “customer account” service described above for you and/or the performance of a user contract with you (Art. 6 (1) lit. b GDPR). These data are deleted when registration on our website and/or the customer account is cancelled or deleted.

You can object to processing of your data based on Art. 6 (1) lit. f GDPR. In principle, we could demonstrate compelling legitimate grounds for the processing in order to continue it. However, for use of a customer account we will not do so; the customer account must then be deleted and will no longer be available to you. Please note that we may store data relating to orders visible in your customer account for a longer period.

7.1 Shop and E-Commerce

We process our customers’ data in order to enable them to select, purchase and/or order the chosen products, goods and related services, as well as to enable their payment and delivery and/or performance. Where necessary for fulfilling an order, we use service providers—particularly postal, freight and shipping companies—to carry out delivery and/or performance to our customers. We use banks and payment service providers to process payments. The required details are marked as such during the ordering or comparable purchase process and include the information necessary for delivery/provision and billing, as well as contact information so that we can follow up if necessary.

• Categories of data processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. email, phone numbers), contract data (e.g. subject matter, term, customer category), usage data (e.g. pages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses)
• Data subjects: prospects, business and contractual partners, customers
• Purposes of processing: performance of contractual services and customer service, handling contact requests and communication, office and organisational procedures, administration and response to enquiries, security measures, conversion measurement (measuring the effectiveness of marketing measures), interest-based and behavioural marketing, profiling (creating user profiles)
• Legal bases: performance of contract and pre-contractual enquiries (Art. 6 (1) sentence 1 lit. b GDPR), legal obligation (Art. 6 (1) sentence 1 lit. c GDPR), legitimate interests (Art. 6 (1) sentence 1 lit. f GDPR)

7.2 Economic Analyses and Market Research

For business management purposes and to be able to recognise market trends and the wishes of contractual partners and users, we analyse the data available to us regarding business transactions, contracts, enquiries, etc. The group of data subjects may include contractual partners, prospects, customers, visitors and users of our online offering.
The analyses are carried out for the purpose of business evaluations, marketing and market research (e.g. to identify customer groups with different characteristics). Where available, we may take into account the profiles of registered users along with their details, e.g. about services used. The analyses are for our use only and are not disclosed externally unless they are anonymous analyses with aggregated, i.e. anonymised, values. We also respect users’ privacy and process data for analytical purposes as pseudonymously as possible and, where feasible, anonymously (e.g. as aggregated data).

7.3 Payment Service Providers

As part of contractual and other legal relationships, due to legal obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and use, in addition to banks and credit institutions, other payment service providers (“payment service providers”).

The data processed by the payment service providers include inventory data such as name and address, bank data such as account or credit card numbers, passwords, TANs and checksums, as well as contract, totals and recipient-related information. The information is required to carry out the transactions. The entered data are processed only by the payment service providers and stored by them. In other words, we do not receive any account or credit card related information, only information confirming or rejecting payment. In certain circumstances, the payment service providers transmit the data to credit reference agencies. This transmission is intended to verify identity and creditworthiness. For this we refer to the terms and privacy notices of the payment service providers.
For payment transactions, the terms and privacy notices of the respective payment service providers, which are available within the respective websites or transaction applications, apply. We also refer you to these for further information and to exercise rights of revocation, access and other data subject rights.

7.4 Carriers

For the purpose of delivering ordered goods, we work with logistics service providers/carriers and/or shipping partners. The following data are transmitted to them for the purpose of delivering the ordered goods and/or for shipment notifications: first name, last name, postal address and, where applicable, email address and, where applicable, phone number. The legal basis for processing is Art. 6 (1) lit. b GDPR.

7.5 Credit Checks

For purchases on account or other payment methods where we provide goods or services in advance, we may carry out a credit check (scoring). For this purpose, we transmit the data you have entered (e.g. name, address, age or bank details) to a credit reference agency. Based on this data, the probability of a payment default is determined. If the risk of non-payment is excessive, we may refuse the relevant payment method.

The credit check is carried out on the basis of performance of a contract (Art. 6 (1) lit. b GDPR) and to avoid payment defaults (legitimate interest pursuant to Art. 6 (1) lit. f GDPR). Where consent has been obtained, the credit check is carried out on the basis of this consent (Art. 6 (1) lit. a GDPR); consent can be withdrawn at any time.

8. Online presence on social media

Where you have given your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR to the respective social media provider, your data will be automatically collected and stored for market research and advertising purposes when you visit our online presences on our social media channels. Using pseudonyms, usage profiles may be created from this data. These profiles can be used, for example, to display advertisements within and outside the platforms that are presumed to match your interests. Cookies are generally used for this purpose. Detailed information on the processing and use of data by the respective social media provider, as well as contact details and your rights and setting options to protect your privacy, can be found in the respective privacy notices linked on the providers’ websites. Should you need assistance in this regard, you can contact us.

For details on the collection and storage of your personal data as well as the type, scope, and purpose of its use by the operator of the respective social network, please refer to the privacy policies of the respective operators.

• Facebook: Joint controller is Meta Platforms Technologies Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. You can view Facebook’s privacy policy at https://www.facebook.com/privacy/policy/.
• Instagram: Joint controller is Meta Platforms Technologies Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. You can view Instagram’s privacy policy at https://help.instagram.com.
• YouTube: Joint controller is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. You can view YouTube’s privacy policy at https://www.gstatic.com/policies/privacy.
• LinkedIn: Joint controller is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. You can view LinkedIn’s privacy policy at https://www.linkedin.com/privacy-policy.
• Xing: Joint controller is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. You can view Xing’s privacy policy at https://privacy.xing.com/en/privacy-policy.

Facebook page

We operate this page as a communication and information channel to inform about our offers. Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in using this contemporary form of information and interaction with the users and visitors of the page.

Please note that you use this Facebook page and its functions under your own responsibility. This applies in particular to the use of interactive features (e.g. commenting, sharing, rating).

Processing of personal data by Facebook:

When you visit our Facebook page, Facebook collects, among other things, your IP address as well as further information stored as cookies on your computer. This information is used to provide us, as the operator of the Facebook pages, with statistical information on the use of the Facebook page. Further information is provided by Facebook at the following link: https://www.facebook.com/privacy/policy/

The data collected about you in this context is processed by Facebook Ltd. and may be transferred to countries outside the European Union. Facebook describes what information it receives and how it is used in general terms in its data usage guidelines. There you will also find information on how to contact Facebook and on the settings for advertisements. The data usage guidelines as well as the information required under Article 13 para. 1 lit. a) and b) GDPR are available at the following link: https://www.facebook.com/privacy/data_policy_redirect

How Facebook uses the data from visits to Facebook pages for its own purposes, the extent to which activities on the Facebook page are assigned to individual users, how long Facebook stores this data, and whether data from a visit to the Facebook page is passed on to third parties is not conclusively and clearly stated by Facebook and is unknown to us.

When you access a Facebook page, the IP address assigned to your device is transmitted to Facebook. According to Facebook, this IP address is anonymised (in the case of “German” IP addresses) and deleted after 90 days. Facebook also stores information about its users’ devices (e.g. within the scope of the “login notification” function); Facebook may thus be able to assign IP addresses to individual users.

If you are currently logged in to Facebook as a user, a cookie with your Facebook ID is stored on your device. This allows Facebook to track that you have visited this page and how you have used it. This also applies to all other Facebook pages. Facebook buttons embedded in websites allow Facebook to record your visits to these websites and associate them with your Facebook profile. Based on this data, content or advertising can be tailored to you. If you want to avoid this, you should log out of Facebook or disable the “stay logged in” function, delete the cookies present on your device, and close and restart your browser. This will delete Facebook information that can directly identify you. You can then use our Facebook page without revealing your Facebook ID. If you access interactive functions of the page (like, comment, share, messages, etc.), a Facebook login screen will appear. After any login, you will again be recognised by Facebook as a specific user.

As personal data is transferred to the USA, additional protective mechanisms are required to ensure the GDPR level of data protection. To ensure this, we have agreed standard contractual clauses pursuant to Art. 46 para. 2 lit. c) GDPR with the provider. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even by this contractual extension, we endeavour to agree on additional provisions and assurances from the recipient in the USA. Further information from the third-party provider regarding data protection, including the legal basis on which Facebook Ireland relies, and information on how you can manage or delete information about you, can be found on Facebook’s website: https://www.facebook.com/privacy/policy/

Processing of data by us:

Through the so-called “Insights” of the Facebook page, we can access statistical data of different categories. These statistics are generated and provided by Facebook. As the operator of the page, we have no influence on the generation and display of this data. We cannot disable this function or prevent the generation and processing of the data. For a selectable period of time and for the categories fans, subscribers, reached persons and interacting persons, Facebook provides us with the following data relating to our Facebook page:

• Total number of page views and activities, post interactions (likes, comments, shared content, link clicks, etc.), (post) reach, video views, responses,
• Gender distribution,
• Origin by country and city,
• Language,
• Shop views and clicks,
• Clicks on route planners,
• Clicks on phone numbers.

Data on Facebook groups linked to our Facebook page is also provided in this way. Due to the ongoing development of Facebook, the availability and preparation of the data changes, so we refer to Facebook’s privacy policy mentioned above for further details. We use this aggregated data available to us to make our posts and activities on our Facebook page more attractive to users. For example, we use the distribution by age and gender to adapt our address, and the preferred visiting times of users for optimised timing of our posts. Information about the type of devices used by visitors helps us adjust the visual design of our posts. According to the Facebook terms of use, which every user has agreed to when creating a Facebook profile, we can identify subscribers and fans of the page and view their profiles as well as other information they have shared.

Users’ rights:

Within the framework of the agreement on joint responsibility concluded between us and Facebook, Facebook Ireland assumes primary responsibility under the GDPR for the processing of Insights data and fulfils all obligations arising from the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). In addition, Facebook Ireland will make the essence of this Page Insights Supplement available to data subjects.

You are welcome to contact either us or Facebook if you have any questions. Under the agreement between us and Facebook, we will forward your request to Facebook without delay if Facebook alone is responsible for fulfilling your data subject rights. Facebook Ireland will respond to requests in accordance with the obligations incumbent upon us under this Page Insights Supplement.

Instagram

We operate this page as a communication and information channel to inform you about our offers. Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in using this contemporary means of information and interaction with users and visitors of the page.

Please note that you use this Instagram page and its functions under your own responsibility. This applies in particular to the use of interactive features (for example, commenting or rating).

When you visit our Instagram page, Facebook collects, among other things, your IP address as well as further information stored as cookies on your device. This information is used to provide us, as the operator of the Instagram page, with statistical information about the use of the Instagram page. The data collected about you in this context is processed by Facebook and may be transferred to countries outside the European Union. Which information Facebook receives and how it is used is described by Facebook in general terms in its privacy policy. There you will also find information on how to contact Facebook and on the settings for advertisements. The privacy policy is available at the following link: https://help.instagram.com

How Facebook uses data from visits to Instagram pages for its own purposes, to what extent activities on the Instagram page are assigned to individual users, how long Facebook stores this data, and whether data from a visit to the Instagram page is passed on to third parties is not conclusively and clearly stated by Facebook and is unknown to us.

When you access an Instagram page, the IP address assigned to your device is transmitted to Facebook. According to Facebook, this IP address is anonymised (for “German” IP addresses) and deleted after 90 days. Facebook also stores information about its users’ devices (for example, within the scope of the “login notification” function); Facebook may thus be able to assign IP addresses to individual users.
If you are currently logged in to Instagram as a user, a cookie with your Instagram ID is stored on your device. This enables Facebook to track that you have visited this page and how you have used it. This also applies to all other Instagram pages. Instagram buttons embedded in websites allow Facebook to record your visits to these websites and associate them with your Instagram profile. Based on this data, content or advertising can be tailored to you. If you wish to avoid this, you should log out of Instagram or disable the “stay logged in” function, delete the cookies stored on your device, and close and restart your browser. In this way, Instagram information that can directly identify you will be deleted. You can then use our Instagram page without revealing your Instagram ID. If you access interactive functions of the page (like, comment, messages and others), an Instagram login screen will appear. After any login, you will again be recognised by Instagram as a specific user.

As personal data is transferred to the USA, additional protective mechanisms are required to ensure the GDPR level of data protection. To ensure this, we have agreed standard contractual clauses pursuant to Art. 46 para. 2 lit. c GDPR with the provider. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection in Europe. In cases where this cannot be ensured even by this contractual extension, we endeavour to agree on additional provisions and assurances from the recipient in the USA. Further information from the third-party provider on data protection, as well as information on how you can manage or delete information about you, can be found in the Instagram Help Center at the following address: https://help.instagram.com.

YouTube channel

We operate this page as a communication and information channel to inform you about our offers. Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in using this contemporary means of information and interaction with users and visitors of the page.

Please note that you use the YouTube channel offered here and its functions on your own responsibility. This applies in particular to the use of the “Discussion” function. Information about which data is processed by Google and for what purposes it is used can be found in Google’s privacy policy: https://policies.google.com/privacy

We have no influence over the type and scope of the data processed by Google, the manner in which it is processed and used, or the disclosure of this data to third parties. Nor do we have effective means of control in this regard. By using Google, your personal data is collected, transmitted, stored, disclosed, and used by Google. In addition, regardless of your place of residence, your data may be transferred to, stored, and used in the United States, Ireland, and any other country in which Google LLC conducts business. Data is also transferred to companies affiliated with Google and to other trusted companies or individuals who process it on Google’s behalf. Google processes, on the one hand, the data you voluntarily enter, such as your name and username, email address, and phone number. Google also processes the content you create, upload, or receive from others when using the services. This includes, for example, photos and videos you store, documents and spreadsheets you create, and comments you write on YouTube videos. On the other hand, Google also analyses the content you share to determine which topics you are interested in, stores and processes confidential messages you send directly to other users, and can determine your location based on GPS data, information about wireless networks, or your IP address in order to deliver advertising or other content to you.

For analysis, Google may use tools such as Google Analytics. We have no influence on the use of such tools by Google and have not been informed about any such potential use. Should Google use tools of this kind for our YouTube channel, we have neither commissioned nor otherwise supported this. Nor are the data obtained from such analyses made available to us. Only the profiles of subscribers are visible to us via their accounts. Moreover, we have no means of preventing or disabling the use of such tools on your YouTube channel.

Finally, Google also receives information when you view content, for example, even if you have not created an account. Such so-called “log data” may include the IP address, browser type, operating system, information about the previously visited website and the pages you access, your location, your mobile provider, the device you use (including device ID and application ID), the search terms you use, and cookie information.

You can restrict the processing of your data in the general settings of your Google account. In addition to these tools, Google also offers specific privacy settings for YouTube. You can find more information in Google’s Guide to privacy in Google products: https://policies.google.com/technologies

Further information on these points can be found in Google’s privacy policy under “Your privacy controls”: https://policies.google.com/privacy

We also process your data when you communicate with us via YouTube. Although we do not collect any data ourselves via your YouTube account, the data you enter on YouTube, in particular your username and the content published under your account, is processed by us insofar as we may respond to your comments and your posts under “Discussions”. The data you freely publish and share on YouTube may thus be included in our offer and made accessible to our followers.

LinkedIn

We operate this channel as a communication and information platform to inform you about our offers. Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in using this contemporary means of information and interaction with users and visitors of the page.

Please note that you use this LinkedIn page and its functions under your own responsibility. This applies in particular to the use of interactive features (for example, when you leave a comment, click a like button, share a post, send us a message, visit the page, or otherwise interact on our LinkedIn page).

We have no influence over the type and scope of the data processed by LinkedIn, the manner in which it is processed and used, or the disclosure of this data to third parties. Nor do we have effective means of control in this regard. By using LinkedIn, your personal data is collected, transmitted, stored, disclosed, and used by LinkedIn.

You can restrict the processing of your data in the general settings of your LinkedIn account. In addition, on mobile devices (smartphones, tablets), you can limit LinkedIn’s access to contact and calendar data, photos, location data, etc. in the device settings. However, this depends on the operating system you use.

The transfer of data to the USA is based on the European Commission’s standard contractual clauses.
Details can be found here:
https://www.linkedin.com/dpa and
https://www.linkedin.com/eu-sccs

In addition, an adequacy decision by the European Commission applies to the USA if companies certify under the Data Privacy Framework program. LinkedIn is certified accordingly and thus meets the European Commission’s requirements.

Further information on these points can be found in LinkedIn’s privacy policy: https://www.linkedin.com/privacy-policy

Information about personalization and privacy settings can be found here: https://www.linkedin.com/help/linkedin/answer

We also process your data when you communicate with us via LinkedIn. By analysing visits and interactions on our LinkedIn page, we receive usage profiles and statistics. The visitor statistics created are provided to us exclusively in anonymised form. We have no access to the underlying individual data. Based on this information collected by LinkedIn, demographic and geographic analyses are also generated and made available to us. With the help of this data, companies can better understand which posts interest users, interact more effectively with their target audience, and place more targeted advertising.

Xing

We operate this page as a communication and information channel to inform you about our offers. Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in using this contemporary means of information and interaction with users and visitors of the page.

XING is a social network operated by XING SE, based in Hamburg. Members can primarily manage their professional but also private contacts and establish new connections. Organisations can create a page with a logo and short profile, post news, and initiate discussion groups. To use the network functions, users must register. There is a free basic version and a paid version with additional features. Unlike other social networks, XING is more focused on the combination of personal and electronic contact, is less commercial and less visually oriented. The main focus is professional exchange on specialist topics with people who share the same professional interests. In addition, XING is frequently used by companies and other organisations for recruiting staff and presenting themselves as attractive employers. XING is also linked to the employer review platform kununu.

Please note that you use this Xing page and its functions under your own responsibility. This applies in particular to the use of interactive features (for example, when you leave a comment, click a like button, share a post, send us a message, visit the page, or otherwise interact on our Xing page).

We have no influence over the type and scope of the data processed by Xing, the manner in which it is processed and used, or the disclosure of this data to third parties. Nor do we have effective means of control in this regard. By using Xing, your personal data is collected, transmitted, stored, disclosed, and used by Xing.

You can restrict the processing of your data in the general settings of your Xing account. In addition, on mobile devices (smartphones, tablets), you can limit Xing’s access to contact and calendar data, photos, location data, etc. in the device settings. However, this depends on the operating system you use.

Further information on these points can be found in Xing’s privacy policy: https://privacy.xing.com/privacy-policy

We also process your data when you communicate with us via Xing. By analysing visits and interactions on our Xing page, we receive usage profiles and statistics. The visitor statistics created are provided to us exclusively in anonymised form. We have no access to the underlying individual data. Based on this information collected by Xing, demographic and geographic analyses are also generated and made available to us. With the help of this data, companies can better understand which posts interest users, interact more effectively with their target audience, and place more targeted advertising.

TikTok page

We operate this page as a communication and information channel to inform you about our offers. Personal data is processed in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in using this contemporary form of communication.

Please note that you use the TikTok channel and its functions under your own responsibility. This applies in particular to the use of interactive features (e.g. commenting, liking, sharing). Information about what data TikTok processes and for what purposes can be found in TikTok’s privacy policy: https://www.tiktok.com/privacy-policy

We have no influence on the type and scope of data processing by TikTok, the further processing, use or disclosure to third parties. TikTok may also transfer personal data outside the EU (e.g. to the USA or Singapore), in particular to group companies such as TikTok Inc. in the USA. TikTok bases such transfers on the European Commission’s standard contractual clauses and states that it takes technical and organisational measures to protect personal data.

TikTok processes data such as:

• Your IP address, device information and location data
• Usage activities, e.g. interactions with content, likes, shares, comments
• Content and media you upload or share with others
• When registering: account data such as email address, phone number, profile name

We also process your data when you interact with us on TikTok (e.g. by commenting or sending direct messages). Content you voluntarily publish on TikTok (including your username and posts) may be used by us for public relations purposes.

Pinterest page

We operate our Pinterest presence as an information channel about our products and content. The processing of personal data is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

Please note that you use Pinterest and its functions under your own responsibility. This applies in particular to commenting, saving (pinning), or sharing content. Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, is responsible for data protection. Information about Pinterest’s data processing can be found at: https://policy.pinterest.com/privacy-policy

Pinterest collects, among other things:

• Device information (including IP address, browser type, operating system)
• Location data, cookies, and tracking data
• Information about your activities on Pinterest (viewed pins, search terms, interactions)

Pinterest may also process personal data in third countries outside the EU, in particular in the USA. Pinterest bases such transfers on the European Commission’s standard contractual clauses.

We may also gain insight into publicly available information through your interactions (e.g. repins, comments) and use this to interact with you on the platform. No further processing by us takes place beyond this.

9. Competitions

We occasionally run competitions, including on social media platforms. If you take part in one of our competitions, we process the following data about you:

• Name
• Contact details (e.g. email address, phone number)
• Your social media profile, if applicable

The processing of this data is based on the competition contract (Art. 6 para. 1 lit. b GDPR) and serves exclusively to carry out the competition, including determining and notifying the winners.

For certain competitions, subscribing to our newsletter is required, as this is an integral part of the participation conditions. By entering, you agree to subscribe to our newsletter. The newsletter is sent exclusively to provide relevant information about our products, services, and offers.
You can unsubscribe from the newsletter at any time by using the unsubscribe link included in the newsletter or by contacting us directly. Please note that unsubscribing from the newsletter during the competition period may end your participation, as subscription is a contractual requirement.

Your data will be deleted after the competition has ended, unless statutory retention obligations require longer storage or you have consented to further use (e.g. for the newsletter).

For competitions held on social media platforms, the respective provider’s privacy policies also apply.

Your data will only be passed on to third parties if this is necessary for prize delivery (e.g. to shipping service providers).

Detailed information about each competition can be found in the specific terms and conditions of participation.

10. Processing of personal data for advertising purposes

We would like to use the data you have provided or that has been collected during your use of the website to inform you about our products and services relating to our range (“Wardow services”) (advertising) or to improve our offers and services (product development).

On our website, you can subscribe to a free newsletter. The data collected during registration is processed (fields marked as mandatory are required to receive the newsletter, while voluntarily provided data is used solely for personalised communication and to select the information shown to you).

By email we contact you with information, offers, and promotions tailored to your interests and use of Wardow services, either based on your explicit consent or – if you purchase similar goods or services from us and provide your email address – also without separate consent. We process data about your usage behaviour after sending you emails (e.g. click behaviour).

By phone we only contact you with your explicit consent, with information, offers, and promotions tailored to your interests and use of Wardow services.

By postal mail we may contact you, even without consent, to the extent legally permitted, regarding Wardow services.

You can object to the use of your personal data for advertising and product development purposes, as well as the associated contact, in whole or in part, at any time or revoke any consent you may have given. Please use the functions provided (e.g. the unsubscribe function in the newsletter) or send a written message (keyword: data protection) or an email to the contact details provided.

The legal basis for processing is your consent (Art. 6 para. 1 lit. a GDPR) and our legitimate interests (Art. 6 para. 1 lit. f GDPR), if applicable in conjunction with Section 7 para. 3 UWG (German Act Against Unfair Competition).

These data will be deleted after your objection or the withdrawal of any consent given or, at the latest, after the end of use by us, or will only be stored in aggregated, anonymised form. Where necessary, we will record the fact of your objection to ensure you are not contacted again.

11. Security

We have implemented technical and administrative security measures to protect your personal data against loss, destruction, manipulation, and unauthorized access. All our employees as well as service providers working on our behalf are bound by the applicable data protection laws.

Whenever we collect and process personal data, it is encrypted before being transmitted. This means your data cannot be misused by third parties. Our security measures are subject to continuous improvement, and our privacy policies are regularly reviewed. Please ensure that you have the most recent version.

12. Information obligations for customers and business partners

We process the data that we receive from you in the course of contract initiation and execution, based on your consent, during your application with us, or as part of your employment with us.

The personal data includes:

Your master/contact details, which for customers include, for example, first and last name, address, contact details (email address, phone number, fax), and bank details.

For business partners, this includes, for example, the names of their legal representatives, company name, commercial register number, VAT ID, company number, address, contact person details (email address, phone number, fax), and bank details.

For which purposes and on which legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018 in its applicable version:

• To fulfil (pre-)contractual obligations (Art. 6 para. 1 lit. b GDPR):
  The processing of your data takes place for the execution of contracts online. The data is particularly processed during the initiation and execution of contracts with you.
• To comply with legal obligations (Art. 6 para. 1 lit. c GDPR):
  The processing of your data is necessary to comply with various legal obligations, for example from the German Commercial Code or the Fiscal Code.
• To protect legitimate interests (Art. 6 para. 1 lit. f GDPR):
  Based on a balancing of interests, data processing may take place beyond the actual performance of the contract in order to safeguard our legitimate interests or those of third parties. Data processing to protect legitimate interests occurs, for example, in the following cases:
• Advertising or marketing
• Measures for business management and the development of services and products
• Within the scope of legal prosecution
• Sending non-sales-promoting information and press releases
• Based on your consent (Art. 6 para. 1 lit. a GDPR):
  If you have given us your consent to process your data, e.g. to send you our newsletter.

13. Data recipients

13.1 Who receives my data?

As a rule, personal data is processed by us as the controller. However, processing by transferring or disclosing personal data to third parties may be necessary as part of carrying out our activities, particularly if one of the following reasons applies on the stated legal basis:

• It is necessary for the performance of a contract with the data subject or for the implementation of pre-contractual measures at their request (Art. 6 para. 1 lit. b GDPR).
• The disclosure is required for the establishment, exercise or defence of legal claims and there is no reason to assume that the data subject has an overriding legitimate interest in the non-disclosure of their data (Art. 6 para. 1 lit. f GDPR).
• There is a legal obligation to disclose the data (Art. 6 para. 1 lit. c GDPR).
• We have valid consent (Art. 6 para. 1 lit. a GDPR).

Categories of recipients in the course of our activities may in particular include:

• Postal, telecommunications and transport service providers
• Payment and financial service providers
• Sales and business partners as well as other persons and companies involved in providing services
• Authorities, courts, opposing parties and other participants

We also indicate, within the respective processing descriptions, if further recipients are to be considered.

13.2 Information on transfers to third countries (data transfer to non-EU/EEA countries)

We use technologies from service providers on our website whose registered office and/or server locations may be in third countries outside the EU or EEA. If there is no adequacy decision for this country by the European Commission, an adequate level of data protection must be ensured by other appropriate safeguards.

Appropriate safeguards in the form of contractually agreed standard contractual clauses issued by the European Commission or binding corporate rules are generally possible but require prior review by the contracting parties to ensure an adequate level of protection can be guaranteed. According to the case law of the European Court of Justice (ECJ), it may be necessary to take additional protective measures.

We have generally concluded the standard data protection clauses issued by the European Commission with the technology providers we use who process personal data in a third country. Where possible, we also agree on additional safeguards to ensure that an adequate level of data protection is maintained in third countries without an adequacy decision.

Nevertheless, despite all contractual and technical measures, the level of data protection in the third country may not correspond to that of the EU. In such cases, we may request your consent under Art. 49 para. 1 lit. a GDPR, where necessary, within the cookie consent process, to transfer your personal data to a third country.

There is in particular the risk that local authorities in the third country may not be sufficiently restricted in their access rights to your personal data from a European data protection perspective, that we as the data exporter or you as the data subject may not be aware of this and/or that you may have no adequate legal remedies to prevent or challenge such access.

The following countries in particular are currently considered third countries without an adequacy decision by the European Commission (non-exhaustive examples):

• China
• Russia
• Taiwan

You can find out which third countries we transfer data to in the privacy notices for the respective tool and/or the consent management service (Consent Management Platform – CMP) we use.

13.3 Processing on behalf by service providers

To carry out our activities, we also use service providers as processors in accordance with Art. 28 GDPR within the scope of processing personal data. These service providers are also considered recipients of the data under data protection law. A data processing agreement ensures, in particular, that the processing is carried out based on our instructions, that sufficient guarantees exist for the implementation of appropriate technical and organisational measures, and that the rights of data subjects are safeguarded.
In general, we use service providers for the following processing purposes:

• Hosting of our online services/websites with providers (infrastructure and platform services, computing capacity, storage space and database services)
• Maintenance and support of the online services/websites
• Implementation, maintenance and support of IT systems
• Document and information management
• Communication, contact and conferencing systems (email, contacts, appointments, messengers, video conferencing, etc.)
• File and data carrier destruction

14. How long will my data be stored?

We generally store personal data for as long as it is necessary for the purposes of the respective processing, as long as statutory or regulatory retention periods exist, or as long as we have a legitimate interest in storage or corresponding consent has been given by the data subject.

We store certain data according to the following rules for the respective specified period and delete or destroy them after the specified retention period has expired:

• If processing is based on your consent, we delete the affected data after you withdraw your consent
• If none of the following retention periods apply, we delete the data once the processing purpose no longer applies
• 3 years: Data and content related to legal transactions (including their preparation) as far as necessary to provide information and defence capability as well as to assert or defend claims. This also includes data for marketing and customer care, unless they fall under a category with a longer retention period.
• 6 years: Received and sent commercial letters (§ 257 para. 1 no. 2 and 3, para. 4 German Commercial Code – HGB)
• 10 years: Tax-relevant documents, booking receipts, accounting records (§§ 147 para. 1 German Fiscal Code – AO, 257 para. 1 no. 1 and 4, para. 4 HGB)
• 30 years: Data stored due to special circumstances in our own or third-party interest, as corresponding limitation periods or special retention periods exist (e.g. enforcement orders, special limitation periods)

15. What data protection rights do I have?

You have the right at any time to access, rectify, erase, or restrict the processing of your stored data, the right to object to the processing, as well as the right to data portability and to lodge a complaint in accordance with the requirements of data protection law.

Right of access:

You may request information from us about whether and to what extent we process your data.

Right to rectification:

If we process your data that is incomplete or incorrect, you may request at any time that we correct or complete it.

Right to erasure:

You may request that we delete your data if we are processing it unlawfully or if the processing disproportionately interferes with your legitimate interests in protection. Please note that there may be reasons that prevent immediate deletion, for example in the case of statutory retention obligations.
Regardless of whether you exercise your right to erasure, we will promptly and fully delete your data unless there are legal or contractual obligations to retain it.

Right to restriction of processing:

You may request that we restrict the processing of your data if:

• you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data
• the processing of the data is unlawful, but you object to its deletion and instead request restriction of its use
• we no longer need the data for the intended purpose, but you still require it to assert or defend legal claims, or
• you have objected to the processing of the data

Right to data portability:

You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you transmit this data to another controller without hindrance by us, provided that

• we process this data based on your consent, which can be withdrawn, or for the performance of a contract between us, and
• the processing is carried out using automated means

Where technically feasible, you may request that we transfer your data directly to another controller.

Right to object:

If we process your data based on legitimate interests, you may object to this processing at any time; this also applies to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves to assert, exercise, or defend legal claims. You may object to the processing of your data for direct marketing purposes at any time without providing reasons.

Right to lodge a complaint:

If you believe that we are violating German or European data protection law by processing your data, we kindly ask you to contact us so that we can clarify any questions. You also have the right to contact the supervisory authority responsible for you, which is the respective State Data Protection Authority. If you wish to exercise any of the rights mentioned above, please contact our Data Protection Officer. In case of doubt, we may request additional information to confirm your identity.

Am I obliged to provide data?

The processing of your data is necessary for the conclusion or performance of the contract you have entered into with us. If you do not provide us with this data, we will generally have to refuse to conclude the contract or will no longer be able to perform an existing contract and may have to terminate it. However, you are not obliged to provide consent for the processing of data that is not relevant for contract fulfilment or not required by law.

Changes to this privacy policy

We reserve the right to amend our privacy policy if necessary due to new technologies. Please ensure that you have the most up-to-date version. If we make fundamental changes to this privacy policy, we will announce them on our website.

Status: September 2025