Privacy policy
Data protection declaration
The person responsible for data processing is:
KoRo Handels GmbH
Hauptstr. 26
10827 Berlin
service@korodrogerie.de
Thank you for your interest in our online shop. Protecting your privacy is very important to us. Below, we will provide you with detailed information about how we handle your personal data on our website and in our app.
1. Access data and hosting
Every time you visit our website, we process connection data that your browser automatically transmits to enable you to visit the website. This connection data includes, in particular, your IP address, the date and time of the retrieval, the amount of data transferred and the requesting provider (access data). This connection data is evaluated solely for the purpose of enabling you to visit the website, ensuring that the site operates smoothly and improving our services. The legal basis for this processing is Art. 6 (1) (b) GDPR, insofar as the page view occurs in the course of the initiation or execution of a contract, and otherwise Art. 6 (1) (f) GDPR based on our legitimate interest in enabling website viewing and the long-term functionality and security of our systems. All access data will be deleted no later than seven days after the end of your page visit. We use Amazon Web Services to host our website.
2. Data processing for contract processing and for contacting
2.1 Orders
2.2 Customer account
If you decide to open a customer account, we will use the data you enter on the input forms to open a customer account and to store your data for further future orders on our website in accordance with Art. 6 (1) point b GDPR. You can delete your customer account at any time, either by sending a message to the contact option described in this data protection declaration or by using a function provided in the customer account. After deletion of your customer account, your data will be deleted, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) point a GDPR or we reserve the right to use data in excess thereof, which is permitted by law and about which we inform you in this statement.
2.3 Contact
As part of our customer communications, we collect personal data (in particular the name and contact address you have provided) in order to process your requests in accordance with Art. 6 (1) point b GDPR, if you voluntarily provide it to us when you contact us (e.g. using a contact form or by email). Mandatory fields are marked as such because we absolutely need the data in these cases in order to process your request. The data collected can be seen from the respective input forms. After your request has been fully processed, your data will be deleted, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) point a GDPR or we reserve the right to use data beyond this scope, which is permitted by law and about which we inform you in this statement.
Typeform
We have integrated Typeform on this website. The provider is TYPEFORM S.L., Carrer Bac de Roda, 163, 08018 Barcelona, Spain (hereinafter Typeform). Typeform enables us to create online forms and embed them on our website. The data you enter in our Typeform forms is stored on Typeform's servers until you request us to delete it, revoke any consent you have given to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions - in particular retention periods - remain unaffected. The use of Typeform is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in functioning online forms. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR and § 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user's terminal device (e.g. device fingerprinting) as defined by the TTDSG. The consent can be revoked at any time.
3. Data processing for the purpose of delivery
In order to fulfil the contract in accordance with Art. 6 (1) point b GDPR, we will pass on your data required for delivery to the shipping service provider commissioned with the delivery. We use the service providers DHL Paket GmbH and United Parcel Service of America, Inc. for the shipment of parcels.
4. Payment process
4.1 Data processing for payment processing
To process payments in our online shop, we offer you common payment methods such as credit card, PayPal, SEPA direct debit or invoice. Depending on the selected payment method, we pass on the data necessary for the processing of the payment transaction to our technical service providers, the commissioned credit institutions or to the selected payment service provider. The legal basis for this is the performance of the contract in accordance with Article 6(1)(b) GDPR. In some cases, the payment service providers collect the data required for the processing of the payment themselves, e.g. on their own website or via a technical integration in the ordering process. In this respect, the data protection declaration of the respective payment service provider applies.
4.2 Data processing for the purpose of fraud prevention and optimisation of our payment processes
Where applicable, we provide our service providers with further data, which they use together with the data necessary for processing the payment as our contract processors for the purposes of fraud prevention and optimising our payment processes (e.g. invoicing, processing of contested payments, accounting support). This serves to safeguard our legitimate interests in protecting ourselves against fraud and in managing payments efficiently, which are overriding in the context of a balancing of interests, in accordance with Art. 6 (1) point f GDPR. We use our service provider Endereco, UG to validate addresses.
5. Advertisement by email and post
5.1 Registration for the email newsletter
If you register for our newsletter, we use the data required or separately provided by you for this purpose to regularly send you our email newsletter based on your consent in accordance with Art. 6 (1) point a GDPR. We use the so-called double opt-in procedure for this, i.e. we will only send you the newsletter by email if you confirm in our notification email by clicking on a link that you are the owner of the email address provided. You can unsubscribe from the newsletter at any time, either by sending a message to the contact option described below or by using a link provided in the newsletter for this purpose. After unsubscribing, we will delete your email address from the list of recipients, unless you have expressly consented to further use of your data in accordance with Art. 6 (1) point a GDPR or we reserve the right to further data use that is legally permitted and about which we inform you in this statement.
The email newsletter may also be sent by our service providers as part of processing on our behalf. For this we use our service providers Mailgun, Braze and Paqato. If you have any questions about our service providers and the basis of our cooperation with them, please use the contact option described in this data protection declaration.
5.2 Email newsletter without registration and your right of objection
5.3 Sending requests for review via email
If you have given us your consent to do so as part of your order in accordance with Art. 6 (1) point a GDPR, we will use your email address to ask you to submit a review of your order via our review system. You may revoke this consent at any time by sending a message to the contact option described in this data protection declaration or by using a link provided for this purpose in the request for a review.
We use our service providers Shopware AG and Tanmar Webentwicklung for this purpose.
5.4 Online surveys, video surveys
Occasionally, we advertise the opportunity to take part in a survey we conduct via our newsletter or social media accounts. We use the results of these surveys for market and opinion research and to improve our service. The legal basis for data processing when participating in the survey is your consent in accordance with Art. 6 (1) point a GDPR. This consent can be withdrawn at any time by sending a message to the contact option described in this data protection declaration. We use the service provider Survicate S.A. for our online surveys.
We conduct the surveys either in the context of a personal conversation or via video conference, whereby the conversations are recorded and automatically transcribed in each case in order to capture the survey results. For video conferencing, we use the service provider Zoom Video Communications, Inc.
5.5 Direct email advertising
We use your contact details to send you information about our products by post based on our legitimate interest in accordance with Art. 6 (1) point f GDPR. For this purpose, we use our service providers Deutsche Post AG and MyPostcard.com GmbH. You can object to the sending of information by post by sending a message to the contact option described below.
6. Applications
You can apply for vacancies with us using our application management system Personio from Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany. The purpose of collecting this data is to select applicants for possible employment. We process personal data such as your first and last name, email address, telephone number, application documents (e.g. certificates, CV), date of earliest possible entry into employment and salary expectations in order to receive and process your application.
The legal basis for the processing of your application data is Art. 6 (1) (b) and Art. 88 (1) GDPR in conjunction with Section 26 (1) sentence 1 of the German Federal Data Protection Act (BDSG). We store your personal data upon receipt of your application. If we accept your application and you are employed, we store your application data for as long as it is required for the employment relationship and to the extent that statutory provisions require us to retain it.
If we reject your application, we will store your application data for a maximum of six months after the rejection of your application, unless you give us your consent to store it for a longer period.
7. Cookies and other technologies
7.1 General information
We use technologies, including cookies, on various pages to make visiting our website more attractive and to enable the use of certain functions. Cookies are small text files that are automatically stored on your end device. Some of the cookies we use are deleted after the end of the browser session, i.e. after you close your browser (so-called session cookies). Other cookies remain on your device and enable us to recognise your browser the next time you visit (persistent cookies). These technologies are used to collect and process the IP address, time of visit, device and browser information, and information about your use of our website (e.g. information about the contents of the shopping cart).
We use technologies necessary for the operation of the website on the basis of our legitimate interest in accordance with Art. 6 (1) point f GDPR in order to provide the basic functions of our website (e.g. shopping cart function). In certain cases, these technologies may also be necessary for the fulfilment of a contract or for the implementation of pre-contractual measures; in this case, the processing is carried out in accordance with Art. 6 (1) point b GDPR. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG.
All other non-essential (optional) technologies that provide additional functions are used with your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TDDDG. Data processing using these technologies only takes place if we have received your prior consent.
7.2 Obtaining your consent
7.3 Use of cookies and other technologies for web analysis and advertising purposes
If you have given your consent in accordance with Art. 6 (1) point a GDPR, we use the following cookies and other third-party technologies on our website. After the purpose for and our use of the respective technology has ended, the data collected in this context will be deleted. You can revoke your consent at any time with effect for the future. You can find more information about your options for revocation in the section ‘Cookies and other technologies’. You can find more information about the individual technologies, including the basis of our cooperation with the individual providers. If you have any questions about the providers and the basis of our cooperation with them, please use the contact option described in this data protection declaration.
7.3.1. Use of Google services for web analysis and advertising purposes
We use the following technologies from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). The information automatically collected by Google technologies about your use of our website is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there. If your IP address is collected by Google technologies, it will be shortened by activating IP anonymisation before it is stored on Google's servers. Only in exceptional cases will the full IP address be sent to a Google server and shortened there. Unless otherwise stated for the individual technologies, the data processing is carried out on the basis of an agreement concluded for the respective technology between jointly responsible parties in accordance with Art. 26 GDPR. Further information about data processing by Google can be found in Google's privacy policy.
Google Analytics
For the purpose of website analysis, data (IP address, time of visit, device and browser information, and information on your use of our website) is automatically collected and stored using Google Analytics, from which user profiles are created using pseudonyms. Cookies may be used for this purpose. Your IP address will not be merged with any other Google data. The data processing is carried out on the basis of an agreement on order processing by Google. The essential information on this can be found here.
For the purpose of optimising the marketing of our website, we have activated the data sharing settings for ‘Google products and services’. This allows Google to access the data collected and processed by Google Analytics and then use it to improve Google services. The data sharing with Google as part of these data sharing settings is based on an additional agreement between the controllers. We have no influence on the subsequent data processing by Google.
We use the so-called user ID function to optimise the marketing of our website. This function allows us to assign a unique, permanent ID to your interaction data from one or more sessions on our online presences and thus analyse your user behaviour across devices and sessions.
For web analysis and advertising purposes, the extension function of Google Analytics, the so-called DoubleClick cookie, enables your browser to be recognised when you visit other websites. Google will use this information for the purpose of compiling reports on website activity and providing other services relating to website activity and internet usage.
Google Ads
For advertising purposes in Google search results and on third-party websites, the Google Remarketing cookie is set when you visit our website. This cookie automatically enables interest-based advertising by collecting and processing data (IP address, time of visit, device and browser information, and information about your use of our website) and by means of a pseudonymous cookie ID and based on the pages you visit. Any further data processing will only take place if you have activated the ‘personalised advertising’ setting in your Google account. If you are logged into Google while visiting our website, Google will use your data together with Google Analytics data to create and define target group lists for cross-device remarketing.
For website analysis and event tracking, we use Google Ads Conversion Tracking to measure your subsequent usage behaviour when you have reached our website via a Google Ads advertisement. For this purpose, cookies may be used and data (IP address, time of visit, device and browser information, as well as information on your use of our website based on events specified by us, such as visiting a website or registering for a newsletter) may be collected, from which user profiles are created using pseudonyms.
Google Maps
For the visual representation of geographical information, Google Maps collects data about your use of the maps functions, in particular the IP address and location data, which is transmitted to Google and then processed by Google. We have no influence on this subsequent data processing.
Google reCAPTCHA
For the purpose of protecting against misuse of our web forms and against spam by automated software (so-called bots), Google reCAPTCHA collects data (IP address, time of visit, browser information and information on your use of our website) and uses JavaScript and cookies to analyse your use of our website. In addition, other cookies stored by Google services in your browser are evaluated. Personal data from the input fields of the respective form is not read or stored.
Google Fonts
To ensure that content is displayed consistently on our website, the script code ‘Google Fonts’ collects data (IP address, time of visit, device and browser information), transmits it to Google and then processes it. We have no influence on this subsequent data processing.
YouTube video plugin
Data (IP address, time of visit, device and browser information) is collected via the YouTube video plugin, which we use in advanced data protection mode to integrate third-party content, and is transmitted to Google and then processed by Google only if you play a video.
7.3.2 Use of Meta services for web analysis and advertising purposes
Use of Meta Pixel
We use the Meta Pixel as part of the following technologies from Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The Meta Pixel is used to automatically collect and store data (IP address, time of visit, device and browser information, and information about your use of our website based on events we specify, such as visiting a website or registering for a newsletter), which is used to create user profiles under pseudonyms. As part of the so-called extended data matching, information that can be used to identify individuals (e.g. names, email addresses and telephone numbers) is also collected and stored in hashed form for matching purposes. When you visit our website, a cookie is automatically set by the Meta Pixel, which automatically enables your browser to be recognised when you visit other websites by means of a pseudonymous cookie ID. Meta will combine this information with other data from your Facebook or Instagram account and use it to compile reports on website activity and to provide other services relating to website activity, in particular personalised and group-based advertising.
The information automatically collected by the Meta technologies about your use of our website is usually transferred to a server of Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA and stored there. Further information about data processing by Facebook can be found in Meta's privacy policy.
Meta for Business
We use Meta for Business to advertise this website on Facebook and other platforms. We determine the parameters of the respective advertising campaign. Meta is responsible for the exact implementation, in particular the decision on the placement of the ads for individual users. Unless otherwise stated for the individual technologies, the data processing is carried out on the basis of an agreement between jointly responsible parties in accordance with Art. 26 GDPR. The joint responsibility is limited to the collection of the data and its transmission to Meta Platforms Ireland. The subsequent data processing by Meta Platforms Ireland is not covered by this.
On the basis of the statistics compiled by Meta Pixel on visitor activity on our website, we use Custom Audience to carry out group-based advertising on Facebook by determining the characteristics of the respective target group. As part of the extended data matching process (see above) to determine the respective target group, Meta acts as our processor.
We use the pseudonymous cookie ID set by the Meta Pixel and the data collected about your usage behaviour on our website to operate personalised advertising via Meta Pixel remarketing.
We use Meta Pixel conversions to measure your subsequent usage behaviour for web analysis and event tracking if you have reached our website via an ad from Meta for Business. The data processing is carried out on the basis of an agreement on joint responsibility. All essential information on this is available here.
7.4 Integration of the Trusted Shops Trustbadge or other widgets
Trusted Shops widgets (e.g. Trusted Shops Trustbadge) are integrated on this website to display Trusted Shops services (e.g. seal of quality, collected reviews) and to offer Trusted Shops products to buyers after an order.
This serves to safeguard our legitimate interests in optimising marketing by enabling secure shopping in accordance with Art. 6 (1) point f GDPR, which are overriding in the process of balancing of interests. The Trustbadge and the services advertised with it are offered by Trusted Shops SE, Subbelrather Str. 15C, 50823 Cologne, Germany (Trusted Shops), with whom we are jointly responsible for data protection in accordance with Art. 26 GDPR. We will inform you about the essential contractual contents in accordance with Art. 26 (2) GDPR in the context of this data protection notice.
The Trustbadge is integrated within the framework of a joint responsibility. The essential information on this joint responsibility can be viewed here. Further information on data protection at Trusted Shops GmbH can be found here.
When the Trustbadge is accessed, the web server automatically stores a so-called server log file, which also contains your IP address, the date and time of access, the amount of data transferred and the requesting provider (access data) and documents the retrieval. The IP address is anonymised immediately after collection so that the stored data cannot be assigned to you. The server log file is stored in a security database for the analysis of security issues and is automatically deleted or anonymised no later than 90 days after its creation. The data processing is carried out in accordance with Art. 6 Para. 1 lit. f GDPR due to the legitimate interest of us and Trusted Shops for the prevention of abuse and fraud, for the optimisation of offers and websites, and to ensure the smooth operation of the website or the Trustbadge or other Trusted Shops widgets.
Further personal data is transferred to Trusted Shops GmbH if you decide to use Trusted Shops products after completing an order or have already registered to use them. For this purpose, personal data is automatically collected from the order data. A neutral parameter, the email address hashed using a cryptographic one-way function, is used to automatically check whether you, as the buyer, are already registered to use a product. Before transmission, the email address is converted into this hash value, which cannot be decrypted by Trusted Shops. After checking for a match, the parameter is automatically deleted.
This serves to check whether you are already registered for services with Trusted Shops GmbH and is therefore necessary for the fulfilment of our and Trusted Shops' overriding legitimate interests in the provision of the buyer protection linked to the specific order and the transaction-based evaluation services in accordance with Art. 6 (1) point f GDPR. If this is the case, further processing will be carried out in accordance with the contractual agreement between you and Trusted Shops. If you have not yet registered for the services, you will then have the opportunity to do so for the first time. Further processing after registration is also based on the contractual agreement with Trusted Shops. If you do not register, all transmitted data will be automatically deleted by Trusted Shops and personal reference is then no longer possible.
As part of the joint responsibility between us and Trusted Shops GmbH, you can also contact Trusted Shops GmbH, whose contact details you can find here. Further information on data protection can be found here. Irrespective of this, you can always contact us using the contact details provided in this data protection declaration. If necessary, your enquiry will be forwarded to the other responsible party for a response.
7.5 Cloudflare Turnstile
We use Cloudflare Turnstile (hereinafter ‘Turnstile’) on this website to protect our web offerings from abusive automated spying and from spam. The provider is Cloudflare Inc, 101 Townsend St., San Francisco, CA 94107, USA (hereinafter ‘Cloudflare’).
Turnstile is used to check whether data on this website (e.g. on a contact form) is being entered by a human or by an automated program. To do this, Turnstile analyses the behaviour of the website visitor based on various characteristics. This analysis begins automatically as soon as the visitor enters a website with activated Turnstile. For the analysis, Turnstile evaluates various information (e.g. IP address, time spent on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Cloudflare. The storage and analysis of the data is based on Art. 6 para. 1 lit. f GDPR, whereby our legitimate interest lies in ensuring the security and fast retrievability of our website.
For more information about Cloudflare Turnstile, please refer to the privacy policy here.
8. Social Media
8.1 Social plugins from Facebook, X, Instagram, Pinterest
Our website uses social buttons from social networks. These are embedded in the page only as HTML links, so that no connection is established with the servers of the respective provider when you access our website. If you click on one of the buttons, the website of the respective social network opens in a new window of your browser. There you can, for example, click the Like or Share button.
8.2 Our online presence on Facebook, X, Instagram, YouTube, Pinterest, LinkedIn, Xing
Insofar as you have given your consent to the respective social media operator in accordance with Art. 6 (1) point a GDPR, when you visit our online presence on the social media mentioned above, your data will be automatically collected and stored for market research and advertising purposes, from which user profiles are created using pseudonyms. These can be used, for example, to place advertisements inside and outside the platforms that presumably correspond to your interests. As a rule, cookies and other identifiers are used for this purpose. Please refer to the providers' data protection information linked below for detailed information on the processing and use of the data by the respective social media provider, as well as a contact option and your rights and setting options for protecting your privacy. Should you require any further assistance in this regard, please do not hesitate to contact us.
Facebook is provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The information automatically collected by Facebook Ireland about your use of our online presence on Facebook is usually transferred to a server of Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA and stored there. Data processing in the context of visiting a Facebook fan page is carried out on the basis of an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.
X is an offer from Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (‘X’). The information automatically collected by X about your use of our online presence on X is usually transferred to a server of X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA and stored there.
Instagram is an offer from Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, D04 X2K5, Ireland (‘Instagram’). The information automatically collected by Instagram about your use of our online presence on Instagram is usually transferred to a server of Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, USA and stored there. Data processing in the context of visiting an Instagram fan page is based on an agreement between jointly responsible parties in accordance with Art. 26 GDPR. Further information (information on Insights data) can be found here.
YouTube is a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). The information automatically collected by Google about your use of our online presence on YouTube is usually transferred to a server of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA and stored there.
Pinterest is provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland (‘Pinterest’). The information automatically collected by Pinterest about your use of our online presence on Pinterest is usually transferred to a server of Pinterest, Inc., 505 Brannan St., San Francisco, CA 94107, USA and stored there.
LinkedIn is a service provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (‘LinkedIn’). The information automatically collected by LinkedIn about your use of our online presence on LinkedIn is usually transferred to a server of the LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA and stored there.
Xing is an offering of New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany.
9. Data processing before and during use of the app
In the following, we will inform you about the processing of personal data when using the ‘KoRo App’ (hereinafter: App).
9.1 Installation of the app
To download and install our app from an app store, you must first register with an account with the provider of the respective app store (e.g. Apple App Store or Google Play) and conclude a corresponding user agreement. We have no influence on this; in particular, we are not a party to such a user agreement. When you download and install the app, the necessary information is transferred to the respective app store, in particular your name, your email address and the number of your account, the time of the download, payment information and the individual device ID.
We have no influence over this data collection and are not responsible for it. We process the data provided only to the extent necessary for downloading and installing the app on your mobile device (e.g. smartphone, tablet). Beyond that, this data is not stored.
The legal basis for data processing in our area of responsibility is Art. 6 (1) point f GDPR. Our legitimate interest lies in enabling the provision of the app. For data processing, which is the sole responsibility of the app store operator, we refer you to their data protection declarations:
- Google Play: https://play.google.com/intl/de/about/privacy-security-deception/ and https://policies.google.com/privacy?hl=de;
- Apple App Store: https://support.apple.com/de-de/HT208477 and https://www.apple.com/legal/privacy/de-ww/.
9.2 Connection data
- IP address of the requesting device; method (e.g. GET, POST) and date and time of the request;
- time zone difference to Greenwich Mean Time (GMT);
- address and path of the requested files;
- if applicable, previously accessed addresses (HTTP referrer);
- information about the operating system (name and version, e.g. ‘Android 14’ or ‘iOS 17’);
- information about the device used (name, build number, model) and the operating system (name and version);
- information about the app (name, version, app ID);
- HTTP protocol version, HTTP status code, size of the file delivered;
- request information such as language, type of content, content encoding, character sets.
The connection data is stored in internal server log files for a period of 30 days so that, for example in the event of repeated or criminal access that endangers the stability and security of our app or our internal systems and servers, we can find the cause and take action against it. In addition, log files are sometimes automatically created on your mobile device, which may contain various technical information (such as the type of message, date and time of the message, what triggered the message (e.g. an error, an app call), the app used, details of the content of the message). This is necessary for technical reasons so that the app works properly and you can use the desired services.
9.3 App permissions
When you install or use our app, it may be necessary to request permissions from the end device at a technical level, for example to send push notifications, to use the camera and the address book. In principle, these app authorisations are necessary to provide our app. Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG. The legal basis for the processing of personal data is then Art. 6 (1) point b GDPR, the fulfilment of the terms of use agreed with you, or Art. 6 (1) point f GDPR, our legitimate interests in enabling the provision and basic functions of the app.
These authorisations are not consent in the sense of data protection law. If, on the basis of the authorisations granted, information is stored or read in the end device that is not absolutely necessary for the provision of the app, or personal data is processed that cannot be based on the contractual basis or our legitimate interests, we will obtain your consent separately if necessary. This is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TDDDG, or for the processing of personal data in accordance with Art. 6 para. 1 lit. a GDPR.
9.4 Realtime database (Firebase Realtime Database)
We use the Firebase Realtime Database, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (collectively ‘Google’) for the storage of app-specific data. This stores and synchronises the data in its own cloud database. We have concluded an order processing contract with Google Ireland Limited for the use of Firebase.
9.5 Push notifications
When using our app, you may receive push notifications from us if you have granted the relevant authorisation in the app. We will also send you push notifications even if you are not currently using the app. These are exclusively notifications relating to various content, including marketing information such as new products, special offers and discount promotions, updates on your orders and follow-up messages in the context of your use of the app or your orders.
The legal basis for data processing in connection with sending push notifications is your consent in accordance with Art. 6 (1) point a GDPR. You can revoke this consent at any time with effect for the future by deactivating push notifications via the settings of your mobile device. Instructions for doing so can be found at the following addresses, for example:
- Android: https://support.google.com/android/answer/9079661?hl=de#zippy=%2Cbenachrichtigungen-f%C3%BCr-bestimmte-apps-aktivieren-oder-deaktivieren;
- iOS: https://support.apple.com/de-de/guide/iphone/iph7c3d96bab/ios
We use the Firebase Cloud Messaging (FCM SDK) service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’) to send push notifications. This service uses the Firebase installation ID and an authentication token to enable push notifications to be sent to your mobile device. The Firebase installation ID is assigned as an identifier for the specific app installation on your end device. It differs from app to app and does not allow any direct conclusion to be drawn about you as a person. The authentication token is used to ensure that notifications are sent and received securely only to the addressed end device. It is reissued for each notification. The notification itself does not contain any personal data. The participant ID is also not sent to Google. Instead, our app service provider matches the participant ID with the authentication token and then forwards this token to send the notification. Firebase Cloud Messaging uses encryption for data at rest and for data in transit (point-to-point encryption for Android).
Your personal data may also be transferred by Google Ireland Limited to Google LLC in the United States. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the United States pursuant to Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have entered into standard contractual clauses (Module 3) in the event that personal data is transferred from Google Ireland Limited to the United States.
9.6 Google Firebase Crashlytics
We also use Firebase Crashlytics, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA for all other users (together ‘Google’). In the event of an app crash, Firebase Crashlytics sends crash reports to us. These serve to improve the stability, functionality and reliability of our app. Crash reports are activated by default.
On our behalf, Google Firebase evaluates the data related to the crash of our app. In doing so, information about the device used and the use of our app is collected, which enables us to diagnose problems, solve errors and improve our app.
In particular, the following information may be transmitted, which does not allow any direct conclusions to be drawn about you:
- Device data: type, manufacturer, hardware data, version of the operating system;
- diagnostic data: time of the crash, state of the app and position in the source code at the time of the crash, last log messages;
- the instance ID assigned to the app on your end device when the app was installed (instance ID).
Access to and storage of information on the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG. The legal basis for the processing of personal data is then Art. 6 (1) point b GDPR, the fulfilment of the terms of use concluded with you (see GTC), or Art. 6 (1) point f GDPR, our legitimate interests in correcting errors or enabling the retrieval of content, as well as the long-term functionality and security of our systems.
This information is transmitted to Google in the event of an app crash and stored there for evaluation for up to 90 days. You can generally disable crash reports through a setting in your operating system (Android / iOS). Instructions for doing so can be found at:
- Google Android: https://support.google.com/accounts/answer/6078260?hl=de
- Apple iOS: https://support.apple.com/de-de/HT202100
Your personal data may also be transferred by Google Ireland Limited to Google LLC in the United States. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the United States in accordance with Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3) in the event that personal data is transferred from Google Ireland Limited to the United States.
For more information about data protection at Google and Firebase, please visit:
- https://policies.google.com/privacy?gl=de
- https://firebase.google.com/support/privacy/
9.7 Firebase Core
Our app uses Firebase Core from Google Firebase to enable basic functionalities such as data synchronisation and app instance management. Firebase Core is offered to users from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other users by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together ‘Google’). The data collected via Firebase Core is used to improve the functioning of the app, to analyse errors and crashes and to optimise the user experience.
The following data is processed when using Firebase Core:
- Device information: device ID, operating system, model, app instance ID
- Usage data: information about how often the app is used, which functions are used
- App interactions: starting and ending the app, crash reports
Access to and storage of information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TDDDG. The legal basis for the processing of personal data is then Art. 6 (1) point b GDPR, the fulfilment of the terms of use concluded with you (see GTC), or Art. 6 (1) point f GDPR, our legitimate interests in ensuring the technical functionality of the app and correcting errors.
Your personal data may also be transferred by Google Ireland Limited to Google LLC in the United States. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the United States pursuant to Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have entered into standard contractual clauses (Module 3) in the event that personal data is transferred from Google Ireland Limited to the United States.
For more information about data protection at Google and Firebase, please visit:
- https://policies.google.com/privacy?gl=de
- https://firebase.google.com/support/privacy/
9.8 User statistics (Google Analytics for Firebase)
To improve our app, we use Google Analytics for Firebase to recognise users and to statistically record and analyse general usage behaviour based on access data. Google Analytics for Firebase is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for users from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA for all other users (collectively ‘Google’). Google Analytics for Firebase is used to collect information about the use of our app and to transfer this information to Google, where it is stored. Google uses the instance ID of your app installation, the device ID and the advertising ID of the end device for this purpose.
The following data is processed when using Google Analytics for Firebase:
- IP address;
- number of users and sessions, including date, time and session duration;
- device ID, advertising ID, instance ID;
- events (such as interactions and events), including the areas/modules accessed within the app, the content viewed, the clicks on buttons;
- first start of the app, app version, app executions, app updates;
- in-app purchases;
- technical information: operating system;
- device type, brand, model and resolution;
- approximate location (region, country);
- age group, gender, interests;
- language.
Data linked to the advertising ID is stored for 60 days, user conversions for 14 months. Aggregated reports that do not allow any conclusions to be drawn about individual users are also stored.
You can restrict the use of the advertising ID in your device settings:
- Android: Settings / Privacy / Advertising: Delete advertising ID; or for older versions: Settings / Privacy / Advanced / Advertising: Deactivate personalised advertising – further information at: https://support.google.com/googleplay/android-developer/answer/6048248?hl=de;
- iOS: Settings / Security / Tracking: Allow apps to request tracking (deactivate); or for older versions: Settings / Privacy / Tracking: Allow apps to request tracking (deactivate) – further information at: https://support.apple.com/de-de/HT212025
The legal basis for the data processing is your consent in accordance with Article 6(1)(a) GDPR. Access to the information in the end device is then based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25(1) TDDDG. You can revoke your consent to the analysis of your usage behaviour at any time with effect for the future by adjusting the ‘cookie settings’.
Your personal data may also be transferred by Google Ireland Limited to Google LLC in the United States. Google LLC has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the United States pursuant to Art. 45 GDPR. In addition, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Module 3) in the event that personal data is transferred from Google Ireland Limited to the United States.
9.9 CRM Braze
To improve our app, we use the CRM platform Braze (‘CRM Braze’) to analyse general usage behaviour. CRM Braze is provided by Braze, Inc., 63 Madison Building, 28 E. 28th St, New York, NY 10016, USA (‘Braze, Inc.’). We have concluded an order processing contract with Braze Inc. for the use of CRM Braze.
CRM Braze is a so-called life-cycle engagement platform that enables us to provide users with relevant notifications, offers and updates in a personalised manner and based on their preferences, using data regarding user engagement, app usage and interaction history.
The following data is processed when using CRM Braze:
- Master data: gender, email address, date of birth (optional).
- Location data: geographical information, time zone, language settings.
- Device information: number of devices used, operating system, browser type.
- Usage data: number of sessions, including date, time and session duration, last interaction of the customer.
- Purchasing behaviour: transaction history, number of purchases, quantity, date and time of last purchase.
- Email engagement: responses to emails (e.g. clicking on links in emails, opening messages), email subscriber status.
The legal basis for data processing is your consent in accordance with Art. 6 (1) point a GDPR. Access to the information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TDDDG. You can revoke your consent to the analysis of your usage behaviour at any time with effect for the future by adjusting the ‘cookie settings’.
Your personal data may be transferred to Braze, Inc. in the United States. Braze, Inc. has joined the EU-US Data Privacy Framework, which is why the transfer in this case is based on the adequacy decision for the United States in accordance with Art. 45 GDPR.
9.10 Meta Pixel
- ‘_fbp’ (90 days): usage analysis and retargeting;
- ‘fr’ (90 days): display of advertisements, usage analysis, conversion tracking.
In addition, we and Meta Platforms are jointly responsible for the processing of event data for targeting advertisements (by creating and selecting target groups), delivering commercial and transactional messages, improving the delivery of advertisements, and personalising features and content when using meta pixels. The mutual obligations have been set out in a joint agreement, which can be accessed at: https://www.facebook.com/legal/controller_addendum. In addition, Meta Platforms processes the event data for the protection and security of Meta Platforms products, for research and development purposes, and to maintain the integrity of the products and improve them.
If you have not consented to the use of meta pixels, Meta Platforms will only display general advertising that is not selected based on the information collected about you on this app.
Further information, in particular on joint responsibility and contact details, can be found in the data protection information of Meta Platforms, in particular for the social networks Facebook and Instagram: https://www.facebook.com/privacy/policy/.
10. Requirements for the transfer of personal data to third countries
As part of the processing described above, your personal data may be transferred or disclosed to third parties located in so-called third countries, i.e. outside the European Union or the European Economic Area (EEA). Such processing is carried out in accordance with the requirements of Art. 44 et seq. GDPR. We have already informed you about the respective details of the transfer at the relevant points.
Some third countries to which personal data may be transferred may not have a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 (1), (2) lit. c GDPR, certificates or recognised codes of conduct. The 2021 standard contractual clauses are available here. Where this is not possible, we base the data transfer on exceptions to Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the fulfilment of a contract or for the implementation of pre-contractual measures.
The European Commission certifies a level of data protection comparable to the EEA standard for some third countries by means of so-called adequacy decisions (a list of these countries, which also include the USA, and a copy of the adequacy decisions can be found here). Please contact our data protection officer if you would like more information on this.
11. Storage period
12. Your rights and how to contact us
12.1 Your rights
As a data subject, you have the following rights:
- in accordance with Art. 15 GDPR, the right to request information about your personal data processed by us to the extent described therein;
- in accordance with Art. 16 GDPR, the right to request the immediate correction of incorrect or incomplete personal data stored by us;
- in accordance with Art. 17 GDPR, the right to request the deletion of your personal data stored by us, unless further processing is necessary
  - to exercise the right to freedom of expression and information;
  - to fulfil a legal obligation;
  - for reasons of public interest, or
  - for the assertion, exercise or defence of legal claims;
- in accordance with Art. 18 GDPR, the right to demand the restriction of the processing of your personal data, insofar as
  - the accuracy of the data is disputed by you;
  - the processing is unlawful but you object to its erasure;
  - we no longer need the data, but you need it to assert, exercise or defend legal claims, or
  - you have objected to the processing in accordance with Art. 21 GDPR;
- in accordance with Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller;
- In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters for this purpose.
Right of objection
If we process personal data as described above in order to protect our legitimate interests, which are overriding in the process of balancing of interests, you can object to this processing with effect for the future. If the processing is carried out for the purposes of direct marketing, you can exercise this right at any time as described above. If the processing is carried out for other purposes, you have the right to object only on grounds relating to your particular situation. After you have exercised your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. This does not apply if the processing is carried out for direct marketing purposes. In this case, we will no longer process your personal data for this purpose.
Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for a longer period if there is a reason to assert, exercise or defend legal claims. The legal basis is Article 6(1)(f) GDPR, based on our interest in defending against any civil claims under Article 82 GDPR, avoiding fines under Article 83 GDPR and fulfilling our accountability under Article 5(2) GDPR.
12.2 Contact options
If you have any questions regarding the collection, processing or use of your personal data, or if you wish to request information, correct, restrict or delete data, or revoke any consent you may have given, or object to a particular use of data, please contact our external data protection officer.
You can also contact the supervisory authority responsible for Berlin with any questions you may have regarding data protection:
Berlin representative for data protection and freedom of information
Alt-Moabit 59 - 61 (visitor entrance Alt-Moabit 60)
10555 Berlin
Phone: +49 (30) 13889-0
Fax: +49 (30) 2155050
E-mail: mailbox@datenschutz-berlin.de
Data protection officer:
ISiCO GmbH, Alina Bernhardt
Am Hamburger Bahnhof 4
10557 Berlin
Germany
info@isico-datenschutz.de