Privacy policy Babyartikel

We take data protection seriously

The protection of your privacy when processing personal data is an important concern for us. When you visit our website, our web servers store the IP of your Internet service provider, the website from which you visit us, the web pages you visit on our site and the date and duration of your visit as standard. This information is essential for the technical transmission of the web pages and secure server operation. There is no personalised analysis of this data.

If you send us data via the contact form, this data will be stored on our servers as part of the data backup process. Your data will only be used by us to process your enquiry. Your data will be treated as strictly confidential. It will not be passed on to third parties.

1. Who is responsible for data processing and who can you contact?

Responsible person:

KP Family International GmbH
Einsteinring 1-7
85609 Aschheim
E-Mail-Adresse: info@kp-family.de

The company data protection officer is

Herr Christian Volkmer
Projekt 29 GmbH & Co. KG
Ostengasse 14
93047 Regensburg
E-Mail: anfragen@projekt29.de
Phone: 0941-2986930

2. Personal data

Personal data is data about your person. This includes your name, your address and your e-mail address. You do not have to disclose any personal data in order to visit our website. In some cases, we need your name and address as well as other information in order to be able to offer you the desired service.

The same applies if we supply you with information material on request or if we answer your enquiries. In these cases, we will always point this out to you. Furthermore, we only store the data that you have transmitted to us automatically or voluntarily.

When you use one of our services, we generally only collect the data that is necessary to provide you with our service. We may ask you for further information, but this is voluntary. Whenever we process personal data, we do so in order to be able to offer you our service or to pursue our commercial objectives.

3. Visit the website

3.1. General use

When you visit our website, our web servers store the IP of your internet service provider, the website from which you visit us, the web pages you visit on our site and the date and duration of your visit by default. The processing of this information is absolutely necessary for the technical transmission of the web pages, the convenient use of our services and secure server operation. Our legitimate interest arises from Art. 6 para. 1 lit. f) GDPR.
It is not possible to draw any direct conclusions about your identity from the information and we will not do so. The information is stored and automatically deleted after the aforementioned purposes have been achieved. The standard periods for erasure are based on the criterion of necessity.

3.2. Automatically saved data

Server files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These are

• Date and time of the request
• Name of the requested file
• Page from which the file was requested
• Access status (file transferred, file not found, etc.)
• Web browser and operating system used
• Complete IP address of the requesting computer
• Amount of data transferred

This data is not merged with other data sources. Processing is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in improving the stability and functionality of our website.
For reasons of technical security, in particular to defend against attempted attacks on our web server, this data is stored by us for a short time. It is not possible for us to identify individual persons from this data. After seven days at the latest, the data is anonymised by shortening the IP address at domain level so that it is no longer possible to establish a link to the individual user. The data is also processed in anonymised form for statistical purposes; it is not compared with other databases or passed on to third parties, even in excerpts.

3.3. Contact us

When contacting us (e.g. by contact form, e-mail, telephone or via social media), the data of the enquiring persons will be processed insofar as this is necessary to answer the contact enquiries and any requested measures.
The response to contact enquiries in the context of contractual or pre-contractual relationships is carried out to fulfil our contractual obligations or to respond to (pre)contractual enquiries and otherwise on the basis of the legitimate interests in responding to the enquiries.

• Processed data types: Inventory data (e.g. names, addresses), Contact data (e.g. e-mail, telephone numbers), Content data (e.g. entries in online forms).
• Affected persons: Communication partner.
• Purposes of processing: contact enquiries and communication.
• Legal bases: Contract fulfilment and pre-contractual enquiries (Art. 6 para. 1 lit. b. GDPR), Legitimate interests (Art. 6 para. 1 lit. f. GDPR).

3.4. Cookies

Our Internet pages use so-called cookies. Cookies are small data packets that do not cause any damage to your computer. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or your web browser automatically deletes them.

Cookies may originate from us (first-party cookies) or from third-party companies (so-called third-party cookies). Third-party cookies enable the integration of certain services from third-party companies within websites (e.g. cookies for processing payment services).

Cookies have different functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or the display of videos). Other cookies can be used to analyse user behaviour or for advertising purposes.

Cookies that are required to carry out the electronic communication process, to provide certain functions that you have requested (e.g. for the shopping basket function) or to optimise the website (e.g. cookies to measure the web audience) (necessary cookies) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimised provision of its services. If consent to the storage of cookies and comparable recognition technologies has been obtained, the processing is carried out exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDSG); consent can be revoked at any time.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted. You can find out which cookies and services are used on this website in this privacy policy.

You can change your settings for the use of cookies here at any time:

Privacy Settings

4. Consent Manager Platform (CMP)

We use a consent management service ("Consent Manager Platform (CMP)") on our website to inform you about the cookies and other technologies we use on our website and to obtain, manage and document any consent you may have given to the processing of your personal data by these technologies. This is necessary pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR to fulfil our legal obligation pursuant to Art. 7 para. 1 GDPR to be able to prove your consent to the processing of your personal data to which we are subject.

After you submit your cookie declaration on our website, the web server stores the following data: IP address, device information, browser information, set language, website accessed or its URL, date and time of your declaration of consent and information on your consent behaviour.

In addition, the following technologies are used, which contain information about your consent behaviour: Cookies.

The data is stored exclusively in a cookie; personal data is not transmitted to the provider of the Consent Manager Platform (CMP). Your data will be deleted after one year, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.

5. Service optimisation

5.1. Platform

Amazon Web Services (AWS)

We host our website with AWS. The provider is Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter: AWS).

When you visit our website, your personal data is processed on the servers of AWS. Personal data may also be transferred to the parent company of AWS in the USA. The data transfer to the USA is based on the EU standard contractual clauses. Details can be found here:
https://aws.amazon.com/de/blogs/security/aws-gdpr-data-processing-addendum/.

Amazon is also certified in accordance with the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified in accordance with the DPF undertakes to comply with these data protection standards.

Further information can be found in the AWS privacy policy:
https://aws.amazon.com/de/privacy/?nc1=f_pr.

The use of AWS is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible.

Hetzner

We host our website with Hetzner. The provider is Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen (hereinafter referred to as Hetzner).

Details can be found in Hetzner's privacy policy:
https://www.hetzner.com/de/rechtliches/datenschutz.

The use of Hetzner is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in displaying our website as reliably as possible. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting). Consent can be revoked at any time.

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract prescribed by data protection law, which ensures that the provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

Transactional emails via Mailchimp

We use the Mailchimp service provided by Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA, to send transactional emails. Transactional emails are automated emails that are triggered by certain actions, such as purchase confirmations, password resets or dispatch notifications.

We process the following personal data when sending transactional emails:

• E-mail address
• Name (if required)
• Information on the respective transaction (e.g. order number, product details)
• Technical information such as IP address and browser data

Processing takes place exclusively for the purpose of processing the respective transaction and providing relevant information to the recipient. Transaction emails are used to fulfil the contract and are necessary for communication within the framework of an existing business relationship.

Your data is processed in accordance with Art. 6 para. 1 lit. b GDPR (fulfilment of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest in efficient communication).

Your personal data will be transmitted to Mailchimp and processed there. Since Mailchimp is based in the USA, the data transfer is based on the standard contractual clauses of the EU Commission pursuant to Art. 46 para. 2 lit. c GDPR to ensure an adequate level of data protection.

The data will only be stored for as long as is necessary to process the transaction or for as long as there are statutory retention obligations.

We have concluded an order processing contract with Mailchimp in accordance with Art. 28 GDPR. This ensures that your data is processed exclusively in accordance with our instructions and in compliance with the applicable data protection regulations.

Further information on data processing by Mailchimp can be found in their privacy policy: https://mailchimp.com/legal/privacy/.

TRUSTED SHOPS

The Trusted Shops Trustbadge is integrated on this website to display our Trusted Shops seal of approval and any collected reviews as well as to offer Trusted Shops products to buyers after an order.

This serves to safeguard our legitimate interests, which predominate in the context of a balancing of interests, in optimal marketing by enabling secure shopping in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR. The Trustbadge and the services advertised with it are an offer from Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne. The trust badge is provided by a CDN provider (content delivery network) as part of order processing.

If you have given us your express consent to this during or after your order by activating a corresponding checkbox or clicking on a button provided for this purpose ("Rate later"), we will send your e-mail address to Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Cologne (www.trustedshops.de), so that they can remind you by e-mail of the opportunity to submit a rating. This consent can be revoked at any time by sending a message to us or directly to Trusted Shops.

Bunny.net

We use the Content Delivery Network (CDN) of Bunny.net, provided by BunnyWay d.o.o., Cesta Komandanta Staneta 4A, 1215 Medvode, Slovenia, to optimise the loading speed and availability of our website. A CDN is a network of servers that efficiently serves static content such as images, scripts and videos.

When using Bunny.net, the following technical connection data is processed:

• IP address
• Date and time of access
• Requested page or URL
• Information about the browser and operating system used

The processing is carried out to deliver and provide our website and to improve its stability and functionality. This serves our legitimate interest in the secure and efficient operation of the website in accordance with Art. 6 para. 1 lit. f GDPR.

The data may be transferred to Bunny.net, whereby the server locations may be limited to EU member states. We have concluded an order processing contract with Bunny.net in accordance with Art. 28 GDPR to ensure that your data is only processed in accordance with our instructions and in compliance with the applicable data protection regulations.

The data will only be stored for as long as is necessary for the above-mentioned purposes.

Further information on data processing by Bunny.net can be found in their privacy policy at https://bunny.net/privacy e https://bunny.net/gdpr.

jsDelivr (Content Delivery Network)

We use the Content Delivery Network (CDN) jsDelivr from the Polish company ProspectOne, Królewska 65A/1, 30-081 Kraków, Poland, to optimise the loading speed and availability of our website. jsDelivr enables the fast delivery of JavaScript libraries, images and other files via a global network of servers.

The following personal data may be processed when using jsDelivr:

• IP address
• Browser type and version
• Operating system
• Date and time of access
• URL of the website accessed

The processing is carried out to deliver and provide our website and to improve its stability and functionality. This serves our legitimate interest in the secure and efficient operation of the website in accordance with Art. 6 para. 1 lit. f GDPR.

The use of jsDelivr is based on Art. 6 para. 1 lit. f GDPR (legitimate interest).

jsDelivr operates servers in various countries around the world, which means that your data may be transferred outside the European Economic Area (EEA). We have concluded an order processing contract with ProspectOne in accordance with Art. 28 GDPR to ensure that your data is only processed in accordance with our instructions and in compliance with the applicable data protection regulations.

The data will only be stored for as long as is necessary for the above-mentioned purposes or for as long as there are statutory retention obligations.

You have the right to information, correction, deletion and restriction of the processing of your personal data as well as a right to object to the processing. If you have any questions about the processing of your data by jsDelivr, you can contact us at any time.

Further information on data processing by jsDelivr can be found in their privacy policy at https://www.jsdelivr.com/privacy-policy.

Userwerk (subscription offers on the order confirmation page)

We use the services of Userwerk GmbH, Zwickauer Straße 16, 09112 Chemnitz, Germany, to present you with additional subscription offers on the order confirmation page immediately after completing your order in our web shop. These offers are provided by Userwerk and enable you to book additional products or services directly.

The following personal data is processed as part of the use of Userwerk services:

• Name
• Address
• E-mail address
• Telephone number (if required)
• Order information (e.g. product details, order number)
• Technical data such as IP address and browser information

The processing is carried out to provide and process the subscription offers and to carry out pre-contractual measures and to fulfil the contract with the third-party provider whose services you wish to use. This serves our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to provide you with relevant additional offers.

Your data is processed either on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR or for the fulfilment of a contract in accordance with Art. 6 para. 1 lit. b GDPR.

Your personal data will be transmitted to Userwerk as soon as you select an offer and submit the order form. Userwerk stores this data and transmits it to the respective third-party provider for further processing of your order. If you cancel the order process, no data will be transmitted to Userwerk.

Your personal data will only be stored for as long as is necessary to fulfil your order or until you withdraw your consent. After completion of the order, the data may continue to be stored for legally prescribed retention periods.

Further information on data processing by Userwerk can be found in their privacy policy at https://www.userwerk.com/de/datenschutzerklaerung/.

5.2. Newsletter

If you subscribe to our newsletter, we will use the data required for this or separately provided by you to regularly send you our email newsletter based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. You can unsubscribe from the newsletter at any time, either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter. After unsubscribing, we will delete your email address from the recipient list, unless you have expressly consented to further use of your data in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR or we reserve the right to use data beyond this, which is permitted by law and about which we inform you in this declaration.
We would like to point out that we evaluate your user behaviour when sending the newsletter. For this purpose, we also analyse your interaction with our newsletter by measuring, storing and evaluating opening rates and click rates for the purpose of designing future newsletter campaigns ("newsletter tracking").
For this analysis, the emails sent contain single-pixel technologies (e.g. so-called web beacons, tracking pixels) that are stored on our website. In particular, we link the following "newsletter data" for the analyses;

• the page from which the page was requested (so-called referrer URL),
• the date and time of the call,
• the description of the type of web browser used,
• the IP address of the requesting computer,
• the e-mail address,
• the date and time of registration and confirmation

and single-pixel technologies with your e-mail address or IP address and, if applicable, an individual ID. Links contained in the newsletter may also contain this ID.
If you do not wish to receive newsletter tracking, you can unsubscribe from the newsletter at any time as described above.
The information is stored for as long as you have subscribed to the newsletter.
The newsletter may also be sent by our service providers as part of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this privacy policy.
The newsletter and the newsletter tracking described above may also be sent by our service providers as part of processing on our behalf. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this privacy policy.

Emarsys

We use the Emarsys service, provided by Emarsys eMarketing Systems AG, Märzstraße 1, A-1150 Vienna, Austria, to send our newsletter. Emarsys enables us to manage and send newsletters and to analyse user behaviour in order to optimise our newsletters.

We process the following personal data as part of the newsletter registration process:

• Your e-mail address (mandatory)
• Optional: Your name and other voluntary details
• Technical information such as IP address, browser type and operating system
• Time of registration and date and time of your consent

Your data is processed to send our newsletter and to analyse and optimise our marketing measures. With the help of technologies such as tracking pixels or web beacons, we can recognise whether and when a newsletter was opened and which links were clicked on. These analyses help us to better tailor our content to your interests.

Your data is processed on the basis of your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by using the unsubscribe link at the end of each newsletter or by contacting us directly.

Storage period:
Your data will be stored for as long as you have subscribed to the newsletter. After cancellation, your data will be deleted, provided that there are no legal retention obligations to the contrary.

The data you provide will be transmitted to Emarsys and stored on servers within the European Union. We have concluded an order processing contract with Emarsys in accordance with Art. 28 GDPR to ensure that your data is only processed in accordance with our instructions and in compliance with the applicable data protection regulations.

Further information on data processing by Emarsys can be found in their privacy policy: https://www.emarsys.com/de/datenschutzrichtlinie/.

5.3. Chatbot

Melibo

We use the AI-powered chatbot service Melibo, provided by Thinking Tech GmbH (Eisenlohrstr. 13, 76135 Karlsruhe, Germany), to enable our customers to communicate interactively and efficiently on our website. The chatbot helps us automate and accelerate customer enquiries.

The following personal data may be processed when using the chatbot:

• Communication content that you enter in the chat
• Technical information such as IP address, browser type, and time of the enquiry
• Optional: Contact information if provided voluntarily

Your data is processed to respond to your enquiries and to optimise our customer service. This is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR to ensure fast and efficient communication. If the communication is aimed at processing a contract, the legal basis is Art. 6(1)(b) GDPR (contract fulfilment).

Before using the chatbot, we request your consent pursuant to Art. 6(1)(a) GDPR. Processing of your data begins only after you have activated the chatbot widget by providing consent. You can revoke your consent at any time with future effect by deactivating the widget or contacting us.

The transmitted data is stored only as long as necessary to process your enquiry. Once communication is completed, the dialogues are anonymised and used solely to improve the chatbot.

Your data is transmitted via secure SSL encryption. Access to the data is protected by multiple firewalls to prevent unauthorised access.

We have concluded a data processing agreement with Melibo in accordance with Art. 28 GDPR to ensure that your data is processed strictly according to our instructions and in compliance with applicable data protection laws.

Further information on data processing by Melibo can be found in their privacy policy at https://www.melibo.de/datenschutz.

5.4. Product Evaluation

Bazaarvoice

We use the service Bazaarvoice, Inc., 3900 N. Capital of Texas Highway, Suite 300, Austin, Texas 78746, USA, to display and manage product reviews on our product detail pages. Bazaarvoice allows our customers to submit reviews of our products, which are then published on our website.

The following personal data is processed when you use Bazaarvoice:

• Display name
• E-mail address
• IP address
• Review content and assigned rating
• Additional voluntary information (e.g. photos or further comments)

Processing is carried out to display product reviews and to moderate and verify the authenticity of these reviews. This is in our legitimate interest under Art. 6(1)(f) GDPR to provide a transparent and trustworthy review platform.

Bazaarvoice uses both automated and manual verification mechanisms to ensure that submitted reviews are genuine and originate from real customers. To this end, Bazaarvoice relies on industry-leading fraud detection technology and human moderation.

The processing of your data is based on your consent pursuant to Art. 6(1)(a) GDPR, which you provide when submitting your review.

Data may be transferred to Bazaarvoice in the United States. Such transfers are based on the standard contractual clauses under Art. 46 GDPR and the EU-US Privacy Shield framework, which ensures an adequate level of data protection.

Your personal data will be retained for as long as your review remains visible on our website or until you withdraw your consent. Upon withdrawal, your data will be deleted in accordance with legal requirements.

You have the right to access, rectify, erase, and restrict the processing of your personal data, as well as the right to object to processing. You may also revoke your consent at any time with future effect.

Further information on data processing by Bazaarvoice is available in their privacy policy at https://www.bazaarvoice.com/legal/privacy-policy/.

6. Tools and Services for Analytics, Statistics, and Marketing

6.1. Analytics and Statistics

Algolia (Search and tracking function in the web store)

We use the Algolia service, provided by Algolia SAS, 55 Rue d'Amsterdam, 75008 Paris, France, to integrate a powerful search function into our web store. Algolia allows our users to find products quickly and accurately and offers additional features such as personalized product recommendations and dynamic filter options. In addition, user behavior is analyzed through tracking to continuously optimize search results and the shopping experience.
Processed data:

• When using Algolia, the following personal data may be processed:
• IP address
• Browser type and version
• Operating system
• Search terms and filter settings
• Interactions with search results (e.g., clicks or dwell time)
• Location data (if geolocation is activated)

The processing is carried out to provide a fast and accurate product search and to analyze user behavior in order to improve our search function and product recommendations. This is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to ensure an optimal user experience in our web store.

Algolia uses technologies such as cookies and other tracking methods to analyze user behavior during searches. These data help us increase the relevance of search results and provide personalized recommendations. If consent has been obtained, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

The data is transmitted to Algolia and processed on servers within the European Union and worldwide. We have concluded a data processing agreement with Algolia pursuant to Art. 28 GDPR to ensure that your data is processed exclusively in accordance with our instructions and in compliance with applicable data protection regulations.

Data will only be stored for as long as necessary for the above purposes or until you revoke your consent. Anonymized data may be stored longer for statistical purposes.

Further information on data processing by Algolia can be found in the privacy policy at https://www.algolia.com/policies/privacy.

Google Tag Manager

We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies into our website.
Google Tag Manager does not create user profiles, store cookies, or perform independent analyses. It merely facilitates the management and deployment of tools integrated through it. However, Google Tag Manager collects your IP address, which may also be transmitted to Google's parent company in the USA.

Google Tag Manager is used on the basis of Art. 6 para. 1 lit. f GDPR.

Google Analytics (4)

This website uses features of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the website operator to analyze the behavior of website visitors. The website operator receives various usage data, such as page views, visit duration, operating systems used, and the user's origin. These data are summarized under a user ID and assigned to the respective end device of the website visitor.

With Google Analytics we can also record, among other things, mouse movements and scroll behavior as well as clicks. Google Analytics also uses various modeling approaches to supplement the collected data and employs machine learning technologies for data analysis.

Google Analytics uses technologies that enable user recognition for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Google about your use of this website is usually transmitted to a Google server in the USA and stored there. The use of this service is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time.

Data transfer to the USA is based on the EU Commission's standard contractual clauses. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/.

Google is also certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA designed to ensure compliance with European data protection standards for data processing in the USA. Each company certified under the DPF commits to adhering to these data protection standards.

Browser Plugin

You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. For more information on how Google Analytics handles user data, see Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.

Google Signals

We use Google Signals. When you visit our website, Google Analytics collects, among other things, your location, search history, and YouTube history, as well as demographic data (visitor data). These data can be used for personalized advertising with the help of Google Signals. If you have a Google account, the visitor data collected by Google Signal is linked to your Google account and used for personalized advertising messages. The data is also used to compile anonymous statistics on the behavior of our users.

Google Analytics E-Commerce Measurement

This website uses the “e-commerce measurement” feature of Google Analytics. With the help of e-commerce measurement, the website operator can analyze the purchasing behavior of site visitors to improve their online marketing campaigns. Information such as orders placed, average order value, shipping costs, and the time between viewing and purchasing a product is recorded. These data can be aggregated by Google using a transaction ID assigned to the respective user or device.

ABlyft

We use the ABlyft service on our website, provided by Conversion Expert GmbH, Zeppelinring 52c, 24146 Kiel, Germany. ABlyft is a tool for analyzing user behavior with the aim of improving the usability of our website.

ABlyft does not store personal data such as IP addresses or user IDs. All collected data is anonymized and stored in aggregate form. The information collected includes:

• Search terms
• Viewed products
• Browser and device information (e.g., browser type, operating system)
• Date and time of the visit
• Referrer URL
• Geographic location
• Viewed pages

These data are processed exclusively to improve usability and optimize our website.

Processing is based on Art. 6 para. 1 lit. f GDPR (legitimate interest). Our legitimate interest lies in the analysis and optimization of our website.

You can object to the use of ABlyft at any time by clicking the following link:

https://shop.bvb.de/?ablyft_opt_out=true

Stape.io (Server-side tracking)

We use the services of Stape.io, provided by STAPE EUROPE OÜ, Sepapaja tn 6, Tallinn 15551, Estonia, to implement server-side tracking and data management in our online store. Stape.io enables us to collect first-party data, increase the effectiveness of our marketing efforts, and protect user privacy. When using Stape.io, the following data is processed:

• IP address
• Browser and device data
• Interactions with our website (e.g., clicks, conversions)
• Location data (if geolocation is enabled)

Processing is carried out to optimize our marketing measures, improve data quality, and ensure GDPR-compliant use of analytics tools such as Google Analytics. This is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. If corresponding consent has been obtained, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG. Consent can be revoked at any time. We have concluded a data processing agreement pursuant to Art. 28 GDPR with the above-mentioned provider. This contract ensures that your personal data is processed exclusively in accordance with our instructions and in compliance with the GDPR. Further information on data processing by Stape.io can be found in their privacy policy at https://stape.io/eu-privacy-notice.

Matomo (local)

This website uses the open-source web analytics service Matomo. Matomo uses technologies that enable cross-page user recognition for the purpose of analyzing user behavior (e.g., cookies or device fingerprinting). The information collected by Matomo about the use of this website is stored on our server. The IP address is anonymized before storage. With the help of Matomo, we are able to collect data on the use of our website by visitors and to analyze it. This allows us to identify, for example, when page views occurred and from which region they came. We also collect various log files (e.g., IP address, referrer, browser and operating systems used) and can measure whether visitors to our website perform certain actions (e.g., clicks, purchases, etc.). The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the anonymous analysis of user behavior in order to optimize both its website and its advertising. If consent has been obtained, processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TDDDG, provided that the consent includes the storage of cookies or access to information on the user's end device (e.g., device fingerprinting) under the TDDDG. Consent can be revoked at any time. We use IP anonymization for analysis with Matomo. Your IP address is shortened before analysis so that it can no longer be clearly assigned to you. We host Matomo exclusively on our own servers, so all analytics data remains with us and is not shared.

6.2. Advertising and Marketing

GK Artificial Intelligence

We use the AI technology of GK Artificial Intelligence for Retail AG (GK AIR), Zwickauer Straße 16, 09112 Chemnitz, Germany, to provide personalized product recommendations in our online store. GK AIR’s solutions are based on self-learning algorithms and enable us to present you with dynamic and relevant product suggestions based on your previous browsing and purchasing behavior. When using GK AIR, the following data is processed:

• Items and product categories you have viewed, searched for, or purchased
• Your purchase history
• Pseudonymized information such as your email address (if provided)
• Technical data such as IP address and browser information

The processing is carried out to provide you with personalized product recommendations and to optimize your shopping experience. This is in our legitimate interest pursuant to Art. 6 (1) (f) GDPR to offer you a personalized shopping experience. If corresponding consent has been obtained, the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. Consent can be revoked at any time. We have concluded a data processing agreement (DPA) pursuant to Art. 28 GDPR with the above-mentioned provider. This is a contract required by data protection law, which ensures that the personal data of visitors to our website is processed exclusively in accordance with our instructions and in compliance with the GDPR. Your personal data will be stored for as long as necessary to fulfill the above-mentioned purposes or until you revoke your consent. Further information: Further details on data processing by GK AIR can be found in the privacy policy at https://www.gk-software.com/de/datenschutz.

Google Ads

The website operator uses Google Ads. Google Ads is an online advertising program of Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads enables us to display advertisements in the Google search engine or on third-party websites when users enter certain search terms into Google (keyword targeting). Furthermore, ads can be shown based on user data available to Google (e.g. location and interests) (audience targeting). As website operators, we can evaluate this data quantitatively, for example by analyzing which search terms led to the display of our ads and how many ads generated corresponding clicks. The use of this service is based on your consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. Consent can be revoked at any time. For the USA, an adequacy decision by the European Commission exists, provided that the companies are certified under the Data Privacy Framework. Google is certified accordingly and therefore meets the requirements of the European Commission.

Google AdSense (non-personalized)

This website uses Google AdSense, a service for integrating advertisements. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.

We use Google AdSense in "non-personalized" mode. Unlike the personalized mode, the ads are not based on your previous user behavior and no user profile is created. Instead, so-called "contextual information" is used to select the ads. The selected advertisements are based, for example, on your location, the content of the website you are visiting, or the search terms you are using. For more information about the differences between personalized and non-personalized targeting with Google AdSense, see:

https://support.google.com/adsense/answer/9007336.

Please note that even when using Google AdSense in non-personalized mode, cookies or similar recognition technologies (such as device fingerprinting) may be used. According to Google, these are used to combat fraud and abuse.

The use of this service is based on your consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. Consent can be revoked at any time.

The transfer of data to the USA is based on the European Commission's standard contractual clauses.

For more details, please refer to: https://privacy.google.com/businesses/controllerterms/mccs/.

You can independently change your advertising settings in your user account. To do so, click on the following link and log in:

https://adssettings.google.com/authenticated.

For more information on Google's advertising technologies, please visit:

https://policies.google.com/technologies/ads and

https://www.google.de/intl/de/policies/privacy/.

Microsoft Advertising

We use the Microsoft Advertising service on our website, provided by Microsoft Ireland Operations Limited (Ireland/EU) (formerly Bing Ads). Microsoft Advertising is an online marketing service that uses the Universal Event Tracking (UET) tool to help us target ads via the Microsoft Bing search engine. For this purpose, Microsoft Advertising uses cookies. Personal data is processed in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers, and information about device and browser settings.

Microsoft Advertising collects data via UET that allows us to monitor audiences using remarketing lists. For this purpose, a cookie is stored on the device used when visiting our website. Microsoft Advertising can recognize that our website has been visited and, if you later use Microsoft Bing or Yahoo, you may be shown an advertisement. The information is also used to generate conversion statistics, i.e. to record how many users came to our website after clicking on an ad. This tells us the total number of users who clicked on our ad and were redirected to our website. However, we do not receive any information that can be used to personally identify users.
Further information on these processing activities, the technologies used, the data stored, and the retention period is available in the settings of our Consent Management Tool. Processing will only take place with your consent in accordance with Section 25 TDDDG or Article 6 (1) (a) GDPR. You can revoke your consent via our Consent Management Tool.
For Microsoft services, it cannot be ruled out that data may be transferred to Microsoft Corp. in the USA. Microsoft is certified under the Data Privacy Framework and therefore meets the requirements of the EU Commission’s adequacy decision. For more information on data protection at Microsoft, please refer to Microsoft's privacy policy at https://privacy.microsoft.com/de-de/privacystatement.

Webgains

We use the affiliate marketing platform Webgains, provided by Webgains GmbH, Frankenstraße 146, 90461 Nuremberg, Germany. Webgains allows us to offer targeted advertising through partnerships with publishers and to monitor and analyze the resulting sales.

When using Webgains, the following data is processed:

• IP address
• Order details (e.g. product information, transaction ID)
• Campaign information (e.g. program ID, session ID)
• Technical data such as browser type and operating system

The processing is carried out to execute affiliate marketing campaigns, including the assignment of sales to the respective publishers and to optimize our advertising measures. This is based on our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

Webgains uses proprietary cookies placed on our website to track the origin of a sale or request. These cookies store information such as campaign data and session IDs to validate the connection between publisher and advertiser. The cookies have a default lifespan of 30 days and do not contain any personal information.

If corresponding consent has been requested, processing will be carried out exclusively on
the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

We have concluded an order processing agreement (AV) pursuant to Art. 28 GDPR with the aforementioned provider. This is a contract required by data protection law to ensure that the personal data of visitors to our website is processed exclusively in accordance with our instructions and in compliance with the GDPR.

Further information on data processing by Webgains can be found in their privacy policy at:

https://www.webgains.com/public/de/datenschutzerklaerung/.

Admetrics

We use the Admetrics analytics service, provided by Admetrics GmbH, Hanauer Landstraße 161-173, 60314 Frankfurt am Main, Germany, to analyze the effectiveness of our advertising and marketing measures. With the help of Admetrics, we can evaluate user behavior on our website and optimize the performance of our campaigns.

The following data is processed when using Admetrics:

• IP address
• Device data (e.g. operating system, browser type)
• Search terms and URLs that led to the website
• Interactions with our online store (e.g. clicks, dwell time)
• If necessary, linkage with an existing user account (e.g. customer account or newsletter subscriptions)

The processing is carried out to analyze and optimize our marketing efforts and to improve the user experience on our website. This falls within our legitimate interest pursuant to Art. 6 (1) (f) GDPR.

Admetrics uses cookies to collect user data and analyze interactions with our online store. These cookies store information about your visits and allow for a more precise analysis of user behavior.

If the corresponding consent has been requested, the processing will be carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

We have concluded a data processing agreement (DPA) with the above-mentioned provider pursuant to Art. 28 GDPR. This is a contract required by data protection law, which ensures that the personal data of visitors to our website is processed solely in accordance with our instructions and in compliance with the GDPR.

For more information on data processing by Admetrics, please refer to their privacy policy at https://www.admetrics.io/en/privacy_policy/.

ChannelAdvisor

ChannelAdvisor is a leading cloud-based e-commerce platform that helps brands and retailers optimize and manage their online sales activities across multiple channels. The platform offers a centralized solution for managing product data, digital marketing, order processing, and fulfillment.

When using ChannelAdvisor, the following data may be processed:

• Product information (e.g. item numbers, prices, stock levels)
• Order data (e.g. transaction ID, shipping details)
• Marketing data (e.g. clicks, conversion rates)
• Technical data such as IP address and browser information

The processing is carried out for the centralized management of product data, optimization of advertising campaigns, automation of ordering processes, and expansion of multichannel sales. This falls within our legitimate interest pursuant to Art. 6 (1) (f) GDPR to increase the efficiency of our e-commerce activities.

If the corresponding consent has been requested, the processing will be carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

We have concluded a data processing agreement (DPA) with the above-mentioned provider pursuant to Art. 28 GDPR. This is a contract required by data protection law, which ensures that the personal data of visitors to our website is processed solely in accordance with our instructions and in compliance with the GDPR.

Features of ChannelAdvisor:

• Product data management: synchronization of product information across various marketplaces and platforms.
• Multichannel sales: support for over 920 marketplaces worldwide, including Amazon, eBay, and Zalando.
• Digital marketing: automation and optimization of campaigns on search engines, social media, and marketplace advertising.
• Order fulfillment: centralized management of orders, inventory, and shipping processes.
• Brand Analytics: monitoring of distribution channels and protection of brand reputation.

For more information on data processing by ChannelAdvisor, please refer to their privacy policy at https://www.channeladvisor.com/de/privacy-policy/.

Hatch

Hatch, originally founded under the name Iceleads, is an e-commerce platform based in Amsterdam that helps brands sell their products through online retailers. The platform offers a "Where to Buy" solution that allows brands to link their products directly with over 2,800 online retailers worldwide.

The following data may be processed when using Hatch:

• Product information (e.g. item numbers, availability)
• Click data (e.g. interactions with "Where to Buy" buttons)
• Technical data such as IP address and browser information
• Location data, if applicable (if geolocation is enabled)

The processing is carried out to provide the "Where to Buy" functionality and to optimize the connection between brands and online retailers. This corresponds to the legitimate interest pursuant to Art. 6 (1) (f) GDPR to promote the visibility and distribution of products.

If the corresponding consent has been requested, the processing will be carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

We have concluded a data processing agreement (DPA) with the above-mentioned provider pursuant to Art. 28 GDPR. This is a contract required by data protection law, which ensures that the personal data of visitors to our website is processed solely in accordance with our instructions and in compliance with the GDPR.

For more information on data processing by Hatch, please refer to the privacy policy at https://www.hatch.com.

6.3. Social Media and Communication

Meta Pixel

This website uses the Facebook visitor action pixel to measure conversions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Facebook, the data collected is also transferred to the USA and other third countries.

This allows the behavior of website visitors to be tracked after they have been redirected to the provider's website by clicking on a Facebook advertisement. This enables the evaluation of the effectiveness of Facebook ads for statistical and market research purposes and helps optimize future advertising measures.

For us, as operators of this website, the data collected is anonymous; we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Facebook in such a way that it can be linked to the respective user profile, and Facebook may use the data for its own advertising purposes in accordance with Facebook's Data Usage Policy. This allows Facebook to display advertisements on Facebook pages and outside of Facebook. As website operators, we have no influence over this use of the data.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

The transfer of data to the USA is based on the EU Commission's standard contractual clauses.
Facebook is also certified under the Data Privacy Framework Program.
https://www.facebook.com/legal/EU_data_transfer_addendum and
https://de-de.facebook.com/help/566994660333381.

Facebook is also certified under the Data Privacy Framework.

Insofar as personal data is collected on our website using the tool described here and forwarded to Facebook, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, are jointly responsible for this data processing (Art. 26 GDPR). Joint responsibility is limited solely to the collection of the data and its transfer to Facebook. Any processing by Facebook after transmission is not part of the joint responsibility. Our joint obligations have been defined in a joint processing agreement. The text of the agreement is available at the following address:
https://www.facebook.com/legal/controller_addendum. According to this agreement, we are responsible for providing data protection information when using Facebook tools and for implementing the tool in a data protection-compliant manner on our website. Facebook is responsible for the data security of Facebook products. You can assert your data subject rights (e.g., access requests) regarding data processed by Facebook directly with Facebook. If you assert your data subject rights with us, we are obliged to forward them to Facebook.
Further information on privacy can be found in Facebook's privacy policy: https://de-de.facebook.com/about/privacy/.

You can also use the “Custom Audiences” remarketing function in the settings area to deactivate Facebook ads at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen.
In addition, you must be logged in to Facebook.

Meta Custom Audiences

We use Meta Custom Audiences. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

When you visit or use our websites and apps, take advantage of our free or paid offers, transmit data to us, or interact with our company's Facebook content, we collect your personal data. If you give us your consent to use Facebook Custom Audiences, we will transmit this data to Facebook, which may use it to show you suitable advertisements. It is also possible to define target groups using the data (lookalike audiences).

Facebook processes this data as our processor. Details can be found in Facebook's user agreement:
https://www.facebook.com/legal/terms/customaudience.

The use of this service is based on your consent in accordance with Art. 6 (1) (a) GDPR and § 25 (1) TDDDG. Consent can be revoked at any time.

Data is transferred to the USA based on the European Commission's standard contractual clauses.
Details can be found here:
https://www.facebook.com/legal/terms/customaudience and
https://www.facebook.com/legal/terms/dataprocessing. Facebook is also certified under the Data Privacy Framework.

Pinterest Tag

We have integrated Pinterest tags on this website. The provider is Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

The Pinterest tag is used to record certain actions you take on our website. The data can then be used to show you interest-based advertising on our website or on another page of the Pinterest tag-based advertising network.

For this purpose, the Pinterest tag records, among other things: a tag ID, your location, and the referrer URL. In addition, campaign-specific data such as order value, order quantity, order number, category of purchased items, and video views can be recorded.

Pinterest Tag uses technologies that enable user recognition across multiple pages to analyze behavior (e.g. cookies or device fingerprinting).

Since corresponding consent has been requested, processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as consent includes the storage of cookies or access to information on the user's terminal device (e.g. device fingerprinting) under the TDDDG. Consent can be revoked at any time.

Pinterest is a global company, so data transfers to the United States
may occur. According to Pinterest, this data transfer will be carried out
on the basis of the European Commission's standard contractual clauses. Details are available here:
https://policy.pinterest.com/de/privacy-policy.

For more information about Pinterest Tag, see here:
https://help.pinterest.com/de/business/article/track-conversions-with-pinterest-tag.

We have concluded a data processing agreement (DPA) pursuant to Art. 28 GDPR with the provider mentioned above. This is a contract required by data protection law, which ensures that the personal data of our website visitors is processed solely in accordance with our instructions and in compliance with the GDPR.

TikTok Pixel

We use the TikTok Pixel on our website. TikTok Pixel is a tool for TikTok advertisers provided by two providers:

• TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and
• TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (hereinafter collectively referred to as "TikTok")

The TikTok Pixel is a JavaScript code snippet that allows us to understand and track visitor activity on our website. The TikTok Pixel collects and processes information about visitors to our website or the devices they use (so-called event data).
The event data collected via the TikTok Pixel is used to target our ads and improve ad delivery and personalized advertising. For this purpose, the event data collected on our website via the TikTok Pixel is transmitted to TikTok.
Some of this event data is information stored on the device you use. In addition, TikTok Pixel also uses cookies to store information on your device. This storage of information by TikTok Pixel or access to information already stored on your device only takes place with your consent. The use of this service is based on your consent pursuant to Art. 6 (1) (a) GDPR and Section 25 (1) TDDDG. Consent can be revoked at any time.
This collection and transmission of event data is carried out by us and TikTok as joint controllers under Art. 26 GDPR. We have concluded a joint data processing agreement with TikTok, which defines the division of data protection obligations between us and TikTok. In this agreement, we and TikTok have agreed, among other things,

• that we are obliged to provide you with all information pursuant to Art. 13, 14 GDPR regarding the joint processing of personal data;
• that TikTok is responsible for fulfilling the rights of data subjects under Articles 15 to 20 GDPR with respect to personal data stored by Facebook Ireland after joint processing.

You can access the agreement concluded between us and TikTok at https://ads.tiktok.com/i18n/official/article?aid=300871706948451871.
TikTok is solely responsible for the further processing of the event data transmitted. For more information about how TikTok processes personal data, including the legal basis TikTok relies on and how to exercise your rights against TikTok, please refer to TikTok’s Data Policy at:
https://ads.tiktok.com/i18n/official/article?aid=300871706948451871

7. Customer Account

Contractual partners can create an account within our online offering (e.g. customer or user account, hereinafter referred to as "customer account"). If registration of a customer account is required, contractual partners will be informed and made aware of the necessary registration information. Customer accounts are not public and cannot be indexed by search engines. During registration and subsequent logins and use of the customer account, we store the IP addresses of customers along with access times to prove registration and prevent misuse of the customer account.

If the customer has closed their account, the account-related data will be deleted unless its retention is required for legal reasons. It is the customer's responsibility to back up their data after closing the account. The legal basis for data processing is therefore Art. 6 (1) (b) GDPR.

7.1. Shop and e-commerce

We process the data of our customers in order to enable them to select, purchase, or order selected products, goods, and related services, as well as to pay for and receive or execute them. If necessary for the execution of an order, we use service providers, especially postal, shipping, and freight companies, to carry out delivery or execution for our customers. To process payment transactions, we use the services of banks and payment service providers. Required information is marked as such during the ordering or similar process and includes information necessary for delivery, provision, and invoicing, as well as contact information for any necessary follow-up.

• Types of data processed: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contact data (e.g. emails, telephone numbers), contract data (e.g. subject of the contract, duration, customer category), usage data (e.g. websites visited, interest in content, access times), metadata/communication data (e.g. device information, IP addresses).
• Data subjects: interested parties, business and contractual partners, customers
• Purpose of processing: provision of contractual services and customer support, contact requests and communication, administrative and organizational procedures, administration and response to inquiries, security measures, conversion measurement (measurement of marketing effectiveness), interest-based and behavioral marketing, profiling (creating user profiles).
• Legal basis: contractual performance and pre-contractual inquiries (Art. 6 (1) (b) GDPR), legal obligation (Art. 6 (1) (c) GDPR), legitimate interests (Art. 6 (1) (f) GDPR).

7.2. Complaint management

To make the complaint and repair process efficient and transparent for our customers, we use the easyRMA® complaint management system provided by WNM GmbH. easyRMA® allows our customers to easily submit complaints online and monitor the processing status of their complaints or repairs via status messages.

The following personal data is processed when using EasyRMA:

• Name
• Email address
• Address
• Order information (e.g. item, order number)
• Optional: uploaded images to document damages or complaints

The processing is carried out to handle complaints and repairs, as well as to improve customer service. By using EasyRMA, we can accelerate the handling of your requests and ensure transparency at all times regarding the status of your complaint.

Your data will be processed in accordance with Art. 6 (1) (b) GDPR (contract execution) and Art. 6 (1) (f) GDPR (legitimate interest in efficient return management).

Your data will be transmitted to EasyRMA and processed there. Processing takes place exclusively within the European Union. We have concluded a data processing agreement with EasyRMA in accordance with Art. 28 GDPR to ensure that your data is processed solely according to our instructions and in compliance with applicable data protection regulations.

Your data will be stored for the duration of the complaint or repair and will then be deleted unless retention is required by law.

Further information on data processing by EasyRMA can be found in their privacy policy: Link to EasyRMA's privacy policy.

7.3. Economic analysis and market research

For business purposes and in order to recognize market trends and the needs of contractual partners and users, we analyze the data available to us on business transactions, contracts, inquiries, etc., where the group of data subjects may include contractual partners, interested parties, customers, visitors, and users of our online offering.
The analyses are conducted for business evaluation, marketing, and market research purposes (e.g., to identify customer groups with different characteristics). In doing so, we may, where available, take into account profiles of registered users along with their information, such as services used. The analyses are for our internal use only and are not disclosed externally unless they are anonymous analyses with aggregated values, i.e., anonymized. Furthermore, we respect users' privacy and process the data for analysis in a manner that is as pseudonymized as possible and, where feasible, in anonymized form (e.g., as aggregated data).

7.4. Payment Service Providers

As part of contractual and other legal relationships, due to legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and, in addition to banks and credit institutions, we use other payment service providers (collectively referred to as "payment service providers").

The data processed by the payment service providers includes inventory data, such as names and addresses, bank data such as account numbers or credit card numbers, passwords, TANs, and checksums, as well as information related to the contract, the amount, and the recipient. The information is necessary to complete the transactions. However, the data entered is processed and stored only by the payment service providers. This means that we do not receive any account or credit card information, but only information confirming or rejecting the payment. In certain cases, the payment service provider may transmit the data to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. For this purpose, we refer to the general terms and privacy policies of the payment service providers.
For payment transactions, the terms and conditions and privacy notices of the respective payment service providers apply, which can be accessed on their respective websites or applications. We also refer to them for further information and for exercising your rights of revocation, information, and other data subject rights.

7.5. Shipping Service Providers

To deliver ordered goods, we work with logistics service providers/shipping companies and/or shipping partners to whom the following data is transmitted for the purpose of delivery or shipment notification: first name, last name, postal address, and, if applicable, email address and phone number. The legal basis for the processing is Art. 6(1)(b) GDPR.

7.6. Credit Checks

If you make a purchase with deferred payment or use any other payment method that involves advance payment, we may conduct a credit check (scoring). For this purpose, we transmit the data you provide (e.g., name, address, age, or bank data) to a credit agency. Based on this data, the probability of a payment default is determined. If the risk of non-payment is too high, we may reject the chosen payment method.

The credit check is carried out based on contract fulfillment (Art. 6 (1) (b) GDPR) and
to prevent payment defaults (legitimate interest pursuant to Art. 6 (1) (f) GDPR). If consent has been obtained, the credit check is based on this consent (Art. 6 (1) (a) GDPR); consent can be revoked at any time.

8. Online Presence on Social Media

If you have given your consent pursuant to Art. 6 (1) (a) GDPR to the respective social media provider, when you visit our online presence on our social media channels, your data will be automatically collected and stored for market research and advertising purposes, from which user profiles are created using pseudonyms. These may be used, for example, to show you advertisements that presumably match your interests both within and outside the platforms. Cookies are usually used for this purpose. For detailed information on the processing and use of data by the respective social media provider, as well as contact information, your rights, and settings options to protect your privacy, please refer to the respective privacy policies linked on the providers' websites. If you need further assistance, feel free to contact us.

9. Security

We have implemented technical and administrative security measures to protect your personal data from loss, destruction, manipulation, and unauthorized access. All our employees and service providers working on our behalf are obligated to comply with applicable data protection laws.

Whenever we collect and process personal data, it is encrypted before transmission. This means your data cannot be misused by third parties. Our security measures are subject to continuous improvement and our privacy policies are constantly reviewed. Please ensure you have the latest version.

10. Information Obligations for Customers and Business Partners

We process the data that we have received from you in the context of initiating or processing a contract, based on consent, as part of your application, or as part of your employment with us.

Personal data includes the following

• Your personal/contact data, for customers this includes e.g. first and last name, address, contact details (email address, phone number), and bank details.
• For business partners and suppliers, this includes e.g. the names of their legal representatives, company name, commercial register number, VAT ID, company registration number, address, contact details (email address, phone number, fax), and bank account details.

In addition, we also process the following other personal data:

• Information on the type and content of contractual data, order data, sales data and documents, customer and supplier history as well as consultation documents,
• Advertising and sales data,
• Information from your electronic communication with us (e.g. IP address, login data),
• Other data that we have received from you in the course of our business relationship (e.g. in customer conversations),
• Data we generate ourselves from master/contact data and other data, such as analyses of customer needs and potential,
• Documentation of your consent declaration to receive, for example, newsletters,
• Photographs taken during events.

For what purposes and on what legal basis are the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act 2018 as amended:

-for the fulfilment of (pre-)contractual obligations (Art. 6 para. 1 lit. b GDPR):
Your data is processed for contract processing online or in our shop and for contract processing in business relationships. The data is processed in particular when initiating business and when executing contracts with you.

-for the fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR):
The processing of your data is necessary for the purpose of fulfilling various legal obligations, e.g. from the German Commercial Code or the German Fiscal Code.

-to safeguard legitimate interests (Art. 6 para. 1 lit. f GDPR):
Based on a balancing of interests, data processing may take place beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. Data processing to protect legitimate interests takes place in the following cases, for example:

• Advertising or marketing
• Measures for business management and further development of services and products;
• in the context of legal prosecution
• Sending of non-sales-promoting information and press releases.

-within the scope of your consent (Art. 6 para. 1 lit. a GDPR):
If you have given us your consent to process your data, e.g. to send you our newsletter, to store your data beyond the eigl. purposes

11. Advertising

11.1. Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time, either as a whole or for individual measures, without incurring any costs other than the transmission costs according to the basic rates.

Subject to the legal requirements of Section 7 (3) UWG, we are authorised to use the email address you provided when concluding the contract for direct advertising for our own similar goods or services. You will receive these product recommendations from us regardless of whether you have subscribed to a newsletter.

If you do not wish to receive such recommendations from us by e-mail, you can object to the use of your address for this purpose at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form is sufficient for this. Of course, each e-mail always contains an unsubscribe link.

11.2. Use of your data for marketing purposes within the group of companies

If you give us your express consent, we may also use your personal data (e.g. name, e-mail address, telephone number) to send you information about products, services or offers not only from us, but also from other companies in our group of companies.

Specifically, this currently affects the following companies:

• Hauck Retail GmbH
• Hauck GmbH & Co. KG

The data will be transmitted exclusively for the purpose of sending you personalized marketing information (e.g. via email or postal mail). They will not be used for other purposes or passed on to third parties outside the corporate group.

Your consent is voluntary and can be revoked at any time with future effect, e.g. by sending an email to info@kp-family.de or via the unsubscribe link included in every marketing email.

Without your consent, your data will not be used for the purposes mentioned above.

12. Recipients of the Data

12.1. Who receives my data?

As the data controller, we regularly process personal data. However, processing through the transfer or disclosure of personal data to third parties may be necessary in the context of carrying out our business activities, particularly if one of the following reasons applies according to the legal basis indicated:

• It is necessary for the performance of a contract with the data subject or for the implementation of pre-contractual measures taken at their request (Art. 6 (1) (b) GDPR).
• The transfer is necessary for the establishment, exercise or defense of legal claims and there is no reason to believe that the data subject has an overriding legitimate interest in not having their data transferred (Art. 6 (1) (f) GDPR).
• There is a legal obligation to transmit the data (Art. 6 (1) (c) GDPR).
• We have valid consent (Art. 6 (1) (a) GDPR).

Categories of recipients in the context of our activities and operations may include in particular

• Postal, telecommunications, and transport service providers
• Payment and financial service providers
• Business and sales partners, and other individuals and companies involved in providing services
• Authorities, courts, defendants, and other involved parties

In addition, we point out in the individual processing operations if other recipients come into consideration.

12.2. Information on transfers to third countries (data transfer to third countries)

We use technologies from service providers on our website whose registered office and/or server locations may be located in third countries outside the EU or the EEA. If there is no adequacy decision by the EU Commission for this country, an adequate level of data protection must be ensured by means of other suitable guarantees.

Suitable guarantees in the form of contractually agreed standard contractual clauses of the EU Commission or binding internal data protection regulations (Binding Corporate Rules) are generally possible, but require a prior review by the contracting parties to determine whether an adequate level of protection can be guaranteed. According to the case law of the ECJ, it may be necessary to take additional protective measures.

We have generally agreed the standard data protection clauses issued by the EU Commission with the technology providers we use who process personal data in a third country. Where possible, we also agree additional guarantees to ensure that adequate data protection is guaranteed in third countries without an adequacy decision.

Notwithstanding this, it is possible that, despite all contractual and technical measures, the level of data protection in the third country does not correspond to that of the EU. In such cases, we will ask you, if necessary, for your consent to transfer your personal data to a third country as part of the cookie consent process in accordance with Art. 49 (1) (a) GDPR.

In particular, there is a risk that local authorities in the third country may not have sufficiently restricted access rights to your personal data from a European data protection perspective, that we as the data exporter or you as the data subject may not be aware of this and/or that you may not have sufficient legal remedies to prevent this and/or to take action against such access.

The following countries in particular are currently categorised as third countries without an adequacy decision by the EU Commission (sample list):

• China
• Russia
• Taiwan

You can find out to which third countries data is transferred by us in the data protection information for the respective tool and/or service used by us for consent management / Consent Manager Platform (CMP).

12.3. Order processing by service providers

In order to carry out our activities, we also use service providers bound by instructions as processors in accordance with Art. 28 GDPR, who are also considered recipients of the data within the meaning of data protection. A contract for order processing ensures in particular that the processing is carried out on the basis of our instructions, that sufficient guarantees exist for compliance with suitable technical and organisational measures and that the rights of data subjects are guaranteed.

We generally use service providers for the following processing purposes:

• Hosting of our online offers/websites with providers (infrastructure and platform services, computing capacity, storage space and database services).
• Care, maintenance and servicing of online offers/websites.
• Implementation, care, maintenance and servicing of IT systems.
• Document and information management.
• Communication, contact and conference systems (e-mail, contacts, appointments, messenger, video conferencing, etc.).
• File and data carrier destruction

13. How long will my data be stored?

We generally store personal data as long as it is necessary for the purposes of the corresponding processing, statutory or regulatory retention periods exist or we have a legitimate interest in the storage or the corresponding consent of the data subject.

We store certain data in accordance with the following rules for the duration specified in each case and delete or destroy it after the specified storage period has expired:

• If the processing is based on your consent, we will delete the data concerned after your cancellation.
• If none of the following retention periods apply, we delete the data after the purpose of processing has expired.
• 3 years: Data and content relating to legal transactions (including their preparation) to the extent necessary for information and defence as well as for the assertion or defence of claims. This also includes data for marketing and customer support, unless they also fall under a category for a longer storage period.
• 6 years: commercial letters received and sent (§ 257 para. 1 no. 2 and 3, para. 4 HGB)
• 10 years: Documents relevant for taxation, accounting records, trading books (§§ 147 para. 1 AO, 257 para. 1 no. 1 and 4, para. 4 HGB).
• 30 years: Data that is stored due to special circumstances in our own or a third party's interest, as there are corresponding limitation periods or special retention periods (e.g. enforcement order, special limitation periods).

14. What data protection rights do I have?

You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing as well as a right to data portability and to lodge a complaint in accordance with the requirements of data protection law.

Right to information:
You can request information from us as to whether and to what extent we process your data.

Right to rectification:
If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.

Right to cancellation:
You can demand that we erase your data if we process it unlawfully or if the processing disproportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obligations. Irrespective of the exercise of your right to erasure, we will erase your data immediately and completely, provided that there is no legal or statutory retention obligation to the contrary.

Right to restriction of processing:
You can request that we restrict the processing of your data if
- you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data.
- the processing of the data is unlawful, but you refuse to have it erased and instead request that the use of the data be restricted,
- we no longer need the data for the intended purpose, but you still need this data for the assertion or defence of legal claims, or
- you have objected to the processing of the data.

Right to data portability:
You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to another controller without hindrance from us, provided that
- we process this data on the basis of a consent given and revocable by you or for the fulfilment of a contract between us, and
- this processing is carried out using automated procedures.
If technically feasible, you can request that we transfer your data directly to another controller.

Right to object:
If we process your data on the basis of a legitimate interest, you can object to this data processing at any time; this would also apply to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

Right of appeal:
If you are of the opinion that we are violating German or European data protection law when processing your data, please contact us so that we can clarify any questions you may have. Of course, you also have the right to contact the supervisory authority responsible for you, the respective state office for data protection supervision.
If you wish to assert one of these rights against us, please contact our data protection officer. In case of doubt, we may request additional information to confirm your identity.

Am I obliged to provide data?
The processing of your data is necessary for the conclusion or fulfilment of the contract you have entered into with us. If you do not provide us with this data, we will generally have to refuse to conclude the contract or will no longer be able to fulfil an existing contract and will therefore have to terminate it. However, you are not obliged to give your consent to data processing with regard to data that is not relevant or legally required for the fulfilment of the contract.

15. Changes to this privacy policy

We reserve the right to change our privacy policy if this should be necessary due to new technologies. Please ensure that you have the latest version. If fundamental changes are made to this privacy policy, we will announce these on our website.

In case of doubt, the German version of this privacy policy shall apply.