Data protection

Privacy Policy

We are very pleased that you are interested in our organization. The protection of your Personal Data is particularly important to our management. As a rule, you can use our websites without disclosing any Personal Data to us. However, if you wish to use more specific services via our websites, including our other websites, applications and social media pages, we may have to process your Personal Data. If we wish to process data about you and we cannot rely on any other legal basis, we will always ask you for your Consent first (e.g. via a cookie banner).

We always comply with applicable data protection laws when handling your Personal Data (such as name, address, email or telephone number). With this Privacy Policy, we inform you about which data we process. This Privacy Policy also explains to you what rights you have as a Data Subject.

We have taken various technical and organizational measures to protect your data on our websites in the best possible way. Nevertheless, there are always risks on the internet and complete protection is not possible. For this reason, you can also transmit your Personal Data to us by other means, for example by telephone, if you prefer.

This Privacy Policy is not only intended to fulfill the obligations under GDPR and to comply with the law of the Member States of the European Union (EU) and the European Economic Area (EEA). This Privacy Policy is also intended to comply with legislation such as UK data protection laws (UK-GDPR), Swiss Federal Data Protection Act and Swiss Data Protection Ordinance (DSG, DSV), California Consumer Privacy Act (CCPA/CPRA), China's Personal Information Protection Law (PIPL), Delaware Personal Data Privacy Act (DPDPA), Tennessee Information Protection Act (TIPA), Minnesota Consumer Data Privacy Act (MCDPA), Iowa Act Relating to Consumer Data Protection (ICDPA), Maryland Online Data Privacy Act (MODPA), Nebraska Data Privacy Act (NDPA), New Hampshire Consumer Data Privacy Law (SB255), New Jersey Data Privacy Law (SB332), South Carolina Consumer Privacy Bill (House Bill 4696) and other global data protection regulations and shall be interpreted accordingly. The following Privacy Policy shall be interpreted for each country, state or federal state in such a way that the terms and legal bases used correspond to the terms and legal bases used in the respective state or federal state.

For reasons of better readability, the simultaneous use of the language forms male, female, diverse and other gender identities (m/f/d/other) is avoided on our websites, in publications, in communication and in our Privacy Policy. All formulations used apply equally to all genders.

If you have any suggestions for improving the texts in this Privacy Policy or if you want to hire an External Data Protection Officer, please contact the author of the text: Prof. Dr. h.c. Heiko Jonny Maniero, LL.B., LL.M. mult., M.L.E..

1. Definitions

In our Privacy Policy, we use special terms from various data protection laws. We want our statement to be easy to understand and therefore explain these terms in advance.

The following definitions shall be interpreted or expanded, as appropriate, based on the case law of the General Court of the European Union (EGC), the European Court of Justice (ECJ), the Swiss Federal Supreme Court (SFSC), the Supreme Court of the United Kingdom (UKSC) or on national data protection laws or national case law of a state or federal state, including but not limited to California, including case law, also under common law, if this is necessary for the application of the law in individual cases.

We use the following terms, among others, in this Privacy Policy:

a) Personal Data

Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or who must be regarded as such under national data protection legislation or national jurisdiction of a state or federal state, including under common law.

b) Data Subject

Data Subject is any identified or identifiable natural person whose Personal Data is processed by the Controller, a Processor, an international organization or another data recipient, and persons who must be regarded as such under national data protection laws or national jurisdiction of a state or federal state, including case law, also under common law.

c) Processing

Processing is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

d) Restriction of Processing

Restriction of Processing is the marking of stored Personal Data with the aim of limiting their Processing in the future.

e) Profiling

Profiling is any form of automated Processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

f) Pseudonymization

Pseudonymization is the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

g) Controller

The Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

h) Processor

A Processor is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

i) Recipient

A Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third Party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

j) Third Party

A Third Party is a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.

k) Consent

Consent is any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

2. Name and address of the Controller

The Controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and the European Economic Area, British data protection laws, Swiss data protection laws (DSG, DSV), Californian data protection law (CCPA/CPRA), Chinese data protection law (PIPL), as well as international laws and provisions with a data protection nature is:

FLBE Health GmbH
Melchiorstraße 2
68167 Mannheim
Phone.: +49 (0) 6341 - 6813504
eMail: hallo@bedrop.de
Website: www.bedrop.de

3. Name and contact details of the data protection officer

Prof. Dr. h.c. Heiko Jonny Maniero
Franz-Joseph-Str. 11
80801 München
Deutschland
Phone.: +49 (0)178 - 6264376
eMail: info@dg-datenschutz.de

4. Collection of general data and information

Our websites collect a range of general data and information each time the websites are accessed by a Data Subject or an automated system. This general data and information are stored in the log files of the respective server. Among other things, the (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system accesses our websites (so-called referrer), (4) the sub-websites which are accessed via an accessing system on our websites, (5) the date and time of access to the website, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information used for security purposes in the event of attacks on our information technology systems can be recorded.

When using this general data and information, we generally do not draw any conclusions about the Data Subject. Rather, this information is required to (1) correctly deliver the content of our websites, (2) optimize the content of our websites and the advertising for them, (3) ensure the long-term functionality of our information technology systems and the technology of our websites and (4) provide law enforcement authorities with the information necessary for criminal prosecution in the event of a cyber-attack. This anonymously collected data and information is therefore evaluated by us both statistically and with the aim of increasing data protection and data security in our organisation to ultimately ensure an optimal level of protection for the Personal Data processed by us. The data of the server log files are stored separately from all Personal Data provided by a Data Subject.

The purpose of processing is to avert danger and ensure IT security, as well as the aforementioned purposes. The legal basis is Art. 6 (1) (f) GDPR. Our legitimate interest is the protection of our information technology systems. The log files are deleted after the stated purposes have been achieved.

5. Contact possibility via the website and other data transfers and your Consent

Our website contains information that enables quick electronic contact with our organisation as well as direct communication with us, which also includes a general address of the so-called electronic mail (email address) and possibly a telephone number. If a Data Subject contacts us by email, via a contact form, via an input form or in any other way, the Personal Data transmitted by the Data Subject will be stored automatically. This Personal Data transmitted to us on a voluntary basis by a Data Subject is processed for the purposes of usage or contacting the Data Subject.

We obtain your Consent for the transmission, storage and Processing of your contact data and inquiries and for contacting you in accordance with Art. 6 (1) (a) GDPR and Art. 49 (1) (1) (a) GDPR as follows:

By transmitting your Personal Data, you voluntarily consent to the Processing of the Personal Data you have entered or transmitted for the purposes of processing the inquiry and contacting you. By transmitting your data to us, you also voluntarily give your explicit Consent in accordance with Art. 49 (1) (1) (a) GDPR to data transfers to third countries to and by the companies named in this Privacy Policy and for the purposes stated, in particular for such transfers to third countries for which there is or is not an adequacy decision by the EU/EEA and to companies or other bodies that are not subject to an existing adequacy decision on the basis of self-certification or other accession criteria and in which or for which there are significant risks and no suitable guarantees for the protection of your Personal Data (e.g. due to Section 702 FISA, Executive Order EO12333 and the CloudAct in the USA). When you gave your voluntary and explicit Consent, you were aware that there may not be an adequate level of data protection in third countries and that your data subject rights may not be enforceable. You can withdraw your Consent under data protection law at any time with effect for the future. The withdrawal of Consent does not affect the lawfulness of Processing based on Consent before its withdrawal. With a single action (entry and transmission), you give several Consents. These are Consents under EU/EEA data protection law as well as those under the CCPA/CPRA, ePrivacy and telemedia law, and other international legislation, which are required, among other things, as a legal basis for any planned further Processing of your Personal Data. With your action, you also confirm that you have read and taken note of this Privacy Policy.

6. Routine deletion and restriction of Personal Data

We process and store Personal Data for the period required to achieve the purpose of processing or if this has been provided for by the European legislator or another legislator in laws or regulations to which we are subject, or if a legal basis for the Processing exists.

If the purpose of processing no longer applies or if a storage period prescribed by the European legislator or another competent legislator expires, or if the legal basis for the Processing no longer applies, the Personal Data will be routinely restricted or deleted in accordance with the statutory provisions.

7. Rights of the Data Subject according to GDPR

a) Right to confirmation

Each Data Subject has the right to obtain from the Controller confirmation as to whether or not Personal Data concerning him or her is being processed.

If a Data Subject wishes to exercise this right, he or she may contact us at any time.

b) Right to information

Each Data Subject has the right to obtain from the Controller free information about the Personal Data stored about him/her and a copy of this data at any time. Furthermore, the European legislator has granted the Data Subject access to the following information:

• the purposes of processing,

• the categories of Personal Data that are processed,

• the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organizations,

• where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period,

• the existence of the right to request from the Controller rectification or erasure of Personal Data or Restriction of Processing of Personal Data concerning the Data Subject or to object to such Processing,

• the existence of a right to lodge a complaint with a supervisory authority,

• if the Personal Data is not collected from the Data Subject: All available information about the origin of the data,

• the existence of automated decision-making, including Profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject.

Furthermore, the Data Subject has a right to information as to whether Personal Data has been transferred to a third country or to an international organization. If this is the case, the Data Subject also has the right to obtain information about the appropriate safeguards in connection with the transfer.

If a Data Subject wishes to exercise this right, he or she may contact us at any time.

c) Right to rectification

Each Data Subject has the right to demand the immediate correction of incorrect Personal Data concerning them. Furthermore, the Data Subject has the right to request the completion of incomplete Personal Data, including by means of a supplementary declaration, taking into account the purposes of the Processing.

If a Data Subject wishes to exercise this right, he or she may contact us at any time.

d) Right to erasure (right to be forgotten)

Each Data Subject has the right, to obtain from the Controller the erasure of Personal Data concerning him or her without undue delay, and the Controller shall have the obligation to erase Personal Data without undue delay where one of the following grounds applies, as long as the Processing is not necessary:

• Personal Data was collected or otherwise processed for purposes for which it is no longer necessary.

• The Data Subject withdraws Consent on which the Processing is based according to Art. 6 (1) (a) GDPR, or Art. 9 (2) (a) GDPR, and where there is no other legal ground for the Processing.

• The Data Subject objects to the Processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the Processing, or the Data Subject objects to the Processing pursuant to Art. 21 (2) GDPR.

• Personal Data was processed unlawfully.

• The deletion of Personal Data is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the Controller is subject.

• The Personal Data was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

If one of the aforementioned reasons applies, and a Data Subject wishes to request the erasure of Personal Data stored by us, he or she may contact us at any time.

If we have made the Personal Data public and if our organisation is obliged to delete the Personal Data in accordance with Art. 17 (1) GDPR, we shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data Controllers who process the published Personal Data that the Data Subject has requested the deletion of all links to this Personal Data or of copies or replications of this Personal Data from these other data Controllers, insofar as the Processing is not necessary.

e) Right to Restriction of Processing

Each Data Subject has the right to obtain from the Controller Restriction of Processing where one of the following applies:

• The accuracy of the Personal Data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the Personal Data.

• The Processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.

• The Controller no longer needs the Personal Data for the purposes of the Processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims.

• The Data Subject has objected to Processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

If one of the aforementioned conditions is met, and a Data Subject wishes to request the restriction of the Processing of Personal Data stored by us, he or she may contact us at any time.

f) Right to data portability

Each Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit those data to another Controller without hindrance from the Controller to which the Personal Data have been provided, where Processing is based on Consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the Processing is carried out by automated means, unless the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

Furthermore, in exercising their right to data portability pursuant to Art. 20 (1) GDPR, the Data Subject has the right to have the Personal Data transmitted directly from one Controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

If a Data Subject wishes to exercise this right, he or she may contact us at any time.

g) Right to object

Each Data Subject has the right to object, on grounds relating to his or her particular situation, at any time, to Processing of Personal Data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to Profiling based on these provisions.

In the event of an objection, we will no longer process the Personal Data unless we can demonstrate compelling legitimate grounds for the Processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.

If we process Personal Data for direct marketing purposes, the Data Subject shall have the right to object at any time to Processing of Personal Data concerning him or her for such marketing. This also applies to Profiling insofar as it is associated with such direct advertising. If the Data Subject objects to us to the Processing for direct marketing purposes, we will no longer process the Personal Data for these purposes.

In addition, the Data Subject has the right, on grounds relating to his or her particular situation, to object to Processing of Personal Data concerning him or her by us for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the Processing is necessary for the performance of a task carried out for reasons of public interest.

If a Data Subject wishes to exercise this right, he or she may contact us at any time. The Data Subject is also free, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.

h) Automated decisions in individual cases including Profiling

Each Data Subject has the right not to be subject to a decision based solely on automated Processing, including Profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, provided that the decision (1) is not necessary for the conclusion or performance of a contract between the Data Subject and the Controller, or (2) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, or (3) is based on the Data Subject's explicit Consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the Data Subject and a data Controller, or (2) it is based on the Data Subject's explicit Consent, we shall implement suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and contest the decision.

If a Data Subject wishes to exercise this right, he or she may contact us at any time.

i) Right to withdraw Consent under data protection law

Each Data Subject has the right to withdraw Consent to the Processing of Personal Data at any time.

If a Data Subject wishes to exercise this right, he or she may contact us at any time.

8. General purpose of Processing, categories of processed data and categories of recipients

The general purpose of processing of Personal Data is the handling of all activities relating to the Controller, customers, interested parties, business partners or other contractual or pre-contractual relationships between the aforementioned groups (in the broadest sense) or legal obligations of the Controller. This general purpose applies if no more specific purposes for specific Processing are specified.

The categories of Personal Data that we process are customer data, prospective customer data, employee data (including applicant data) and supplier data. The categories of recipients of Personal Data are public bodies, external bodies, internal processing, intragroup processing and other bodies.

A list of our Processors and data recipients in third countries and, if applicable, international organizations is either published on our website or can be requested from us free of charge.

9. Legal basis for the Processing

Art. 6 (1) (a) GDPR serves as the legal basis for Processing operations for which we obtain Consent for a specific Processing purpose. If the Processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party, as is the case, for example, when Processing operations are necessary for the supply of goods or to provide any other service or consideration, Processing is based on Art. 6 (1) (b) GDPR. The same applies to such Processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services. If we are subject to a legal obligation which requires the Processing of Personal Data, such as for the fulfillment of tax obligations, Processing is based on Art. 6 (1) (c) GDPR.

In rare cases, it may be necessary to process Personal Data to protect the vital interests of the Data Subject or another natural person. This would be the case, for example, if a visitor were injured in our organisation and their name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other Third Party. The Processing would then be based on Art. 6 (1) (d) GDPR.

If the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, the legal basis is Art. 6 (1) (e) GDPR.

Ultimately, Processing operations could be based on Art. 6 (1) (f) GDPR. This legal basis is used for Processing operations which are not covered by any of the abovementioned legal grounds, if Processing is necessary for the purposes of the legitimate interests pursued by our organisation or by a Third Party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data. We are permitted to carry out such Processing operations in particular because they have been specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed, for example, if the Data Subject is a customer of the Controller (Recital 47 Sentence 2 GDPR).

10. Legitimate interests in Processing pursued by the Controller or a Third Party and direct marketing

If the Processing of Personal Data is based on Art. 6 (1) (f) GDPR and no more specific legitimate interests are stated, our legitimate interest is the performance of our business activities for the benefit of the well-being of our staff and our shareholders.

We may send you direct advertising about our own goods or services that are similar to the goods or services you have requested, commissioned or purchased. You may object to direct advertising at any time (e.g. by email). You will not incur any costs other than the transmission costs according to the basic rates. The Processing of Personal Data for direct marketing purposes is based on Art. 6 (1) (f) GDPR. The legitimate interest is direct marketing.

11. Duration for which the Personal Data is stored

The criterion for the duration of the storage of Personal Data is the respective statutory retention period. If there is no statutory retention period, the criterion is the contractual or internal retention period. After this period has expired, the corresponding data is routinely deleted if it is no longer required to fulfill or initiate a contract. This applies in particular to all Processing operations for which no more specific criteria have been defined.

12. Legal or contractual provisions for the provision of Personal Data; necessity for the conclusion of the contract; obligation of the Data Subject to provide the Personal Data; possible consequences of non-provision

We would like to inform you that the provision of Personal Data is partly required by law (e.g. tax regulations) or may also result from contractual obligations (e.g. information on the contractual partner). Sometimes it may be necessary for a contract to be concluded for a Data Subject to provide us with Personal Data that must subsequently be processed by us. For example, Data Subjects are obliged to provide us with Personal Data if our organisation concludes a contract with them. Failure to provide Personal Data would mean that the contract with the Data Subject could not be concluded. The Data Subject must contact us before providing Personal Data. We will inform the Data Subject on a case-by-case basis whether the provision of the Personal Data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the Personal Data and what the consequences would be if the Personal Data were not provided.

13. Existence of automated decision-making

As a responsible company, we do not normally use automated decision-making or Profiling. If, in exceptional cases, we carry out automated decision-making or Profiling, we will inform the Data Subject either separately or via a sub-item in our Privacy Policy (here on our website). In this case, the following applies:

Automated decision-making, including Profiling, may take place if (1) this is necessary for the conclusion or performance of a contract between the Data Subject and us, or (2) this is permissible on the basis of Union or Member State legislation to which we are subject and this legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the Data Subject, or (3) this takes place with the explicit Consent of the Data Subject.

In the cases referred to in Art. 22 (2) (a) and (c) GDPR, we shall implement suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests. In these cases, you have the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

Meaningful information on the logic involved and the scope and intended effects of such Processing for the Data Subject will be provided in this Privacy Policy where applicable.

14. Recipients in a third country and appropriate or adequate safeguards and how to obtain a copy of them or where they are available.

According to Art. 46 (1) GDPR, the Controller or Processor may only transfer Personal Data to a third country if the Controller or Processor has provided appropriate safeguards and if enforceable rights and effective legal remedies are available to the Data Subjects. Appropriate safeguards can be provided by standard contractual clauses without the need for special approval from a supervisory authority, Art. 46 (2) (c) GDPR.

The EU standard contractual clauses or other appropriate safeguards are agreed with all recipients from third countries prior to the first transfer of Personal Data, or the transfers are based on adequacy decisions. Consequently, it is ensured that appropriate safeguards, enforceable rights and effective legal remedies are guaranteed for all Processing of Personal Data. Any Data Subject can obtain a copy of the standard contractual clauses or adequacy decisions from us. In addition, the standard contractual clauses and adequacy decisions are available in the Official Journal of the European Union.

Art. 45 (3) GDPR authorizes the European Commission to decide by means of an implementing decision that a non-EU country ensures an adequate level of protection. This means a level of protection for Personal Data that essentially corresponds to the level of protection within the EU. Adequacy decisions mean that Personal Data can flow from the EU (as well as from Norway, Liechtenstein and Iceland) to a third country without further obstacles. Similar regulations apply to the United Kingdom, Switzerland and some other countries.

In all cases where the European Commission, or a government or competent authority of another country, has decided that a third country ensures an adequate level of protection and/or a valid framework exists (e.g., EU-U.S. Data Privacy Framework, Swiss-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework), all transfers by us to the members of such frameworks (e.g. self-certified entities) are based solely on the membership of that entity in the respective framework or on the respective adequacy decisions. If we or one of our group companies is a member of such a framework, all transfers to us or our group company are based exclusively on the membership of the respective company in this framework. If we or one of our group companies is located in a third country with an adequate level of protection, all transfers to us or our group company are based solely on the respective adequacy decisions.

Any Data Subject can obtain a copy of the frameworks from us. In addition, the frameworks are also available in the Official Journal of the European Union or in the published legal materials or on the websites of data protection supervisory authorities or other authorities or institutions.

15. Right to lodge a complaint with a data protection supervisory authority

As the Controller, we are obliged to inform the Data Subject of the existence of the right to lodge a complaint with a supervisory authority. The right to lodge a complaint is regulated in Art. 77 (1) GDPR. According to this provision, without prejudice to any other administrative or judicial remedy, every Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the Processing of Personal Data relating to him or her infringes the General Data Protection Regulation. The right to lodge a complaint has been restricted by the EU legislator to the effect that it can only be exercised with a single supervisory authority (Recital 141 Sentence 1 GDPR). This provision is intended to avoid duplicate complaints in the same matter by the same Data Subject. If a Data Subject wishes to complain about us, it is therefore requested that only one supervisory authority is contacted.

16. Data protection for applications and in the application process

We collect and process Personal Data of applicants in the application process. Processing may also take place electronically. This is particularly the case if an applicant submits relevant application documents to us electronically, for example by email or via a web form on our or third-party websites.

For applicant data, the purpose of data processing is to carry out a review of the application in the application process. For this purpose, we process all data provided by you. Based on the data submitted as part of the application, we check whether you will be invited to an interview (part of the selection process). Then, in the case of generally suitable applicants, in particular during the interview, we process certain other Personal Data provided by you that is essential for our selection decision.

The legal basis for data Processing is Art. 6 (1) (b) GDPR, Art. 9 (2) (b) and (h) GDPR, Art. 88 (1) GDPR and national legislation.

If we do not conclude an employment contract with the applicant, the application documents will be deleted no later than six months after notification of the rejection decision, provided that no other legitimate interests of the Controller stand in the way of deletion. Another legitimate interest in this sense is, for example, the provision of evidence in legal proceedings.

17. Cookies and external connections, advertising IDs and your Consent

We use cookies, advertising IDs and external connections on our websites to improve the user experience on the one hand and to optimize our advertising and existing processes on the other. Cookies are small text files that are stored by your browser on your computer or system and that contain information to identify you more quickly during a visit. Almost all modern websites use cookies, advertising IDs and/or external connections.

Cookies usually have a so-called cookie ID. This ID is unique for each cookie and helps to distinguish your browser from others. This allows us to tailor our service to your needs and provide you with personalized user experience. Cookies also make it easier for you to use websites. For example, you do not have to log in to an online store or website every time a cookie remembers your data. You can deactivate the use of cookies in your browser at any time or delete stored cookies. We would like to point out that you may not be able to use all the functions on our websites without the stored cookies.

Advertising IDs are tied to your hardware. This ID is unique for each device and helps to distinguish your devices from others. This allows us to tailor our service to your needs and provide you with personalized user experience.

External connections are established to load and store external content and external cookies, and aim to optimize the user experience, advertising and our processes. The legal basis for the storage and reading of our cookies, advertising IDs and the establishment of external connections are the aforementioned legitimate interests (Art. 6 (1) (f) GDPR), unless separate Consent has been obtained from you in accordance with Art. 6 (1) (a) GDPR and/or Art. 49 (1) (1) (a) GDPR.

The following applies to all cookies, advertising IDs and external connections integrated in a cookie banner:

By clicking on the Consent button in our cookie banner, you voluntarily consent to the setting or activation of the respective cookies and external connections, as well as to the transmission of advertising IDs and operating system advertising IDs, such as AdIDs (Android), IDFAs (Apple) or the Windows advertising ID, (Consent pursuant to Art. 6 (1) (a) GDPR), the functions of which are explained in more detail in this Privacy Policy or in the documents or external links linked below and are therefore known to you. By clicking the Consent button, you also voluntarily give your explicit Consent in accordance with Art. 49 (1) (1) (a) GDPR to personalized advertising, Advertising ID transfers and for other data transfers to third countries for and by the companies and purposes mentioned in this Privacy Policy, in particular for such transfers to third countries for which there is or is not an adequacy decision of the EU/EEA and to companies or other entities that are not subject to an existing adequacy decision due to self-certification or other accession criteria, and in or for which there are significant risks and no appropriate safeguards for the protection of your Personal Data (e.g. due to Section 702 FISA, Executive Order EO12333 and the CloudAct in the USA). When giving your voluntary and explicit Consent, you were aware that there may not be an adequate level of data protection in third countries and that your data subject rights may not be enforceable. You can withdraw your Consent under data protection law at any time with effect for the future, e.g. by changing your cookie settings or deleting your cookies. The withdrawal of Consent does not affect the lawfulness of Processing based on Consent before its withdrawal. With a single action (pressing the Consent button), you give several Consents. These are Consents under EU/EEA data protection law as well as those under CCPA/CPRA, ePrivacy and telemedia law, and other international legislation, which are necessary, among other things, for storing and reading out information and are required as a legal basis for any planned further Processing of the data read out. Your Consent includes, in particular, explicit Consent to all downstream data Processing by third-party providers, which may also take place in unsafe third countries, in particular for personalized and targeted advertising, by all companies named in our Privacy Policy, as well as their sub-Processors and Controllers who receive or get transmitted data from these third-party providers or us within a data Processing chain. You are aware that you can refuse your Consent by clicking on the other button or, if necessary, make individual settings. By doing so, you also confirm that you have read and acknowledged this Privacy Policy.

For all cookies and external links included in our cookie banner, in addition to the legal bases listed in other areas of this Privacy Policy, the Consent pursuant to Art. 6 (1) (a) GDPR and/or the explicit Consent pursuant to Art. 49 (1) (1) (a) GDPR also apply as legal bases.

18. Data protection provisions about the application and use of Google Chrome

We use Google Chrome web browser to use web-based applications, to display Internet content and to integrate browser-based business services. Google Chrome is provided by Google and offers numerous functions, including synchronization via Google accounts, integration with other Google services, automated form entries, voice control and the use of extensions and security technologies. When using Google Chrome, personal data may be processed, especially if the browser is linked to a Google account or users voluntarily activate synchronization services and extensions. The processed data includes IP addresses, search queries, Browse history, installed extensions, location data, language settings and technical device information.

If the user is logged in with a Google account, Chrome activities such as the history of visited pages, bookmarks, passwords and other browser settings can be synchronized across devices and stored on Google servers. In addition, Chrome collects diagnostic data and usage statistics to improve the stability, security and performance of the browser, if this function is activated. Personal data is also processed locally or on the server when forms are automatically completed (e.g., addresses or credit card details). Chrome can also use third-party tools such as Safe Browse or translation services, which also trigger data processing operations.

The company that operates the service and thus the recipient of personal data is: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For data subjects in the EU and EEA, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Google UK Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Google Switzerland GmbH, Brandschenkestrasse 110, 8002 Zurich, Switzerland.

Purposes for which personal data are to be processed and the legal basis for the processing: The processing serves the secure, stable and personalized use of the web browser, the synchronization of user preferences, the improvement of browser performance, the protection against harmful content and the integration with other Google services. Processing is carried out on the basis of Art. 6 (1) (b) GDPR, i.e., for the performance of a contract to which the data subject is party, and Art. 6 (1) (f) GDPR. The legitimate interest lies in the secure provision of Internet functions, technical stability, user-friendliness and the integration of services to optimize online experience.

The company that operates the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company that operates the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate safeguards from us.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Google Chrome can be retrieved at https://policies.google.com/privacy.

19. Data protection provisions about the application and use of Amazon Web Services (AWS)

Amazon Web Services (AWS) is a comprehensive and widely used cloud computing service. AWS offers a wide range of infrastructure services such as computing power, storage and database services that enable companies and developers to host and manage applications and services on a highly available platform.

When using AWS services, Personal Data and other sensitive information may be processed and stored, including but not limited to names, addresses, email addresses, payment information, as well as data generated by or uploaded to the AWS services.

The company that operates the service and thus the recipient of personal data is: Amazon.com, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, USA. For data subjects in the EU and EEA, Amazon EU S.à.r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Amazon UK Services Ltd., 1 Principal Place, Worship Street, London, EC2A 2FA, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Amazon Web Services Switzerland GmbH, Mythenquai 10, 8002 Zürich, Switzerland.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of using Amazon AWS is the use of cloud computing services that enable us to host and operate applications and services securely and efficiently, and hosting. Processing is based on Art. 6 (1) (f) GDPR. Our legitimate interest lies in the reliable and secure provision of our IT infrastructure and the associated services and the improvement and security of the services.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. Amazon may be a certified member of one or more of the Data Privacy Frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate safeguards from us.

The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the company operating the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service.

Further information and the applicable data protection provisions of Amazon Web Services can be found at https://aws.amazon.com.

20. Data protection provisions about the application and use of BootstrapCDN

BootstrapCDN is used by us to optimize the loading times of our websites and to ensure a consistent design. By delivering Bootstrap, a widely used front-end library, via a content delivery network, we can ensure that our web pages load quickly and efficiently, resulting in improved user experience. BootstrapCDN also allows us to access the latest versions of Bootstrap without having to manually update them on our servers.When using BootstrapCDN, data such as IP addresses of the users of our website are collected to process the request for the Bootstrap resources. This information is used to optimize the service and to ensure that content is delivered efficiently to end users.

The company that operates the service and thus the recipient of personal data is: Volentio JSD Limited, Northside House, Mount Pleasant, Barnet, EN4 9EB, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is to optimize loading times and improve the user experience on our website. Processing is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in the efficient and secure provision of web content.the Company may have entered into one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate safeguards from us.

Further information and the applicable data protection provisions of BootstrapCDN may be retrieved under https://www.bootstrapcdn.com.

21. Data protection provisions about the application and use of jsDelivr

jsDelivr is a public, free content delivery network that enables developers to efficiently host and deliver web libraries, jQuery plugins, CSS frameworks, fonts and other JavaScript resources. By using jsDelivr, web developers can improve the load times of their websites by ensuring that these resources are loaded from servers that are geographically closer to the end users.When using jsDelivr, data such as users' IP addresses, type of resources requested, time of access and browser information are processed. This data is mainly collected for the provision of the service, performance optimization and security purposes. jsDelivr uses data protection and security measures to protect the data collected, with particular attention paid to compliance with the General Data Protection Regulation and other data protection laws.

The company that operates the service and thus the recipient of personal data is: Volentio JSD Limited, Northside House, Mount Pleasant, Barnet, EN4 9EB, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the efficient provision of web content via the CDN. The Processing is carried out on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR, namely optimizing the loading times of websites, improving the user experience and ensuring the security of the service.

Further information and the applicable data protection provisions of jsDelivr may be retrieved under https://www.jsdelivr.com.

22. Data protection provisions about the application and use of Google Fonts

Google Fonts is a free service from Google LLC that provides web developers with a wide range of fonts to improve the design and aesthetics of websites. By integrating Google Fonts, web developers can ensure that texts on their websites are displayed consistently and as intended on different devices and browsers. Google Fonts is provided via Google servers, ensuring high availability and fast loading times.

When using Google Fonts, Personal Data such as IP addresses and browser information may be processed, as a request is sent to the Google servers when the fonts are loaded. This data is used to provide the service, optimize performance and prevent misuse.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is to use and optimize the font service for web developers and end users. Processing is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in improving the user experience on websites by providing a variety of fonts and ensuring fast loading times.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of Google Fonts can be found at https://policies.google.com/privacy.

23. Data protection provisions about the application and use of jQuery

jQuery is a widely used JavaScript library used by web developers to simplify and speed up HTML document management, event handling, animation and Ajax interactions. The use of jQuery on our website serves to create a smoother and more interactive user experience. When visiting our website, jQuery can be used to collect certain data, such as information about user behavior and interactions on the site. The Processing takes place indirectly and is primarily aimed at improving website performance and user-friendliness. jQuery itself, as a client-side library, stores or processes Personal Data on its own servers. jQuery is executed in the user's browser and can be used for dynamic content updates by also transmitting data to external servers.

The company that operates the service and thus the recipient of personal data is: The jQuery Foundation, c/o OpenJS Foundation, 1 Letterman Drive, Suite D4700, San Francisco, CA 94129, USA.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of using jQuery is to improve the user experience on our website through an efficient interaction experience. Processing is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in the provision and use of a functional, user-friendly and visually appealing website.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

jQuery's Privacy Policy is available at https://jquery.com/.

24. Data protection provisions about the application and use of Google Analytics

Google Analytics is a tool from Google LLC that provides website and app operators with detailed statistics on traffic and user behavior. It enables the collection and analysis of data on website visits, user interactions and conversion rates, which helps operators to understand and optimize their online presence. Google Analytics uses cookies to collect information about user behavior, including page views, time spent on the site and the paths users take on the site.

When using Google Analytics, Personal Data such as IP addresses, browser information and interaction data are processed. This data helps website operators to measure the performance of their website, improve the user experience and develop targeted marketing strategies.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the analysis and optimization of websites and apps and advertising. Processing is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in improving the website, increasing user-friendliness and the effectiveness of online marketing.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of Google Analytics can be found at https://policies.google.com/privacy.

25. Data protection provisions about the application and use of Klaviyo

Klaviyo is a powerful email marketing platform designed specifically for e-commerce companies. It enables companies to create personalized and targeted marketing campaigns to strengthen their customer relationships and increase sales. Klaviyo offers features such as automated email sequences, customer list segmentation, integrations with e-commerce platforms and detailed analytics tools to measure the effectiveness of marketing campaigns.When using Klaviyo, Personal Data such as names, email addresses, purchase history, website usage data and, in some cases, demographic information is processed. This data is used to enable personalized marketing communications, create user segments and analyze customer interactions with marketing campaigns.

The company that operates the service and thus the recipient of personal data is: Klaviyo, Inc., 125 Summer St, Floor 7, Boston, Massachusetts 02110, USA. For data subjects in the EU and EEA, EDPO, Ground Floor, 71 Lower Baggot Street, Dublin D02 P593, Ireland acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: EDPO UK, 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: EDPO Switzerland, Rue de Lausanne 37, 1201 Geneva, Switzerland.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the use and optimization of email marketing services. The Processing in the system is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in the effective communication with customers and interested parties as well as in the optimization of our processes. The Processing of email addresses is based on the Consent of the recipient in accordance with Art. 6 (1) (a) GDPR, the explicit Consent of the recipient in accordance with Art. 49 (1) (1) (a) GDPR or on the performance of a contract or pre-contractual measures in accordance with Art. 6 (1) (b) GDPR.The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. Klaviyo may have concluded one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate safeguards from us.

Further information and the applicable data protection provisions of Klaviyo may be retrieved under https://www.klaviyo.com.

26. Data protection provisions about the application and use of Google Marketing Platform

The Google Marketing Platform is an integrated advertising and analytics platform from Google LLC that enables companies and advertisers to efficiently plan, implement and analyze their online marketing activities. It combines various services such as Google Analytics, Data Studio, Optimize, Tag Manager, Audience Center, Surveys, Campaign Manager and Display & Video 360 to support data-driven marketing and create personalized advertising campaigns across different channels and devices.

When using the Google Marketing Platform, Personal Data such as web usage data, including cookies, IP addresses, advertising IDs and interaction data with advertisements are processed. This information is necessary to manage advertising campaigns, carry out target group analyses, measure the effectiveness of marketing strategies and offer users relevant advertising content.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the analysis and optimization of online marketing and advertising activities. Processing is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in the effective design and personalization of advertising campaigns to meet both our needs and the preferences of users.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of the Google Marketing Platform can be found at https://policies.google.com/privacy.

27. Data protection provisions about the application and use of Google Tag Manager

Google Tag Manager is a tag management system from Google LLC that allows website and app operators to easily implement and manage tags for web analytics and marketing optimization tools without having to change the source code of their websites or apps. Tags are small snippets of code that are used to analyze website data, understand user behavior, and monitor the effectiveness of online marketing campaigns. Google Tag Manager supports the integration of a variety of tags, including Google Analytics, Google Ads and many third-party tags.

The service allows users to manage and trigger tags that can collect data. This data is processed and stored by the respective tags and not by the Google Tag Manager.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of using Google Tag Manager is to simplify tag implementation and tag management. Processing is based on Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in optimizing and increasing the efficiency of tag management and the associated web analysis and marketing activities.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of Google Tag Manager can be found at https://policies.google.com/privacy.

28. Data protection provisions about the application and use of Microsoft Advertising

Microsoft Advertising is an advertising platform that enables us to place online advertisements and optimize the performance of our advertising measures. By using Microsoft Advertising, personal data such as IP addresses, interaction data and information about websites visited are processed. This data helps us to show our ads to relevant users in a targeted manner and to analyze the performance of the campaigns. Microsoft uses this data to improve the display results and present targeted advertising based on user interactions. This precise targeting enables us to optimize our marketing strategies and increase conversion rates.

The company that operates the service and thus the recipient of personal data is: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. For data subjects in the EU and EEA, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Microsoft Limited, Microsoft Campus, Thames Valley Park, Reading, RG6 1WG, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Microsoft Schweiz GmbH, Seestrasse 356, 8038 Zurich, Switzerland.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to improve targeting and advertising campaign performance. The processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in efficient and targeted advertising and the improvement of campaign effectiveness.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of personal data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the company operating the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service.

Further information and the applicable data protection provisions can be found at https://ads.microsoft.com/.

29. Data protection provisions about the application and use of Microsoft Clarity

Microsoft Clarity is a tool for analyzing user behavior on websites. It enables us to understand the click behavior and interactions of users on our website in order to improve the user experience. Microsoft Clarity processes personal data such as IP addresses, information about browsers and device information as well as click and scroll behavior. This data is used to analyze the effectiveness of our website and to make possible optimizations in the user guidance. It also helps us to identify technical problems on the website and to improve the performance of the website in order to offer visitors an even better user experience.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to improve the user experience and website optimization by analyzing user behavior. The processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in the improvement of website performance and user guidance.

The company operating the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions can be found at https://clarity.microsoft.com/.

30. Data protection provisions about the application and use of Facebook

Facebook is a social network that offers people the opportunity to connect, share content and communicate online. Users can create profiles, post photos and videos, exchange messages and organize themselves into groups. Facebook also offers companies and organizations a platform for advertising and interacting with their target group.When using Facebook, Personal Data such as names, email addresses, telephone numbers, usage data, location information and information on shared content is processed. This data is necessary to provide the platform, offer personalized content and advertising, ensure user safety and develop new services.

The company that operates the service and thus the recipient of personal data is: Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA. For data subjects in the EU and EEA, Meta Platforms Ireland Ltd., Merrion Road, Dublin D04 X2K5, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Meta Platforms Technologies UK Ltd, 10 Brock Street, Regent's Place, London, NW1 3FG, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is to use and improve the social network functions and network services. Processing is based on Art. 6 (1) (b) GDPR for the performance of a contract to which the Data Subject is party and Art. 6 (1) (f) GDPR, whereby our legitimate interest lies in improving the user experience, providing personalized content and advertising and ensuring the security of the network.The company operating the service is located in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of Facebook can be found at https://facebook.com.

31. Data protection provisions about the application and use of Pinterest

Pinterest is a platform for visual discoveries that allows us to share and save images, ideas and content. When using Pinterest, personal data such as usage data, search queries, IP addresses and interaction data with content are processed in order to personalize the user experience and suggest content. This data is used to improve recommendations, provide personalized advertising and optimize the use of the platform.

The company that operates the service and thus the recipient of personal data is: Pinterest, Inc., 651 Brannan Street, San Francisco, CA 94107, USA. For data subjects in the EU and EEA, Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to improve the user experience through personalized content and recommendations as well as advertising. The processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in the provision of relevant content and personalized advertising.

The company that operates the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company that operates the service may have concluded one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate safeguards from us.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. As a rule, the provision of personal data is neither legally nor contractually required, nor is it necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service.

Further information and the applicable data protection provisions of Pinterest may be retrieved under https://www.pinterest.com/.

32. Data protection provisions about the application and use of Trusted Shops

Trusted Shops offers a comprehensive trust and review management system for online stores that builds trust between buyers and sellers. With its seal of approval, buyer protection and customer reviews, Trusted Shops helps to increase security and satisfaction when shopping online. Users can assess the quality of online stores based on reviews from other customers and benefit from buyer protection in the event of non-delivery or return of goods.When using Trusted Shops, Personal Data such as names, email addresses, order data and reviews of buyers are processed. This data is required to provide the services, manage user accounts, ensure buyer protection and publish authentic customer reviews.

The company that operates the service and thus the recipient of personal data is: Trusted Shops SE, Subbelrather Straße 15c, 50823 Cologne, Germany.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of data processing is the use of trust services for online shoppers. Processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR, to which the Data Subject is a party, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as the promotion of trust in e-commerce and in us.

Further information and the applicable data protection provisions of Trusted Shops can be found at https://www.trustedshops.de.

33. Data protection provisions about the application and use of Outbrain Amplify

We use Outbrain Amplify to push relevant content, articles and recommendations within a network of premium websites and publishers. The service generates personalized content recommendations based on user interactions and interest profiles to increase reach and user engagement. Personal data may be processed during this activity - in particular data that is generated when the content is displayed and clicked on. The data processed includes IP addresses, browser types, operating systems, device data, pages visited, click patterns, time stamps and anonymized user IDs.

Processing is automated via Outbrain's cloud infrastructure. Connection information and interaction data is collected via scripts or image displays on our website and transmitted to Outbrain. Outbrain uses this data to analyze the user's interest profile and suggest suitable content.

The company that operates the service and therefore the recipient of personal data is: Outbrain, Inc., 111 W 19th St, 3rd Floor, New York, NY 10011, USA.

The company that operates the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company that operates the service may be a certified member of one or more of the data privacy frameworks. You can find more information at dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate safeguards from us.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to display personalized content recommendations, analyze user interactions and increase targeting in the publishing network. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in optimizing our content marketing, improving the relevance of recommendations and increasing the effectiveness of campaigns.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Outbrain Amplify can be found at https://www.outbrain.com/.

34. Data protection provisions about the application and use of MarketGid

We use MarketGid, a service platform for content marketing and native advertising, to display relevant advertising content on our website in a qualified manner. The service analyzes visitor interactions in order to provide suitable recommendations that increase user interest and boost engagement. Usage transactions are recorded - including IP addresses, browser data and operating system data, device type, referrer URL, click behaviour, page history, length of stay and anonymized visitor IDs.

Processing is automated via MarketGid's cloud infrastructure. Scripts on our website collect interaction data and send them to MarketGid in order to evaluate user interest and customize our advertising offers.

The company that operates the service and therefore the recipient of personal data is: MGID, Inc., 1149 3rd Street No. 210, Santa Monica, CA 90403, USA.

The company that operates the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company that operates the service may be a certified member of one or more of the data privacy frameworks. You can find more information at dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate safeguards from us.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the presentation of advertising tailored to interests and the evaluation of user interactions to optimize content campaigns. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in the effective monetization of content, improving the relevance of advertising content and enhancing the user experience.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of MarketGid can be found at https://www.mgid.com/.

35. Data protection provisions about the application and use of BidSwitch

We use BidSwitch, a company from the advertising ecosystem that helps us to select, optimize and deliver ads via various publishers and SSPs (supply-side platforms). The service processes technical usage data to improve the performance of advertising campaigns. Among other things, IP addresses, browser information and device data, referrer URLs, timestamps, location at country level, page history, request parameters and anonymized user IDs are processed.

Processing is automated via BidSwitch's cloud infrastructure. As soon as ad impressions or bid requests are generated, BidSwitch collects the data, analyzes it at and routes corresponding ad orders to DSPs (demand-side platforms). The aim is to control and optimize the availability of advertising space in real time.

The company that operates the service and therefore the recipient of personal data is: Criteo S.A., 32 Rue Blanche, 75009 Paris, France.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the real-time control and delivery of advertising requests, the analysis of ad effectiveness and the optimization of our digital advertising setup. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in the efficient monetization of our digital advertising space, the optimization of the target group approach and the increase in campaign performance.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of BidSwitch can be found at https://www.bidswitch.com/.

36. Data protection provisions about the application and use of Index Exchange

We use Index Exchange as an advertising exchange for the display and management of online advertising campaigns. The service enables us to place bids for advertising space in real time and organize them in order to optimize reach and efficiency. Technical data is processed in order to automatically handle advertising calls or advertising bids. The data processed includes IP addresses, browser information and device data, referrer information, timestamps and application-related parameters, anonymized user IDs and pseudonymized profile data.

Processing is automated via the global infrastructure of Index Exchange. Metadata records for real-time auctions are transferred to the platform each time an ad is called up and evaluated there. Index Exchange analyzes this information in order to effectively manage advertising budgets and campaigns.

The company that operates the service and therefore the recipient of personal data is Index Exchange Inc., 8 Spadina Avenue, Suite 2900, Toronto, Ontario, M5V 0S8, Canada.

The company that operates the service and therefore the recipient of personal data is based in a country that has been recognized by the European Commission as having an adequate level of data protection. Therefore, no additional guarantees are required for the data transfer.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the real-time control of advertising requests, bid optimization, fraud prevention and campaign controlling. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in the effective monetization of our digital reach, in the optimization of ad placement and advertising impact and in the reduction of advertising fraud.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. If you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Index Exchange can be found at https://www.indexexchange.com/.

37. Data protection provisions about the application and use of Facebook Custom Audience

We use Facebook Custom Audience to display targeted advertising on Facebook and Instagram based on user information such as email addresses, telephone numbers or website interactions (e.g. pixel events such as purchase, shopping cart, page visit). In the course of use, personal data is transmitted, in particular hash values of email addresses or telephone numbers, pixel-based event data (e.g. which page was visited or which product was viewed), IP address, device type, browser information and timestamp of the interaction.

Processing is automated via Meta's systems. The hash values are first created locally by us and sent to the platform. Meta processes this data in order to carry out target group comparisons and enable targeted ads.

The company that operates the service and therefore the recipient of personal data is: Meta Platforms, Inc., 1 Meta Way, Menlo Park, CA 94025, USA. For data subjects in the EU and EEA, Meta Platforms Ireland Ltd, Merrion Road, Dublin D04 X2K5, Ireland acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Meta Platforms Technologies UK Ltd, 10 Brock Street, Regent's Place, London, NW1 3FG, United Kingdom.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to optimize and measure advertising on Meta's platforms. Processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in the effective placement of advertising and the improvement of campaign performance.

The criteria for determining the duration for which the personal data is processed are the contractual relationship with Meta and statutory or contractual retention periods. The provision of personal data is not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide us or Meta with personal data. If you do not provide personal data, our services or advertising cannot be personalized.

Further information and the applicable data protection provisions of Facebook Custom Audience can be found at https://facebook.com.

38. Data protection provisions about the application and use of Adscale

We use Adscale, a platform for the automation of performance marketing campaigns (e.g. Google Ads, Facebook Ads), to efficiently optimize ads and dynamically adapt target groups. The service helps us to control campaign budgets, reach relevant target groups and automatically optimize ad formats. Personal data may be processed during this activity - in particular data collected in the context of clicks and conversions. Processed data includes IP addresses, device types, browser information, location data (if enabled), click behaviour, conversion metadata (e.g. purchase, lead), timestamps and anonymized user IDs.

Processing is automated via Adscale's cloud-based infrastructure. Campaigns are fed with performance data in real time, whereupon the platform algorithms adjust campaign parameters, playout time and budget allocation based on this data. Adscale also processes aggregated and pseudonymized data to improve the effectiveness of the ads.

The company that operates the service and therefore the recipient of personal data is: Adscale Ltd, Hadamar 3, Hi-Tech Park POB 1550, Yokneam, Israel.

The company that operates the service and thus the recipient of personal data is based in a country that has been recognized by the European Commission as having an adequate level of data protection. Therefore, no additional guarantees are required for the data transfer.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the automated control and optimization of online advertising campaigns by analyzing user interactions and conversion data. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in increasing the effectiveness of advertising, the targeted delivery campaigns and the efficient use of advertising budgets.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and Adscale or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or Adscale with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Adscale can be found at https://adscale.com/.

39. Data protection provisions about the application and use of Taboola

We use Taboola, a platform for content discovery and native advertising, to display thematically relevant content, recommendations and advertisements on our website. The service analyzes user interactions and interest profiles in order to display relevant content and increase the length of stay. Technical and pseudonymized usage data may be processed - including IP addresses, browser information and device data, referrer URL, click behavior, page history, timestamps and anonymized user IDs.

Processing is automated via Taboola's cloud infrastructure. Scripts on our website collect data on page views or clicks and send them to Taboola for analysis. Taboola uses this information to optimize and display personalized recommendations.

The company that operates the service and therefore the recipient of personal data is: Taboola, Inc., 16 Madison Square West, 7th Floor, New York, NY 10010, USA. For data subjects in the EU and EEA, Lionheart Squared (Europe) Ltd, 2 Pembroke House, Upper Pembroke Street 28-32, Dublin, D02 EK84, Ireland acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Taboola Europe Limited, Aldgate House, 2nd Floor, 33 Aldgate High Street, London EC3N 1DL, United Kingdom.

The company that operates the service is based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards, as referred to in Art. 46 (2) GDPR. The company that operates the service may have concluded one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate safeguards from us.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the display of thematically appropriate content and advertising, the analysis of user interactions and the optimization of content displays. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in increasing user loyalty, improving the relevance of our content and monetizing our website.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and Taboola or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or Taboola with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Taboola can be found at https://www.taboola.com/.

40. Data protection provisions about the application and use of Google Dynamic Remarketing

We use Google Dynamic Remarketing to display personalized ads to visitors to our website based on their previous interactions with our web shop or our website. The service enables us to show product recommendations based on items viewed by the user, abandoned shopping baskets or other Browse behavior. Personal data may be processed during use - in particular technical and device-related information. Processed data includes IP address, browser data and operating system information, device type, pages visited, products viewed, click behavior, timestamps, subsequent conversions and anonymized user IDs generated by cookies or similar tracking technologies.

Processing is automated via Google's cloud services. When the website is visited, the integrated Google remarketing tag records data on user interactions and provides it with a cookie or device label. This data is then used to create an interest profile and enables relevant advertisements to be displayed on partner sites in the Google advertising network. Google also uses data to evaluate the effectiveness of the ads and to measure conversions.

The company that operates the service and therefore the recipient of personal data is: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. For data subjects in the EU and the EEA, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Google UK Limited, Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ, United Kingdom. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: Google Switzerland GmbH, Brandschenkestrasse 110, 8002 Zurich, Switzerland.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the personalized targeting of users through advertising and the improvement of campaign performance. Processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in the effective advertising of our products and increasing our reach.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions can be found at https://support.google.com.

41. Data protection provisions about the application and use of Yotpo

We use Yotpo, a platform for customer reviews, loyalty programs and marketing automation, to collect authentic feedback, encourage reactions to products and enable targeted post-purchase approaches. The service helps us to integrate reviews, star ratings, image ratings, Q&A functions and recommendation programs on our website. Personal data is processed in the course of use - in particular data that users provide when submitting reviews or that is transmitted technically. The data processed includes name or alias, email address, uploaded images, rating texts, time of submission, IP address, browser data and device data, location data and interaction behavior with the rating widgets.

Processing is automated via Yotpo's cloud infrastructure. After the purchase or at a defined point in time, customers are invited by email to submit a review. Submitted content is presented in publicly visible modules and at the same time used internally for analysis and quality control. Technical usage data is processed to improve review experience, enable moderation processes and detect fraud.

The operating company of the service and thus the recipient of the personal data is: Yotpo Ltd, 35 HaMasger St, Tel Aviv, Israel. For data subjects in the EU and EEA, SMSBump Ltd, 6 Shipka St, Sofia 1504, Bulgaria, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Yotpo UK Ltd, Shoreditch High St, Montacute Yards, London E1 6HU, United Kingdom.

The operating company of the service and thus the recipient of the personal data is based in a country that has been recognized by the European Commission as having an adequate level of data protection. Therefore, no additional guarantees are required for the data transfer.

Purposes for which the personal data is to be processed and the legal basis for the processing: The purpose of the processing is to collect, manage and present customer feedback, to increase the trustworthiness of our offers, to promote ratings and interaction by users and to support loyalty programs for customer retention. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in improving our products and services through genuine feedback, increasing visibility in the market and promoting customer loyalty.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company operating the service or statutory or contractual retention periods. The provision of personal data is generally not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide us or the operating company with personal data. However, if you do not provide it, you will not be able to use our services or those of the operating company.

Further information and the applicable data protection provisions of Yotpo can be found at https://www.yotpo.com/.

42. Data protection provisions about the application and use of Facebook Connect

We use Facebook Connect to give users the opportunity to easily register or log in to our website using their Facebook login. The service facilitates access by automating login processes and transferring profile information. In the course of use, personal data may be processed - in particular data that users provide or are technically transmitted by Facebook. The data processed includes name, email address, profile picture, language settings, Facebook ID, IP address, browser data and device data as well as the time stamp of the login.

Processing is automated via Meta's systems. As soon as users log in with Facebook, Facebook provides us with an authenticated connection and confirms their identity and the shared profile information. The data transfer is encrypted. Meta uses this information for authentication, to improve user security and to analyze login behavior. We only receive the data that has been requested as authorization.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to optimize the registration process. Processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in the efficient registration within our systems and websites.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions can be found at https://facebook.com.

43. Data protection provisions about the application and use of Shopify CDN

We use Shopify CDN to efficiently deliver static content such as images, stylesheets and scripts from our web shop platform and to optimize the loading speed for visitors. The service ensures that our media content is delivered quickly and reliably worldwide by distributing it via a global content delivery network. Personal data may be processed during use - in particular for the transmission of content. The IP address, browser type, device data, operating system, requested files, time stamp, language settings and, if applicable, referrer information are processed for this purpose.

Processing is automated via Shopify's CDN infrastructure as soon as a user request is triggered. The service receives corresponding access requests, delivers the requested files and logs technical metadata for performance monitoring and security purposes. Shopify uses HTTPS encryption, data caching and monitoring mechanisms to ensure fast, secure and stable delivery.

The company that operates the service and therefore the recipient of personal data is: Shopify, Inc., 151 O'Connor Street, Ottawa K1P 5H3, Canada. For data subjects in the EU and EEA, Shopify International Ltd, Haddington Road, 2nd Floor, 1-2 Victoria Buildings, Dublin D04 XN32, Ireland acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Shopify UK Ltd, 1 Bartholomew Lane, London EC2N 2AX, United Kingdom.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the technical and organizational provision of our web shop, including the presentation of goods, processing of orders, payment integration, customer support, stock management and marketing analyses. Processing is carried out on the basis of Art. 6 (1) (b) GDPR for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract, as well as on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in the secure, economic and functional handling of e-commerce operations, the improvement of customer satisfaction, the analysis of key business figures and the legally compliant implementation of global online sales through the efficient delivery of web content.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required, nor is it necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Shopify CDN can be found at https://cdn.shopify.com/.

44. Data protection provisions about the application and use of TikTok Analytics

We use TikTok Analytics to analyze the performance of our TikTok content, posts and campaigns in a meaningful way. The service provides metrics such as views, interactions, viewer behavior, demographics and reach. We process data to optimize our social media presence. The data processed includes the number of video views, likes, shares, comments, length of stay, demographic data (age range, gender), location data on a country basis, device type, IP address and timestamps of interactions.

Processing is automated via TikTok's cloud-based platform. When content is published or advertised, certain events and usage information are collected for measurement purposes and transmitted to the analysis services. This allows, for example, particularly successful content to be recognized and improved in a targeted manner.

The company that operates the service and therefore the recipient of personal data is: TikTok Technology Limited, 2 Cardiff Lane Grand, Canal Dock, Dublin, D02 E395, Ireland.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the data processing lies in the use of the video platform and the analysis of our content. Processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR, to which the data subject is a party, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as the use of a platform for advertising, the analysis of our content and the increase of our market presence.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of TikTok Analytics can be found at https://www.tiktok.com.

45. Data protection provisions about the application and use of Google APIs

We use Google APIs to integrate functions such as geodata, calendar integration, cloud storage or database access into our applications and services. These programming interfaces allow us to access user data, device information and system-relevant services and thus, for example, to synchronize appointments, visualize locations or retrieve cloud content. As part of this processing activity, personal data may be processed - especially when users link Google accounts or data requests are triggered. The data processed includes name, email address, calendar data or document information, location data, IP address, device type, browser information, times of use, API requests and associated metadata.

Processing is automated via Google's cloud infrastructure. When API calls are made, our application sends requests to Google servers that return or update user information. Google processes this data to verify access rights, provide content and enable functions such as synchronization or analysis.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the use of Google APIs. Processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in the efficient implementation of processes using APIs.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither required by law or contract nor necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions can be found at https://support.google.com.

46. Data protection provisions about the application and use of GitHub Pages

We use GitHub Pages to host static content from our website, documentation and blogs directly in our GitHub repositories. The service makes it easy to provide and update HTML, CSS and JavaScript files without having to operate your own servers. Personal data may be processed in the course of use - in particular technical access data when websites are accessed. Processed data includes IP address, browser type, operating system, device data, requested files, timestamps, referrer information and language settings.

Processing is automated via GitHub's cloud infrastructure. As soon as a user accesses our site, GitHub Pages delivers the content and logs system-related metadata to analyze availability, detect errors and optimize delivery.

The company that operates the service and therefore the recipient of personal data is: GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, 94107 CA, USA.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the publication of websites, documentation and blogs. Processing is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in economic efficiency and increasing reach via GitHub.

The criteria for determining the duration for which the personal data is processed are the contractual relationship with GitHub or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions can be found at https://pages.github.com/.

47. Data protection provisions about the application and use of Klaviyo Forms

We use Klaviyo Forms to provide customized registration forms, contact forms or feedback forms on our website. The tools enable us to collect email addresses, names and preferences of visitors in order to initiate targeted newsletters, offer communication or automatic follow-up messages. Personal data is processed when users actively fill out forms. Data collected includes name, email address, location data, time of use, IP address, browser information and device information as well as tool interaction data.

Processing is automated via Klaviyo's cloud infrastructure. Forms are dynamically integrated and transmitted form data is transferred directly to Klaviyo. Contact data is stored there and organized in campaign lists. Technical metadata is logged to monitor form functionality, detect spam activity and optimize usability.

The company that operates the service and therefore the recipient of personal data is: Klaviyo, Inc., 125 Summer St Floor 6, Boston, MA 02110, USA.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the use and optimization of email marketing services. The processing in the system is based on Art. 6 (1) (f) GDPR, whereby the legitimate interest lies in effective communication with customers and interested parties as well as in the optimization of our processes. The processing of email addresses is based on the consent of the recipient in accordance with Art. 6 (1) (a) GDPR, the express consent of the recipient in accordance with Art. 49 (1) (1) (a) GDPR or on the performance of a contract or pre-contractual measures in accordance with Art. 6 (1) (b) GDPR.

The criteria for determining the duration for which the personal data is processed are the contractual relationship with Klaviyo or statutory or contractual retention periods. The provision of personal data is not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide us or Klaviyo with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Klaviyo can be found at https://www.klaviyo.com.

48. Data protection provisions about the application and use of Snowplow

We use Snowplow, an open-source and cloud-based platform for collecting, processing and analyzing user information and event data on our website and in applications. Snowplow enables us to collect detailed technical and behavioral data - such as page views, click paths, interaction times and form submissions - in order to improve our offering in a targeted manner. Personal data may be processed in the course of use - in particular when linking to user IDs or other context data. Processed data includes IP address, user agent, screen size, referrer URL, time of the event, event type, anonymized or pseudonymized user IDs and, if applicable, user profiles.

Processing is automated via Snowplow's integrative infrastructure, which collects data via tracking pixels or event snippets and sends it to an analysis backend. There, the information is stored, aggregated and prepared for reports and dashboards.

The company that operates the service and therefore the recipient of personal data is: Snowplow Analytics Limited, Floor 3, 48-50 Scrutton Street, London, EC2A 4HH, United Kingdom.

Purposes for which the personal data is to be processed and the legal basis for the processing: The purpose of the processing is the comprehensive collection, evaluation and optimization of user behavior, technical workflows and conversion processes as well as the support of data-based business decisions. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in improving the user experience, the technical quality of our website and applications and in managing our digital-based services on the basis of relevant data.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is neither legally nor contractually required or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions can be found at https://snowplow.io/.

49. Data protection provisions about the application and use of Post Affiliate Pro

We use Post Affiliate Pro, a platform for managing and analyzing affiliate programs and affiliate marketing programs. The service allows us to record clicks, leads and conversions via affiliate links in order to calculate commissions, optimize processes and create campaign reports. Personal data is processed during this activity - in particular data that is generated during the registration of partners and the tracking of transactions. The data processed includes name, email address, affiliate ID, IP address, time of click or order, browser information and device data, referrer information and other technical metadata.

Processing is automated via the infrastructure of Post Affiliate Pro. Tracking scripts on our website send event data for clicks or orders to the service, where they are displayed in dashboards and analyzed for remuneration models. Affiliates can log in with their login data to check their performance.

The company that operates the service and therefore the recipient of personal data is: Quality Unit, LLC, 3 Germay Dr. Unit 4-1130, Wilmington, DE 19804, United States.
For data subjects in the EU and EEA, Quality Unit, s. r. o., Vajnorska 100/A, 83104 Bratislava, Slovakia acts as contact person and representative within the meaning of Art. 27 GDPR.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is the administration of affiliate programs, the calculation of remuneration based on click data, conversion tracking and sales data, performance analysis and fraud prevention. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. The legitimate interest lies in the transparent processing of our partner programs, accurate billing and the optimization of marketing efficiency.

The criteria for determining the duration for which the personal data is processed are the contractual relationship with Quality Unit or statutory or contractual retention periods. The provision of personal data is not required by law or contract or necessary for the conclusion of a contract. You are not obliged to provide us or the company that operates the service with personal data. However, if you do not provide it, you may not be able to use our services or those of the company that operates the service.

Further information and the applicable data protection provisions of Post Affiliate Pro can be found at https://www.postaffiliatepro.com/.

50. Data protection provisions about the application and use of Telegram

Telegram offers a messaging service that is characterized by high security standards and user-friendliness. Users can exchange messages, images, videos and files via Telegram and use group chats and channels for communication. A special feature of Telegram is the end-to-end encryption for so-called secret chats, which ensures secure communication.

When using Telegram, certain Personal Data is processed, usually including the user's telephone number as the primary identification feature and optionally the name and profile picture. Telegram stores messages in encrypted form on its servers to enable synchronization between different user devices. However, Telegram emphasizes that it has no access to the content of end-to-end encrypted secret chats.

The company that operates the service and thus the recipient of personal data is: Telegram Messenger, Inc., Vistra Corporate Services Centre, Wickhams Cay Ii, Road Town, Tortola, VG1110, British Virgin Islands. For data subjects in the EU and EEA, European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Telegram Messenger LLP, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of data processing is to provide and use a messaging service. Processing of the telephone number and optionally other data such as name and profile picture are based on the Consent of the user in accordance with Art. 6 (1) (a) GDPR or serves to fulfill a contract in accordance with Art. 6 (1) (b) GDPR, to which the Data Subject is a party. The use of the application is also based on legitimate interests in accordance with Art. 6 (1) (f) GDPR, such as the use of an efficient method of communication.

The company that operates the serviceis located in a third country. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR.

The company that operates the servicemay have concluded one of the EU standard contractual clauses with us. If transfers are made, you can request a copy of the suitable or appropriate guarantees from us.

The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the company that operates the service with Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service.

Further information and the applicable data protection provisions of Telegram can be found at https://telegram.org.

51. Data protection provisions about the application and use of Instagram

Instagram is a widely used social network that allows users to share photos and videos, post stories, and interact with followers and friends. Instagram offers a variety of features, including direct messages, IGTV for longer videos, Instagram Live for real-time broadcasts and a Discover page to find new content and users.

When using Instagram, Personal Data such as names, email addresses, telephone numbers, user content (photos, videos, comments, etc.), location data, usage information and, in some cases, payment information is processed. This data helps to provide the service, ensure the security of the platform, offer personalized advertising and improve the user experience.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the use and optimization of the social network functions. Processing is based on Art. 6 (1) (b) GDPR for the performance of a contract to which the Data Subject is party and Art. 6 (1) (f) GDPR, where our legitimate interest lies in the improvement and personalization of the user experience, the provision of customer support and ensuring the security and integrity of the platform, as well as in the use of the platform and marketing.

The company that operates the servicemay be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of Instagram can be viewed at https:// instagram.com.

52. Data protection provisions about the application and use of TikTok

TikTok, a platform for short video clips that enjoys great popularity worldwide, enables users to create, share and discover creative content. Users can dance, sing, perform art or participate in trends on TikTok and interact with a global community.

When using TikTok, Personal Data such as names, email addresses, telephone numbers, dates of birth, profile information, user content (videos, comments), location data and information from social networks are processed. This data is required to provide the services, personalize the platform, enable user interactions and improve support.

The company that operates the service and thus the recipient of personal data is: TikTok Pte. Ltd., 1 Raffles Quay, No. 26-10, South Tower, 048583, Singapore. For data subjects in the EU and EEA, TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey Street, London, EC1A 9HP, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of data processing is the use of the video platform. Processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR, to which the Data Subject is a party, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as the use of a global platform for advertising and increasing our market presence.

The company operating the service is located in a third country. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company operating the service may have concluded one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of TikTok may be retrieved under https://www.tiktok.com.

53. Data protection provisions about the application and use of X (formerly Twitter)

X (formerly known as Twitter) is a global platform for public self-expression and real-time conversation. Users can create and share short messages, called tweets, which can include text, images, videos and links. The platform allows users to follow breaking news, interact with others and participate in global discussions.

When using X, various types of Personal Data are processed, including usernames, email addresses, telephone numbers and location data. This information can be used for account creation, personalization of content, provision of advertising, security purposes and for analytical evaluations.

The company that operates the service and thus the recipient of personal data is: X Corp., 865 FM-1209, Building 2, Bastrop, TX 78602, USA. For data subjects in the EU and EEA, X Internet Unlimited Company, 1 Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under Art. 14 of the Federal Act on Data Protection (FADP) in Switzerland is: X Schweiz GmbH, c/o Wasag Treuhand AG, Normannenstrasse 8, 3018 Bern, Switzerland.The Processing of Personal Data takes place, among other things, on the basis of the user's Consent (Art. 6 (1) (a) GDPR), for the performance of a contract (Art. 6 (1) (b) GDPR) to which the Data Subject is a party, or on the basis of legitimate interests (Art. 6 (1) (f) GDPR), such as the use of the platform and the improvement of communication with the public.

The company that operates the serviceis based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company that operates the servicemay be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

Further information and the applicable data protection provisions of X can be found at https://twitter.com/.

54. Data protection provisions about the application and use of YouTube

YouTube is a video sharing and viewing platform used by individuals, artists, businesses and media companies to publish a variety of content such as music videos, vlogs, educational material and much more. YouTube offers users the ability to upload, share, comment and interact with a broad community.

When using YouTube, Personal Data such as IP addresses, user interactions (e.g. videos viewed, comments), location data (if enabled for services) and information from linked Google accounts are processed. This information is required to provide personalized content and advertising, enable user interactions, keep the platform secure and improve the user experience.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of data processing lies in the use of the video sharing services. Processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR, to which the Data Subject is a party, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as the use of an efficient video platform, the improvement of the user experience, the use of personalized advertising and the use of embedded videos on our website.

The company that operates the serviceis based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. The company that operates the servicemay be a certified member of one or more of the data privacy frameworks. You can find more information at https://www.dataprivacyframework.gov/list. You can request a copy of the suitable or appropriate guarantees from us.

The criteria for determining the duration for which the Personal Data is processed are the contractual relationship between us and the company that operates the serviceor statutory or contractual retention periods. The provision of Personal Data is generally not required by law or contract, nor is it necessary for the conclusion of a contract. As a rule, you are not obliged to provide us or the company that operates the servicewith Personal Data. However, if you do not provide it, you may not be able to use our services or those of the company operating the service.

Further information and the applicable data protection provisions of YouTube can be found at https://policies.google.com.

55. Data protection provisions about the application and use of DHL

DHL is a logistics and express shipping provider that offers a wide range of services for international and domestic parcel shipping, freight transportation, e-commerce solutions and supply chain management. By using DHL's services, we can ship our products and shipments reliably and efficiently to customers worldwide, benefiting from advanced tracking options and customized logistics solutions.In providing its services, DHL processes Personal Data such as names, addresses, contact details of shippers and recipients, shipment information and shipment histories. This data is necessary to provide shipping services, track shipments, perform customs clearance and ensure an efficient supply chain.

The company that operates the service and thus the recipient of personal data is: DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the use of shipping and logistics services. Processing is based on Art. 6 (1) (b) GDPR for the performance of a contract to which the Data Subject is party or to take steps prior to entering into a contract. In addition, the Processing may be based on Art. 6 (1) (c) GDPR in relation to the fulfillment of legal obligations arising from customs and commercial law.

The criteria for determining the duration for which the Personal Data is processed are the statutory or contractual retention periods. The provision of Personal Data is required by law or contract or is necessary for the conclusion of a contract. You are obliged to provide us with Personal Data for this Processing activity.

Further information and the applicable data protection provisions of DHL can be found at https://www.dhl.de.

56. Data protection provisions about the application and use of Klarna

Klarna is a financial technology company that offers innovative payment solutions for consumers and merchants. With services such as "Pay Now", "Pay Later" and "Installment Purchase", Klarna enables flexible payment processing for online shopping. Klarna improves the shopping experience through simple, secure and fast payment transactions while offering protection for buyers and sellers.

When using Klarna services, Personal Data such as names, addresses, email addresses, telephone numbers, financial information, transaction data and information about purchasing behavior are processed. This data is necessary to provide payment services, verify identity, prevent fraud and ensure customer support.

The company that operates the service and thus the recipient of personal data is: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden. The representative under national law in the United Kingdom is: Klarna Financial Services UK Limited, 10 York Road, London, SE1 7ND, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the use and optimization of payment services. Processing is based on the performance of a contract (Art. 6 (1) (b) GDPR) to which the Data Subject is party and on legitimate interests (Art. 6 (1) (f) GDPR), such as the improvement of the user experience, the prevention of fraud and compliance with legal requirements.

The criteria for determining the duration for which the Personal Data is processed are the statutory or contractual retention periods. The provision of Personal Data is required by law or contract or is necessary for the conclusion of a contract. You are not obliged to provide us with Personal Data for this Processing activity. However, if you do not provide it, you will not be able to use our services.

Further information and the applicable data protection provisions of Klarna may be retrieved under https://www.klarna.com.

57. Data protection provisions about the application and use of Mastercard

Mastercard is a technology company in the payments sector that enables individuals, businesses and organizations to make electronic payments securely and efficiently. Mastercard offers a wide range of payment products and services, including credit, debit and prepaid cards issued by banks and financial institutions and accepted at millions of merchants worldwide. In addition, Mastercard develops innovative payment solutions such as contactless technologies and mobile payment systems to enhance the shopping experience and ensure the security of transactions.

When using Mastercard products and services, Personal Data such as names, card numbers, transaction data (e.g. purchase amounts, purchase data, merchant information), and location data are processed. This information is necessary to authorize transactions, prevent fraud, provide customer service and improve the user experience.

The company that operates the service and thus the recipient of personal data is: Mastercard, Inc., 2000 Purchase Street, Purchase, NY 10577, USA. For data subjects in the EU and EEA, Mastercard Europe SA, Chaussée de Tervuren 198A, 1410 Waterloo, Belgium, acts as contact and representative within the meaning of Art. 27 GDPR.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of processing is the use of payment services and the improvement of payment security. Processing is based on the performance of a contract (Art. 6 (1) (b) GDPR) to which the Data Subject is party and on legitimate interests (Art. 6 (1) (f) GDPR), such as the prevention of fraud and the use of cashless payment technologies.

The company that operates the serviceis based in a third country, namely the USA. Transfers to third countries may be based on the conclusion of standard contractual clauses or other suitable or appropriate safeguards referred to in Art. 46 (2) GDPR. Mastercard may have concluded one of the EU standard contractual clauses with us. You can request a copy of the suitable or appropriate safeguards from us.

The criteria for determining the duration for which the Personal Data is processed are the statutory or contractual retention periods. The provision of Personal Data is required by law or contract or is necessary for the conclusion of a contract. You are not obliged to provide us with Personal Data for this Processing activity. However, if you do not provide it, you will not be able to use our services.

Further information and the applicable data protection provisions of Mastercard can be found at https://www.mastercard.de.

58. Data protection provisions about the application and use of PayPal

PayPal is a payment service provider that enables us to process payments for our products and services securely and efficiently online. By using PayPal, personal data such as name, address, e-mail address, payment information and transaction data are processed. This data is necessary to authorize payments, verify the identity of the buyer, prevent fraud and process the payment securely. PayPal also uses this information to analyze transactions and improve security measures. In addition, PayPal helps us to optimize the payment process and offer users a convenient payment option.

The company that operates the service and thus the recipient of personal data is: PayPal, Inc., 2211 N. First Street, San Jose, CA 95131, USA. For data subjects in the EU and EEA, PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Bird & Bird GDPR Representative UK, 12 New Fetter Lane, Holborn, London, EC4A 1JP, United Kingdom.

Purposes for which personal data are to be processed and the legal basis for the processing: The purpose of the processing is to carry out online payments and to ensure a secure payment process. The processing is based on Art. 6 (1) (b) GDPR, as it is necessary for the performance of a contract to which the data subject is party.

The company that operates the servicemay have concluded one of the EU Standard Contractual Clauses with us. You can request a copy of the suitable or appropriate safeguards from us.

The criteria for determining the duration for which the personal data is processed are the contractual relationship between us and the company that operates the service or statutory or contractual retention periods. The provision of personal data is required by law or contract or is necessary for the conclusion of a contract. You are obliged to provide us with personal data for this processing operation.

Further information and the applicable data protection provisions of PayPal, Inc. can be found at https://www.paypal.com/am/home.

59. Data protection provisions about the application and use of Visa

Visa is a payment technology company that enables consumers, businesses, banks and governments to make digital payments quickly, securely and reliably. Visa offers a wide range of products and services, including credit, debit and prepaid cards, as well as other payment and technology solutions to simplify and accelerate payment transactions.

When using Visa services, Personal Data such as name, card number, expiration date, security code, transaction data, location data and contact details are processed. This data is required to authorize payment transactions, prevent fraud, provide customer support and offer personalized services.

The company that operates the service and thus the recipient of personal data is: Visa, Inc., 900 Metro Center Boulevard, Foster City, CA 94404, USA. For data subjects in the EU and EEA, Visa Europe (Netherlands) B.V., Herikerbergweg 238, Luna Arena, 1101 CM Amsterdam Zuidoost, Netherlands, acts as contact and representative within the meaning of Art. 27 GDPR. The representative under national law in the United Kingdom is: Visa Europe Limited, 1 Sheldon Square, London, W2 6TT, United Kingdom.

Purposes for which the Personal Data is to be processed and the legal basis for the Processing: The purpose of data processing is the use of cashless payment options and the improvement of payment security. Processing is based on the performance of a contract pursuant to Art. 6 (1) (b) GDPR, to which the Data Subject is a party, and on legitimate interests pursuant to Art. 6 (1) (f) GDPR, such as the optimization of payment processing and fraud prevention.

The company that operates the service and thus the recipient of the Personal Data is based in a country that has been recognized by the European Commission as having an adequate level of data protection. Therefore, no additional guarantees are required for the transfer of data.

The criteria for determining the duration for which the Personal Data is processed are the statutory or contractual retention periods. The provision of Personal Data is required by law or contract or is necessary for the conclusion of a contract. You are not obliged to provide us with Personal Data for this Processing activity. However, if you do not provide it, you will not be able to use our services.

Further information and the applicable data protection provisions of Visa may be retrieved under https://www.visa.com/.

60. Data protection provisions about the application and use of Criteo

We use Criteo, a platform for personalized advertising and retargeting, to display relevant product suggestions and targeted advertisements on our website. Criteo processes data to analyze user interactions, in particular browsing data such as products viewed, click behavior and ad impressions, which are linked via unique identifiers such as cookies or mobile advertising IDs. In addition, data is processed to detect and prevent click fraud (e.g. shortened IP addresses, tracking IDs).
The company that operates the service and therefore the recipient of the personal data is: Criteo S.A., 32 Rue Blanche, 75009 Paris, France.
Purposes for which personal data is to be processed and the legal basis for the processing: The purpose is to provide targeted advertisements through personalized retargeting, to analyze user interactions and to optimize campaigns. The processing is carried out on the basis of Art. 6 (1) (f) GDPR. Our legitimate interest lies in increasing the relevance of advertisements, in marketing and in an improved user approach.
The criteria for determining the duration for which the personal data is processed are based on the respective purpose of the data processing and the storage periods of Criteo. The provision of personal data is necessary for the use of personalized advertising and platform services. Without provision, service or advertising-related functions may be restricted.
Further information and the applicable data protection provisions of Criteo can be found at https://www.criteo.com/.

Wähle dein Geschenk

Wähle deine Geschenke

Data protection

Privacy Policy

1. Definitions

2. Name and address of the Controller

3. Name and contact details of the data protection officer

4. Collection of general data and information

5. Contact possibility via the website and other data transfers and your Consent

6. Routine deletion and restriction of Personal Data

7. Rights of the Data Subject according to GDPR

8. General purpose of Processing, categories of processed data and categories of recipients

9. Legal basis for the Processing

10. Legitimate interests in Processing pursued by the Controller or a Third Party and direct marketing

11. Duration for which the Personal Data is stored

12. Legal or contractual provisions for the provision of Personal Data; necessity for the conclusion of the contract; obligation of the Data Subject to provide the Personal Data; possible consequences of non-provision

13. Existence of automated decision-making

14. Recipients in a third country and appropriate or adequate safeguards and how to obtain a copy of them or where they are available.

15. Right to lodge a complaint with a data protection supervisory authority

16. Data protection for applications and in the application process

17. Cookies and external connections, advertising IDs and your Consent

18. Data protection provisions about the application and use of Google Chrome

19. Data protection provisions about the application and use of Amazon Web Services (AWS)

20. Data protection provisions about the application and use of BootstrapCDN

21. Data protection provisions about the application and use of jsDelivr

22. Data protection provisions about the application and use of Google Fonts

23. Data protection provisions about the application and use of jQuery

24. Data protection provisions about the application and use of Google Analytics

25. Data protection provisions about the application and use of Klaviyo

26. Data protection provisions about the application and use of Google Marketing Platform

27. Data protection provisions about the application and use of Google Tag Manager

28. Data protection provisions about the application and use of Microsoft Advertising

29. Data protection provisions about the application and use of Microsoft Clarity

30. Data protection provisions about the application and use of Facebook

31. Data protection provisions about the application and use of Pinterest

32. Data protection provisions about the application and use of Trusted Shops

33. Data protection provisions about the application and use of Outbrain Amplify

34. Data protection provisions about the application and use of MarketGid

35. Data protection provisions about the application and use of BidSwitch

36. Data protection provisions about the application and use of Index Exchange

37. Data protection provisions about the application and use of Facebook Custom Audience

38. Data protection provisions about the application and use of Adscale

39. Data protection provisions about the application and use of Taboola

40. Data protection provisions about the application and use of Google Dynamic Remarketing

41. Data protection provisions about the application and use of Yotpo

42. Data protection provisions about the application and use of Facebook Connect

43. Data protection provisions about the application and use of Shopify CDN

44. Data protection provisions about the application and use of TikTok Analytics

45. Data protection provisions about the application and use of Google APIs

46. Data protection provisions about the application and use of GitHub Pages

47. Data protection provisions about the application and use of Klaviyo Forms

48. Data protection provisions about the application and use of Snowplow

49. Data protection provisions about the application and use of Post Affiliate Pro

50. Data protection provisions about the application and use of Telegram

51. Data protection provisions about the application and use of Instagram

52. Data protection provisions about the application and use of TikTok

53. Data protection provisions about the application and use of X (formerly Twitter)

54. Data protection provisions about the application and use of YouTube

55. Data protection provisions about the application and use of DHL

56. Data protection provisions about the application and use of Klarna

57. Data protection provisions about the application and use of Mastercard

58. Data protection provisions about the application and use of PayPal

59. Data protection provisions about the application and use of Visa

60. Data protection provisions about the application and use of Criteo