Privacy Policy
1. Name and Address of the Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other provisions of data protection law is:
[Company Name]
[Street Address]
[Postal Code, City]
[Country]
Email: [Email Address]
Website: [Website URL]
2. General Information on Data Processing
2.1 Scope of Processing of Personal Data
We generally process personal data of our users only to the extent necessary to provide a functional website and our content and services. The processing of personal data of our users regularly occurs only with the user’s consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by legal provisions.
2.2 Legal Basis for the Processing of Personal Data
Where we obtain consent from the data subject for processing operations involving personal data, Article 6(1)(a) GDPR serves as the legal basis.
When processing personal data is necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
Where processing of personal data is necessary for compliance with a legal obligation to which our company is subject, Article 6(1)(c) GDPR serves as the legal basis.
If the processing is necessary to protect the vital interests of the data subject or of another natural person, Article 6(1)(d) GDPR serves as the legal basis.
If the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis.
2.3 Data Erasure and Storage Duration
The personal data of the data subject will be erased or blocked as soon as the purpose for storage no longer applies. Storage may also take place if this has been provided for by European or national legislators in Union regulations, laws, or other provisions to which the controller is subject. Data will also be blocked or erased when a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.
3. Provision of the Website and Creation of Log Files
3.1 Description and Scope of Data Processing
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.
The following data is collected:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The user’s IP address
- Date and time of access
- Websites from which the user’s system accesses our website
- Websites accessed by the user’s system via our website
The data is also stored in our system’s log files. This data is not stored together with other personal data of the user.
3.2 Legal Basis for Data Processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.
3.3 Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
Storage in log files takes place to ensure the functionality of the website. In addition, the data serves us to optimise the website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context.
These purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f) GDPR.
3.4 Duration of Storage
The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of data collected for the provision of the website, this occurs when the respective session ends.
In the case of data stored in log files, deletion occurs after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymised so that assignment to the accessing client is no longer possible.
3.5 Possibility of Objection and Removal
The collection of data for the provision of the website and the storage of data in log files is essential for the operation of the website. Consequently, the user has no option to object.
4. Use of Cookies
4.1 Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string that enables the browser to be uniquely identified when the website is accessed again.
We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.
In addition, we use cookies on our website that enable an analysis of users’ browsing behaviour.
When accessing our website, users are informed about the use of cookies for analytical purposes and are referred to this privacy policy. In this context, consent for the processing of personal data used in this regard is also obtained.
4.2 Legal Basis for Data Processing
The legal basis for the processing of personal data using technically necessary cookies is Article 6(1)(f) GDPR.
The legal basis for the processing of personal data using cookies for analytical purposes is, in the event of the user’s consent, Article 6(1)(a) GDPR.
4.3 Purpose of Data Processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be provided without the use of cookies. For these functions, it is necessary that the browser is recognised even after a page change.
We require cookies for the following applications:
- Shopping cart functionality
- Adoption of language settings
- Remembering search queries
The user data collected by technically necessary cookies is not used to create user profiles.
The use of analytical cookies serves to improve the quality of our website and its contents. Through the analytical cookies, we learn how the website is used, which enables us to continuously optimise our offering.
These purposes also constitute our legitimate interest in processing personal data pursuant to Article 6(1)(f) GDPR.
4.4 Duration of Storage, Possibility of Objection and Removal
Cookies are stored on the user’s computer and transmitted from there to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically.
If cookies are deactivated for our website, it may no longer be possible to use all functions of the website in full.
The transmission of Flash cookies cannot be prevented via the browser settings, but only by changing the settings of the Flash Player.
5. Newsletter
5.1 Description and Scope of Data Processing
On our website, users are given the opportunity to subscribe to a free newsletter. When registering for the newsletter, the data from the input form is transmitted to us.
The following data may be collected:
- Email address
- First name and surname (if provided)
- Date and time of registration
For the processing of the data, your consent is obtained during the registration process, and reference is made to this privacy policy.
If you purchase goods or services from us and provide your email address in doing so, this may subsequently be used by us to send you a newsletter. In such a case, the newsletter will exclusively contain direct advertising for similar goods or services of our own.
No data is disclosed to third parties in connection with the data processing for the sending of newsletters. The data is used exclusively for sending the newsletter.
5.2 Legal Basis for Data Processing
The legal basis for processing the data after registration for the newsletter by the user is Article 6(1)(a) GDPR, provided that the user has given consent.
The legal basis for sending the newsletter as a result of the sale of goods or services is § 7 (3) UWG (German Act Against Unfair Competition).
5.3 Purpose of Data Processing
The collection of the user’s email address serves the purpose of delivering the newsletter.
The collection of other personal data during the registration process serves to prevent misuse of the services or of the email address used.
5.4 Duration of Storage
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. Accordingly, the user’s email address will be stored for as long as the newsletter subscription is active.
5.5 Possibility of Withdrawal and Removal
The subscription to the newsletter may be cancelled by the user at any time. Each newsletter contains a corresponding link for this purpose.
This also allows withdrawal of consent to the storage of personal data collected during the registration process.
6. Registration and User Account
6.1 Description and Scope of Data Processing
On our website, we offer users the option to register by providing personal data. The data is entered into an input form, transmitted to us, and stored. The data is not transferred to third parties.
The following data may be collected during registration:
- First name and surname
- Address
- Email address
- Telephone number (if provided)
- Chosen username and password
- Date and time of registration
At the time of registration, the following additional data is also stored:
- The user’s IP address
- Date and time of registration
During the registration process, the user’s consent to the processing of this data is obtained.
6.2 Legal Basis for Data Processing
If the user has given consent, the legal basis for processing the data is Article 6(1)(a) GDPR.
If registration serves to fulfil a contract to which the user is a party or to carry out pre-contractual measures, the additional legal basis for data processing is Article 6(1)(b) GDPR.
6.3 Purpose of Data Processing
User registration is required for the provision of certain content and services on our website.
It also enables users to manage orders, view their purchase history, and update personal details, ensuring smooth execution of contractual relationships.
6.4 Duration of Storage
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.
For data collected during the registration process, this is the case when registration on our website is cancelled or modified.
If the data is required for the performance of a contract or for pre-contractual measures, premature deletion of the data is only possible if contractual or statutory obligations do not prevent deletion.
6.5 Possibility of Withdrawal and Removal
As a user, you have the possibility to cancel your registration at any time. You may request the deletion or modification of the data stored about you at any time.
If the data is necessary for the performance of a contract or for pre-contractual measures, early deletion of the data is only possible insofar as contractual or legal obligations do not preclude deletion.
7. Contact Form and Email Contact
7.1 Description and Scope of Data Processing
Our website provides a contact form which can be used to contact us electronically. If a user takes advantage of this option, the data entered in the input form is transmitted to us and stored.
This data typically includes:
- Name
- Email address
- Subject
- Message content
- Date and time of submission
At the time of sending the message, the following data is also stored:
- The user’s IP address
- Date and time of submission
For the processing of data, your consent is obtained during the submission process and reference is made to this privacy policy.
Alternatively, contact via the provided email address is possible. In this case, the user’s personal data transmitted with the email will be stored.
The data is not disclosed to third parties in this context. The data is used exclusively for processing the conversation.
7.2 Legal Basis for Data Processing
The legal basis for processing the data, where the user has given consent, is Article 6(1)(a) GDPR.
The legal basis for the processing of data transmitted in the course of sending an email is Article 6(1)(f) GDPR.
If the purpose of the email contact is the conclusion of a contract, Article 6(1)(b) GDPR also applies as a legal basis.
7.3 Purpose of Data Processing
The processing of personal data from the input form serves solely to process the contact request.
In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data.
The other personal data processed during the submission process serves to prevent misuse of the contact form and to ensure the security of our information technology systems.
7.4 Duration of Storage
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.
For the personal data from the input form and that sent by email, this is the case when the respective conversation with the user has ended.
The conversation is deemed to have ended when the circumstances indicate that the matter in question has been conclusively resolved.
The additional personal data collected during the submission process will be deleted after a period of seven days at the latest.
7.5 Possibility of Withdrawal and Removal
The user has the possibility at any time to withdraw consent to the processing of personal data.
If the user contacts us via email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued.
All personal data stored in the course of establishing contact will be deleted in this event.
8. Rights of the Data Subject
If your personal data is processed, you are a data subject within the meaning of the General Data Protection Regulation (GDPR), and you have the following rights vis-à-vis the controller:
8.1 Right of Access (Article 15 GDPR)
You have the right to obtain confirmation from the controller as to whether personal data concerning you is being processed.
If such processing is taking place, you have the right to obtain access to the following information:
- The purposes for which the personal data is processed;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom the personal data has been or will be disclosed;
- The envisaged period for which the personal data will be stored, or, if specific information is not possible, the criteria used to determine that period;
- The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning you, or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- Where the personal data is not collected from you, any available information as to its source;
- The existence of automated decision-making, including profiling, referred to in Articles 22(1) and 22(4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
You also have the right to request information as to whether personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
8.2 Right to Rectification (Article 16 GDPR)
You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
8.3 Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR)
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase such data without undue delay where one of the following grounds applies:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, and where there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) GDPR.
- The personal data has been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject.
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.
Where the controller has made the personal data public and is obliged pursuant to this Article to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure of any links to, or copy or replication of, such personal data.
The right to erasure shall not apply to the extent that processing is necessary:
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health pursuant to Article 9(2)(h) and (i) and Article 9(3) GDPR;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) GDPR, in so far as the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- For the establishment, exercise, or defence of legal claims.
8.4 Right to Restriction of Processing (Article 18 GDPR)
You have the right to obtain from the controller restriction of processing where one of the following applies:
- You contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- The controller no longer needs the personal data for the purposes of processing, but it is required by you for the establishment, exercise, or defence of legal claims;
- You have objected to processing pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing, you will be informed by the controller before the restriction is lifted.
8.5 Right to Notification (Article 19 GDPR)
If you have exercised your right to rectification, erasure, or restriction of processing, the controller is obliged to communicate this to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the controller about these recipients if you request it.
8.6 Right to Data Portability (Article 20 GDPR)
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used, and machine-readable format.
You also have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where:
- The processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
- The processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
This right shall not adversely affect the rights and freedoms of others.
8.7 Right to Object (Article 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
8.8 Right to Withdraw Consent (Article 7(3) GDPR)
You have the right to withdraw your consent to the processing of personal data at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
8.9 Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
9. Data Security and Technical and Organisational Measures
9.1 Security of Processing
We take appropriate technical and organisational measures (TOMs) in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
Such measures include, in particular:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
We also take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
9.2 Confidentiality and Access Control
Access to personal data is strictly limited to those employees, service providers, or third parties who require access for legitimate business purposes and who are bound by corresponding confidentiality obligations.
All of our staff members who are involved in data processing are obliged to comply with the data protection regulations and are regularly trained in this regard.
9.3 Data Encryption
To protect your data during transmission, we use SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption technology.
This ensures that any data you transmit to us via our website cannot be read by third parties.
9.4 Backup and Recovery
We maintain appropriate backup and recovery procedures to prevent data loss and to ensure the timely restoration of data in case of system failure or data corruption.
9.5 Physical and Logical Security
Our IT systems and data centres are protected by physical security measures, including access controls and environmental safeguards. Logical security measures such as firewalls, intrusion detection systems, and multi-level authentication protocols further protect stored and processed data.
9.6 Third-Party Processors
When we engage external service providers for the processing of personal data (so-called data processors), this is done in accordance with Article 28 GDPR on the basis of data processing agreements that ensure compliance with data protection obligations.
10. Data Transfers to Third Countries
10.1 General Information
Your personal data will only be transferred to third countries (countries outside the European Union (EU) or the European Economic Area (EEA)) if:
- It is necessary for the performance of a contract between you and us,
- It is required by law,
- You have expressly consented to the transfer, or
- The transfer is otherwise permitted under the GDPR.
In all such cases, we ensure that an adequate level of data protection is maintained in accordance with Articles 44–50 GDPR.
10.2 Adequacy Decisions
Where the European Commission has determined that a third country, territory, or specific sector within a third country ensures an adequate level of protection (an adequacy decision pursuant to Article 45 GDPR), data transfers to that country may take place without further authorisation.
10.3 Standard Contractual Clauses (SCCs)
In the absence of an adequacy decision, we may transfer personal data to recipients in third countries only if appropriate safeguards are provided, such as through the use of the European Commission’s Standard Contractual Clauses (SCCs) in accordance with Article 46(2)(c) GDPR.
These clauses contractually oblige the recipient to protect the data in compliance with EU data protection standards.
10.4 Additional Safeguards
Where necessary, we implement additional technical and organisational measures to protect your data during and after transfer — such as encryption, pseudonymisation, and strict access control — to prevent unauthorised access or disclosure.
10.5 Transfers Based on Consent or Necessity
If a data transfer to a third country takes place without an adequacy decision or suitable safeguards, it may still be carried out if:
- You have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers (Article 49(1)(a) GDPR), or
- The transfer is necessary for the performance of a contract between you and us, or for the implementation of pre-contractual measures taken at your request (Article 49(1)(b) GDPR).
10.6 Data Transfers to Service Providers (Processors)
In some cases, we use service providers located in third countries (e.g., for website hosting, email distribution, or customer service).
Such providers are carefully selected, contractually bound by data processing agreements in accordance with Article 28 GDPR, and required to comply with EU data protection standards, including the application of Standard Contractual Clauses and, where applicable, supplementary measures.
11. Data Retention and Deletion Periods
11.1 General Principles
We process and store your personal data only for as long as is necessary to fulfil the purposes for which it was collected or to comply with our legal, contractual, or statutory obligations. Once the purpose for which the data was collected no longer applies, or the applicable retention period expires, your personal data will be deleted or anonymised in accordance with legal requirements.
11.2 Legal and Contractual Retention Obligations
Data may be retained beyond the initial purpose where required by:
- Statutory retention obligations (e.g., under commercial or tax law),
- The necessity to preserve evidence within the scope of statutory limitation periods, or
- Legitimate business interests, such as the assertion, exercise, or defence of legal claims.
During this retention period, processing of the data will be restricted and access limited to the minimum necessary.
11.3 Criteria for Determining the Retention Period
The specific retention period for personal data depends on the following criteria:
- The category of data and the purpose of processing;
- The duration of any contractual relationship or ongoing service;
- The applicable legal retention requirements (for example, up to ten years for accounting and taxation records);
- Legitimate interest considerations related to legal defence or compliance obligations.
11.4 Deletion or Anonymisation of Data
Once the applicable retention period expires, or when storage is no longer required for the stated purposes, the data will be deleted in a secure and irreversible manner.
Where deletion is not technically or legally feasible, we will anonymise the data so that it can no longer be associated with an identifiable person.
11.5 Backup Data and System Logs
Data stored in backup systems will be deleted in accordance with our standard backup cycles.
Log files and system records necessary for the security and operation of our IT systems are generally retained for a short, predefined period before being automatically overwritten or deleted, unless required for incident investigation.
12. Automated Decision-Making and Profiling
12.1 General Information
As a rule, we do not use automated decision-making, including profiling, as defined in Article 22 GDPR, which produces legal effects concerning you or similarly significantly affects you.
If we were to introduce such procedures in the future, we would ensure that this is done only in accordance with the applicable legal provisions — in particular Articles 22(2) and (4) GDPR — and that appropriate measures are in place to safeguard your rights, freedoms, and legitimate interests.
In such cases, you would be separately informed about:
- The existence of automated decision-making,
- The logic involved,
- The significance and the envisaged consequences of such processing for you.
12.2 Profiling for Statistical or Marketing Purposes
In certain instances, we may analyse aspects of your personal data to better understand your preferences and to provide you with relevant offers or communications. This may include:
- Statistical analysis of purchase behaviour, website activity, or engagement with marketing materials;
- The use of pseudonymised data to evaluate trends and customer interests.
Such processing does not have any legal effect on you, nor does it significantly affect you within the meaning of Article 22 GDPR.
You have the right to object to such processing at any time pursuant to Article 21 GDPR.
12.3 Safeguards
Where profiling or partially automated processing is used, we ensure that:
- Processing is based on lawful grounds (e.g., consent or legitimate interest),
- Data minimisation and accuracy principles are maintained, and
- Adequate technical and organisational measures are in place to prevent misuse or discrimination.
13. Updates and Amendments to this Privacy Policy
13.1 Version Control and Review
We reserve the right to update or amend this Privacy Policy at any time in order to reflect changes in our data processing practices, legal obligations, or regulatory requirements.
All updates will comply with applicable data protection laws, including the General Data Protection Regulation (GDPR) and relevant national legislation.
13.2 Notification of Changes
If substantial modifications are made — for example, changes that significantly affect how your personal data is processed — we will inform you of these changes in a timely and appropriate manner.
Notification may be provided via:
- A visible notice on our website,
- Direct communication by email (where appropriate), or
- Any other suitable means, depending on the nature and impact of the change.
13.3 Availability of the Current Version
The current version of this Privacy Policy is always available on our website and may be downloaded or printed at any time.
Each version includes the effective date to ensure transparency regarding which version applies at the time of your visit or interaction with our services.
13.4 Continued Use
By continuing to use our website or services after an updated Privacy Policy has taken effect, you acknowledge and agree to the revised terms, unless you exercise your rights under the GDPR to object or withdraw consent where applicable.