The point of contact and the so-called controller for the processing of your personal data when you visit this website within the meaning of the
General Data Protection Regulation (GDPR) is

Lillydoo GmbH
Hanauer Landstraße 147-149
60314 Frankfurt am Main

Telephone: +49 (0) 69 643 57 420
Email: service@lillydoo.de

If you have any questions about data protection in connection with the use of our website, you can also contact our data protection officer at any time. She can be reached at the above address and at the email address: privacy@lillydoo.com
(subject line: “For the attention of the data protection officer”). We would like to expressly point out that if you use this email address, the contents will not be viewed exclusively by our data protection officer. If you wish to exchange confidential information, we kindly request that you first contact us directly via this email address.

2.1 ACCESSING OUR WEBSITE/CONNECTIVITY DATA

Every time you use our website, we collect connection data that your browser automatically transmits to enable you to visit the website. This connection data includes the so-called http header information, including the user agent, and
includes in particular:

• IP address of the requesting device,
• method (e.g. GET, POST), date and time of the request,
• address of the requested website and path of the requested file,
• if applicable, the previously accessed website/file (HTTP referrer),
• information about the browser and operating system used,
• HTTP protocol version, HTTP status code, size of the file delivered,
• request information such as language, type of content, content encoding, character sets,
• if applicable, the username used in the case of authentication with directory password protection.
  

The processing of this connection data is absolutely necessary to enable you to visit the website, to ensure the long-term functionality and security of our systems and for general administrative maintenance of our website. The connection data is also stored in internal log files for a limited time and only to the extent necessary for the purposes described above in order to find the cause and
take action against it.

The legal basis for this is Art. 6 Para. 1 lit. b GDPR, insofar as the page view occurs in the course of the initiation or execution of a contract, and otherwise Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in enabling the website to be accessed and the long-term functionality and security of our systems. However, the automatic transmission of the connection data and the log files developed from it does not constitute access to the information in the end device within the meaning of the implementing laws of the ePrivacy Directive of the EU member states; in Germany, Section 25 of the German Teleservices Data Protection Act (TTDSG). However, it would be
absolutely necessary in any case.

The log files are stored for 10 days and then anonymized.

2.2 CONTACT

You have various options for getting in touch with us. These include the contact form, live chat, registering for events or the call-back function. In this context, we process data solely for the purpose of communicating with you.

The legal basis is Art. 6 (1) point b GDPR, insofar as your information is needed to answer your inquiry or to initiate or execute a contract; otherwise Art. 6 (1) point f GDPR, based on our legitimate interest in ensuring that you can contact us and that we can answer your inquiry. We only make advertising telephone calls if you have given your consent for us to do so. If you are not an existing customer, we will only send you advertising e-mails on the basis of your consent. The legal basis in these cases is Art. 6 (1) point a GDPR.

The data collected by us when you contact us will be automatically deleted after your request has been fully processed, unless we still need your request to fulfill contractual or legal obligations.

For the purpose of establishing contact, we also use the Dixa service provided by Dixa ApS Vimmelskaftet 41A, 1 Sal., 1161 Copenhagen, Denmark (hereinafter “Dixa”).

This is a customer relationship management (“CRM”) solution. We use it to provide optimal support for existing customers, e.g. through live chat and community software, and to optimize sales processes.

As a European company, Dixa is subject to the requirements of the GDPR. Dixa provides us with the software for technical user data processing. Only in special cases (e.g. technical support) do we grant Dixa's employees temporary access to user data. In addition, we have concluded an order processing contract with Dixa in accordance with Art. 28 GDPR. In this contract, Dixa undertakes to process the data obtained in this way only in accordance with our instructions and to comply with the EU data protection level.

Various categories of data are processed: contact data (e.g. name, address, telephone number, e-mail), content data (e.g. photographs) and the data you enter. We have verified that user data is secure with Dixa. Communication is encrypted using the HTTPS protocol and SSL certificates, and the data is stored in Europe.

You can find more information about data processing by Dixa in Dixa's privacy policy.

We use the cloud telephony service “Aircall” from Aircall SAS, 11 Rue Saint-Georges, 75009 Paris, France, to conduct meeting appointments. Aircall processes your telephone number for the purpose of providing the telephone software. We have a
Data Processing Agreement. The legal basis for the processing of your data in relation to the Aircall service is our
legitimate interest in accordance with Art. 6 (1) point f GDPR. Our legitimate interest is the efficient handling of telephone calls in order to ensure adequate customer support. Further information on Aircall's data protection can be found at: .

We use the “Microsoft Bookings” service on our website, provided by
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Bookings is a booking tool that allows you to quickly and easily book meetings online to further improve our customer support. To make an appointment, the information you enter (name, phone number, email address and customer number) is transferred to Microsoft. We have
Microsoft standard contractual clauses.

The legal basis for the processing of your data in relation to the “Microsoft Bookings” service is our legitimate interest in accordance with Art. 6 (1) point f GDPR. Our legitimate interest arises from our aim to offer you a user-friendly website with a wide range of functions and to enable you to make an appointment with our employees quickly and easily whenever you need to. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use one of the other contact options offered to make an appointment. Further information can be found in Microsoft's privacy policy
at: https://privacy.microsoft.com/de-de/privacystatement

2.3 REGISTRATION

You have the option to register for our login area in order to be able to use the full range of functions on our website. We have highlighted the data that you are required to provide by labeling the fields as mandatory. It is not possible to register without this data. The legal basis for the processing is Art. 6 Para. 1 lit. b GDPR.

2.4 ORDERS

During the ordering process, we collect the mandatory information necessary for the contract:

• title,
• first and last name,
• date of birth,
• email address,
• password,
• billing and shipping address.

You can optionally provide your phone number so that we can contact you if we have any questions. The legal basis for the processing is Art. 6 Para. 1 lit. b GDPR.

2.5 NEWSLETTER AND PRINTMAGAZINE

You have the option to subscribe to our newsletter, in which we regularly inform you about new developments regarding our products and promotions.
We use the so-called double opt-in procedure for newsletter orders, i.e. we will only send you the newsletter by email if you confirm in our notification email by clicking on a link that you are the owner of the email address provided. If you confirm your email address, we store your email address, the time of registration and the
used IP address until you unsubscribe from the newsletter. The
storage serves the sole purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link can be found in each newsletter. A message to the contact details given above or in the newsletter (e.g. by e-mail or letter) is
of course also sufficient. The legal basis for the
processing is your consent in accordance with Art. 6 (1) point a GDPR.
For certain newsletters (e.g. the #momlife newsletter), we store further data about you (e.g. for the #momlife newsletter, your calculated due date and your pregnancy week), which can be seen in the respective input fields of the registration and which we need to send you this newsletter. The legal basis for this data processing is also Art. 6 (1) point a GDPR.
So that we can provide you with our print magazine the #momlife pregnancy guide, we need your address in addition to the information from the #momlife newsletter. The legal basis for this data processing is Art. 6 (1) point b GDPR.
We also send you advertising mailings in which we ask you for feedback on your order, for example. If you have requested our print magazine #momlife pregnancy guide, we use your address to send you advertising mailings by post, for example about our products. The legal basis for this data processing is Art. 6 (1) point f GDPR.
For sending our newsletters and advertising mailings, we work with service providers to whom we transmit, among other things, your e-mail address and your newsletter registration in order to be able to send you the newsletters and advertising mailings. The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. b, f DSGVO.
We use standard technologies in our newsletters to measure interactions with the newsletters (e.g. opening the email, clicking on links). We use this data in pseudonymous form for general statistical evaluations and to optimize and further develop our content and customer communication. This is done, on the one hand, with the help of small graphics embedded in the newsletter (so-called pixels) that connect to the image server when the email is opened. On the other hand, we use links that initially register the click
and then forward you to the desired target page. In addition, we measure whether our newsletter could be delivered at all.
The legal basis for this is your consent in accordance with Art. 6 (1) point a GDPR. Access to the
information in the terminal device is then based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 (1) TTDSG. We want to use our newsletter to share content that is as relevant as possible to our customers and to better understand what you are actually interested in. If you do not want your usage behavior to be analyzed, you can unsubscribe from the newsletter. You can prevent the opening of an email from being measured by disabling graphics or the output of HTML content in your email program by default.

2.6 EXISTING CUSTOMER ADVERTISING BY E-MAIL

If you register with us or make a purchase from us, we will also use your contact information to send you further information about our products that may be relevant to you (“existing customer advertising”). This may include, in particular, new products, promotions and offers, as well as feedback and other surveys.
The legal basis for this data processing is Art. 6 (1) point f GDPR in conjunction with Section 7 (3) of the German Act Against Unfair Competition (UWG), according to which data processing is
permissible for the purpose of safeguarding legitimate interests, insofar as this concerns the storage and further use of the data for advertising purposes. You can object to the promotional use of your data at any time by means of a corresponding link in the
e-mails or by notifying us at the contact details given above (e.g.
by e-mail or letter), without incurring any costs other than the transmission costs according to the basic rates.

2.7 SURVEYS

You have the option to take part in one of our surveys. We use the results of these surveys to improve our service.
The legal basis for the data processing in the context of the survey is your consent in accordance with Art. 6 (1) point a GDPR. We base the sending of the surveys on Art. 6 (1) point f GDPR in conjunction with Section 7 (3) of the German Unfair Competition Act (UWG), based on our legitimate interest in designing our services to meet demand and continuously improving them.
You can object to the sending of a satisfaction survey and the promotional use of your data at any time by means of a corresponding link in the e-mails or by notifying us using the contact details given above (e.g. by e-mail or letter), without incurring any costs other than the transmission costs at the basic rates.

2.8 DATA PROCESSING IN CONNECTION WITH RAFFLES

You have the opportunity to take part in competitions that we advertise.

By taking part in competitions that we advertise, participants expressly agree that we may use and store the personal data required for the competition
until the competition has ended. For this purpose, your contact details, such as your name, address and email address, will be processed by our marketing department.

The legal basis for this is Art. 6 (1) (a) GDPR. Participants can revoke their consent at any time by contacting us. After the competition has ended, your data will be deleted after 7 days.

2.9 APPLICATIONS

You can apply for vacancies with us by email or via our careers portal. The purpose of collecting this data is to select applicants for possible employment. To process your application, we collect the data you provide (usually: first and last name; email address; application documents such as certificates and CV; date of earliest possible job entry; telephone number if applicable, salary expectations). We would like to point out that if applications are sent unencrypted by email, confidentiality cannot be guaranteed. As a rule, you can also apply for our jobs by post.

We use the Recruitee software from Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, Netherlands, to provide our careers portal at https://we.are.lillydoo.com and to manage applications
(“Recruitee”). We have concluded an order processing contract with Recruitee. Your application data is stored by Recruitee in encrypted form in the Netherlands or the European Union and transmitted in encrypted form. Insofar as Recruitee works with sub-processors whose parent company is not based in the European Union, Recruitee and its sub-processors have concluded standard contractual clauses and taken additional measures to protect the data. The legal basis
for the processing of your application documents is Art. 6 para. 1 lit. b and Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 p. 1 BDSG.

When visiting the careers portal, log files (server logs, error logs) are also created (see section 2.1). For more information, please refer to Recruitee's explanations at the end of the privacy policy on the
career portal. The legal basis for this is Recruitee's legitimate interest in providing the career portal, Art. 6 (1) (f) GDPR. Insofar as information is read out or stored on your end device when you access our careers portal (e.g. storing the language in a cookie), this is absolutely necessary to provide the careers portal and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 Abs. 2 TTDSG.

We store your personal data upon receipt of your application. If we accept your application and you are employed, we store your application data for as long as it is required for the employment relationship and to the extent that statutory provisions require its retention.

If we reject your application, we will store your application data for a maximum of six months after your application has been rejected, unless you give us your consent to store it for longer. If you have given us your separate consent, we will store the data you provided as part of your application in our pool of applicants for a further twelve months after the application process has ended
application process in order to identify any other interesting positions for you and to contact you again if necessary. After this period has expired, the data will be deleted. You can revoke this consent at any time for the future by sending us an e-mail to career@lillydoo.com.

2.10 PAYMENT OPTIONS AND PAYMENT SERVICE PROVIDERS

For orders in our online store, we offer you the
most common online payment methods: credit card, PayPal,
SEPA direct debit or invoice. Depending on the payment method selected in the ordering process, we provide your specified data (e.g.
Bank details or credit card details) for payment processing to the
bank/credit institution commissioned with the payment or to the
commissioned payment service provider. Without this transmission of the
payment data to the payment service provider or the bank/credit institution, the payment and contract processing is not possible. The legal basis
for this data processing is Art. 6 para. 1 sentence 1 lit. b GDPR. In
this context, we work together with the following payment service providers:

• Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg. Further information about
  Unzer can be found in Unzer's privacy policy:
  
• PayOne GmbH, Loyner Straße 9, 60528 Frankfurt a.M. Further information about PayOne can be found in the PayOne data protection guidelines:
  
• PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg. For more information about PayPal, please see the PayPal privacy policy:
  

If you choose the payment option Purchase on Invoice or SEPA, our payment service providers will use Unzer (Unzer GmbH, Avangerowstraße 18, 69115
Heidelberg) to check your creditworthiness. Further information about Unzer can be found in Unzer's privacy policy.

2.11 LOQATE

To ensure that no incorrect address data is stored in our system, we use the “Global Address” service provided by GB Group PLC, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, United Kingdom (“Loqate”) for appropriate data validation. We have concluded a data processing agreement with Loqate. Your
address (no other personal data is processed) is checked for validity as it is entered via an online interface and is not stored by Loqate. If an error is detected in the address you enter, an alternative address or the correct spelling of your address will be suggested. Your data is compared with the Loqate database, which is located in the United Kingdom, via the interface. The Commission has issued a corresponding adequacy decision for the United Kingdom in accordance with Art. 45 (1) GDPR, which legitimizes the transfer and processing of your data in the United Kingdom.

The processing of your data itself is based on Art. 6 (1) 1 lit. f GDPR. Our legitimate interest lies in ensuring that valid data is stored so that we can guarantee a smooth processing of
customer enquiries and orders can be guaranteed.

Further information on data protection at Loqate can be found at: https://www.loqate.com/de/datenschutzerklärung-für-produkte-und-dienstleistungen/.

2.12 -SECURITY SERVICE PROVIDERS

2.12.1 LINK11

For IT security purposes (e.g. to increase the security of our website against
fraud attacks, to ensure DDoS protection and to protect your
customer experience from the consequences of malicious bots), we use the services of the Germany-based IT service provider Link11 GmbH, Lindleystraße 12, 60314 Frankfurt am Main. When you, as a user,
access our website, several requests are sent to us for the respective page to be visited and we send back the content to be displayed. The request contains all the information we need to display the appropriate content to you: browser information, which page to call up, any forms that have been sent (e.g. in the checkout), passwords when logging in, etc. The requests are encrypted. Link11 can only access these requests to analyze them for bots. In addition, the following data is transmitted: IP address, access time, access date,
requested URL, user agent, referrer.

The legal basis is our legitimate interest (Art. 6 para. 1 lit. f DSGVO). We have with the IT service provider Link11, which
processor for us, we have concluded an order processing contract.

The functionality of the website cannot be guaranteed without the processing by the IT security service provider. Your
personal data will be stored by the provider for as long as is necessary for the purposes described. IP addresses are generally stored for 96 hours.

Further information on objection and removal options vis-à-vis the provider can be found at: .

2.12.2 CLOUDFLARE

On our website, we also use content delivery network services provided by Cloudflare Inc., 701 Townsend St., San Francisco, CA 94107 (USA).

With the help of a content delivery network, the contents of our website are stored on the service provider's server. The service provider's server distributes this content to you or your browser when you access our website. Cloudflare processes, for example, your IP address and DNS log data.

We use Cloudflare to defend against attacks such as DDoS or bot attacks on our website. Furthermore, the aim of the data processing is to shorten the loading times of our website in order to provide you with the content of our pages as quickly as possible.

Personal data may be
personal data may be transferred to third countries. In order to ensure the comprehensive protection of your data in this case as well, there are sufficient guarantees or other instruments in place to ensure compliance with European data protection principles.

The legal basis for the use of Cloudflare is Art. 6 (1) point f GDPR, which is based on our legitimate interest in increasing the security and
speed of delivery of our website. We have
Cloudflare a data processing agreement.

For more information, please refer to Cloudflare's privacy policy.

2.13 LOYALTY AND REWARDS PROGRAM (REWARDS SHOP) LOYALTY LION

You have the option to participate in our loyalty program. To implement the program, we use the platform service provider LoyaltyLion from LoyaltyLion Limited, 2nd Floor, 201 Haverstock Hill, London, NW3 4QG, United Kingdom. Your data will be forwarded to LoyaltyLion for the purpose of receiving email notifications about your current point balance and current bonus offers. This data includes the customer number, the order total, your email address, your name and date of birth (optional). LoyaltyLion processes this data for the purpose of implementing the program; the service provider provides the platform and manages the points collected by you and provides the rewards shop. The rewards shop can only be used by customers with an active subscription. When using the rewards shop, the following data in particular is collected: login data, browser data, location and the products purchased.

The legal basis for the forwarding of the data is the rewards program contract in accordance with Art. 6 (1) 1 lit. b GDPR. We have concluded an order processing contract with LoyaltyLion. LoyaltyLion stores your points balance and when points are redeemed by you. The data transfer to the United Kingdom is based on an adequacy decision by the European Commission.

For more information, please refer to LoyaltyLion's privacy policy.

2.14 ADDITIONAL INFORMATION ABOUT THE TRUSTED SHOP TRUST BADGE

We are a member of Trusted Shops and use the Trusted Shop trustmark and reviews. We are required by Trusted Shops to provide the following information:

To display our Trusted Shops trustmark and any
collected reviews and to offer Trusted Shops products to buyers after an order, the Trusted Shops Trustbadge is integrated on this website. This serves to safeguard our
legitimate interests in the optimal marketing of our offer. The legal basis for this data processing is Art. 6 para. 1 lit. f DSGVO. The Trustbadge and the services advertised with it are an offer from Trusted Shops
(Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne).

When the Trustbadge is accessed, the web server automatically stores a so-called server log file, which contains, for example, your IP address, the date and time of access, the amount of data transferred and the requesting provider
(access data) and documents the retrieval. These access data are not analyzed and are automatically overwritten no later than seven days after the end of your visit to the site. Further personal data are only transmitted to Trusted Shops if you
decide to use Trusted Shops products after completing an order or have already registered to use them. In this case, the contractual agreement between you and Trusted Shops applies.

3.1 TECHNOLOGIES USED

This website uses various services and applications (collectively
“tools”) that are either offered by us or by third parties. These include, in particular, tools that use technologies to store or access information in the end device:

• Cookies: information stored on the end device, consisting in particular of a cookie name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
  
• Web Storage (Local Storage / Session Storage): information stored on the end device, consisting of a name and a value. Information in the session storage is deleted after the session, while information in the local storage has no expiry date and generally remains stored unless a deletion mechanism has been set up (e.g. storage of a local storage with a time entry). Information in local and session storage can also be removed manually.
  
• JavaScript: programming codes embedded in or called up by the website that, for example, set cookies and web storage or actively collect information from the end device or about the user's behavior. JavaScript can be used for “active fingerprinting” and to create user profiles. JavaScript can be blocked by a setting in the browser, although most services will then no longer work.
  
• Pixel: a tiny graphic automatically loaded by a service, which can make it possible to recognize visitors through the automatic transmission of the usual connection data (in particular IP address, information about browser, operating system,
  language, fonts, address accessed and time of access)
  and, for example, to determine the opening of an e-mail or a visit to a website. With the help of pixels,
  “passive fingerprinting” and the creation of user profiles
  can be carried out. The use of pixels can be prevented, for example, by blocking images, such as in e-mails, although this will severely restrict the display.
  

With the help of these technologies and also by simply establishing a connection on a page, so-called “fingerprints” can be created, i.e. user profiles that do not require the
use of cookies or web storage and can still recognize visitors. Fingerprints due to the establishment of a connection cannot be completely prevented manually.

Most browsers are set by default to accept cookies, run scripts and display graphics. However, you can usually adjust your browser settings to reject all or certain cookies or to block scripts and graphics. If you completely block the storage of cookies, the display of graphics and the execution of scripts,
our services are likely to not work or to not work properly.

The tools we use are listed below by category, where we provide you with information in particular about the providers of the tools, the storage period of the cookies or information in local storage and session storage, and the disclosure of data to third parties. It also explains in which cases we obtain your voluntary consent to use the tools and how you can revoke it.

3.2 LEGAL BASIS AND REVOCATION

3.2.1 LEGAL BASIS

We use tools necessary for the operation of the website on the basis of our legitimate interest in accordance with Art. 6 (1) point f GDPR to provide the basic functions of our website. In certain cases, these tools may also be necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract; in such cases,
the processing is carried out in accordance with Art. 6 para. 1 lit. b DSGVO. In these cases, access to and storage of information in the terminal device is absolutely necessary and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 2 TTDSG.

All other non-essential (optional) tools that provide additional functions
we use them based on your consent in accordance with Art. 6 Sect. 1 a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany in accordance with § 25 para. 1 TTDSG. Data processing with the help of these tools only takes place if we have received your consent in advance.

If personal data is transferred to third countries, we refer you to Section 6 (“Data transfer to third countries”), also with regard to the risks that may be associated with this. We will inform you if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools, we will transfer the data processed when using the tools (also) on the basis of this
consent in accordance with Art. 49 (1) a GDPR to third countries.

3.2.2 OBTAINING YOUR CONSENT

We use the tool consent-manager.de from consentmanager AB, Håltegelvägen 1b, 72348 Västerås, Sweden (“consentmanager”) to obtain and manage your consent. This tool generates a banner that informs you about the data processing on our website and gives you the opportunity to consent to all, some or none of the data processing through optional tools. This banner appears the first time you visit our website and when you access the selection of your settings again to change them or revoke consent. The banner also appears on subsequent visits to our website if you have disabled the storage of cookies or the cookies or information in the local storage of consentmanager have been deleted or have expired.

During your visit to our website, consentmanager is provided with your consents or revocations, your IP address, information about your browser, your end device and the time of your visit. consentmanager also stores necessary information on your end device to store your consents and revocations:

• __cmpconsentx (storage period: 1 year)
• __cmpcpcx (storage period: 1 year)
  
• __cmpcvcx (Storage period: 1 year)

The data processing by consentmanager is necessary to provide you with the legally required consent management and to fulfill our documentation obligations. The legal basis for the use of consentmanager is Art. 6 Para. 1 lit. f GDPR, justified by our interest in fulfilling the legal requirements for consent management. Accessing and storing information in the end device is absolutely necessary in these cases and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 Abs. 2 TTDSG.

3.2.3 REVOCATION OF YOUR CONSENT OR CHANGE OF YOUR SELECTION

You can revoke your consent for certain tools at any time. To do so, click on the following link/button: [Link/Button]. There you can also change the selection of tools that you wish to consent to use, as well as obtain additional information about the tools used. Alternatively, you can assert your revocation of certain tools
directly with the provider.

3.3 NECESSARY TOOLS

We use certain tools to enable the basic functions of our website (“necessary tools”). Without these tools, we would not be able to provide our service. Therefore, necessary tools are used without consent. The legal basis for necessary tools is the necessity to fulfill our legitimate interests in accordance with Art. 6 Para. 1 lit. f GDPR or to fulfill a contract or to carry out pre-contractual measures in accordance with Art. 6 Para. 1 lit. b GDPR. In these cases, access to and storage of information in the end device is absolutely necessary and is carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in
Germany according to § 25 para. 2 TTDSG.

In the event that personal data is transferred to the USA or other third countries, we refer in addition to the following
information provided below, please refer to section 6 (“Data transfer to third countries”).

3.3.1 OWN TOOLS

We use our own necessary tools that access information on the end device or store information on the end device, in particular

• for login authentication,
• for load distribution,
• to store your language settings,
  
• to note that you have been shown a piece of information placed on our website
  so that it is not shown again the next time you visit the website.
  

3.3.2 GOOGLE RECAPTCHA

Our website uses the Google reCAPTCHA service, which is offered for individuals from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other individuals by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”).

reCAPTCHA prevents automated software (so-called bots) from carrying out abusive activities on the website, i.e. it checks whether the entries made actually come from a human. To do this,
reCAPTCHA uses JavaScript and stores cookies and information in the local storage on your device. In particular, the following data is processed:

• Referrer URL (address of the page from which the visitor came);
• IP address;
  
• cookies set by Google;
• snapshot of the browser window;
• input behavior
  of the user (e.g. answering the reCAPTCHA question,
  speed of input in form fields, order of selection of input fields by the user, number of mouse clicks);
  
• Technical information: browser type, browser plug-ins, browser size and resolution, date, language settings, display instructions (CSS) and scripts (Javascript).

The following cookies from reCAPTCHA may be used for this: “_GRECAPTCHA” (6 months).

The following information in local storage can be set by reCAPTCHA: “_grecaptcha”.

Furthermore, Google reads the cookies of other Google services such as Gmail, Search and Analytics. If you do not want this assignment to your Google account, it is necessary that you log out of Google before accessing a page on which we have integrated Google reCAPTCHA.

The data mentioned is sent to Google in encrypted form. Google's evaluation decides in which form the captcha is displayed on the page. The use of reCAPTCHA is statistically
evaluated. According to Google, your data will not be used for personalized advertising.

The legal basis is the necessity to fulfill a contract or to carry out
pre-contractual measures according to Art. 6 para. 1 lit. b GDPR, for example in the
the context of registering a user account, using a contact form or subscribing to a newsletter. Google reCAPTCHA is used to protect IT security, ensure the stability of our website and prevent misuse.

In some cases, the data may also be processed on servers in the USA. In the event that personal data is transferred to the USA or other third countries, this is done on the basis of Art. 49
(1) (b) GDPR to enable the performance of a contract with you or to
take steps prior to entering into a contract.

You can find more information about this

• in Google's privacy policy:
• in Google's terms of service:

3.4 FUNCTIONAL TOOLS

We also use optional tools to improve the user experience on
our website and to offer you more functions (“functional tools”). Although these are not absolutely necessary for the basic functions of the website, they can provide visitors with significant advantages, particularly in terms of user-friendliness and the provision of additional communication, display or payment channels.

The legal basis for the functional tools is your consent in accordance with Art. 6 (1) point a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (1) TTDSG. For the revocation of your consent, see 3.2.3: “Revocation of your consent or change of your selection”.

In the event that personal data is transferred to the USA or other third countries, your consent expressly also extends to the transfer of data (Art. 49 para. 1 lit. a GDPR). Please refer to section 6 (“Data transfer to third countries”) for the associated risks.

3.5 ZENLOOP

We work with zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin. zenloop is a business-to-business software-as-a-service platform that enables us to collect and analyze feedback from our customers through various channels. This allows us to tailor our services to our customers' needs and improve them.
In addition, zenloop collects your survey responses.

The legal basis for data processing by zenloop is Art. 6 para. 1 lit. f GDPR.

We have concluded an order processing contract with zenloop in accordance with Art. 28 para. 3 GDPR and are satisfied that zenloop has implemented appropriate technical and organizational measures in such a way that the processing is carried out in accordance with the requirements of the GDPR and ensures the protection of your rights.

You can find more information in the data protection declaration at

For the purposes of customer and product reviews by our customers and for our own quality management, we use the personal data provided by you as part of the purchase, such as the email address to request a review of your order via the rating system we use.

3.6 ANALYSIS TOOLS

In order to improve our website, we use optional tools for
statistical recording and analysis of general usage behavior based on access data (“analysis tools”). We also use analysis services to evaluate the use of our various marketing channels.

The legal basis for the analysis tools is your consent in accordance with Art. 6 (1) point a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 (1) TTDSG. For the revocation of your consent, see 3.2.3: “Revocation of your consent or change of your selection”.

In the event that personal data is transferred to the USA or other third countries,
your consent also expressly extends to the transfer of data (Art. 49 (1) (a) GDPR). The
associated risks can be found in section 6 (“Data transfer to
third countries”).

3.6.1 GOOGLE ANALYTICS

Our website uses the Google Analytics service, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for individuals from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”) for all other individuals.

Google Analytics uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is used to analyze your usage behavior and improve our website. We will process the information obtained to evaluate your use of the website and to compile reports on website activity for the website operators. The data collected in this context may be transmitted by Google to a server in the US for evaluation and stored there.

We have made the following data protection settings for Google Analytics:

• IP anonymization (shortening of the IP address before evaluation)
• Automatic deletion of old logs by limiting the storage period to 26 months;
• Disabled cross-device and cross-page tracking.

The following data is processed by Google Analytics:

• IP address;
  
• referrer URL (previously visited page);
• pages viewed (date, time, URL, title, duration of visit);
• downloaded files;
• links clicked on to other websites;
• if applicable, achievement of certain goals (conversions);
• technical information: operating system; browser type, version and language; device type, brand, model and resolution;
  
• approximate location (country and possibly city, based on anonymized IP address).

Google Analytics sets the following cookies for the specified purpose with the respective storage period:

• “_ga” (storage period: 2 years): recognition and differentiation of visitors through a user ID;
• “_gid” (storage period: 24 hours): recognition and differentiation of visitors through a user ID;
  
• “_gat_” (storage period: 2 minutes): Reduction of requests to the Google servers;
• “_dc_gtm_UA-[GA-ID]” (storage period: 1 minute): Reduction of requests to the Google servers;
• “IDE” (storage period: 13 months): Recognition and differentiation of visitors by means of a user ID, recording of interaction with advertising, display of personalized advertising.
  

We have concluded an order processing contract with Google Ireland Limited for the use of Google Analytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 Para. 2 lit. c DSGVO.

For more information, please see Google's privacy policy: .

3.6.1.1 GOOGLE SIGNALS

As an extension to Google Analytics 4, our website may use Google
Signals can be used on our website to create reports across devices. If you have activated personalized cookies and your device is linked to your Google account, Google can, subject to your consent to the use of Google Analytics, analyze your usage behavior across devices and create database models, including for cross-device conversions. We do not receive any personal data from Google, only statistics. The legal basis for the data processing is your consent in accordance with Art. 6 (1) point a GDPR.

If you want to stop cross-device analysis, you can disable the “Personalized Advertising” feature in your Google Account settings. To do this, follow the instructions on the following page: https://support.google.com

For more information about Google Signals, please follow this link:

3.6.2 SPOTEFFECTS AND MATOMO

This website uses the “Spoteffects” service provided by XAD spoteffects GmbH (Saarstr. 7, 80797 Munich) to measure the effectiveness of our TV advertising campaigns. Spoteffects uses the analysis tool Matomo (formerly Piwik), an open-source analysis software for the statistical evaluation of visitor access, to analyze interactions.

We have made the following data protection settings with Matomo:

• IP anonymization (shortening of the IP address before evaluation, so that no conclusions can be drawn about your identity);
• Processing (in particular geo-localization) and storage of your visit only with the help of the anonymized IP address;
• Automatic deletion of old logs / limitation of the storage period;
• Accepting “Do Not Track” of the browser.
  

The following data could be stored in the user log together with a pseudonymized user ID:

• Anonymized IP address;
• Referrer URL (previously visited page);
• Pages viewed (date, time, URL, title, duration of visit);
• Downloaded files;
• Links clicked on to other websites;
• Achievement of certain goals (conversions), if applicable;
  
• Technical information: operating system; browser type, version and language; device type, brand, model and resolution;
• approximate location (country and possibly city, based on anonymized IP address).

When using Matomo, the following cookies are set for the specified purpose with the respective storage period:

• “_pk_id” (storage period: 13 months): storage of the user ID;
  
• “_pk_ref” (storage period: 6 months): storage of the websites from which the visitor came;
• “_pk_ses”, (storage period: 30 minutes): short-term storage of usage data;

You can also find more information on this in Matomo's privacy policy: .

3.6.4 TRBO

We use the services of trbo GmbH, Leopoldstr. 41, 80802 Munich (“Trbo”) on our website. Trbo is a tracking tool that helps us to optimize our website. By using Trbo, we can control and improve our online offers by measuring the use of our online offers and the effectiveness of our online advertising. This helps us to understand which pages and products are of most interest to our customers and which individual offers we should make to our website users.

Technically, the tracking tools used include, in particular, so-called “cookies”
(“marketing cookies”) and “web beacons” to collect the following information: Which pages are visited when, how often, and in which order, which products are searched for, which links or offers are clicked on, and which orders are placed. The data collected and used in this context
is always stored under a pseudonym (e.g. a random
identification number) and will not be merged with personal data about you (e.g. name, address, etc.). Insofar as the external service providers have access to the data, this is done exclusively on our behalf and under our control.

“You can find more information about Trbo's privacy policy here.”

3.6.5 LINKSTER

We use the tracking technology of Linkster GmbH, Geschwister-Scholl-Straße 52, 20251 Hamburg, on this site to measure and visualize insights into partnerships and advertising channels. This is a function for measuring the efficiency of the corresponding advertising measures. Furthermore, the information enables us to allocate advertising successes for billing with corresponding advertising partners. When you click on an advertising integration, cookies are set in your browser, which are read in the event of a transaction. At each touchpoint, your browser sends an HTTP request to the Linkster server, with which certain information is transmitted. This information includes the URL of the website on which the advertising material is placed (referrer URL), the browser identification (user agent) of your device (including information about the device type and operating system), the IP address of the device (this IP address is anonymized and hashed by us before storage), HTTP headers (an
automatically transmitted data package with various technical information), the time of the request and, if already stored on the end device, the cookie with its content. The tracking technology stores cookies on your end device to document actions. A 24-digit anonymous ID is stored in the cookie. The data linked to this ID is stored in encrypted form in our database on the server. This includes information about the last touch points (i.e. when a particular ad was displayed or clicked on by a device). The stored touch points can be combined into a sequence chain (user journey) if necessary. When you submit a request, the order number and the shopping cart value of your order are usually also transmitted and stored by us. In addition, the following values can be transmitted and stored: your customer number, new customer attribute, your age and gender, as well as the information you provided in a customer survey. The cookies stored by Linkster GmbH are deleted after 30 days at the latest. The information transmitted to us and the cookies are used solely for the purpose of correctly assigning the success of an advertising medium and the corresponding billing and is with our legitimate
interests according to Art. 6 para. 1 sentence 1 lit. f DSGVO justified. If you
do not want cookies to be stored, you can disable this in our cookie banner and visit the “Cookie Settings” at any time.

The collection and processing of
tracking data can also be disabled by clicking on this tracking opt-out link: trck.linkster.co/privacy-optout.do.

You can view your data at: trck.linkster.co/privacy-mydata.do.

3.6.6 TIKTOK

We use the “TikTok Pixel” service on our website, which is provided by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380,
Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (both hereinafter collectively referred to as “TikTok”).

We use the TikTok pixel to understand and track the activities of visitors to our website. The TikTok pixel collects and processes information about the visitors to our website or the devices they use (so-called event data). This event data is used to target our ads and improve ad delivery, as well as for personalized advertising. The data collected in this context may be transferred by TikTok to servers located in so-called third countries for evaluation and stored there.

Some of this event data is information stored on the device you are using. In addition, cookies are also used via the TikTok pixel, which store information on the device you are using. Such storage of information by the TikTok pixel or access to information already stored on your device will only take place with your consent.

The legal basis for this data processing is your consent in accordance with Art. 6 (1) point a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to Section 25 (1) TTDSG. In the event that personal data is transferred to TikTok companies based in third countries, we have concluded corresponding standard contractual clauses of the Commission (Implementing Decision (EU) 2021/914) in accordance with Art. 46 (2) lit. c GDPR.

We and TikTok are jointly responsible for the collection and transmission of event data. We have an agreement with TikTok regarding
processing as joint controllers, which
specifies the distribution of data protection obligations between us and TikTok. In this agreement, we and TikTok have in particular agreed that

• we are responsible for providing you with all information in accordance with Art. 13, 14 GDPR regarding the joint processing of personal data
  ;
• that TikTok is responsible for enabling the rights of data subjects under Art. 15 to 20 GDPR with regard to the personal data stored by TikTok after the joint
  processing.

You can access the agreement concluded between us and TikTok at .

TikTok is solely responsible for the processing of the transmitted event data following the transmission. For more information about how TikTok processes personal data, including the legal basis on which TikTok relies and the options for exercising your rights against TikTok, please refer to TikTok's data policy at

We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when you use our website is used to create user profiles that store, in particular, your usage behavior, the advertisements you view or click on, and, based on this, your classification into advertising categories, interests and preferences. By analyzing and evaluating this access data, we are able to display personalized advertising to you on our website and on the websites of other providers, i.e. advertising that matches your actual interests and needs. To do this, we analyze your usage behavior in order to recognize you on other sites and to address you in a personalized way based on your use of our site (retargeting).

The legal basis for the marketing tools is your consent in accordance with Art. 6 (1) point a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany in accordance with Section 25 (1) TTDSG. For the revocation of your consent, see 3.2.3: “Revocation of your consent or change of your selection”.

In the event that personal data is transferred to the US or other third countries, your consent also expressly extends to the data transfer (Art. 49 (1) (a) GDPR). Please refer to section 6 (“Data transfer to third countries”) for the associated risks.

In the following section, we would like to explain the tools and the providers used for them in more detail. The data collected may include, in particular:

• the IP address of the device;
  
• information from cookies and local or session storage;
• device ID of mobile devices (e.g. device ID, advertising ID);
• referrer URL (previously visited page);
• pages viewed (date, time, URL, title, duration of visit);
• downloaded files;
• links clicked on to other websites;
• achievement of certain goals (conversions), if applicable;
  
• Technical information: operating system; browser type, version and language; device type, brand, model and resolution;
• approximate location (country and possibly city).

However, the data collected is stored exclusively under a pseudonym, so that no direct conclusions can be drawn about the persons.

3.6.7 META-PIXEL

Our websites use the “Meta-Pixel” service for marketing purposes, which is provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland for persons outside the United States and Canada and by Meta Platforms Inc., 1601 Willow Road, Menlo Park, California 94025, USA (collectively, “Meta Platforms”) for all other persons.

We use meta pixels to analyze the general use of our websites and to track the effectiveness of advertising (“conversion tracking”). We also use meta pixels to show you individualized advertising messages in the social networks of Meta Platforms (such as Facebook and Instagram) based on your interest in our products (“retargeting”). This also involves target group remarketing through Custom Audience. The data collected in this context may be transferred by Meta Platforms to a server in the United States for analysis and stored there.

Meta Platforms processes data that the service collects via JavaScript, cookies and other technologies on our websites. These include in particular:

• HTTP header information such as information about the browser used (e.g. user agent, language);
• information about events such as “page view”, other object properties and
  buttons clicked by visitors to the website;
• online identifiers such as IP addresses and, if provided, Facebook business-related identifiers or device IDs (such as advertising IDs for mobile operating systems) as well as information on the status of disabling/limiting ad tracking.

The following cookies are set and read by Meta-Pixel for the stated purpose with the respective storage period:

• “_fbc” (storage period: 3 months): usage analysis and retargeting;
• “_fbp” (storage period: 3 months): usage analysis and retargeting;
  

The legal basis for this data processing is your consent in accordance with Art. 6 (1) point a GDPR. Access to and storage of information in the terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 (1) TTDSG. The transfer of your data to the USA and other third countries is based on your explicit consent in accordance with Art. 49 (1) a GDPR.

Meta Platforms acts as our processor for matching, measurement and analysis services, in particular for analyzing the use of our website, matching user IDs and creating reports on our advertising campaigns. Therefore, we have concluded a data processing agreement. In the event that
personal data is transferred from Meta Platforms Ireland Limited to the USA for these
purposes, Meta Platforms Ireland Limited and Meta Platforms Inc. have concluded standard contractual clauses
(Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 (2) point c GDPR.

In addition, we and Meta Platforms are jointly responsible for the processing of event data for targeting advertisements (by creating and selecting
target groups), delivering commercial and transactional
messages, improving ad delivery, and
personalization of features and content as part of the use of Meta Pixel. The mutual obligations have been set out in a joint contract that can be accessed at the following address: .

In addition, Meta Platforms processes the event data to protect the security and safety of Meta Platforms products, for research and development purposes, to maintain the integrity of the products and to improve them.

If you are a member of Facebook or Instagram and you have allowed Meta Platforms to do so through your account privacy settings, Facebook or Instagram may associate the information collected about your visit to our site with your account and use it to target advertising. You can view and change the privacy settings of your
Facebook profile can be viewed and changed at any time: . You can prevent the linking of data collected outside of Instagram for the purpose of displaying personalized advertising in Instagram as follows
: .

If you have not consented to the use of meta pixels, Meta Platforms will only display general advertising that is not selected based on the information collected about you on this website.

Further information, in particular on joint responsibility and
contact details, can be found in Meta Platforms' data protection information, in particular on the social networks Facebook and Instagram: .

3.6.8 GOOGLE ADS CONVERSION TRACKING AND ADS REMARKETING

Our websites use the “Google Ads” service, which is offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for individuals from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (collectively “Google”) for all other individuals.

With Google Ads, customer actions defined by us (such as clicking on an ad, page views, downloads) are recorded and analyzed using “Google Ads Conversion Tracking.” We use “Google Ads Remarketing” to display individualized advertising messages for our products on Google partner websites. Both services use cookies, JavaScript, pixels, and other technologies for this purpose. Google also processes the data to improve and further develop its own products and services, for aggregated statistical analysis of conversions and to improve the quality and accuracy of conversions. The data collected in this context may be transferred by Google to a server in
the US for analysis and stored there.

The following cookies are set by Google:

• “_gcl_au” (storage period: 90 days): conversion tracking, storage of ad clicks;
  
• “_gcl_aw” (storage period: 90 days): conversion tracking, storage of ad clicks
• "_gac_* (storage period: 90 days) addition of the Google click identifier in the URL for conversion tracking (auto-tagging).

The legal basis for this data processing is your consent in accordance with Art. 6 (1)
lit. a GDPR. Access to and storage of information in the
terminal device is then carried out on the basis of the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG. The transfer of your data to the USA and other third countries is based on your explicit consent in accordance with Art. 49 para. 1 lit. a GDPR.

If you use a Google account, Google may link your web and app browsing history to your Google account and use information from your Google account to personalize ads, depending on the settings stored in your Google account.
If you do not want this information to be linked to your Google account, you must log out of Google before accessing our website.

If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to withdrawing your consent, you also have the option of
disable personalized advertising in the Google advertising settings: .

Further information can be found

• in the data usage notes:
• in Google's privacy policy:

3.6.9 SALESFORCE MARKETING CLOUD

For marketing purposes (e.g. to send our newsletter and information emails) and for analysis purposes when you visit our website, we use the customer relationship management module “Salesforce Marketing Cloud” from Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA (“Salesforce”). We use Salesforce to tailor our offers and services to your interests and to improve our advertising and communications for you. Salesforce uses cookies or other unique identifiers (e.g. cookie IDs)
to learn more about your usage behavior on our websites. However, you can disable this at any time in the cookie settings. Your contact data (e.g. name, address, email address, IP address) are transferred to the Salesforce Marketing Cloud for the above-mentioned purposes. The Salesforce Marketing Cloud data
are stored and processed on Salesforce servers in the United States. Salesforce is committed to complying with binding internal data protection rules in accordance with Art. 46 (2) b) and Art. 47 GDPR (so-called Binding Corporate Rules), including an appropriate level of data protection when processing data outside the European Union.
Salesforce has also implemented standard contractual clauses (SCCs) in a data processing agreement.
standard contractual clauses (SCCs).

For more information about the Salesforce Marketing Cloud and Service and the data processed, please visit .

3.6.10 UNBOUNCE

We use the service of Unbounce Marketing Solutions Inc., 400-401 West Georgia Street, Vancouver BC, Canada, V6B 5A1, (“Unbounce”), which provides us with so-called “landing pages” that we create for certain promotions. On these campaign pages of our website, we offer interested parties and customers coupon codes, discounts or other benefits and enable immediate redirection to our website.

The promotion page is hosted by Unbounce and, when you visit it, it records your IP address, the website you come from, the browser you use, user agent, date and time of your visit, which device and cookie data (see also section 2.1 of this privacy policy). Unbounce uses cookies to measure the success of our promotion page. If you fill out a contact form on a promotion page, your contact data will also be collected by Unbounce.

The legal basis for the aforementioned data processing is Art. 6 Para. 1 lit. a, f GDPR based on our legitimate interests. Our legitimate interest lies in promoting our products and measuring the success rate of our advertising efforts.

For more information about data processing, please see the Unbounce privacy policy.

3.6.11 CRITEO

Our website also uses the remarketing technology of Criteo GmbH, Unterer Anger 3, 80331 Munich (“Criteo”). Criteo uses cookies (“marketing
cookies”) and similar technologies to collect purely anonymized data about the surfing behavior of website visitors for marketing purposes.

Criteo can thus analyze surfing behavior and then display targeted product recommendations
as a suitable advertising banner when other websites are visited. Under no circumstances can the anonymized data be used to personally identify visitors to the website.

The data collected by Criteo is used solely to improve the advertising offering. On each displayed banner, there is a small “i” (for information) in the lower right corner, which opens on mouse-over and when clicked, leads to a page that explains the system.

You can find more information about this in Criteo's privacy policy, where you can also object to the anonymous analysis of your surfing behavior.

3.6.12 A&S MAIL

This website uses technologies from a+s Online GmbH, Stuttgarter Straße 41, 71254 Ditzingen, Germany. a+s Online GmbH uses cookies for this. a+s Online GmbH is an internet advertising service that allows advertisers to target users with
advertising. The purpose of a+s Online GmbH is to advertise our website by sending relevant advertising in e-mails.

The legal basis for the processing of the user's data is Art. 6 Sect. 1 lit. f GDPR. These data processing operations are carried out in each case to protect our legitimate interests in the optimization and economic operation of our website. The data are deleted or their processing is restricted or blocked as soon as they are no longer required to achieve the purpose for which they were collected or the data subject has objected to this processing or after 60 days.

Further information on data protection can be found on the website of a+s Online GmbH at as-dialoggroup.de. If you wish to object to the use of “PerformanceHub-Conversiontracking” in the
future (“opt out”), you can do so at track.performancehub.de/opt-out.

3.6.13 TYPEFORM

We use the services of Typeform S.L., Carrer Bac de Roda, 163, 08018 Barcelona (“Typeform”) on our website. Typeform is a tool for creating and conducting user surveys that helps us to improve our offer and our service based on your feedback.

With the help of Typeform, we integrate user surveys (e.g. cancellation survey, how do you know LILLYDOO survey) into our website, which are voluntary to complete. When conducting surveys, Typeform processes and stores personal data (e.g. customer number) and survey results. We have concluded a so-called “Data Processing Agreement” with Typeform, in which we oblige Typeform to protect our customers' data, not to pass it on to third parties and, in the event of a transfer of personal data via sub-processors or affiliated companies to the USA, to comply with the provisions of the standard contractual clauses in accordance with Art. 46 GDPR.

The legal basis for data processing is our legitimate interest in accordance with Art. 6 (1) point f GDPR in the technically error-free and optimized
provision of our service. For more information about
data processing by Typeform, please refer to the Typeform privacy policy.

3.6.14 SESSIONLY

We use the service of sessionly, Renata Bognar, Prenzlauer Allee 186, 10405 Berlin (“sessionly”). Sessionly is an
evaluation tool that helps us to conduct surveys with our customers so that we can learn more about your satisfaction with our products. After your order process, sessionly sets a cookie (“marketing cookie”) to record the products you have purchased and your email address. We then receive this information from sessionly so that we can send you an email to
evaluate the product (see also the section on newsletters and
advertising mailings). In this email, you have the opportunity to share your experience with us about our products via sessionly. You can find more information about sessionly here.

3.6.15 JENTIS

We use the services of JENTIS GmbH, Schönbrunner Straße 231, 1120 Vienna (“JENTIS”) to analyze the user behavior of website visitors and to optimize the website. For these purposes, JENTIS is given access to web analysis data, which is measured, stored and processed by the analysis tools in use and provided to JENTIS itself.

For analysis purposes, data is transmitted to JENTIS on the one hand, and on the other hand, JENTIS independently collects data on our behalf with regard to the browser environment or the behavior of the visitor. JENTIS only processes data that cannot be traced back to a person by JENTIS.

The synthetically generated client ID set by JENTIS is used for pseudonymization, so that no assignment to a person can take place via the usage behavior of website visitors to third parties. Your IP address will either be shortened before storage in such a way that the personal reference is no longer applicable or, after matching a geo-database, it will be completely removed and replaced by an artificial value.

The legal basis for the server-side transmission of the browser data synthetically generated by the JENTIS server
generated browser data, such as the client ID without the IP address, to third-party servers, i.e. the pseudonymous analysis of user behavior, is Art. 6 Para. 1 lit. f DSGVO. For technical reasons, for IT security purposes and to fulfill user interests as well as for the economic operation of our online offer, this is absolutely necessary in the sense of § 25 Abs. 2 Nr. 2 TTDSG.

You can find more information about Jentis data processing at: .

3.6.16 SMARTLOOK

We use the Smartlook service on our website, which is provided by
Smartlook.com, s.r.o., Šumavská 524/31, 602 00 Brno., Czech Republic. Smartlook is a tool for analyzing the user behavior of visitors to our website.

With Smartlook, only your mouse and scroll movements as well as clicks are recorded anonymously on this page. From this information, Smartlook creates so-called heat maps, which can be used to determine which areas of the website are viewed preferentially by the website visitor. Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at which point you canceled your entries in a contact form (so-called conversion funnels). In addition, direct feedback from website visitors can be obtained using Smartlook. This function is used to improve our web offerings. Smartlook uses technologies that enable the recognition of the user for the purpose of analyzing user behavior (e.g. cookies or the use of device fingerprinting). The data collected is stored for a period of 180 days and then deleted.

The following cookies are set and read by Smartlook for the purpose stated, with the respective storage period:

• “SL_C_23361dd035530_KEY” (storage period: 13 months): indicates that the website has implemented the Smartlook tool
• “L_C_23361dd035530_SID”
  (storage period: 13 months): storage of the session ID; indicates that the website has implemented the Smartlook tool
  
• “SL_C_23361dd035530_VID” (storage period: 13 months): indicates that this website has implemented the Smartlook tool

The legal basis for the data processing is your consent in accordance with Art. 6 (1) point a GDPR.

You can influence the data collection by Smartlook in advance via the cookie banner for cookie control.

You can also prevent the use of the Smartlook tool by using a “Do Not Track Header”. In this case, no data about your visit to our website will be collected. To do this, you have to set your browser accordingly. You can find instructions in German at: .

You can also deactivate Smartlook by using the opt-out switch at: Smartlook Opt-Out.

You can find more information about Smartlook and the data that can be collected at the following link: and in the Smartlook privacy policy.

3.6.17 Innkeepr

As soon as you have given your consent to the use of advertising/tracking cookies, our website uses Innkeepr. Innkeepr is a web analysis service provided by Innkeepr UG, Senefelderstraße 35, 09126 Chemnitz, which makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyze your activities across devices. This enables us to compile statistics that we can use to improve our services for you and make them more interesting. The legal basis for our use of Innkeepr is your consent in accordance with Art. 6 (1) a GDPR.

Innkeepr uses cookies that are stored on your computer and enable an analysis of your use of our website. The information collected in this way is stored exclusively on servers within Germany.

Inkeepr sets the following cookies for the specified purpose with the respective storage period:

We use Innkeepr without collecting IP addresses, so that the data we collect cannot be directly linked to a particular person.

• “tjs_userData” (storage period: 1 year): sets a browser-specific ID to identify a new click in the same browser;

• “tjs_sessionData” (storage period: 1 year): sets a browser-specific ID to identify a new session in the same browser.

For more information, please see the Innkeepr privacy policy: Innkeepr

3.6.18 WISEPOPS

As soon as you have given your consent to the use of advertising/tracking cookies, Wisepops is used on our website. Wisepops is a service provided by Wisepops, Inc., 87 Boulevard Suchet, 75016 Paris, France, which enables pop-ups to be created and displayed on our website. Wisepops processes meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times) and contact data (e.g. email addresses, telephone numbers) in the EU.

The processing is carried out on the basis of your consent. The legal basis for the processing is therefore Art. 6 para. 1 sentence 1 lit. a GDPR.

Wisepops uses cookies that are stored on your computer to ensure the functionality of the pop-ups. The information collected in this way is stored exclusively on servers within the EU.

For more information, please refer to the Wisepops privacy policy.

3.7 SOCIAL MEDIA PLUG-INS AND EXTERNAL MEDIA

We also use social network tools that allow you to log in to the website with your existing account or share posts and content via these networks (“social media plug-ins”), as well as other external media, such as embedded videos or maps.

The legal basis for this is – unless otherwise stated – your consent in accordance with Art. 6 (1) 1 lit. a GDPR, which you give via the consent banner or with the respective tool itself by allowing its use via an overlay. Access to and storage of information in the end device is subject to consent in these cases and is based on the implementing laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

For the revocation of your consent, see 3.2.3: “Revocation of your consent or change of your selection”. In the event that personal data is transferred to the United States or other third countries, your consent also expressly covers the data transfer (Art. 49 (1) (a) GDPR). Please refer to the associated risks
in section 6 (“Data transfer to third countries”).

3.7.1 FACEBOOK PLUGINS

Our website uses social media plugins (such as the Like button) from the social network Facebook, which is offered to users outside the United States and Canada by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland and to all other users by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (collectively “Facebook”).

For data protection reasons, no personal data is initially passed on to the social network when you visit our website. The plug-in is only activated after you have given your consent and direct contact between your browser and the social network is possible. This is how we prevent data from being transferred to the network and stored there without your knowledge. If you have given your consent, your
data will be processed as follows:

Facebook receives the information that you have accessed the corresponding subpage of our online service. This happens regardless of whether you have a Facebook account and are logged in to it. If you are logged in to Facebook, this information is directly associated with your account. If you click on the activated plug-in and link to the page, for example, Facebook also stores this information, including the date and time, in your user account and communicates this publicly to your contacts. If you do not want this information to be associated with your Facebook profile, you must log out before activating the plug-in.

Facebook stores this data as user profiles and uses it for the purposes of advertising, market research and/or the design of its website to meet user needs.
Such an evaluation is carried out in particular (even for users who are not logged in) to display targeted advertising and to inform other users of the social network about your activities on our website.

The data collected in this context may be transmitted by Facebook to a server in the United States and stored there.

In addition to withdrawing your consent, as a Facebook member you also have the option of disabling advertising based on social actions in the advertising preferences.

For more information, please refer to the Facebook privacy policy.

3.7.2 YOUTUBE VIDEOS

We have embedded videos in our website that are stored on YouTube and can be played from our websites, provided you have given your consent. YouTube is a multimedia service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (“YouTube”), which is offered for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together “Google”).

We have activated YouTube's advanced privacy mode. This means that Google receives less usage information and does not personalize video recommendations and advertisements. However, information is stored in the local storage and session storage of your device, in particular your device ID and other information regarding the playback of the video, which can be accessed by Google.

The following cookies may be set by YouTube:

• “PREF” (stored for 8 months): stores settings such as autoplay and video size.

The following information is stored in local storage:

• “yt-remote-device-id” (stored for 1 year): stores user settings when a YouTube video is accessed;
• “yt-player-headers-readable”
  (Storage duration: 1 month): Used to determine the optimal video quality based on the visitor's device and network settings;
• “yt.innertube::requests”
  (Storage duration: 1 day): Registers a unique ID to keep statistics of the YouTube videos the user has seen;
• “yt.innertube::nextId”
  (Storage period: 1 day): Registers a unique ID to keep statistics of the videos from YouTube that the user has seen;
• “yt-remote-connected-devices” (Storage period: 1 day): Stores the user settings when retrieving a YouTube video;
  
• “yt-player-bandwidth”
  (Storage duration: 1 month): This is used to determine the optimal video quality based on the visitor's device and network settings.
  

The following information is stored in the session storage:

• “yt-remote-session-app” (storage duration: session): Stores the user settings when a YouTube video is accessed.
• “yt-remote-cast-installed”
  (storage duration: session): Stores the user settings when a YouTube video integrated on other websites is accessed.
  
• “yt-remote-session-name” (Storage duration: Session): Stores the user settings when a YouTube video is accessed.
• “yt-remote-cast-available”
  (Storage duration: Session): Stores the user settings when a YouTube video integrated into other websites is accessed.
  
• “yt-remote-fast-check-period” (Storage duration: Session): Stores the user settings when a YouTube video is accessed.

When you visit our website, YouTube and Google receive the information that you have accessed the corresponding subpage of our website. This occurs regardless of whether you are logged in to YouTube or Google or not. YouTube and Google use this data for the purposes of
advertising, market research and the design of their websites to meet requirements. If you access YouTube on our website while you are logged into your YouTube or Google profile, YouTube and Google can also link this event to the respective profiles. If you do not want this assignment, you must log out of Google before accessing our website.

In addition to withdrawing your consent, you also have the option of disabling personalized advertising in the Google advertising settings. In this case, Google will only display non-personalized advertising.

For more information, please refer to Google's privacy policy, which also applies to YouTube.

3.7.3 GOOGLE MAPS

Our website uses the mapping service Google Maps, which is offered for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (together “Google”).

In order for the Google map material we use to be integrated and displayed in your web browser, your web browser must connect to a Google server when you visit our website, which
may also be located in the USA.

By integrating the map material, Google receives the information that a page of our website has been accessed from the IP address of your device. If you access the Google Maps service on our website while logged into your Google profile, Google may also link this event to your Google profile. If you do not wish to be associated with your Google profile, you must
you must log out of Google before accessing our contact page. Google stores your data and uses it for advertising and market research purposes and to personalize the display of Google Maps.

For more information, please refer to the Google privacy policy and the additional terms of service for Google Maps.

We maintain an online presence on social networks in order to communicate with customers and prospects and to provide information about our products. The data of the users are processed by the relevant social networks, usually for market research and advertising purposes. This allows user profiles to be created based on the interests of the users. For this purpose, cookies and other identifiers are stored on the computers of the data subjects. Based on these user profiles, advertisements are then placed within the social networks, but also on third-party websites.

As part of the operation of our online presences, we may have access to information such as statistics on the use of our online presences provided by the social networks. These statistics are aggregated and may include demographic information (e.g. age, gender, region) as well as data on interaction with our online presences (e.g. likes) and the posts and content shared through them. These may also provide information about the interests of users
users and what content and topics are particularly relevant to them. We may also use this information to customize the design and our activities and content on the online presence and to optimize it for our audience. Details and links to the social network data that we as the operator of the
online presence can access can be found in the list below. The collection and use of these statistics are generally subject to a shared responsibility.

The legal basis for the data processing is Art. 6 para. 1 sentence 1 lit. f DSGVO, based on our legitimate interest in effective information and communication with users, or Art. 6 para. 1 sentence 1 lit. b DSGVO, in order to stay in contact with our customers and to inform them, as well as to carry out pre-contractual measures with interested parties.

If you have an account with the social network, it is possible that we will be able to see your publicly available information and media when we view your profile. In addition, the social network may allow us to contact you. This can be done via direct messages or posted posts. Communication via the social network is the responsibility of the social network as a messenger and platform service.

Please refer to the data protection notices of the respective social network for the legal basis of the data processing carried out by the social networks on their own responsibility. You can also find further information on the respective data processing and the options for objecting to it at the following links.

We would like to point out that data protection queries can be most efficiently
addressed to the respective social network provider ,
as only these providers have access to the data and can take appropriate action directly. If you contact us with your concern, we will forward your request to the social network provider. Below is a list of
social networks on which we operate online presences:

• Facebook (USA and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4
  Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland)
• Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland)
• Google/ YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
  
• Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
• LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
• Xing/Kununu (XING SE, Dammtorstraße 30, 20354 Hamburg)
• Pinterest. Privacy Policy / Opt-Out: https://policy.pinterest.com/de/privacy-policy

We will only transfer the data we have collected if

• you have given your express consent to do so in accordance with Art. 6 (1) 1 lit. a GDPR,
• the transfer is necessary in accordance with Art. 6 (1) 1 lit. f GDPR for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data,
  
• we are legally obliged to pass on your data in accordance with Art. 6 (1) sentence 1 lit. c GDPR or
• this is legally permissible and necessary for the performance of a contract with you or for the implementation of
  pre-contractual measures, which take place upon your request, in accordance with Art. 6 (1) sentence 1 lit. b GDPR.
  

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this data protection declaration, this may include, in particular, data centers that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting firms. If we pass on data to our service providers, they may use the data exclusively to fulfill their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organizational measures in place to protect the rights of the data subjects, and are regularly monitored by us.

In addition, data may be disclosed in connection with official inquiries, court orders, and legal proceedings if it is necessary for legal prosecution or enforcement.

As explained in this data protection declaration, we use services whose providers are sometimes based in so-called third countries (outside the European Union
or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have taken appropriate precautions to ensure an adequate level of data protection for any data transfers. These include, among other things, the standard contractual clauses of the European Union or binding internal data protection regulations.
Where this is not possible, we base the data transfer on exceptions under Art. 49 GDPR, in particular your express consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures.
If a transfer to a third country is planned and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities

In principle, we only store personal data for as long as is necessary to fulfill the purposes for which we collected the data. After that, we delete the data immediately, unless we still need the data until the expiry of the statutory limitation period for evidence purposes for civil claims or due to statutory retention requirements.
For evidence purposes, we must keep contract data for three years from the end of the year in which the business relationship with you ends. Any claims become time-barred in accordance with the statutory limitation period, but no earlier than this point in time.
Even after that, we still need to store some of your data for accounting reasons. We are obliged to do so due to statutory documentation requirements that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act and the German Securities Trading Act. The periods for storing documents specified in these laws range from two to ten years.

You have the rights of data subjects formulated in Art. 15 – 21, Art. 77 GDPR at all times:

• Right to revoke your consent;
• Right to object to the processing of your personal data (Art. 21 GDPR);
• Right to information about your personal data processed by us (Art. 15 GDPR);
• Right to correction of your personal data stored incorrectly by us (Art. 16 GDPR);
  
• Right to erasure of your personal data (Art. 17 GDPR);
• Right to restriction of processing of your personal data (Art. 18 GDPR);
• Right to data portability of your personal data (Art. 20 GDPR);
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR).
  

To exercise your rights as described here, you can contact us at any time using the contact details provided above. This also applies if you wish to receive copies of guarantees to prove an adequate level of data protection. Provided that the respective legal requirements are met, we will comply with your data protection request
.

Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, for a longer period if necessary to assert, exercise or defend legal claims. The legal basis is Art. 6 (1) 1 lit. f GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR, and fulfilling our accountability obligations under Art. 5 (2) GDPR.

You have the right to revoke consent you have given us at any time. As a result, we will no longer continue the data processing based on this consent in the future. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to data processing for direct marketing purposes, you have a general right of objection, which we will implement without you having to state reasons.

If you wish to exercise your right of revocation or objection, simply send an informal message to the contact details given above.

Finally, you have the right to complain to a data protection supervisory authority. For example, you can assert this right before a supervisory authority in the member state of your residence, your workplace or the location of the alleged infringement. In Frankfurt am Main, where we are based, the competent supervisory authority is the Hessian Commissioner for Data Protection and Freedom of Information, Gustav Stresemann-Ring 1, 65189 Wiesbaden.

We occasionally update this data protection declaration, for example when we adapt our website or when legal or official requirements change.