Placeholder text

Privacy Policy

 

Privacy Policy

I. Name and address of the data controller

The data controller within the meaning of Article 4(7) of EU Regulation 2016/679, known as the General Data Protection Regulation (GDPR), and other national data protection laws of the Member States, as well as other data protection provisions, is:

momox SE
represented by the Executive Board: Christian von Hohnhorst and Claudia Frese (Chair)
Schreiberhauer Straße 30
10317 Berlin, Germany

 

II. Name and address of the Data Protection Officer

The data protection officer of the data controller is:

PROLIANCE GmbH
www.proliance.ai
Leopoldstr. 21
80802 Munich, Germany

[email protected]

 

III. General information on data processing

1. Access to and storage of information on end devices

The use of our application may result in access to information (e.g. IP address) or the storage of information (e.g. cookies) on your end devices and thus in the processing of personal data within the meaning of the GDPR.

In cases where such access to or storage of information is absolutely necessary for the technically fault-free provision of our services, this is carried out on the basis of Section 25(1), first sentence, and (2)(2) of the TDDDG.

In cases where such a process serves other purposes (e.g. tailoring our website to your needs), this is carried out on the basis of Section 25(1) of the TDDDG only with your consent in accordance with Article 6(1)(a) of the GDPR. This consent may be withdrawn at any time with future effect.

Further information on the processing of your personal data and the relevant legal bases in this context can be found in the following sections on the specific processing activities involved in using our website.

2. Scope of the processing of personal data

In principle, you can visit us (i.e. the internet services of momox SE) without telling us who you are. When you visit our website, your browser automatically transmits various data; see ‘IV. Provision of the website and creation of log files’ below. This information is analysed for purely statistical purposes and then deleted. Our services are reserved for visitors of legal age.

Personal data is generally only collected on our website if you provide it to us of your own accord (e.g. when opening a user account or as part of the ordering process). We use this data exclusively for the purposes specified in each case, as listed below.

Personal data is generally only collected on our website and via the relevant interfaces if you provide it to us of your own accord (e.g. when opening a user account or as part of the ordering process). We use this data exclusively for the purposes specified in each individual case, as set out below.

Your personal data will not be passed on to third parties, unless

  1. we have expressly stated this in the description of the relevant data processing,
  2. if you have given your explicit consent in accordance with Article 6(1), first sentence, point (a) of the GDPR,
  3. the transfer is necessary pursuant to Article 6(1)(f) of the GDPR for the establishment, exercise or defence of legal claims in court, and there is no reason to believe that you have an overriding legitimate interest in your data not being transferred,
  4. in the event that there is a legal obligation to transfer the data in accordance with Article 6(1), first sentence, point (c) of the GDPR, and
  5. insofar as this is necessary for the performance of our contractual relationship with you, in accordance with Article 6(1), first sentence, point (b) of the GDPR.

We enter into contracts with external service providers who process personal data on our behalf, known as data processors, in accordance with Article 28 of the GDPR. We have carefully selected these data processors; they have been given a specific mandate and are bound by our instructions. The GDPR defines countries outside the European Union/European Economic Area as third countries and regulates transfers to these countries separately in accordance with Articles 44 to 49 of the GDPR. We occasionally use data processors in third countries. Our cooperation with these data processors is based on standard data protection clauses in accordance with Article 46(2)(c) of the GDPR. These clauses oblige the recipient in the third country to process the data in accordance with the level of protection applicable in Europe.

We maintain up-to-date technical measures to ensure the protection of personal data. These measures are adapted to the current state of the art.

If you visit our websites via the app, the privacy notices set out there also apply.

3. Data erasure and retention period

The data subject’s personal data will be erased or blocked as soon as the purpose for which it was stored no longer applies. Data may also be stored if this is provided for by European or national legislation in EU regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted when a retention period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.

 

IV. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected in this process:

  1. Information about the browser type, language and version used
  2. The user’s operating system
  3. The user’s internet service provider
  4. The user’s IP address
  5. Date and time/time zone of access
  6. Content of the request (specific page)
  7. Access status/HTTP status code
  8. Websites from which the user’s system accessed our website
  9. Websites accessed by the user’s system via our website
  10. Amount of data transferred

The data is also stored in our system’s log files. This data is not stored together with any other personal data relating to the user. However, in the event of an error during an API query, we additionally log the ID (pseudonymous identifier), the IP address and the relevant HTTP request, as well as the email address of the user making the request (if used), to enable subsequent error analysis and rectification.

Furthermore, we use Constructor.io (San Francisco, 268 Bush St., #4450, United States), a platform designed to optimise search engine rankings on our website. Data processing involves the collection and analysis of user interactions, including search queries, click behaviour, interactions with the website and other online activities. This information is used to optimise search results and to enable you to navigate the website more easily and in greater detail. The information is processed only in aggregated or anonymised form and is not used for any other purposes. We have entered into a data processing agreement with the provider. As Constructor.io is certified under the EU-US Data Privacy Framework, data transfers to the provider in the USA take place under an adequacy decision issued by the European Commission. Further information can be found at: Privacy Policy | Constructor

To better track website visits and interactions, we use Bounce Commerce, a service provided by Bounce Commerce GmbH (Lindenallee 39, 47608 Geldern, Germany). 

For this purpose, Bounce Commerce sets cookies and processes the following data:

·  Request ID

· URL accessed

· HTTP header

· Time of access

· Session hash

· Information on page redirects

No personal data is processed.

2. Legal basis for data processing

Insofar as our log files involve the processing of personal data, the legal basis is Article 6(1)(f) of the GDPR. Our legitimate interest is to ensure that the website connects smoothly and to enable users to use our website conveniently. Furthermore, the log file is used to evaluate system security and stability, as well as for administrative purposes.

For Constructor.io, data processing is carried out on the basis of our legitimate interest pursuant to Article 6(1)(f) of the GDPR in providing a detailed search engine option, improving the user experience on our website and increasing the relevance of search results.

When using Bounce Commerce, your device is accessed as part of the cookie placement process. Processing is carried out on the basis of your consent in accordance with Section 25(1) of the TDDDG.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must be stored for the duration of this process. The repeated automated extraction of web pages (so-called ‘scraping’) is also made more difficult by recording the IP address. The storage of data in the event of an error is necessary within the meaning of Article 6(1)(f) of the GDPR to ensure the functionality of the website.

We use Lunio.ai to detect and prevent click fraud. The legal basis for the processing is our legitimate interest in preventing fraud and ensuring the secure provision of our website in accordance with Article 6(1)(f) of the GDPR.

The purposes of data processing by Constructor.io include optimising search results, providing relevant content, and improving the user-friendliness and relevance of the search

The purposes of data processing by Bounce Commerce include tracking website visits and interactions in order to optimise our website offering.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of IP addresses, these are truncated – i.e. anonymised – once the relevant session has ended. The data is then no longer personally identifiable. All log files are deleted after 50 days.

Lunio.ai deletes IP addresses as soon as they have been verified.

Constructor.io anonymises the IP address immediately and processes further data only for as long as is necessary to fulfil the purposes mentioned above.

The cookies set by Bounce Commerce are stored for a period of 3 hours, after which the anonymous data collected via these cookies is further processed.

5. Right to object, withdraw consent and request erasure

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Consequently, users have no right to object.

Users have the right to object to the processing of their personal data by Constructor.io. However, this is also a service necessary for the search function. Whether an objection can be effectively implemented will be assessed on a case-by-case basis. 

V. Our shop system

1. Description and scope of processing

For hosting, the presentation of the shop, fraud prevention and to enable you to make payments via our shop, we use the system provided by Shopify International Limited, Victoria Buildings, 2nd Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (‘Shopify’).

All data collected on our website and provided by you is processed on the provider’s servers. This includes, in particular: 

        Customer and contact details

        Order details

        Payment and transaction information

        Usage and interaction data

        Device information

 Withdrawal notices and associated metadata (timestamps, processing status, browser language preference, email delivery status) when using the electronic withdrawal function

Furthermore, we use services and apps provided by Shopify, some of which also receive and process the aforementioned personal data:

         Pathway (invoicing and bookkeeping)

         Matrixify, Metafields Guru and Flowcompanion (design and data management)

         Checkout Blocks (design)

       Dynamic Yield by Mastercard (learning algorithms, personalisation and A/B testing)

         Persistent Cart – Sync Devices (shopping basket synchronisation)

         Judge.me (product reviews)

     Revoq – EU withdrawal button (Jonas Busch, sole trader) – electronic withdrawal function in accordance with Section 356a of the German Civil Code (BGB)

 

2. Legal basis for data processing

Our shop cannot be used without the processing of data by Shopify. Processing is therefore carried out on the basis of Article 6(1)(b) of the GDPR, for the performance of contractual obligations, as well as on the basis of Article 6(1)(f) of the GDPR, our legitimate interest in providing an optimal shop and payment system. This also includes the processing of your data by Shopify services and apps, insofar as these are necessary for the provision of our shop and its core functions. The processing of your data for fraud prevention is also based on our legitimate interest in protecting against misuse.

If your data is processed for any other purpose, e.g. as part of a transfer to other providers for advertising purposes or for personalisation, your consent will always be sought in accordance with Article 6(1)(a) of the GDPR and you will be informed accordingly.

Data transfers to third countries in connection with Shopify services and apps: When using the aforementioned Shopify services and apps, personal data may be transferred to countries outside the EU or the EEA (so-called third countries, e.g. the USA, the United Kingdom or Canada). We ensure that such transfers take place only in compliance with the requirements of Articles 44 et seq. of the GDPR. Where necessary, we have entered into data processing agreements with the relevant providers in accordance with Article 28 of the GDPR. Where no adequacy decision has been issued by the European Commission for the recipient country, we base the transfer on appropriate safeguards within the meaning of Article 46 of the GDPR, in particular the EU Commission’s Standard Contractual Clauses, supplemented by appropriate technical and organisational measures to protect your data.

Use of the “Revoq – EU Withdrawal Button” app: To fulfil the legal obligation under Section 356a of the German Civil Code (BGB) (with effect from 19 June 2026), we use this app provided by Jonas Busch (sole trader), email: [email protected]. The provider processes the aforementioned withdrawal data as our data processor in accordance with Article 28 of the GDPR; the data processing agreement can be viewed at https://www.consumer-withdrawal.eu/dpa. The provider’s infrastructure is predominantly located within the EU (database hosting: Supabase Inc., Frankfurt; application hosting: Fly.io Inc., Amsterdam/Frankfurt; email delivery: Resend Inc., Ireland); API access to order data is provided by Shopify Inc. (Canada) on the basis of an adequacy decision and, in addition, on the basis of standard contractual clauses in accordance with Article 46(2)(c) of the GDPR. The legal basis is Article 6(1)(c) of the GDPR (legal obligation) and Article 6(1)(b) of the GDPR with regard to the confirmation of receipt.

3. Purpose of data processing

The processing of personal data by Shopify and Shopify services and apps is carried out for the following purposes:

        Hosting the shop

        Displaying the shop and providing shop functions

        Payment processing, invoicing and bookkeeping

        Fraud prevention

        Recommendations and personalisation

        A/B testing

  Receipt, documentation and processing of electronic notices of withdrawal in accordance with Section 356a of the German Civil Code (BGB)

4. Duration of storage

Your data will only be processed for as long as is necessary for the purpose of processing. Following the conclusion of a sales contract, it may be necessary to store the contractual partner’s personal data in order to fulfil contractual or statutory obligations. More detailed information on individual processing steps can be found in the following sections of this privacy policy.

5. Right to object and right to erasure

Where your data is processed on the basis of our legitimate interest, you have the right to object. Where your data is processed on the basis of consent, you have the right to withdraw this consent with effect for the future. Where processing is carried out to fulfil a legal obligation – in particular in connection with the electronic cancellation function – there is no right to object.

Further information on Shopify can be found in the provider’s privacy policy: https://www.shopify.com/de/legal/datenschutz

 

VI. Use of cookies and similar technologies

1. Description and scope of data processing

When you use our services, usage data is collected as part of what is known as ‘web tracking’. This means that the behaviour of certain users can be tracked on a pseudonymous basis in order to analyse and personalise our services and to optimise the display of advertising. To this end, we use so-called cookies and similar technologies in several places.

What are cookies? Cookies are small text files containing information that are stored on your device. They are normally used to associate a specific action or preference on a website with a user, without, however, identifying the user as a person or revealing their identity.  They serve to make our website more user-friendly and effective. Cookies are not automatically good or bad, but it is worth understanding why we use them so that you can make your own decisions and adjust your settings accordingly.  

Some of the cookies we use are so-called ‘session cookies’, which are automatically deleted when you close your browser. In addition, there are some persistent cookies, which we use to recognise you as a visitor. If you do not wish to have cookies installed, you can disable the acceptance of cookies in your browser. However, please note that if you disable all cookies, you may not be able to use our website to its full extent.

In addition to cookies, we use other technologies to track users. These include, for example, so-called pixel tags (also known as ‘web beacons’, ‘GIFs’ or ‘bugs’).  

What are pixel tags? Pixel tags are transparent, single-pixel images embedded on the website. They track, for example, whether a specific area of the website has been clicked on. When triggered, the pixel tag logs a user interaction and can read or set cookies. As pixels often rely on cookies to function, disabling cookies may affect them. However, even if you disable cookies, pixels can still detect a visit to the website.

The pixels send information (e.g. your IP address, the referrer URL of the webpage visited, the time at which the pixel was viewed, the browser used, and previously set cookie information) to a web server. This makes it possible to carry out audience measurement and other statistical analyses, which help us to optimise our service. The data collected in this way primarily consists of information about users’ technical devices, but may also include data such as IP addresses, login details (email address, first name and surname, gender, session ID, no password), shopping basket contents, as well as interests or information on user behaviour (e.g. most recently viewed offers or favourites). This data is pseudonymised through technical measures, so that it is not possible to link the data to the individual user accessing the site.

Cookies and similar technologies may also be set via our website by our advertising partners, and data collected in this way may be processed by these companies. You can access further information about these recipients at any time via the Consent Manager integrated into our website under ‘Settings’.

Further information can be found at and here.

2. Purposes and legal bases

Technically necessary cookies, Section 25(2) TDDDG, Article 6(1)(f) GDPR

The use of these technologies serves, on the one hand, to make your experience of our website more pleasant. For example, we use session cookies to recognise that you have already visited individual pages of our services, that you have already logged into your user account, or to display your shopping basket. These are automatically deleted when you leave our site.
In addition, we also use temporary cookies to optimise user-friendliness; these are stored on your device for a specific, predetermined period. If you visit our site again to use our services, the system will automatically recognise that you have previously visited us and recall the entries and settings you have made, so that you do not have to re-enter them. The data processed by these cookies is necessary for the purposes stated, in order to safeguard our legitimate interests and those of third parties in accordance with Article 6(1)(f) of the GDPR.

Consent-based: Analytics and marketing cookies, Section 25(1) of the German Telemedia Act (TDDDG), Article 6(1)(a) of the GDPR

Furthermore, subject to your consent, we and third parties use cookies and pixel technologies to statistically record and analyse the use of our website (statistics) and to be able to address our users more precisely and repeatedly on third-party websites and on our own websites (personalisation).

You can access further information on the specific purposes and legal bases for the technologies used at any time via the Consent Manager integrated into our websites under ‘Settings’.

There, you can also withdraw any consent you have previously given at any time with future effect. You can access the Consent Manager again at any time by clicking on ‘Privacy Settings’ at the bottom of our web pages.  

Further information and to withdraw consent: here.

3. Duration of storage

Cookies are stored on the user’s computer and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. By changing the settings in your web browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may no longer be possible to use all the website’s functions to their full extent (see ‘Technically necessary cookies’ above).

You can view the specific cookie retention period at any time via the Consent Manager integrated into our websites under ‘Settings’.

There, you can also withdraw any consent you have previously given at any time, with effect for the future. You can access the Consent Manager again at any time by clicking on ‘Privacy Settings’ at the bottom of our web pages.  

Further information and to withdraw consent: here.

4. Options for objection, withdrawal and removal

You can reset your browser before or after visiting our website so that all cookies are rejected or to be notified when a cookie is sent. By default, the setting of cookies can be managed via your browser’s settings, including options to prevent cookies from being set altogether or to delete them. Your browser may also have an incognito mode. You can use these browser functions yourself at any time. However, if you have disabled cookies by default in your browser, our website or our services may not function correctly.  

You can also withdraw any consent you have previously given at any time, with effect for the future, via the consent manager integrated into our websites. You can access the consent manager at here, or at any time by clicking on ‘Privacy settings’ at the bottom of our websites.

If you access our website from multiple devices and browsers, you must therefore configure data collection separately and again on each of these devices and in each browser.

The YourOnlineChoices.eu preference manager offers another convenient way to disable cookies

 

VII. Sending of newsletters

1. Description and scope of data processing

On our website, you have the option to subscribe to a free newsletter containing promotional content for momox SE’s own offers and selected offers from advertising partners. When you register for the newsletter, the following data is transmitted to us:

  1. Email address and title as provided
  2. First name and surname (optional)
  3. IP address of the computer accessing the site
  4. Date and time of registration

Your consent to the processing of this data is obtained as part of the registration process, and reference is made to this privacy policy. You will first receive an email asking you to confirm your registration (known as the double opt-in procedure).

We use Braze, provided by Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA (‘Braze’), to send out the newsletter. We have entered into a data processing agreement with this service provider. When using this service, data may be transferred to the USA. This is considered appropriate as Braze is part of the EU-US Data Privacy Framework. Further information can be found in Braze’s privacy policy: https://www.braze.com/company/legal/privacy

We send you reminders about incomplete transactions (shopping basket) and invite you by email to take part in surveys (including product and satisfaction surveys). You will also receive loyalty messages by email if you have made transactions particularly regularly or have not made any transactions for a long period of time.

Please note that we track the usage of our newsletters. To do this, we use the service provider RichRelevance Inc., 303 Second Street, Suite 350, San Francisco, CA 94107, USA. We have entered into a data processing agreement with this service provider, in which we oblige them to protect our customers’ data and not to disclose it to third parties. For the purposes of analysis, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel image files stored on our website. For this analysis, we link the data and the web beacons to your email address and a unique ID. Links contained in the newsletter are also assigned an ID. We use the data obtained in this way to create a user profile in order to tailor the newsletter to your individual interests. In doing so, we record when you read our newsletter, which links you click on within it, and use this to deduce your personal interests. We link this data to your actions on our website using the technologies mentioned above.

We also use your email address, based on the consent you have given, to display interest-based information and advertising to you on our advertising partners’ platforms (e.g. Google Search or YouTube). To this end, we transmit your email address to our advertising partners via file upload or by means of a tracking pixel; the data is not transmitted in plain text, but as a so-called ‘hash value’, i.e. a mathematical representation of the data. This enables us to recognise you as a user of our web services when you visit our advertising partners’ platforms, so that we can display tailored information and adverts to you. We use the following services for this purpose:

        Google Customer Match: Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, email: [email protected]; further information on the use of data by Google and Google Customer Match can be found at the following link: https://support.google.com/googleads/answer/6379332?hl=de

      Facebook Custom Audiences from File: Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland; further information on the use of data by Facebook and Facebook Custom Audiences can be found at the following links: https://www.facebook.com/ads/about and https://www.facebook.com/legal/terms/customaudience.

    Criteo Audience Match: Provider: Criteo SA, 32 Rue Blanche, 75009 Paris, France; further information on Criteo’s use of data can be found at the following links: https://www.criteo.com/de/privacy/ and https://www.criteo.com/de/privacy/disable-criteo-services-on-internet-browsers/

As the use of the above-mentioned service providers for the purposes of newsletter tracking and cross-channel advertising may involve the transfer of personal data to countries outside the EU and the EEA, additional safeguards are required to ensure the level of data protection provided by the GDPR. For the USA, there is an adequacy decision by the European Commission pursuant to Article 45(1) of the GDPR with regard to companies certified under the EU-US Data Privacy Framework. Google LLC and Meta Platforms Inc. are certified under the EU-US Data Privacy Framework and are therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search. For potential transfers to the aforementioned service providers for which no certification exists, and for transfers to other third countries outside the EU and the EEA for which no adequacy decision has been issued by the European Commission, we have also agreed standard data protection clauses with the providers in accordance with Article 46(2)(c) of the GDPR. These oblige the recipients of the data in the third country to process the data in accordance with the level of protection in Europe.

We also use the Braze service provided by Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA (“Braze”) for these purposes. We use Braze to aggregate data from our newsletter service provider and analyse interactions with our newsletters. This involves the processing of emails, tokens, pixels, interaction data and your IP address. We have entered into a data processing agreement with the service provider. When using the service, data may be transferred to the USA. This is considered appropriate as Braze is part of the EU-US Data Privacy Framework. Further information can be found in Braze’s privacy policy: https://www.braze.com/company/legal/privacy

2. Legal basis for data processing

The legal basis for the data processing operations referred to in section VI.1 is your consent pursuant to Article 6(1)(a) of the GDPR. You may withdraw your consent at any time with future effect (see section VI.5).

3. Purpose of data processing

The collection of the user’s email address serves to deliver the newsletter.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or of the email address provided.

The personalisation of the newsletter through newsletter tracking and on the basis of the customer profile serves the purpose of tailoring the newsletters to the needs and interests of our customers. Newsletter tracking also serves to evaluate the success of our advertising measures and to optimise the commercial structure of our offering. Requests for surveys and reviews also serve the purpose of improving our offering.

The sharing of the email address with our aforementioned advertising partners serves to display interest-based information and advertising on our advertising partners’ platforms.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected, or if you have withdrawn your consent. The user’s email address is therefore deleted when the user cancels their newsletter subscription and the processing of the email address is no longer required for any other purposes (e.g. for the performance of a contract or to safeguard a legitimate interest on our part).

Other personal data collected as part of the registration process is generally deleted after a period of seven days. Scanned articles are stored for 30 days.

Furthermore, once you have unsubscribed from the newsletter, we will no longer pass on your data to the aforementioned advertising partners.

5.    Right to withdraw consent and right to erasure

The newsletter subscription may be cancelled by the data subject at any time. A link for this purpose is provided in every newsletter. Furthermore, you also have the option to unsubscribe from the newsletter via your customer account. For further information, see ‘Rights of the data subject’ below.

If you wish to withdraw your consent to newsletter tracking and personalisation, as well as your consent to the transfer of your personal data to our advertising partners for cross-channel advertising purposes, you must unsubscribe from the newsletter.

You can also restrict usage tracking by disabling the display of images by default in your email programme.

You can also object in general to the creation of a profile by our advertising partners mentioned above for the purposes of interest-based delivery of information and advertising by contacting them separately using the contact details provided above.

 

VIII. Marketing to existing customers via email

1. Description and scope of data processing

If you buy or sell goods on our website and provide your email address in the process, we may subsequently use this for marketing to existing customers. In such cases, the promotional email will be used exclusively to send direct marketing for our own similar goods or services (marketing to existing customers). You will be made aware of this policy upon registration or when buying and selling.

We use Braze, provided by Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA (‘Braze’), to send marketing communications to existing customers. We have entered into a data processing agreement with this service provider. When using this service, data may be transferred to the USA. This is considered appropriate as Braze is part of the EU-US Data Privacy Framework. Further information can be found in Braze’s privacy policy: https://www.braze.com/company/legal/privacy

In connection with data processing for the purpose of sending marketing communications to existing customers, no data is disclosed to third parties for their own purposes.

2. Legal basis for data processing

The legal basis for processing data for the purpose of sending marketing communications to existing customers by email is our legitimate interest pursuant to Article 6(1)(f) of the GDPR (Section 7(3) of the UWG). You may object to this processing at any time with future effect. To do so, please send your objection to the email address given above.

3. Purpose of data processing

The collection of the user’s email address serves to deliver marketing communications to existing customers and thus to send direct marketing for our own similar goods or services.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected, or if you have objected to marketing to existing customers. The user’s email address will therefore be deleted if an objection is lodged or the customer account is deleted, and the processing of the email address is no longer required for any other purposes (e.g. for the performance of a contract or to safeguard a legitimate interest on our part).

5. Right to object and right to erasure

You may object at any time, with future effect, to the processing of your email address for the purposes of marketing to existing customers. To do so, please send your objection to the email address given above.

 

IX. Sending emails regarding surveys or ratings/reviews and participation in these

1. Description and scope of data processing

When you visit our website, you may be prompted to take part in surveys via separate windows (pop-ups). If you register on our website, buy or sell goods and provide your email address in the process, or subscribe to the newsletter, we may ask you by email to rate our service and/or the product. This is done via the services specified in the email or on third-party platforms. Participation in the review is always voluntary. The platforms do not receive any personal data from us in this context, unless otherwise stated here.

If you submit a review for a product on our website, we will only publish the first name stored in your customer account, so that it is generally not possible for other users of our website to identify you. As part of the review, you also have the option to enter further content in a free-text field. It is entirely up to you whether you provide further details in this free-text field that could enable others to identify you. To protect your privacy, we recommend that you write product reviews without providing any personal data. We reserve the right not to publish reviews that contain personal data or to anonymise them (in whole or in part). In order to show you which products you have already reviewed, we also link your submitted review to your customer account held with us and the personal data stored there.

We use the following third-party providers:

  1. Survey pop-ups are provided by the service provider SurveyMonkey Europe UC, 2 Shelbourne Buildings, Second Floor, Shelbourne Road, Dublin 4, Ireland, and SurveyMonkey Inc., One Curiosity Way, San Mateo, CA 94403, USA. In this context, cookies (see ‘Use of cookies’ above and https://de.surveymonkey.com/mp/legal/survey-page-cookies/) and device data (see https://de.surveymonkey.com/mp/legal/privacy-policy/#pp-section-2 - respondents) are processed. The service provider is engaged on a data processing basis. As personal data is transferred to the USA, additional safeguards are required to ensure the level of data protection provided by the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection applicable in Europe. In cases where this cannot be guaranteed even by this contractual extension, we endeavour to secure further arrangements and commitments from the recipient in the USA.
  2. We use software provided by ThinkingTech GmbH & Co. KG, Darmstädter Str. 5, 64625 Bensheim, Germany, to respond to your enquiries regarding the delivery status of orders via Zendesk. ThinkingTech processes the name, content and technical details of the communication on our behalf. This is carried out within the framework of data processing on our behalf. We have entered into a data processing agreement with ThinkingTech in accordance with Article 28 of the GDPR, which obliges them to process your data solely on our behalf and in accordance with our instructions. Further information on data processing by ThinkingTech can be found in the privacy policy at https://www.melibo.de/rechtliches/datenschutz.
  3. We use Braze from Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA (‘Braze’), to analyse interactions with our emails. We have entered into a data processing agreement with this service provider. When using this service, data may be transferred to the USA. This is considered appropriate as Braze is part of the EU-US Data Privacy Framework. Further information can be found in Braze’s privacy policy: https://www.braze.com/company/legal/privacy
  4. We use the “Zigpoll” service provided by Argonautic Labs LLC to provide surveys and feedback features during the checkout process or via email. In doing so, Zigpoll processes, in particular: IP address, browser and device information, usage and order data (e.g. interaction with surveys and widgets; products ordered) and, where applicable, content entered by users (responses, free-text entries). The purpose of this processing is the technical provision, display and evaluation of the surveys and feedback elements to improve our offering and services. As part of the use of Zigpoll, data is transferred to Argonautic Labs LLC in the USA. We have concluded a data processing agreement with the provider in accordance with Article 28 of the GDPR. The transfer of data takes place on the basis of the European Commission’s Standard Data Protection Clauses in accordance with Article 46(2)(c) of the GDPR. These clauses oblige the recipient of the data in the third country to process it in accordance with the European level of protection. Further information on the service’s data protection: https://www.zigpoll.com/privacy
  5. We work with SaaS.group zenloop GmbH, Pappelallee 78/79, 10437 Berlin, Germany (“zenloop”). zenloop is a business-to-business Software-as-a-Service platform that enables us to collect and analyse feedback from our customers via various channels. This allows us to tailor our services to our customers’ needs and improve them.

The following data is collected for this purpose:

      • Email address
      • Customer ID
      • Customer type
      • Device
      • Sales or order number
      • Basket value
      • Delivery partner
      • Number of parcels
      • Newsletter status
      • Number of orders or sales
      • Gender

In addition, zenloop collects your survey responses. Further information on data processing by zenloop can be found in the privacy policy at https://www.zenloop.com/de/legal/privacy.

6. We use the analytics software “wootric” provided by Wootric, Inc., 220 27th St., San Francisco, CA 94131, USA, to survey users (of the newsletter). Wootric processes the user’s email address, rating and optional comments on our behalf and acts as a data processor. As the use of the service provider Wootric involves the transfer of personal data to the USA, further safeguards are required to ensure the level of data protection provided by the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection applicable in Europe. In cases where this cannot be ensured even through a contractual extension, we endeavour to secure further arrangements and commitments from the recipient in the USA.

2. Legal basis for data processing

The legal basis for requesting reviews by email and the associated processing of your personal data (email address and name) is your consent in accordance with Article 6(1)(a) of the GDPR.

If, when submitting reviews of purchased products on our website, you provide personal data in the free-text field provided for publication, the legal basis for this is your consent in accordance with Article 6(1)(a) of the GDPR.

The legal basis for linking submitted reviews to your personal data stored in your customer account is our legitimate interest, in accordance with Article 6(1)(f) of the GDPR, in providing an overview of reviews already submitted and documenting these in your customer account. Furthermore, we have a legitimate interest pursuant to Article 6(1)(f) of the GDPR in linking reviews to customer accounts in order to take action, where necessary, against infringements of third-party rights or the publication of unlawful content.

You may withdraw your consent at any time with effect for the future.

3. Purpose of data processing

The purpose of the data processing carried out by us or our data processors is to improve our services for users and to increase our reach through (positive) reviews. The collection of your email address and information regarding your use of our service serves to send you a message requesting a review.

The purpose of linking the reviews you have submitted to the personal data stored in your customer account is to provide you with an overview of reviews you have already submitted and to document them. We also process this data in order to take action, where necessary, against infringements of third-party rights or the publication of unlawful content.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. With regard to cookies used in surveys, our information above under ‘Use of cookies’ also applies.

5. Right to withdraw consent, object and have data erased

If you unsubscribe from the newsletter, you will no longer receive emails from us requesting a review. You also have the option to withdraw your consent at any time. Where the processing of your personal data is based on a legitimate interest on our part, you have the right to object to such processing at any time. To do so, please send your withdrawal or objection to the email address given above.

In the event of objections relating to review requests submitted to Customer Support, you may also use the online form provided by our data processor, Google LLC.

Our information above under ‘Use of Cookies’ also applies to cookies used in surveys.

 

X. Marketing communications

1. Description and scope of data processing

If you buy or sell goods on our website and provide your postal address in the process, we may subsequently use this address to send you advertising post. In such cases, we will only send direct marketing for our own similar goods or services. You will be made aware of this policy upon registration or when buying or selling.

We use the services of Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA, to manage our customers’ address data for the purpose of sending postal advertising and to document any objections to advertising. We have entered into a data processing agreement with this service provider, in which we oblige them to protect our customers’ data and not to disclose it to third parties.

We use Deutsche Post Dialog Solutions GmbH, Koblenzer Str. 67, 53177 Bonn, Germany, to dispatch promotional post. This company receives your postal address for the purpose of sending promotional post as part of a data processing arrangement.

If you no longer wish to receive our information and offers in future, you may object to the use of your data for advertising purposes. Please notify us of this in writing, enclosing the advertising material and stating your name and address, to: momox SE, Schreiberhauer Straße 30, 10317 Berlin, Germany, or via [email protected].

2. Legal basis for data processing

The legal basis for sending promotional post following the sale of goods or services is Article 6(1)(f) of the GDPR.

3. Purpose of data processing

The collection of your postal address serves the purpose of delivering the promotional post.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. The user’s postal address will therefore be stored until their registration (see below) is no longer active.

5. Right to object and right to erasure

You may object to receiving marketing mail in future, in accordance with Article 21(2) and (3) of the GDPR.

 

XI. Registration

1. Description and scope of data processing

On our website, we offer users the option to register by providing personal data. The data is entered into a form, transmitted to us and stored. The following data is collected as part of the registration process:

  1. Title, first name and surname
  2. Email address
  3. Password of your choice
  4. Address (street, house number, postcode, town)
  5. Optional consent to receive the newsletter
  6. Optional telephone number
  7. Optional date of birth
  8. Your account details (when making a purchase from momox, following registration)

The following data is also stored at the time of registration:

  1. Date and time of registration
  2. Source of registration: web, iOS app, Android app

After registration, customers have the option, amongst other things, to post comments (reviews) on the website about products on offer. The customer’s first name, as provided during registration, will be published alongside the comment under the product.

We also use your email address and information relating to purchases or sales you have made (OrderID) to display interest-based information and adverts to you on our advertising partners’ platforms (e.g. Google Search or YouTube). To this end, we transfer your email address and OrderIDs to our advertising partners via file upload; the email address is not transferred in plain text, but as a so-called ‘hash value’, i.e. by means of a mathematical representation of the data. This enables us to recognise you as a user of our web services when you visit our advertising partners’ platforms, so that we can display tailored information and adverts to you. We use the following services for this purpose:

     Google Customer Match: Provider: Google Inc., Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, email: [email protected]; further information on the use of data by Google and Google Customer Match can be found at the following link: https://support.google.com/googleads/answer/6379332?hl=de

    Facebook Custom Audiences from File: Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland; further information on the use of data by Facebook and Facebook Custom Audiences can be found at the following links: https://www.facebook.com/ads/about and https://www.facebook.com/legal/terms/customaudience.

 Criteo Audience Match: Provider: Criteo SA, 32 Rue Blanche, 75009 Paris, France; further information on Criteo’s use of data can be found at the following links: https://www.criteo.com/de/privacy/ and https://www.criteo.com/de/privacy/disable-criteo-services-on-internet-browsers/

As the use of the above-mentioned service providers for the purposes of newsletter tracking and cross-channel advertising may involve the transfer of personal data to countries outside the EU and the EEA, additional safeguards are required to ensure the level of data protection provided by the GDPR. For the USA, there is an adequacy decision by the European Commission pursuant to Article 45(1) of the GDPR with regard to companies certified under the EU-US Data Privacy Framework. Google LLC and Meta Platforms Inc. are certified under the EU-US Data Privacy Framework and are therefore committed to complying with appropriate data protection standards, which can be viewed at the following link: https://www.dataprivacyframework.gov/s/participant-search. For potential transfers to the aforementioned service providers for which no certification exists, and for transfers to other third countries outside the EU and the EEA for which no adequacy decision has been issued by the European Commission, we have also agreed standard data protection clauses with the providers in accordance with Article 46(2)(c) of the GDPR. These clauses oblige the recipients of the data in the third country to process the data in accordance with the level of protection in Europe.

Furthermore, for these purposes, we use the Braze service provided by Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA (‘Braze’). We use Braze to aggregate data from our newsletter service provider and analyse interactions with our newsletters. This involves the processing of emails, tokens, pixels, interaction data and your IP address. We have entered into a data processing agreement with the service provider. When using the service, data may be transferred to the USA. This is considered appropriate as Braze is part of the EU-US Data Privacy Framework. Further information can be found in Braze’s privacy policy: https://www.braze.com/company/legal/privacy

2. Legal basis for data processing

The legal basis for processing data for the purpose of registration and providing the customer account is Article 6(1)(b) of the GDPR.

The legal basis for the processing and disclosure of the aforementioned data to our advertising partners is our legitimate interest, in accordance with Article 6(1)(f) of the GDPR, in providing targeted and interest-based advertising for our products on our advertising partners’ platforms.

3. Purpose of data processing

User registration is necessary for the performance of a contract with the user or for the implementation of pre-contractual measures. This relates to our purchase and sale of goods by or to the user.

Where personal data is provided in the free-text field for publication when submitting reviews of purchased products on our website, this is done for the purpose of publishing the review.

The processing and disclosure of the above-mentioned data to our advertising partners is carried out in order to display interest-based information and advertising relating to our products to you on our advertising partners’ platforms (e.g. Google Search or YouTube).

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of data collected during the registration process for the fulfilment of a contract or for the implementation of pre-contractual measures, this is the case when the data is no longer required for the performance of the contract. Even after the contract has been concluded, it may still be necessary to store the contractual partner’s personal data in order to comply with contractual or legal obligations. If there is no activity in the customer account for a period of 6 years, the customer account will be deleted.

5. Right to object, withdraw consent and request erasure

As a user, you may cancel your registration at any time by emailing our support team or using our contact form. You may have the data stored about you amended at any time. For further information, see ‘Rights of the data subject’ below.

If the data is required to fulfil a contract or to carry out pre-contractual measures, early deletion of the data is only possible insofar as no contractual or statutory obligations prevent such deletion. You also have the right to withdraw any consent you have given at any time. To do so, please contact the data controller at the email address given above.

Where the processing of your personal data is based on a legitimate interest on our part, you have the right to object to the processing at any time. You may object to the processing of your personal data for the purposes of targeted and interest-based advertising for our products on our advertising partners’ platforms either by contacting the relevant advertising partner directly or by contacting the data controller at the email address provided above. Information on how to exercise your right to object with our advertising partners can be found in the privacy notices of the respective advertising partners, linked above.

 

XII. Purchase and sale of goods

1. Description and scope of data processing

On our website, we offer users the opportunity to sell goods to us or to buy goods from us.  

In doing so, data is transmitted to us and stored in accordance with the user’s registration details, in conjunction with the goods, payment methods and delivery details selected by the user. The following user data is collected as part of the buying and selling process and transmitted to the service providers listed here:

  1. Email address
  2. Title, first name and surname, address
  3. Goods
  4. Payment information: Your payment details are transmitted to the relevant payment service provider depending on the payment method you have selected. The payment service provider is responsible for your payment details. When certain payment methods are selected, the payment service providers may carry out a credit risk assessment based on mathematical and statistical methods (known as ‘scoring’) through a credit reference agency. We have no influence over this assessment and do not receive the results of the checks. Information, in particular regarding the data controller of the payment service providers, the contact details of the data protection officers of the payment service providers and the categories of personal data processed by the payment service providers, can be obtained from the service providers:
    1. Klarna: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, is the data controller. Information on data protection and also on any credit checks carried out by, amongst others, BillPay GmbH, Zinnowitzer Str. 1, 10115 Berlin, Germany, can be found here: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy
    2. PayPal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg, Luxembourg, is the data controller. Information on data protection and any credit checks carried out by other service providers can be found here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE
    3. PayOne: BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, Germany, is the data controller (credit card and direct debit). Information on data protection and any credit checks carried out by other service providers can be found here: https://www.bs-card-service.com/de/datenschutz/
    4. Amazon Payments: All personal data that you provide to Amazon Payments or that is collected during the payment process is controlled primarily by Amazon Payments s.c.a. (as the data controller) and secondarily by Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, all three of which are based at 5, Rue Plaetis L 2338, Luxembourg. You confirm your acceptance of the privacy policy when you register with Amazon: https://pay.amazon.com/de/help/201751600
  5. Delivery information: When we arrange for goods to be dispatched, we pass on data to the contracted delivery company to the extent that this is necessary for delivery or to provide information on the status of the consignment. The service providers are specified at the time of ordering. These are currently:

        Deutsche Post AG and DHL Paket GmbH

        PIN Mail AG

6. Order and usage information: In order to tailor our offering as effectively as possible, optimise our business processes and provide targeted advertising to specific customer groups, we process our customers’ order data for statistical analysis and to categorise customers into segments. To this end, we process data relating to the use of your customer account, such as your log-in status, as well as the recency of your last order, your order frequency and the total turnover resulting from your orders, returns or other costs. Segmentation is carried out solely for the purpose of providing specific customer groups – provided they have subscribed to the newsletter or activated mobile push notifications – with targeted promotional measures such as early-access offers or exclusive voucher deals.

7. Integration of the Trusted Shops seal of approval: The Trusted Shops Trustbadge is integrated into this website to display our Trusted Shops seal of approval and the reviews collected, as well as to offer Trusted Shops products to buyers following an order. This serves to safeguard our overriding legitimate interests, as determined following a balancing of interests, in the optimal marketing of our offering. The Trustbadge and the services advertised through it are provided by Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. When the Trustbadge is accessed, the web server automatically stores a so-called server log file containing, for example, your IP address, the date and time of access, the volume of data transferred and the requesting provider (access data), which documents the access. This access data is not analysed and is automatically overwritten no later than seven days after the end of your visit to the website. Further personal data is only transmitted to Trusted Shops if, after completing an order, you decide to use Trusted Shops products or have already registered to use them. In this case, the contractual agreement between you and Trusted Shops applies.

8. Integration of the Shopauskunft badge: Our website incorporates the widget provided by Shopauskunft Händlerbund Management AG, Torgauer Str. 233, 04347 Leipzig, Germany. This serves the purpose of displaying the number and results of the reviews we have received to date via Shopauskunft and of advertising them. In order to display the widget, it is technically necessary for your web browser to transmit usage data to the Shopauskunft server and to store this in log files (so-called server log files) for 7 days. This stored data includes the name and URL of the file accessed, the date and time of access, the IP address of the requesting computer, the website from which access is made (referrer URL), the browser used and, where applicable, your computer’s operating system, as well as the name of your internet service provider.

9. If you purchase new books on our website, we use the retailer Libri GmbH, Friedensallee 273, 22763 Hamburg, Germany, to distribute the goods. Libri GmbH therefore receives the details of the book ordered and the delivery address.

10. Customer contact centre providers (e.g. call centres): As part of our customer support services, data is transferred to our service providers Yoummday GmbH, Belgradstraße 68, 80804 Munich, Germany, M Plus Serbia d.o.o., Tosin Bunar 272, 11070 Novi Beograd, Serbia, and CMX Solutions GmbH, Rosenstr. 2, 10178 Berlin, Germany, as part of data processing on our behalf.

2. Legal basis for data processing

The legal basis is Article 6(1)(b) or (f) of the GDPR.

3. Purpose of data processing

The processing and disclosure of data for customer support, logistics, payment and dispatch is necessary for the performance of the contract in accordance with Article 6(1)(b) of the GDPR. This relates to our purchase and sale of goods from or to the user.

The processing and transfer of data for the purpose of enforcing claims is also necessary for the performance of the contract with us and is carried out on the basis of Article 6(1)(b) of the GDPR.

With regard to processing through the integration of the Trusted Shops quality seal and the activities of LIBRI GmbH, there is a legitimate interest in accordance with Article 6(1)(f) of the GDPR. Our legitimate interest is the provision of buyer protection linked to the specific order in question and transactional review services.

The transfer of the email address to the delivery service provider commissioned to deliver the relevant order serves to facilitate a customer-friendly arrangement of the delivery time and location. This, together with the prevention of incorrect deliveries (including to avoid costs associated with undeliverable parcels and, from the courier’s perspective, to protect postal confidentiality, amongst other things), constitutes both our legitimate interest and that of the courier in accordance with Article 6(1)(f) of the GDPR.

4. Duration of storage

The data will be erased as soon as it is no longer necessary for the purpose for which it was collected.

In the case of the purchase and sale contract or the implementation of pre-contractual measures, this is the case when the data is no longer required for the performance of the contract. Even after the contract has been concluded, there may still be a need to store the contractual partner’s personal data in order to comply with contractual or legal obligations.

5. Right to object and right to erasure

If the data is required for the performance of a contract or for the implementation of pre-contractual measures, early erasure of the data is only possible insofar as no contractual or statutory obligations preclude such erasure. Where we process your personal data on the basis of legitimate interests pursuant to Article 6(1)(f) of the GDPR, you have the right, under Article 21 of the GDPR, to object to the processing of your personal data. You may submit your objection by email to [email protected].

If you wish, you can also request the deletion of your customer account here.

 

XIII. Contact form and email contact

1. Description and scope of data processing

Our website features a contact form which can be used to contact us electronically. If a user makes use of this option, the data entered in the form is transmitted to us and stored. The message and the user’s email address are required. Further data is optional:

  1. Title, first name and surname
  2. Order number
  3. Telephone number

Alternatively, you may contact us via the email address provided. In this case, the user’s personal data transmitted via the email will be stored.

  1. We use software from ThinkingTech GmbH & Co. KG, Darmstädter Str. 5, 64625 Bensheim, Germany, to respond to your enquiries regarding the delivery status of orders via Zendesk. ThinkingTech processes the name, content and technical details of the communication on our behalf. This is carried out within the framework of data processing on our behalf. We have entered into a data processing agreement with ThinkingTech in accordance with Article 28 of the GDPR, which obliges them to process your data solely on our behalf and in accordance with our instructions. Further information on data processing by ThinkingTech can be found in the privacy policy at https://www.melibo.de/rechtliches/datenschutz
  2. We use software from Zendesk Inc., 1019 Market St, San Francisco, CA 94103, USA (“Zendesk”), to handle customer enquiries. Zendesk is used to manage customer emails and organise their processing. Zendesk processes the names, content and technical details of communications on our behalf. As personal data is transferred to the USA, additional safeguards are required to ensure the level of data protection provided by the GDPR. To ensure this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) of the GDPR. These oblige the recipient of the data in the USA to process the data in accordance with the level of protection applicable in Europe. In cases where this cannot be guaranteed even by this contractual extension, we endeavour to secure further arrangements and commitments from the recipient in the USA. Further information on data processing by Zendesk can be found in Zendesk’s privacy policy at http://www.zendesk.com/company/privacy.
  3. We send emails relating to the purchase and sale of goods (so-called transactional emails) via the following service provider: 
    We use Braze, provided by Braze Inc., 28 East 28th St, 12th Floor Mailroom, New York, NY 10016, USA (‘Braze’), to analyse interactions with our emails. We have entered into a data processing agreement with this service provider. When using this service, data may be transferred to the USA. This is considered appropriate as Braze is part of the EU-US Data Privacy Framework. Further information can be found in Braze’s privacy policy: https://www.braze.com/company/legal/privacy

2. Legal basis for data processing

Where the user has given their consent, the legal basis for data processing is Article 6(1)(f) of the GDPR.

If the purpose of the email contact is to conclude a contract, the additional legal basis for processing is Article 6(1)(b) of the GDPR.

3. Purpose of data processing

We process the personal data provided via the contact form in order to handle your enquiry.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For personal data from the contact form’s input field and that sent by email, this is the case once the relevant conversation with the user has ended. The conversation is deemed to have ended when it can be clearly inferred from the circumstances that the matter in question has been conclusively resolved.

5. Right to object and right to erasure

If the user contacts us by email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. For further information, see ‘Rights of the data subject’ below.

 

XIV. Contact via chatbot (“melibo”)

1. Description and scope of data processing

On our website, we use the chatbot service ‘melibo’ provided by ThinkingTech GmbH & Co.KG, Darmstädter Str. 5, 64625 Bensheim, Germany. You can use the chatbot to request status updates on your orders or to be put through to our customer service team. Verification is carried out using your email address, postcode and order number. In addition, the following data is processed:

        UserID

        Conversation ID

        Any additional data entered by the user

The first time you use the chatbot, you will be assigned a randomly generated UserID. The UserID remains stored in your browser until you clear your browsing history. If you wish to use the bot again after clearing your browsing history, a new, randomly generated UserID will be created. In this case, you may need to re-enter any previously selected responses, questions asked or data entered. When you use the bot again, your browser will transmit the UserID to it. This allows you to resume a previously interrupted conversation, search or input in the bot at any time (similar to the use of cookies on websites). The conversations, searches or entries you have started are also generated and stored in the events on your browser. To continuously improve the bot, we record events such as ‘Bot was displayed’ and click events such as ‘User clicked on answer X’. For this purpose, we use ConversationIDs, which are generated within the bot’s database in the same way as the UserID. They serve as object identifiers and are necessary for the bot’s operation, as database entries require a unique identifier.

Functional cookies are also used to operate the chat function. These cookies enable the website visitor’s internet browser to be recognised, ensuring that individual users of the chat function on our website can be distinguished from one another. The information generated by the cookies regarding your use of this website is transmitted to a server belonging to the chat service provider and stored there.

2. Legal basis for data processing

The legal basis for the processing of your personal data is, on the one hand, our legitimate interest pursuant to Article 6(1)(f) of the GDPR in providing a smooth customer service and responding to enquiries from website visitors and customers. If the enquiry is aimed at concluding a contract or serves to answer questions regarding your order, Article 6(1)(b) of the GDPR also forms the legal basis for the processing of your personal data. We have entered into a data processing agreement with the chatbot provider, ThinkingTech GmbH & Co. KG, in accordance with Article 28 of the GDPR, which obliges ThinkingTech GmbH & Co. KG to process your data solely on our behalf and in accordance with our instructions.

3. Purpose of data processing

The purpose of processing your personal data in connection with the use of the chatbot is to provide a functional means of contacting us, to respond to your enquiries and to facilitate the provision of status information.

4. Duration of storage

The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected.

5. Options to object and have data erased

You may object to the storage of your personal data at any time. In such a case, however, the conversation cannot be continued. For further information, see ‘Rights of the data subject’ below.

 

XV. Social media plug-ins

1. Description and scope of data processing

Below you will find information on how we handle your data collected through your use of our social media presence on social networks and platforms. Your data is processed in accordance with the relevant legal provisions.

1. Providers

1.1. Facebook Fan Page

1.1.1. Data controller

In the event that the data you provide to us is also or exclusively processed by Facebook, Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland, is the data controller alongside us or in our place, within the meaning of the GDPR. To this end, we have entered into an agreement with Facebook in accordance with Article 26 of the GDPR regarding joint responsibility for data processing (Controller Addendum). The agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook fan page. You can view this agreement via the following link: https://www.facebook.com/legal/terms/page_controller_addendum

As Meta Platforms Ireland Ltd. transfers personal data to the USA, including to Facebook Inc., additional safeguards are required to ensure the level of data protection provided by the GDPR. To this end, the provider uses standard data protection clauses in accordance with Article 46(2)(c) of the GDPR. These clauses oblige the recipient of the data in the USA to process the data in accordance with the level of protection applicable in Europe. If, as a visitor to the site, you wish to exercise your rights (right of access, rectification, erasure, restriction of processing, data portability, right to lodge a complaint with the supervisory authority, right to object or right to withdraw consent), you may contact either Facebook or us. You can adjust your advertising settings yourself in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads or http://www.youronlinechoices.com

For further details, please refer to Facebook’s Privacy Policy: https://www.facebook.com/about/privacy/

1.1.2. Facebook’s Data Protection Officer

To contact Facebook’s Data Protection Officer, you can use the online contact form provided by Facebook at the following link: https://www.facebook.com/help/contact/540977946302970.

1.1.3. Data processing for statistical purposes using Page Insights

Facebook provides so-called Page Insights for our Facebook fan page: https://www.facebook.com/business/a/page/page-insights. This consists of aggregated data that provides information on how people interact with our page. Page Insights may be based on personal data collected in connection with a visit to or interaction with our page and in connection with the content provided. Please be aware of the personal data you share with us via Facebook. Your data may be processed for market research and advertising purposes, even if you are not logged in to Facebook or do not have a Facebook account. For example, user profiles may be created based on users’ behaviour and the resulting interests. These user profiles may in turn be used, for example, to display adverts both on and off the platforms that are presumed to match users’ interests. This data collection takes place via cookies stored on your device. Furthermore, user profiles may also store data that is independent of the devices used by users; in particular, where users are members of the respective platforms and are logged in to them. The legal basis for the processing is Article 6(1)(f) of the GDPR. Our legitimate interest lies in the optimised presentation of our services, effective information and communication with customers and prospective customers, and the targeted placement of advertisements. Please note that we have no influence over the collection and further processing of data by Facebook. Consequently, we are unable to provide any information regarding the extent to which, the location where, and the duration for which the data is stored by Facebook. Furthermore, we are unable to comment on the extent to which Facebook complies with existing obligations to erase data, what analyses and linkages Facebook carries out with the data, or to whom Facebook discloses the data. If you wish to prevent the processing of your personal data by Facebook, please contact us by other means.

1.2. Other social media providers

1.2.1. Data controller

If your personal data is processed by one of the providers listed below, that provider is the data controller within the meaning of the GDPR. To exercise your rights as a data subject, please note that these can be exercised most effectively with the respective providers. Only they have access to the data they have collected. Should you nevertheless require assistance, please feel free to contact us at any time. We maintain an online presence on the social media platforms of the following providers:

        Instagram Inc., Meta Platforms Ltd., 4 Grand Canal Square, Dublin 2, Ireland

        TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

1.2.2. Data Protection Officer

You can find details on how to contact the data protection officers of the other social media providers here:


2. General information on social media platforms
2.1. Data controller

The data controller within the meaning of the GDPR is the organisation named at the beginning of this privacy policy, insofar as we ourselves process any data transmitted to us via one of the social media platforms.

2.2. Our Data Protection Officer

If you have any queries regarding data processing carried out by us as the data controller, you can contact our Data Protection Officer using the contact details provided at the beginning of this privacy policy.

3. General data processing on social media platforms
3.1. Data processing for market research and advertising

As a rule, personal data is processed on the company’s website for market research and advertising purposes. To this end, a cookie is placed in your browser, which enables the relevant provider to recognise you when you visit a website. The data collected can be used to create user profiles. These are used to display adverts, both on and off the platform, that are presumed to match your interests. Furthermore, data may also be stored in the user profiles regardless of the devices you use. This is usually the case if you are a member of the relevant platforms and are logged in to them.

3.2. Data processing and contacting us

We collect personal data ourselves when, for example, you contact us via a contact form or through a messaging service such as Facebook Messenger. The data collected depends on the information you provide and the contact details you have supplied or shared. We store this data for the purpose of processing your enquiry and in case of any follow-up questions. Under no circumstances will we pass on this data to third parties without your consent. The legal basis for processing the data is our legitimate interest in responding to your enquiry in accordance with Article 6(1)(f) of the GDPR and, where applicable, Article 6(1)(b) of the GDPR, if your enquiry is aimed at concluding a contract. Your data will be deleted once your enquiry has been fully processed, provided that this does not conflict with any statutory retention periods. We assume that processing has been finalised when it is clear from the circumstances that the matter in question has been conclusively resolved.

3.3. Data processing for the performance of a contract

If your contact via a social network or other platform is aimed at concluding a contract with us for the supply of goods or the provision of services, we process your data to fulfil the contract, to carry out pre-contractual measures or to provide the requested services. The legal basis for the processing of your data in this case is Article 6(1)(b) of the GDPR. Your data will be deleted once it is no longer required for the performance of the contract or once it is established that the pre-contractual measures will not lead to the conclusion of a contract corresponding to the purpose of the contact. Please note, however, that even after the contract has been concluded, it may still be necessary to store personal data of our contractual partners in order to comply with contractual or legal obligations.

3.4. Data processing based on consent

If you are asked by the respective platform providers to give your consent to processing for a specific purpose, the legal basis for the processing is Article 6(1)(a) and Article 7 of the GDPR. Consent that has been given may be withdrawn at any time with effect for the future.

      3.5 Data transfer and recipients

When visiting and using the platforms listed above, personal data may be transferred to the USA or other third countries outside the EU; in such cases, additional safeguards are required to ensure the level of data protection provided by the GDPR. Further information on whether, and what, appropriate safeguards the providers can demonstrate in this regard can be found in the list below. We have no influence over the processing of your personal data by the provider or how it is handled. Nor do we have any information on this matter. For further information, please check the privacy policy of the respective provider and, if necessary, use the opt-out or personalisation options regarding data processing by the provider:

        Instagram

o    Privacy policy/opt-out: http://instagram.com/about/legal/privacy/

o    According to its privacy policy, Instagram (Facebook) uses standard data protection clauses to ensure an adequate level of data protection in accordance with the requirements of the GDPR for the transfer of data to the USA and other third countries outside the EU: http://instagram.com/about/legal/privacy/

         TikTok

o    Privacy policy/opt-out: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE

o    Where applicable, TikTok relies on an adequacy decision by the European Commission when transferring personal data. Otherwise, according to its privacy policy, standard data protection clauses are used to ensure an adequate level of data protection in accordance with the requirements of the GDPR for data transfers to the USA or other third countries outside the EU. https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE (section ‘Our global activities and data transfers’).

 

XVI. Comments on our website

1. Description and scope of data processing

Personal data is collected when you submit a review via our websites (e.g. the blog). In this context, we collect the data provided in the relevant form and your IP address. Providing your name and email address is voluntary.

2. Legal basis for data processing

Where the user has given their consent, the legal basis for the processing of the data is Article 6(1)(a) of the GDPR.

3. Purpose of data processing

The user gives their consent. We process the personal data entered in the form in order to handle the comment.

4. Duration of storage

The data will be deleted if the author of the comment withdraws their consent or the purpose of the processing no longer applies.

5. Right to object and right to erasure

The user may withdraw their consent to the processing of personal data at any time. They may also request that we anonymise certain details, for example by shortening the name provided. For further information, see ‘Rights of the data subject’ below.

XVII. Rights of the data subject

If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access

You may request confirmation from the controller as to whether personal data relating to you is being processed by us.

If such processing is taking place, you may request the following information from the controller:

  1. the purposes for which the personal data is being processed;
  2. the categories of personal data being processed;
  3. the recipients or categories of recipients to whom your personal data has been or will be disclosed;
  4. the envisaged period for which the personal data relating to you will be stored or, if it is not possible to provide specific details in this regard, the criteria used to determine the storage period;
  5. the existence of a right to rectification or erasure of your personal data, a right to restrict processing by the data controller, or a right to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information on the origin of the data, where the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the GDPR and – at least in such cases – meaningful information about the logic involved, as well as the significance and the intended consequences of such processing for the data subject.
  9. You have the right to request information as to whether your personal data is being transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.

2. Right to rectification

You have the right to request that the controller rectify and/or complete your personal data if the personal data concerning you that is being processed is inaccurate or incomplete. The controller must carry out the rectification without undue delay.

3. Right to restriction of processing

You may request the restriction of the processing of your personal data under the following conditions:

  1. if you contest the accuracy of the personal data relating to you for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of its use;
  3. the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims; or
  4. if you have objected to the processing in accordance with Article 21(1) of the GDPR and it has not yet been determined whether the controller’s legitimate grounds override your grounds.

Where the processing of your personal data has been restricted, such data – apart from its storage – may only be processed with your consent, or for the purpose of establishing, exercising or defending legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or a Member State.

If the restriction on processing has been imposed in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to erase

You may request that the controller erases personal data relating to you without delay, and the controller is obliged to erase such data without delay if any of the following grounds apply:

  1. The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You withdraw your consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing.
  3. You object to the processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing in accordance with Article 21(2) of the GDPR.
  4. The personal data relating to you has been processed unlawfully.
  5. The erasure of your personal data is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
  6. The personal data concerning you was collected in relation to information society services offered in accordance with Article 8(1) of the GDPR.

b) Information to third parties

Where the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) of the GDPR, the controller shall, taking into account the available technology and the cost of implementation, take reasonable measures, including technical measures, to inform controllers who are processing the personal data that you, as the data subject, have requested the erasure of all links to that personal data or of copies or replicas of that personal data.

c) Exceptions

The right to erasure does not apply where the processing is necessary

  1. for the exercise of the right to freedom of expression and information;
  2. to comply with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (these include, for example, retention obligations under commercial and tax law);
  3. for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) of the GDPR and Article 9(3) of the GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, in so far as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
  5. to establish, exercise or defend legal claims.

5. Right to information

If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to notify all recipients to whom your personal data has been disclosed of such rectification, erasure or restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the controller of the identity of these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that

  1. the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and
  2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another, insofar as this is technically feasible. The freedoms and rights of other individuals must not be adversely affected by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.

Where personal data relating to you is processed for the purposes of direct marketing, you have the right, in accordance with Article 21(2) and (3) of the GDPR, to object at any time to the processing of personal data relating to you for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.

If you object to processing for the purposes of direct marketing, your personal data will no longer be processed for these purposes.

In connection with the use of information society services – notwithstanding Directive 2002/58/EC – you have the option of exercising your right to object by means of automated procedures using technical specifications.

8. Right to withdraw consent under data protection law

You have the right to withdraw your consent to the processing of personal data at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

9. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

  1. is necessary for the conclusion or performance of a contract between you and the controller,
  2. is authorised by Union or Member State law to which the controller is subject, and that law provides for appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
  3. is based on your explicit consent.

However, such decisions must not be based on special categories of personal data as referred to in Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to safeguard your rights and freedoms as well as your legitimate interests.

With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place where the alleged infringement occurred, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.

XVIII. Validity of this Privacy Policy

We reserve the right to amend this privacy policy from time to time. The current version is available on our website. Should any amendment significantly restrict the rights of registered users, we will notify them. Furthermore, the privacy policy currently available on our website applies to our website users.

 date: 19.06.2026