Privacy Policy

This Privacy Policy informs you how personal data is processed when visiting our website and our online shop.
Personal data is information that relates to an identified or identifiable person. This mainly includes information that permits conclusions about your identity, for example your name, your telephone number, your address or your email address. However, certain identifiers such as your IP address or the ID of the device you are using are also classified as personal data.
Statistical data that we collect when you visit our website or in other situations and that cannot be associated with you personally does not count as personal data.
You can print or save this Privacy Policy (e.g. as a PDF file). Simply use the standard functions of your browser to do so.

Inklapbare content

1. Controller and primary contact

The primary contact and controller for the processing of your personal data when visiting this website within the meaning of the General Data Protection Regulation (GDPR) is

Lillydoo GmbH
Hanauer Landstraße 147-149
60314 Frankfurt am Main

Telefon: +31 800 2400100
E-Mail: service@lillydoo.nl

You may also contact our data protection officer at any time if you have questions on the subject of data protection in connection with the use of our website. She can be reached at the above address as well as at the email address: privacy@lillydoo.com (keyword: attn. data protection officer). We would like to point out explicitly that persons other than the data protection officer may become aware of the contents if you use this email address. Please contact us first directly at this email address if you wish to exchange confidential information.

2. Data processing on our website

2.1 ACCESSING OUR WEBSITE/CONNECTION DATA

Each time you use our website, we collect connection data that your browser automatically transmits to enable you to visit the website. This connection data comprises the header information, including the user agent, and includes in particular:

  • IP address of the requesting device;
  • method (e.g. GET, POST), date and time of the request;
  • address of the requested website and path of the requested file;
  • if applicable, the previously accessed website/file (HTTP referrer);
  • information about your browser and operating system;
  • version of the HTTP protocol, HTTP status code, size of the delivered file;
  • information concerning the request such as the language, type of content, encoding of content, character sets;
  • if applicable, the user name entered for authentication if directory password protection is enabled.

Processing of this connection data is absolutely necessary to enable your visit to the website, to ensure the permanent functionality and security of our systems as well as to conduct general administrative maintenance on our website. The connection data is also stored temporarily in internal log files for the purposes described above, although this is limited to the most necessary content. This takes place, for instance, to determine the causes of and initiate countermeasures against recurring or unlawful requests for service that may place the stability and security of our website at risk.

The legal basis is Art. 6 para. 1 point b) GDPR, insofar as the page is accessed for the purpose of contractual performance or to take steps prior to entering into a contract, and is otherwise Art. 6 para. 1 point f) GDPR due to our legitimate interest in enabling access to the website and the permanent functionality and security of our systems. However, automatic transfer of the connection data and the log files obtained on this basis does not constitute access to the information in the device in the meaning of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 Data Protection and Privacy in Telecommunications and Telemedia Act (TTDSG) in Germany. But this would be classified as absolutely necessary in any case..

The log files are stored for 10 days and then anonymised.

2.2 CONTACT

There are various ways for you to contact us. They include the contact form, live chat, event registration or the callback function. We process data in this regard exclusively for the purpose of communicating with you.

The legal basis is Art. 6 para. 1 point b) GDPR, insofar as your information is required to respond to your enquiry or for the purpose of contractual performance or to take steps prior to entering into a contract, and otherwise Art. 6 para. 1 point f) GDPR due to our legitimate interest in your ability to contact us and for us to respond to your enquiry. We will only make promotional telephone calls if you have given your consent. Moreover, we will only send you promotional emails on the basis of your consent if you are not currently a customer. The legal basis in these cases is Art. 6 para. 1 point a) GDPR.

The data we collect when you contact us is erased automatically once we have fully processed your enquiry, unless we still need your enquiry for compliance with our contractual or legal obligations.

For contact purposes, we also use the Dixa service of the provider Dixa ApS Vimmelskaftet 41A, 1 Sal., 1161 Copenhagen, Denmark (hereinafter "Dixa").

This is a customer relationship management ("CRM") solution that we use to deliver optimized services to current customers, e.g. through live chat and community software, and to optimize sales processes. The shared CRM platform enables us to ensure optimized management of customer relationships and to promote an ideal customer experience.

As a European company, Dixa is subject to the requirements of the GDPR. Dixa provides us with its software for processing our costumer data and only processes it in a technical sense. Only in special cases (e.g. technical support) do we grant Dixa's employees temporary access to costumer data. In addition, we have concluded a Data Processing Agreement with Dixa for commissioned processing in accordance with Art. 28 GDPR, in which Dixa undertakes to process the data thus received only in accordance with our instructions and to comply with the EU level of data protection.

Various categories of data are processed: Contact data (e.g. name, address, phone number, email), content data (e.g. photographs), the data you enter. We have made sure that user data is secure at Dixa. Communications are encrypted using the HTTPS protocol and SSL certificates and data is stored in Europe.

Kindly refer to the Dixa Privacy Policy for more information about data processing by Dixa.

We use the cloud telephony service "Aircall" of Aircall SAS, 11 Rue Saint-Georges, 75009 Paris, France to conduct meeting appointments. Aircall processes your telephone number for the purpose of providing the telephone software. We have concluded an order processing contract with Aircall. The legal basis for processing your data in relation to the Aircall service is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest is the efficient execution of telephone calls to ensure adequate customer support. For more information on Aircall's data protection, please visit: https://aircall.io/privacy/.

We use the "Microsoft Bookings" service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA on our website. Microsoft Bookings is a booking tool to offer you a fast and uncomplicated online booking for meeting appointments to further improve our customer support. To make an appointment, your entries (Name, telephone number, e-mail address and customer number) in the form are transferred to Microsoft. We have concluded standard contractual clauses with Microsoft.

The legal basis for processing your data in relation to the "Microsoft Bookings" service is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Our legitimate interest results from our claim to offer you a user-friendly website with a wide range of functions and to give you the opportunity to make an appointment with our staff quickly and easily at any time if required. Please note that you are not obliged to use Microsoft Bookings to make an appointment. If you do not wish to use the service, please use another of the contact options offered to make an appointment. For more information, please see Microsoft's privacy policy at: https://privacy.microsoft.com/de-de/privacystatement.

2.3 REGISTRATION

You have the option of registering for our login area, which gives you access to the full range of functions on our website. We have highlighted the data you are required to enter by marking them as mandatory fields. Registration is not possible without this data. The legal basis for processing is Art. 6 para. 1 point b) GDPR.

2.4 ORDERS

We collect mandatory data that is necessary for performance of the contract during an order process:

  • title;
  • first name and surname;
  • date of birth;
  • email address;
  • password;
  • billing and shipping address.

You also have the option of entering your telephone number so that we can contact you if we have any questions. The legal basis for processing is Art. 6 para. 1 point b) GDPR.

2.5 NEWSLETTER AND PRINT MAGAZINE

You have the option of subscribing to our newsletter, in which we regularly inform you about innovations to our products and about promotions.

We use the double opt-in procedure when subscribing to our newsletter, which means that we will only send you our newsletters by email if you confirm that you are the owner of the specified email address by clicking on a link in our notification email. If you confirm your email address, we will store your email address, the time of registration and the IP address used for registration until you unsubscribe from the newsletter. This information is stored exclusively for the purpose of sending you the newsletter and to be able to prove your registration. You can unsubscribe from the newsletter at any time. A corresponding unsubscribe link is included in each newsletter. Naturally, sending a message (e.g. by email or letter) to us using the contact details provided above or in the newsletter is sufficient to unsubscribe from the newsletter. The legal basis for processing is your consent in accordance with Art. 6 para. 1 point a) GDPR.

We store additional data concerning you (e.g. your calculated childbirth date and your week of pregnancy) for certain newsletters (e.g. the #momlife newsletter). The individual input fields during registration state the information concerned, which we require in order to send you these newsletters. The legal basis for this data processing is also Art. 6 para. 1 point a) GDPR.

In addition to the information from the #momlife newsletter, we require your address in order to send you our print magazine, the #momlife pregnancy guide. The legal basis for this data processing is Art. 6 para. 1 point b) GDPR.

We also send you promotional mailings in which we ask for your feedback on your order, for example. If you have requested our print magazine, the #momlife pregnancy guide, we will, for instance, use your address to send you promotional mailings about our products. The legal basis for this data processing is Art. 6 para. 1 point f) GDPR.

We cooperate with service providers to send you our newsletters and promotional mailings. Among other things, we transfer your email address and your newsletter registration to these service providers in order to be able to send you the newsletters and promotional mailings. The legal basis for this data processing is Art. 6 para. 1 sentence 1 points b), f) GDPR.

We use standard market technologies in our newsletters to measure interaction with the newsletters (e.g. email opened, links selected). We use this data in a pseudonymous form for general statistical evaluations and to optimise and continue developing our content and customer communication. This takes place first of all using small graphics that are embedded in the newsletters (known as “pixels”) and that establish a connection to the image server when the email is opened. Secondly, we use links which register when they are clicked on and then redirect the user to the selected page. We also measure the success rate of news-letter delivery.

The legal basis for this is your consent in accordance with Art. 6 para. 1 point a) GDPR. Access to the information on the device is then based on the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 1 TTDSG in Germany. It is our intention to use our newsletters to share content with the greatest possible relevance for our customers and to improve our understanding of their interests. You may unsubscribe from the newsletter if you do not want your usage behaviour to be analysed. You can also change the default settings of your email program to disable graphics or the display of HTML content, which will prevent tracking when the email is opened.

2.6 MARKETING TO CURRENT CUSTOMERS BY EMAIL

If you register with us or make a purchase from us, we will also use your contact details to send emails with further information about relevant products (“marketing to current customers”). This may include, but is not limited to, news, promotions and offers as well as feedback and other surveys.

The legal basis for this data processing is Art. 6 para. 1 point f) GDPR in conjunction with Section 7 para. 3 Act against Unfair Competition (UWG), which permits data processing to safeguard legitimate interests, insofar as this concerns the storage and continued use of data for marketing purposes. You may object to the use of your data for marketing purposes at any time by selecting the corresponding link in the emails or by sending a message to the contact details above (e.g. by email or letter). You will not incur any costs other than the transmission costs according to the basic rates in these cases.

2.7 SURVEYS

You are invited to take part in one of our surveys. We use the results of these surveys to improve our service.

The legal basis for the data processing within the scope of the survey is your consent according to Art. 6 para. 1 point a) GDPR. We base the circulation of surveys on Art. 6 para. 1 point f) GDPR in conjunction with Section 7 para. 3 UWG, due to our legitimate interest in designing and continuously improving our services in line with demand.

You may object to the use of your data for marketing purposes at any time by selecting the corresponding link in the emails or by sending a message to the contact details above (e.g. by email or letter). You will not incur any costs other than the transmission costs according to the basic rates in these cases.

2.8 DATA PROCESSING IN CONNECTION WITH COMPETITIONS

You are invited to enter in competitions organised by us.

By participating in competitions organised by us, participants explicitly consent to the use and storage by us of personal data that is required to hold the competition until the end of the competition. Our Marketing Department will process your contact details such as name, address and email address for this purpose.

The legal basis is Art. 6 para. 1 point a) GDPR. Participants may withdraw their consent at any time by contacting us. Your data will be erased after 7 days once the competition is finished.

2.9 APPLICATIONS

You may apply to us for vacant positions by email or on our career portal. The purpose of data collection is to select applicants for the potential establishment of an employment relationship. We collect the data you provide (usually: first name and surname; email address; application documents such as references and CV; earliest possible starting date; telephone number, if applicable; salary expectations) in order to process your application. Please bear in mind that confidentiality cannot be guaranteed if applications are sent by email without encryption. You may also apply for our positions by post as a rule.

We use the Recruitee software by Recruitee B.V., Keizersgracht 313, 1016 EE Amsterdam, the Netherlands (“Recruitee”) to provide our career portal athttps://we.are.lillydoo.com and to manage applications. We have entered into a data processing agreement with Recruitee. Your application data is stored by Recruitee in an encrypted form in the Netherlands or the European Union and also transferred in an encrypted form. Where Recruitee works with subcontracted processors whose parent company is not domiciled in the European Union, Recruitee and its subcontracted processors have entered into standard contractual clauses and have implemented additional measures for the protection of data.

The legal basis for the processing of your application documents is Art. 6 para. 1 point b) and Art. 88 para. 1 GDPR in conjunction with Section 26 para. 1 sentence 1 Federal Data Protection Act (BDSG).

Log files (server logs, error logs) are also created (refer to Section 2.1) when you visit the career portal. In this regard, we refer to Recruitee’s statements at the end of the Privacy Policy on the career portal. The legitimate interests of Recruitee in providing the career portal constitute the legal basis, specifically Art. 6 para. 1 point f) GDPR. Where information is accessed or stored on your device when you visit our career portal (e.g. the storage of language settings in a cookie), doing so is absolutely necessary to provide the career portal and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 2 TTDSG in Germany.

We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we store your application data for as long as is necessary for the employment relationship and to the extent that is necessary for compliance with legal obligations.

If we reject your application, we will store your application data for no more than six months after rejecting your application, unless you issue us with your consent to a longer storage period. If you have given us your consent separately, we will store your data submitted as part of your application in our pool of applicants for a further twelve months after the end of the application process in order to identify any other interesting positions for you and, if necessary, to make contact with you again. The data will be erased after this period. You may withdraw your consent at any time with effect for the future by sending us an email at career@lillydoo.com.

2.10 PAYMENT OPTIONS AND PAYMENT SERVICE PROVIDERS

We offer the payment methods commonly used in the online sector to pay for your orders in our online shop, namely credit card, PayPal, SEPA direct debit or invoice. We will transfer your specified data (e.g. bank details or credit card data) to the bank/banking institution commissioned with the payment or to the commissioned payment service provider for payment processing, depending on the payment method selected in the order process. Payment and performance of the contract are not possible if this payment data is not transferred to the payment service provider or the bank/banking institution. The legal basis for this data processing is Art. 6 para. 1 sentence 1 point b) GDPR. We cooperate with the following payment service providers in this regard:

Our payment service providers will use Unzer (Unzer GmbH, Avangerowstraße 18, 69115 Heidelberg) to check your creditworthiness if you select the payment option purchase on account or SEPA. Refer to the Unzer Privacy Policy for more information about Unzer.

2.11 LOQATE

We use the “Global Address” service by GB Group PLC, The Foundation, Herons Way, Chester Business Park, Chester, CH4 9GB, United Kingdom (“Loqate”) for appropriate validation of data and to ensure that incorrect address data is not stored in our system. We have entered into a data processing agreement with Loqate.

Your address (no other personal data will be processed) will be checked directly by Logate for validity during entry in the online interface and will not be stored beyond that. An alternative address or the correct spelling of your address will be suggested if an error is detected when entering your address. The interface is used to compare your data with Loqate’s database, which is located in the United Kingdom. The European Commission has issued a corresponding adequacy decision for the United Kingdom pursuant to Article 45 para. 1 GDPR, which legitimises transfer of your data to the United Kingdom or its processing in the United Kingdom.

Your data is processed on the basis of Art. 6 para. 1 sentence 1 point f) GDPR. Our legitimate interest is to ensure that valid data is retained and to guarantee smooth processing of customer enquiries and orders.

For more information about data protection at Loqate, visit: https://www.loqate.com/de/datenschutzerklärung-für-produkte-und-dienstleistungen/.

2.12 SECURITY SERVICE PROVIDER

2.12.1 LINK11

We use the IT service provider Link11 GmbH, Lindleystraße 12, 60314 Frankfurt am Main, Germany, for IT security purposes (e.g. to increase the security of our website against fraud attacks, to ensure DDoS protection and to protect your customer experience against the effects of malicious bots). When you access our website as a user, several requests are sent to us for a visit to the respective page and we send back the content to be displayed. The request contains all the information we need to display the relevant content to you: browser information, which page will be accessed, any forms submitted (e.g. during checkout) and login details etc. The requests are encrypted. Link11 can only access these requests in order to analyse them for bots. The following data is transferred as well: IP address, access time, access date, requested URL, user agent and referrer.

The legal basis is our legitimate interest (Art. 6 para. 1 point f) GDPR). We have concluded a data processing agreement with the IT service provider Link11, which acts as a processor on our behalf.

The functionality of our website cannot be guaranteed without this processing by the IT security service provider. Your personal data will be stored by the provider for as long as is necessary for the purposes described above. As a rule, IP addresses are stored for 96 hours.

For more information about how to object and remove your data from the provider, visit: https://www.link11.com/de/datenschutz/.

2.12.2 CLOUDFLARE

Our website also uses the content delivery network services provided by Cloudflare Inc, 701 Townsend St, San Francisco, CA 94107 (USA).

The content delivery network stores the content of our website on the service provider’s server. The service provider's server distributes this content to you or your browser when you access our website. Cloudflare processes your IP address and DNS log data, for example.

We use Cloudflare for the purpose of defending against attacks such as “DDos or bot attacks” on our website. Furthermore, data processing aims to shorten the loading times of our website so that the content of our pages is made available to you as quickly as possible.

Personal data may be transferred to third countries. Adequate safeguards or other instruments to ensure compliance with the European data protection principles have been implemented for the comprehensive protection of your data in this case.

The legal basis for the use of Cloudflare is Art. 6 para. 1 point f) GDPR due to our legitimate interest in increasing the security and delivery speed of our website. We have entered into a data processing agreement with Cloudflare.

Refer to the Cloudflare Política Privacy Policy for more information.

2.13 LOYALTY AND REWARDS PROGRAMME (REWARDS SHOP) LOYALTY LION

You have the option to participate in our loyalty programme. We use the platform service provider LoyaltyLion, LoyaltyLion Limited, 2nd Floor, 201 Haverstock Hill, London, NW3 4QG, United Kingdom, to run the programme. Your data will be forwarded to LoyaltyLion for thepurpose of receiving email notifications about your current points balance and current rewards promotions.This data includes the customer number, the order total, your email address, your name and date of birth (optional). LoyaltyLion processes this data for the purpose of implementing the programme; the service provider provides the platform and manages the points collected by you and provides the rewards shop.The rewards shop can only be used by customers with an active subscription.When using the rewards shop, the following data in particular is collected: login data, browser data, location and the products purchased.The legal basis for the forwarding of the data is the rewards programme contract in accordance with Art. 6 (1) 1 lit. b GDPR. We have concluded an order processing contract with LoyaltyLion. LoyaltyLion stores your points balance and when points are redeemed by you. The data transfer to the United Kingdom is based on an adequacy decision by the European Commission.For more information, please refer to the LoyaltyLion data protection information.

2.14 ADDITIONAL INFORMATION ABOUT THE TRUSTED SHOP TRUST BADGE

We are a member of Trusted Shops and use the Trusted Shop seal of approval and ratings. We are required by Trusted Shops to provide the following information:

The Trusted Shops trust badge is integrated on this website to display our Trusted Shops seal of approval and any ratings collected, as well as to offer Trusted Shops products to buyers after they have placed an order. The purpose in this regard is to uphold our legitimate interests in optimised marketing of our products and services, which outweigh other interests in the context of a balancing of interests. The legal basis for this data processing is Art. 6 para. 1 point f) GDPR. The trust badge and the services advertised in connection with it are provided by Trusted Shops (Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne).

When you access Trustbadge, the web server automatically saves a so-called server log file, which contains – among other things – your IP address, the date and time of access, the volume of data transferred and the requesting provider (access data) and documents the access. This access data is not evaluated and is automatically overwritten at the latest seven days after the end of your visit to the site. Further personal data is only transferred to Trusted Shops if you decide to use Trusted Shops products after completing an order or if you have already registered for their use. The contractual agreement between you and Trusted Shops will apply in this case.


3. Use of tools on the website

3.1 TECHNOLOGIES USED

This website uses various services and applications (collectively, “tools”) that are provided either by us or by third parties. These include, in particular, tools that use technology to store or access information on your device:

  • Cookies:information stored on your device, consisting in particular of a cookie name, a value, the storing domain and an expiry date. So-called session cookies (e.g. PHPSESSID) are deleted after the session, while so-called persistent cookies are deleted after the specified expiry date. Cookies can also be removed manually.
  • Almacenamiento web (Local Storage / Session Storage):information stored on the device, consisting of a name and a value. Information in the session storage is deleted after the session, while information in the local storage has no expiry date and remains stored unless a deletion mechanism has been established (e.g. local storage with timed entry). Information in the local and session storage can also be removed manually.
  • JavaScript:programming codes embedded in or accessed on the website that, for example, set cookies and web storage or actively collect information from the device or about the usage behaviour of visitors. JavaScript can be used for “active fingerprinting” and the creation of usage profiles. JavaScript can be blocked by making appropriate browser settings, although most services will no longer function in this case.
  • Píxel:a tiny graphic that is loaded automatically by a service. Its purpose is to enable visitor recognition by automatically transfer of the usual connection data (in particular the IP address, browser information, operating system, language, fonts, accessed address and time of access) and to determine, for example, when an email is opened or a website visited. Pixels can be used for “passive fingerprinting” and to create usage profiles. The use of pixels can be prevented, for example, by blocking images in emails and elsewhere, although doing so will severely limit their display.

“Fingerprints” can be created using these technologies and also just by establishing a connection on a page. These fingerprints are usage profiles that do not require the use of cookies or web storage to recognise visitors. There is no manual method that enables the prevention of fingerprints entirely.In their default settings, most browsers accept cookies, run scripts and display graphics. In most cases, however, you can adjust your browser settings to reject all or certain cookies or to block scripts and graphics. Our services will probably not work - either partly or properly – if you block the storage of cookies, the display of graphics and the execution of scripts completely.The following section lists the tools we use by category. In particular, we offer information about the providers of the tools, the storage duration of the cookies or information in the local storage and session storage as well as the transfer of data to third parties. We also explain in which cases we obtain your voluntary consent to use the tools and how you can withdraw this consent.

3.2 LEGAL BASIS AND WITHDRAWAL

3.2.1 LEGAL BASIS

We use tools that are necessary for website operation based on our legitimate interest pursuant to Art. 6 para. 1 point f) GDPR in order to provide the basic functions of our website. In certain cases, these tools may also be necessary for the performance of a contract or to take measures prior to entering into a contract, in which case the processing is carried out in accordance with Art. 6 para. 1 point b) GDPR. The access to and storage of information in the device is absolutely necessary in these cases and is carried out on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 2 TTDSG in Germany.We use all other non-essential (optional) tools that provide additional functions on the basis of your consent pursuant to Art. 6 para. 1 point a) GDPR. Access to and storage of information in the device is then carried out on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 2 TTDSG in Germany. These tools are only used for data processing if we have received your prior consent.Where personal data is transferred to third countries, we refer, also with regard to the risks that may be involved, to para. 6 (“Data transfer to third countries“). We will inform you if standard contractual clauses or other guarantees have been concluded for the use of certain tools. If you have given your consent to the use of certain tools, we (also) transfer the data processed when using the tools to third countries on the basis of this consent in accordance with Art. 49 para. 1 point a) GDPR.

3.2.2 OBTAINING YOUR CONSENT

To obtain and manage your consent, we use the consentmanager.com tool from consent-manager AB, Håltegelvägen 1b, 72348 Västerås, Sweden (“consentmanager”). The tool creates a banner informing you about how data is processed on our website and giving you the option to consent to all, some or no data processing by means of optional tools. This banner is shown on your first visit to our website and when you revisit the preferences selection to make changes or withdraw consent. The banner will also be shown on further visits to our website if you have deactivated the storage of cookies or if the cookies or information in consentmanager’s local storage have been deleted or have expired.Your consent or withdrawal, your IP address, information about your browser, your device and the time of your visit are transmitted to consentmanager during your visit to the website. In addition, consentmanager stores necessary information on your end device in order to retain your consent and withdrawal of consent:

  • __cmpconsentx (storage period: 1 year)
  • __cmpcpcx (storage period: 1 year)
  • __cmpcvcx (storage period: 1 year)

Data processing by consentmanager is necessary to provide the legally required consent management and to comply with our documentation obligations. The legal basis for the use of consentmanager is Art. 6 para. 1 point f) GDPR, according to our interest in compliance with the legal obligations for consent management. Access to and storage of information on the device are absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 2 TTDSG in Germany.

3.2.3 WITHDRAWAL OF YOUR CONSENT OR CHANGE IN YOUR PREFERENCES

You may withdraw your consent for certain tools at any time. To do so, click on the following link/button: [link/button]. You can also change the selection of the tools to which your consent applies and obtain additional information on the tools in question. Alternatively, you may also exercise your right of withdrawal for certain tools by contacting the provider directly.

3.3 NECESSARY TOOLS

We use certain tools to enable the basic functions of our website (“necessary tools”). We would be unable to provide our service without these tools. The use of necessary tools therefore does not require consent. The legal basis for necessary tools is the requirement to maintain our legitimate interests according to Art. 6 para. 1 point f) GDPR, or to perform a contract or to take steps prior to entering into a contract according to Art. 6 para. 1 point b) GDPR. Access to and storage of information on the device is absolutely necessary in these cases and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 2 TTDSG in Germany.In regard refer to the information provided below, we refer to para. 6 (“Data transfer to third countries”) for the event that personal data is transferred to the USA or other third countries.

3.3.1 PROPRIETARY TOOLS

We use our proprietary tools that access information on the device or store information on the device, in particular to

  • authenticate login authentication;
  • balance load;
  • save your language settings;,
  • remember that you have been shown information placed on our website – so that it is not shown again the next time you visit the website.

3.3.2 GOOGLE RECAPTCHA

Our website uses the Google reCAPTCHA service, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (jointly “Google”) for all other persons.reCAPTCHA prevents automated software (so-called bots) from performing abusive activities on the website, i.e. it checks whether entries actually originate from a human being. reCAPTCHA uses JavaScript and stores cookies and information in the local storage of your device for this purpose. The following data is processed in particular:

  • referrer URL (address of the page last visited by the user);
  • IP address;
  • cookies set by Google;
  • snapshot of the browser window;
  • user’s input behaviour (e.g. answering the reCAPTCHA question, input speed in form fields, order of selection of input fields by the user, number of mouse clicks);
  • technical information: Browser type, browser plugins, browser size and resolution, date, language setting, display instructions (CSS) and scripts (Javascript).

The following cookies from reCAPTCHA can be used for this purpose: “_GRECAPTCHA” (6 months).The following information in the local storage can be set by reCAPTCHA: “_grecaptcha”.Furthermore, Google reads the cookies from other Google services such as Gmail, Search and Analytics. You must log out of Google before accessing a page in which we have integrated Google reCAPTCHA if you do not want this information to be associated with your Google account.The above data is sent to Google in an encrypted form. Google’s evaluation decides in which form the Captcha is shown on the page. The use of reCAPTCHA is statistically evaluated. Google has claimed that your data will not be used for personalised advertising.The legal basis is the necessity to perform a contract or to take steps prior to entering into a contract according to Art. 6 para. 1 point b) GDPR, for instance in connection with registering a user account, using a contact form or subscribing to a newsletter. Google reCAPTCHA is used to protect IT security, ensure the stability of our website and prevent misuse.In some cases, the data may also be processed on servers in the USA. In the event that personal data is transferred to the USA or other third countries, this shall take place on the basis of Art. 49 para. 1 point b) GDPR for the performance of a contract or to take steps prior to entering into a contract.For more information in this regard, visit:

3.4 FUNCTIONAL TOOLS

We also use optional tools to enhance the user experience on our website and to provide you with more features (“functional tools”). Although they are not essential for the basic functions of the website, they can provide significant benefits to visitors, particularly in terms of user experience and additional communication, display or payment channels.The legal basis for the functional tools is your consent in accordance with Art. 6 para. 1 point a) GDPR. Access to and storage of information on the device is then based on the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 1 TTDSG in Germany. Refer to 3.2.3: “Withdrawal of your consent or change in your preferences” to withdraw your consent.In the event that personal data is transferred to the USA or other third countries, your consent explicitly extends to the transfer of data (Art. 49 para. 1 point a) GDPR). Please refer to section 6 (“Data transfer to third countries”) in regard to the associated risks.

3.5 ZENLOOP

We work with zenloop GmbH, Erich-Weinert-Straße 145, 10409 Berlin. zenloop is a business-to-business software-as-a-service platform that allows us to collect and analyse feedback from our customers through various channels. By doing so, we are able to tailor and improve our internet presence to the needs of our customers. In addition, zenloop collects your survey responses.The legal basis for data processing by zenloop is Art. 6 para. 1 point f) GDPR.We have entered into a data processing contract with zenloop in accordance with Art. 28 para. 3 GDPR and are satisfied that zenloop has implemented appropriate technical and organisational measures to ensure that the processing complies with the requirements of the GDPR and guarantees the protection of your rights.For more information in this regard, refer to the Privacy Policy at https://www.zenloop.com/en/legal/privacy. We use the personal data provided by you during the purchase – for instance the email address – to request that you use the evaluation system provided by us to rate your order. We do so to obtain customer and product evaluations from our customers and to carry out our own quality management.

3.6 ANALYTICS TOOLS

We use optional tools to collect statistics and analyse general usage behaviour based on access data (“analytics tools”) in order to improve our website. Moreover, we use analytics services to evaluate the use of our various marketing channels.The legal basis for the analytics tools is your consent in accordance with Art. 6 para. 1 point a) GDPR. Access to and storage of information on the device is then carried out on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 1 TTDSG in Germany. Refer to 3.2.3: “Withdrawal of your consent or change in your preferences” to withdraw your consent.In the event that personal data is transferred to the USA or other third countries, your consent explicitly extends to the transfer of data (Art. 49 para. 1 point a) GDPR). Please refer to section 6 (“Data transfer to third countries”) in regard to the associated risks.

3.6.1 GOOGLE ANALYTICS

Our website uses the Google Analytics service, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from Europe, the Middle East and Africa (EMEA) and by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (collectively “Google”) for all other persons.Google Analytics uses JavaScript and pixels to read information on your device and cookies to store information on your device. This information is used to analyse your usage behaviour and to improve our website. We will process the information obtained to evaluate your use of the website and to compile reports on website activities on behalf of the website operators. The data generated in this context may be transferred by Google to a server in the USA for analysis and stored there.We have made the following data protection settings for Google Analytics:

  • IP anonymisation (truncation of the IP address prior to evaluation);
  • automatic deletion of old logs by limiting the storage period to 26 months;
  • disabling of cross-device and cross-page tracking.

The following data is processed by Google Analytics:

  • IP address;
  • referrer URL (page last visited);
  • pages viewed (date, time, URL, title, length of stay);
  • downloaded files;
  • clicked links to other websites;
  • if applicable, achievement of certain goals (conversions);
  • technical information: operating system; browser type, version and language; device type, brand, model and resolution;
  • approximate location (country and city, if applicable, based on the anonymised IP address).

Google Analytics places the following cookies for the designated purpose and with the respective storage period:

  • „_ga“ (storage period: 2 years): Recognition and distinction of visitors by a user ID;
  • "_gid" (storage period: 24 hours): Recognition and distinction of visitors by a user ID;
  • „_gat_“ (storage time: 2 minutes): Reduction of requests to Google servers;
  • „_dc_gtm_UA-[GA-ID]“ (storage time: 1 minute): Reduction of requests to the Google servers;
  • “ (storage time: 13 months): Recognition and differentiation of visitors by a user ID, recording interaction with advertisements, playing out personalized advertisements.

We have entered into a data processing agreement with Google Ireland Limited for the use of Google Analytics. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46 para. 2 point c) GDPR.For more information in this regard, refer to the Google Privacy Policy at: https://support.google.com/analytics/answer/6004245.

3.6.1.1 GOOGLE SIGNALS

As an extension to Google Analytics , Google Signals can be used on our website to generate cross-device reports. If you have activated personalised cookies and your device is linked to your Google account, Google can, subject to your consent to the use of Google Analytics, analyse your usage behaviour across devices and create database models, including for cross-device conversions. We do not receive any personal data from Google, only statistics. The legal basis for data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR

If you want to stop the cross-device analysis, you can deactivate the "Personalised advertising" function in the settings of your Google account. To do this, follow the instructions on the following page: https://support.google.com

You can find more information about Google Signals at the following link https://support.google.com/analytics/answer/7532985?hl=de#zippy=%2Cthemen-in-diesem-artikel

3.6.2 SPOTEFFECTS AND MATOMO

This website uses the “Spoteffects” service by XAD spoteffects GmbH (Saarstr. 7, 80797 Mu-nich) to record the effectiveness of our TV advertising campaigns. To analyse interaction, Spoteffects uses the analytics tool Matomo (formerly Piwik), an open source analysis software for the statistical evaluation of visitor accesses.We have made the following data protection settings for Matomo:

  • IP anonymization (shortening of the IP address before evaluation so that no conclusions can be drawn about your identity);
  • Processing (especially geolocalization) and storage of your visit only with the help of the anonymized IP address;
  • Automatic deletion of old logs / limitation of storage time;
  • Accepting "Do Not Track" of the browser.

The following data may be stored in the user log together with a pseudonymised user ID:

  • anonymised IP address;
  • referrer URL (page last visited);
  • pages viewed (date, time, URL, title, length of stay);
  • downloaded files;
  • clicked links to other websites;
  • if applicable, achievement of specific goals (conversions);
  • technical information: operating system; browser type, version and language; device type, brand, model and resolution;
  • approximate location (country and city, if applicable, based on anonymised IP address).

The following cookies are placed for the specified purpose and with the respective storage period when using Matomo:

  • „_pk_id“ (storage period: 13 months): Storage of the user ID;
  • „_pk_ref” (storage period: 6 months): Storage through which websites the visitor came;
  • „_pk_ses“ (storage time: 30 minutes): short storage of usage data;

Refer to the Matomo Privacy Policy at: https://matomo.org/privacy/ for more information in this regard.

3.6.3 ADTRIBA

Our website uses the services of Adtriba GmbH (Veilchenweg 26b, 22529 Hamburg). Adtriba is an analysis and tracking tool that helps us draw conclusions about the success of our online marketing campaigns. We can use this information to evaluate our marketing campaigns and optimise them accordingly. To do this, Adtriba uses cookies (“analytics cookies”) to identify your touch points with our digital marketing campaigns. Your interactions with our advertising are measured additionally, for instance your clicks on our advertising banners.Moreover, your cookie ID, IP address (truncated to the last octet), technical information (browser type, operating system, device data), the marketing touchpoint (channel, source, campaign, time of interaction) and your visit to our website (page visited, referrer URL, interaction with the website and the time of your visit) are recorded as well.Refer to the Adtriba Privacy Policy for more information on data processing.

3.6.4 TRBO

Our website uses the service of trbo GmbH, Leopoldstr. 41, 80802 Munich (“Trbo”). Trbo is a tracking tool that helps us to design our website in the best possible way. By using Trbo, we can control and improve our online services by measuring the use of our online services and the effectiveness of our online advertising. This helps us to understand which pages and products interest our customers the most and which individual offers we should make to our website users in each case.From a technical perspective, the tracking tools include in particular “cookies” (“marketing cookies”) and “web beacons” to collect the following information: which pages are visited and when, how often and in which order, which products are searched for, which links or offers are clicked on and which orders are placed. The data collected from you and used in this context is stored in a pseudonymous form in all cases (e.g. a random identification number) and is not associated with personal data about you (e.g. name, address, etc.). Where the external service providers acquire access to the data, this takes place exclusively on our behalf and under our control.For more information about data protection at Trbo, click here.

3.6.5 LINKSTER

This website uses tracking technology by Linkster GmbH, Geschwister-Scholl-Straße 52, 20251 Hamburg, to measure and visualise insights into partnerships and advertising channels. This is a function to measure the efficiency of the corresponding advertising campaigns. Furthermore, the information enables us to allocate advertising successes to advertising partners for billing purposes. When you click on an integrated advert, cookies are placed in your browser and read in the event of a transaction. At each touch point, your browser sends an HTTP request to the Linkster server containing the transfer of certain information. This information includes the URL of the website on which advertising material is placed (referrer URL), the browser identifier (user agent) of your device (including information about the device type and operating system), the IP address of the device (this IP address is anonymised and hashed by us before storage), HTTP header (data package automatically transmitted by your browser containing various technical information), the time of the request and the cookie with its content if this has already been placed on your device. The tracking technology stores cookies on your device to document operations. A 24-digit, anonymous ID is stored in the cookie. The data is linked to this ID and stored in an encrypted form in our database on the server. It contains information about the last touch points (i.e. when a particular advertising medium was displayed or clicked on from a device). If necessary, the stored touch points can be put together to form a sequence chain (user journey). In the case of a request for action, the order number and the shopping basket value of your order are usually also transmitted and stored by us. In addition, the following values may be transmitted and stored: your customer number, new customer feature, your age and gender as well as the information you provided in a customer survey. The cookies stored by Linkster GmbH are deleted after 30 days at the latest. The information transferred to us and the cookies themselves are intended exclusively to ensure correct allocation of an advertising medium’s performance and the corresponding billing and is justified by our legitimate interests according to Art. 6 para. 1 sentence 1 point f) GDPR. Where you do not wish cookies to be placed on your device, you can deactivate this in our cookie banner and visit the “Cookie settings” at any time.You can also opt-out of the collection and processing of tracking data by clicking on this tracking opt-out link: trck.linkster.co/privacy-optout.do. You can view your data at: trck.linkster.co/privacy-mydata.do

3.6.6 TIKTOK

Our website uses the “TikTok Pixel” service, which is offered by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, and TikTok Information Technologies UK Limited, WeWork, 125 Kingsway, London, WC2B 6NH, United Kingdom (jointly referred to in the following as “TikTok”).We use TikTok Pixel to understand and track visitor activity on our website. The Tiktok Pixel collects and processes information about the visitors to our website or the devices they use (“event data”). This event data is used for targeting our advertisements and improving their delivery as well as for personalised advertising. The data generated in this context may be transferred by TikTok to servers located in third countries for analysis and stored there.Some of this event data is information that is stored in the device you are using. In addition, the TikTok Pixel also uses cookies to store information on the device you are using. Any storage of information by the TikTok Pixel or access to information already stored on your device can only take place with your consent.The legal basis for this data processing is your consent pursuant to Art. 6 para. 1 point a) GDPR. Access to and storage of information on the device is then carried out on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so § 25 para. 1 TTDSG in Germany. We have concluded suitable standard contractual clauses of the European Commission (Implementing Decision (EU) 2021/914) in accordance with Art. 46 para. 2 point c) for In the event that personal data is transferred to TikTok companies based in third countries.The collection and transfer of the event data is performed by us and TikTok as joint controllers. We have entered into a joint controller processing agreement with TikTok which sets out the allocation of data protection obligations between us and TikTok. In particular, we and TikTok have agreed therein

  • that we are responsible for providing you with all information in accordance with Art. 13, 14 GDPR on the joint processing of personal data;
  • that TikTok is responsible for enabling the rights of data subjects under Art. 15 to 20 GDPR with respect to personal data stored by TikTok after joint processing.

You can access the agreement concluded between us and TikTok at https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms.TikTok is the sole data controller for the subsequent processing of the submitted event data. For more information on how TikTok processes personal data, including the legal basis on which TikTok relies and how you can exercise your rights against TikTok, refer to the TikTok Privacy Policy at https://www.tiktok.com/legal/privacy-policy?lang=de-DE.Marketing-Tools.We also use optional tools for advertising purposes (“marketing tools”). Some of the access data collected when using our website is used to create usage profiles, which store your usage behaviour, the advertisements you have viewed or clicked on and, based on this, the classification into advertising categories, interests and preferences in particular. By analysing and evaluating this access data, we are able to present you with personalised advertising, i.e. advertising that corresponds to your actual interests and needs, on our website and on the websites of other providers. For this purpose, we analyse your usage behaviour in order to recognise you on other sites and to address you in a personalised manner based on your use of our site (retargeting).The legal basis for the marketing tools is your consent in accordance with Art. 6 para. 1 point a) GDPR. Access to and storage of information on the device is then based on the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 1 TTDSG in Germany Refer to 3.2.3: “Withdrawal of your consent or change in your preferences” to withdraw your consent.In the event that personal data is transferred to the USA or other third countries, your consent explicitly extends to the transfer of data (Art. 49 para. 1 point a) GDPR). Please refer to section 6 (“Data transfer to third countries”) in regard to the associated risks.The following section contains a more detailed explanation of the tools and the providers used in this context. The data collected may include in particular:

  • the IP address of the machine;
  • the information of a cookie and in the local or session storage;
  • the device identifier of mobile devices (e.g. device ID, advertising ID);
  • referrer URL (previously visited page);
  • pages viewed (date, time, URL, title, length of stay);
  • downloaded files;
  • clicked links to other websites;
  • if applicable, achievement of specific goals (conversions);
  • technical information: operating system; browser type, version and language; device type, brand, model and resolution;
  • approximate location (country and city, if applicable).

The collected data is only stored pseudonymously, which means that no direct conclusions can be drawn about the persons.

3.6.7 META PIXEL

Our website uses the “Meta Pixel” service for marketing purposes, which is provided for persons outside the USA and Canada by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland and for all other persons by Meta Platforms Inc, 1601 Willow Road, Menlo Park, California 94025, USA (jointly “Meta Platforms”).We use Meta Pixels to analyse the general use of our websites and to track the effectiveness of advertising (“conversion tracking”). In addition, we use Meta Pixels to show you personalised advertising messages on the social networks of Meta Platforms (such as Facebook and Instagram) based on your interest in our products (“retargeting”). This also involves target group remarketing by means of Custom Audience. The data generated in this context may be transferred for analysis by Meta Platforms to a server in the USA and stored there.Meta Platforms processes data for this purpose: The service collects the data using JavaScript, cookies and other technologies on our websites. This includes in particular:

  • HTTP header information such as information about the browser used (e.g. user agent, language);
  • information on events such as “page views”, other object properties and buttons clicked by visitors to the website;
  • online identifiers such as, but not limited to, IP addresses and, where provided, Facebook’s business-related identifiers or device IDs (such as mobile operating system ad IDs), as well as ad tracking disable/restriction status information.

The following cookies are set and read by Meta-Pixel for the specified purpose with the respective storage period:

  • „_fbc“ (storage period: 3 months): Usage analysis and retargeting;
  • „_fbp“ (storage period: 3 months): Usage analysis and retargeting;

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 point a) GDPR. Access to and storage of information on the device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section 25 para. 1 TTDSG in Germany. The transfer of your data to the USA and other third countries is based on your explicit consent in accordance with Art. 49 para. 1 point a) GDPR.Meta Platforms acts as our processor for matching, measurement and analytics services, in particular for analysing the use of our website, matching user ID and reporting on our advertising campaigns. We have therefore entered into a data processing agreement. In the event that personal data is transferred from Meta Platforms Ireland Limited to the USA for these purposes, Meta Platforms Ireland Limited and Meta Platforms Inc. have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Article 46 para. 2 point c) GDPR.In addition, we and Meta Platforms are joint controllers in the processing of event data for the targeting of advertisements (through the creation and selection of target groups), the delivery of commercial and transactional messages, the improvement of ad delivery and the personalisation of functions and content within the framework of the use of Meta Pixel. The mutual obligations in this regard have been set out in a joint contract, which can be accessed at the following address: https://www.facebook.com/legal/controller_addendum.In addition, Meta Platforms also processes the event data for the protection and security of Meta Platform products, for research and development purposes and for maintaining the integrity of and improving the products.If you are a member of Facebook or Instagram and have allowed Meta Platforms to do so in your account’s privacy settings, Facebook or Instagram may also associate the information collected about your visit to us to your member account and use it for targeted advertising. You can view and change the privacy settings of your Facebook profile at any time: https://www.facebook.com/settings/?tab=ads. You can prevent the association of data collected outside of Instagram for the display of personalised advertising in Instagram as follows: https://de-de.facebook.com/help/instagram/2885653514995517?locale=de_DE. If you have not consented to the use of Meta Pixels, Meta Platforms will only display generic advertisements that are not selected based on the information collected about you on this website.For further information, especially on our status as joint controllers and contact details, please refer to Meta Platforms Privacy Policy, in particular on the social networks Facebook and Instagram: https://www.facebook.com/about/privacy/.

3.6.8 GOOGLE ADS CONVERSION TRACKING AND ADS REMARKETING

Our websites use the “Google Ads" service, which is offered to persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (jointly “Google”).In Google Ads, we use “Google Ads Conversion Tracking” to record and analyse customer operations defined by us (such as clicking on an ad, page views, downloads). We use “Google Ads Remarketing” to show you individualised advertising messages for our products on Google partner websites. Both services use cookies, JavaScript Pixel and other technologies for this purpose. Google will also process the data to improve and further develop its own products and services, to perform aggregate statistical analysis of conversions, and to improve the quality and accuracy of conversions. Google can transfer the data generated during this process to a server in the USA for evaluation and storage.The following cookies are set by Google:

  • "_gcl_au" (storage period: 90 days): Conversion tracking, storage of ad clicks;
  • "_gcl_aw" (storage period: 90 days): Conversion tracking, storage of ad clicks;
  • " _gac_* (storage period: 90 days) Addition of the Google click identifier in the URL for conversion tracking (auto-tagging).

Legal basis for this data processing is your consent in accordance with Article 6 Paragraph 1 lit. a of the DSGVO. Access to and storage of information in the terminal device is then based on the implementation acts of the ePrivacy Directive of the EU member states, in Germany according to § 25 paragraph 1 TTDSG. Transfer of your data to the USA and other third countries is based on your express consent in accordance with Article 9 Paragraph 1 lit. a of the DSGVO.If you use a Google account, Google may associate your web and app browsing history with your Google account and use information from your Google account to personalise ads, depending on the settings stored in your Google account. You must log out of Google before accessing our website if you do not want this association with your Google account.If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected based on the information collected about you on this website. In addition to withdrawing your consent, you also have the option of deactivating personalised advertising in Google's advertising settings. Further information can be found:

3.6.9 SALESFORCE MARKETING CLOUD

We use the customer relationship management module “Salesforce Marketing Cloud” by Salesforce.com Inc., The Landmark @ One Market Street, Suite 300, San Francisco, California, CA 94105, USA (“Salesforce”) for marketing purposes (e.g. to forward our newsletters and information emails) and for analysis purposes when you visit our website. Salesforce is used to tailor our offerings and services to your interests and to improve our advertising and communications with you. Salesforce uses cookies or other unique identifiers (e.g. cookie IDs) to learn more about your usage patterns on our websites. You may disable this at any time in the cookie settings. Your contact details (e.g. name, address, email address, IP address) are transferred to the Salesforce Marketing Cloud for the purposes mentioned above. The Salesforce Marketing Cloud data is stored and processed on Salesforce servers in the USA. Salesforce undertakes with binding internal data protection rules in accordance with Art. 46 (2) b) and Art. 47 GDPR (so-called Binding Corporate Rules) to maintain an adequate level of data protection even when processing data outside the European Union. Salesforce has also implemented standard contractual clauses (SCCs) in a data processing agreement.For more information about the Salesforce Marketing Cloud and Service and the data processed, visit https://www.salesforce.com/es/company/privacy/.

3.6.10 UNBOUNCE

We use the services of Unbounce Marketing Solutions Inc, 400-401 West Georgia Street, Vancouver BC, Canada, V6B 5A1, (“Unbounce”), which provides “landing pages” for us to create for certain promotions. We use these promotional pages on our website to offer coupon codes, discounts or other benefits to prospective customers and customers and to provide an immediate redirect to our website.The campaign page is hosted by Unbounce and records your IP address, the referrer website, the browser, the user agent, the date and time of your visit, the device used and cookie data (refer also to Section 2.1 of this Privacy Policy). Unbounce uses cookies to measure the success of our promotion page. Your contact details will also be recorded by Unbounce if you complete a contact form on a campaign page.The legal basis for the aforementioned data processing is Art. 6 para. 1 points a), f) GDPR according to our legitimate interests. Our legitimate interest lies in marketing our products and measuring the success rate of our advertising campaigns.Refer to the Unbounce Privacy Policy for more information about data processing.

3.6.11 CRITEO

Our website also uses the remarketing technology by Criteo GmbH, Unterer Anger 3, 80331 Munich (“Criteo”). Criteo uses cookies (“marketing cookies”) and similar technologies and to collect exclusively anonymous data on the usage behaviour of website visitors for marketing purposes.Criteo is therefore able to analyse usage behaviour and on this basis to display targeted product recommendations as suitable advertising banners when other websites are visited. Under no circumstances can the anonymised data be used to personally identify visitors to the website.The data collected by Criteo is used only to improve the offer of advertising. Each banner displayed contains a small “i” (for information) in the bottom right-hand corner, which opens on mouseover and redirects to a page explaining the system when clicked.Refer to the Criteo Privacy Policy for more information in this regard and to object to the anonymous analysis of your usage behaviour if applicable.

3.6.12 A&S MAIL

This website uses technology from a+s Online GmbH, Stuttgarter Straße 41, 71254 Ditzingen, Germany. a+s Online GmbH uses cookies. a+s Online GmbH is an internet advertising service that allows advertisers to target users with advertising through email marketing. a+s Online GmbH is tasked with promoting our website by sending relevant advertising in emails.The legal basis for processing of the user’s data is Art. 6 para. 1 point f) GDPR. Data processing is carried out in each case to preserve our legitimate interests in the optimisation and efficient operation of our website. The data is erased or its processing is restricted or blocked as soon as it is no longer required to achieve the purpose for which it was collected, the data subject has objected to this processing or after 60 days.Refer to the a+s Online GmbH website at as-dialoggroup.de. for more information. Visit track.performancehub.de/opt-out if you wish to object to the use of “PerformanceHub conversion tracking” with effect for the future (“opt out”).

3.6.13 TYPEFORM

This website uses the services of Typeform S.L., Carrer Bac de Roda, 163, 08018 Barcelona (“Typeform”). Typeform is a tool for creating and conducting user surveys that helps us to improve our offerings and service based on your feedback.We use Typeform to include user surveys (e.g. cancellation survey, how do you know LILLYDOO survey) on our website, which respondents complete voluntarily. Typeform processes and stores personal data (e.g. customer number) and survey results when conducting surveys. We have concluded a data processing agreement with Typeform, in which Typeform undertakes to protect the data of our customers, to refrain from its transfer to third parties and, in the event of a transfer of personal data via subcontracted processors or affiliated companies to the USA, to comply with the regulations of the standard contractual clauses in accordance with Art. 46 GDPR.The legal basis for data processing is our legitimate interest in the technically flawless and optimised delivery of our service in accordance with Art. 6 para. 1 point f) GDPR. Refer to the Typeform Privacy Policy for more information about data processing by Typeform.

3.6.14 SESSIONLY

Our website uses the sessionly service, Renata Bognar, Prenzlauer Allee 186, 10405 Berlin (“sessionly”). Sessionly is a rating tool that helps us to conduct surveys with our customers so that we can learn more about how satisfied they are with our products. After your order process, sessionly sets a cookie (“marketing cookies”) to record the products you have purchased and your email address. We then receive this information from sessionly so that we can then send you an email soliciting a product review (refer also to the Newsletter and Promotional Mailings section). This email gives you the opportunity to share your experience with us about our products via sessionly. For more information about sessionly, click here.

3.6.15 JENTIS

We use the services of JENTIS GmbH, Schönbrunner Straße 231, 1120 Vienna ("JENTIS") to analyse the user behaviour of website visitors and to optimise the website. For these purposes, JENTIS receives access to web analysis data, which is measured, stored and processed by the analysis tools in use and JENTIS itself.For analysis purposes, data is transmitted to JENTIS on the one hand, and on the other hand JENTIS independently collects data on our behalf relating to the browser environment or the behaviour of the visitor. JENTIS only processes data that cannot be traced back to a person by JENTIS. The synthetically generated client ID set by JENTIS is used for pseudonymisation, so that no allocation to a person can take place via the usage behaviour of website visitors to third parties. Before storage, your IP address is either shortened in such a way that the reference to a person no longer exists or, after comparison of a geo-database, completely removed and replaced by an artificial value.The legal basis for the server-side transmission of the browser data synthetically generated by the JENTIS server, such as the client ID without IP address, to third-party servers, i.e. the pseudonymous analysis of user behaviour, is Art. 6 para. 1 lit. f DSGVO. For technical reasons, for the purposes of IT security and to fulfil user interests as well as for the economic operation of our online offer, this is absolutely necessary in the sense of § 25 para. 2 no. 2 TTDSG.You can find more information on data processing by Jentis at: https://www.jentis.com/en/privacy-policy/.

3.6.16 Innkeepr

As soon as you have given your consent to the use of advertising/tracking cookies, Innkeepr is used on our website. Innkeepr is a web analysis service of Innkeepr UG, Senefelderstraße 35, 09126 Chemnitz, Germany, which makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus analyze your activities across devices. This creates statistics that we can use to improve our offer and make it more interesting for you. The legal basis for our use of Innkeepr is your consent in accordance with Art. 6 para. 1 lit. a GDPR.
Innkeepr uses cookies that are stored on your computer and enable us to analyze your use of our website. The information collected in this way is stored exclusively on servers within Germany.
Inkeepr sets the following cookies for the specified purpose with the respective storage duration:
We use Innkeepr without recording IP addresses, so that the data we collect cannot be directly linked to a person.

• „tjs_userData” (storage period: 1 year): Defines a browser-specific ID to identify a new click in the same browser;
• „tjs_sessionData” (storage period: 1 year): Defines a browser-specific ID to identify a new session in the same browser.


You can find more information in Innkeepr's privacy policy: Innkeepr

3.6.17 Pinterest Ads

We use the tracking technology of the social network Pinterest, a service offered for users within the European Economic Area by Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland and for all other users by Pinterest Inc, 651 Brannan Street, San Francisco, California 94107, USA (together "Pinterest").

We use Pinterest tags to analyse the general use of our websites and to track the effectiveness of ads on Pinterest ("conversion tracking"). It also enables us to display personalised advertising on Pinterest to visitors to our online offering who have already shown an interest in our offering and our content and are Pinterest members ("retargeting"). For this purpose, a so-called retargeting tracking code from Pinterest is integrated on our site, which informs Pinterest when you visit our website that you have accessed our website and which parts of our offer you are interested in (e.g. specific product in the shop or newsletter registration). This tracking method also involves target group remarketing by ActALike Audiences.

The following cookies are set and read by Pinterest for the specified purpose with the respective storage duration:
• _pinterest_sess (storage period: 1 year): For logging in to Pinterest; if you log out, the authentication tokens are deleted, but the cookies remain; logged-out user IDs are used to optimise usage and measurability;
• _pinterest_ct (storage period: 1 year): contains a user ID and the timestamp at which the cookie was created;
• _pinterest_ct_rt (storage period: 1 year): Contains a user ID and the timestamp at which the cookie was created;
• _epik (storage period: 1 year): Identification as a user so that the Pinterest tag can find a match;
• _derived_epik (storage period: 1 year): to simplify future matching on pages.
• _pin_unauth (storage period: 1 year): First-party cookie for grouping actions across pages.
• _pinterest_ct_ua (storage period: 1 year): Third-party cookie for cross-page grouping of actions.
• _routing_id (storage period: 1 year): Ensures that you are redirected to the latest version of Pinterest.com.

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. Access to and storage of information in the end device then takes place on the basis of the implementation laws of the ePrivacy Directive of the EU member states, in Germany according to § 25 para. 1 TTDSG.

We are jointly responsible with Pinterest Europe for the collection of your data. The mutual obligations have been set out in a joint contract, which can be accessed at the following address: Pinterest Business Advertising and Joint Responsibilities

The data collected in this context may be transferred by Pinterest to a server in the USA for analysis and stored there. In the event that personal data is transferred to the USA, Pinterest has concluded standard contractual clauses.

If you are logged into your Pinterest account when you visit our website, Pinterest can link this information to your Pinterest account and also use it for its own advertising purposes. In addition to revoking your consent, as a Pinterest member you can deactivate the collection of data for the display of interest-based advertising on Pinterest at any time in your Pinterest account settings. If you have not consented to the use of Pinterest Ads, Pinterest will only display general advertising that has not been selected based on the information collected about you on our website.

For more information on how Pinterest Europe processes personal data, including the legal basis on which Pinterest Europe relies and the ways in which data subject rights can be exercised against Pinterest Europe, please refer to Pinterest's privacy policy.

3.6.18 WISEPOPS

As soon as you have given your consent to the use of advertising/tracking cookies, Wisepops will be used on our website. Wisepops is a service provided by Wisepops, Inc., 87 Boulevard Suchet, 75016 Paris, France, which enables the creation and display of pop-ups on our website. Wisepops processes meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times) and contact data (e.g. email addresses, telephone numbers) in the EU.The processing is carried out on the basis of your consent. The legal basis for the processing is Art. 6 (1) 1 lit. a GDPR.Wisepops uses cookies, which are stored on your computer, to ensure the functionality of the pop-ups. The information collected in this way is stored exclusively on servers within the EU.For more information, please see the Wisepops privacy policy.

3.7 SOCIAL MEDIA PLUGINS AND EXTERNAL MEDIA

We also use social network tools that are used to log in to the website with an existing account or to share posts and content via these networks (“social media plugins”), as well as other external media, such as embedded videos or maps.Unless otherwise stated, the legal basis for this is your consent pursuant to Art. 6 para. 1 sentence 1 point a) GDPR, which is provided by you in the consent banner or in the specific tool by specifically allowing its use via an overlay. In these cases, access to and storage of information on the device is subject to consent and takes place on the basis of the implementation laws of the ePrivacy Directive of the EU Member States, so Section § 25 para. 1 TTDSG in Germany.Refer to 3.2.3: “Withdrawal of your consent or change in your preferences” to withdraw your consent. In the event that personal data is transferred to the USA or other third countries, your consent explicitly extends to the transfer of data (Art. 49 para. 1 sentence 1 point a GDPR). Please refer to section 6 (“Data transfer to third countries”) in regard to the associated risks.

3.7.1 FACEBOOK PLUGINS

Our website uses social media plugins (such as the Like button) by the social network Facebook, which is offered by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland for users outside the USA and Canada and by Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA (jointly “Facebook”) for all other users.For data protection reasons, no personal data is initially transferred to the social network when you visit our website. The plugin will not be activated until you provide consent, which will enable a direct contact between your browser and the social network. This prevents data from being transferred to the network and stored there without your knowledge. Your data will be processed as follows once you have given your consent:Facebook receives information that you have accessed the corresponding subpage of our online presence. This takes place regardless of whether you have an account with Facebook and are logged in there. If you are logged in to Facebook, this data is directly associated with your account. If you activate the plug-in and, for example, link to the page, Facebook also saves this information – including the date and time ¬– in your user account and shares this publicly with your contacts. You must log out prior to activating the plugin if you do not want this association with your Facebook profile.Facebook stores this data as user profiles, which it uses them for the purposes of advertising, market research and/or needs-based design of its website. Evaluations of this kind are performed in particular (also for users who are not logged in) to display needs-based advertising and to inform other users of the social network about your activities on our website.The data generated in this context may be transferred by Facebook to a server in the USA and stored there.In addition to withdrawing consent, you may also deactivate advertising based on social operations in the advertising preferences if you are a Facebook member.Refer to the Facebook Privacy Policy for more information in this regard.

3.7.2 YOUTUBE VIDEOS

We have embedded videos on our website that are stored on YouTube and can be played from our websites if you have consented. YouTube is a multimedia service of YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA (“YouTube”), which is offered to persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and to all other persons by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (jointly “Google”).We have activated YouTube’s privacy-enhanced mode. This means that Google receives less usage information and also does not personalise the video recommendations and advertisements. However, information is stored in the local storage and session storage of your device, in particular your device ID and other information regarding the playback of the video, which can be retrieved by Google.The following cookies may be set by YouTube:

  • “PREF” (storage period: 8 months): Storage of settings such as autoplay and video size.

The following information is stored in the local storage:

  • "yt-remote-device-id" (storage period: 1 year): Stores user preferences when retrieving a YouTube video;
  • "yt-player-headers-readable" (storage period: 1 month): Used to determine optimal video quality based on the visitor's device and network settings;
  • "yt.innertube::requests" (storage time: 1 day): Registers a unique ID to keep statistics of the videos from YouTube that the user has watched.
  • "yt.innertube::nextId" (storage duration: 1 day): Registers a unique ID to keep statistics of the videos from YouTube that the user has watched.
  • "yt-remote-connected-devices" (storage time: 1 day): Stores the user settings when retrieving a YouTube video.
  • "yt-player-bandwidth" (storage duration: 1 month): Used to determine the optimal video quality based on the visitor's device and network settings.

The following information is stored in the session storage:

  • "yt-remote-session-app" (storage duration: session): Saves the user settings when retrieving a YouTube video;
  • “yt-remote-cast-installed” (storage duration: session): Stores the user settings when retrieving a YouTube video integrated on other web pages;
  • “yt-remote-session-name” (Storage duration: Session): Stores the user's input when retrieving a YouTube video;
  • “yt-remote-cast-available” (storage duration: session): Stores the user's input when retrieving a YouTube video embedded on other web pages;
  • “yt-remote-fast-check-period” (storage duration: session): Stores the user settings when retrieving a YouTube video.

By visiting our website, YouTube and Google receive the information that you have accessed the corresponding subpage of our website. This takes place regardless of whether or not you are logged in to YouTube or Google. YouTube and Google use this data for the purposes of advertising, market research and the needs-based design of their websites. If you access YouTube on our website while you are logged into your YouTube or Google profile, YouTube and Google can also associate this event with the respective profiles. You must log out of Google before accessing our website if you do not want this information to be associated.In addition to withdrawing your consent, you may also deactivate personalised advertising in Google's advertising settings. In this case, Google will only display non-personalised advertising.Refer to Google’s Privacy Policy for more information, which also applies to YouTube.

3.7.3 GOOGLE MAPS

Our website uses the map service Google Maps, which is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland for persons from the European Economic Area and Switzerland and by Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (jointly “Google”) for all other persons.In order for the Google map material we use to be integrated and displayed in your web browser, your web browser must establish a connection to a Google server – which may also be located in the USA – when you access our website.By integrating the map material, Google receives the information that a page of our website was accessed from the IP address of your device. If you access the Google map service on our website while you are logged into your Google profile, Google can also associate this event with your Google profile. You must log out of Google before accessing our contact page if you do not want the information to be associated with your Google profile. Google stores your data and uses it for purposes of advertising, market research and personalised presentation of Google Maps.Refer to the Google Privacy Policy and the the Additional Terms of Use for Google Maps for more information.

4. Online presence in social networks

We maintain online presences in social networks, among others in order to communicate with customers and interested parties and to inform them about our products. The user data is ordinarily processed by the individual social networks for market research and advertising purposes. This may result in the creation of usage profiles based on the user interests. Cookies and other identifiers are stored on the computers of the data subjects for this purpose. Advertisements (for example) are then placed on the social networks but also on third-party websites based on these usage profiles.

It is possible that we may access information such as statistics on the use of our online presences as part of the operation of our online presences. This information is provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region) as well as data on interaction with our online presences (e.g. likes) and the posts and content disseminated in this way. Doing so may also yield information about the interests of users and which content and topics are particularly relevant to them. We can also use this information to adapt the design and our activities and content on the online presence and to ensure it is optimised for our audience. Kindly refer to the list below for details and links to the social network data that we, as operators of the online presences, can access. These statistics are generally collected and used as joint controllers.

The legal basis for data processing is Art. 6 para. 1 sentence 1 point f) GDPR in accordance with our legitimate interest in effective information and communication with users, or Art. 6 para. 1 sentence 1 point b) GDPR in order to stay in contact with and inform our customers and to take steps prior to entering into a contract with interested parties.

If you have an account with the social network, it is possible that we can see your publicly available information and media when we access your profile. In addition, the social network may allow us to contact you. This can take place by means of direct messages or posted messages. Communication via the social network is the responsibility of the social network as a messenger and platform service.

Please refer to the privacy policies of the individual social networks for the legal basis of data processing carried out by the social networks on their own responsibility. The following links also provide further information on the respective data processing and the options to object.

Kindly take note that the most efficient way to exercise data protection requests is with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. Where you contact us with your request, we will forward your request to the provider of the social network. Below is a list with information on the social networks on which we operate online presences:

  • Facebook (USA and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland).
  • Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
  • Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)
  • Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)
  • LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
  • Xing/Kununu (XING SE, Dammtorstraße 30, 20354 Hamburg)
  • Pinterest

5. Disclosure of data

The data collected by us will only be transferred if

  • you have given your explicit consent in this regard accordance with Art. 6 para. 1 sentence 1 point a) GDPR;
  • disclosure is necessary for the assertion, exercise or defence of legal claims pursuant to Art. 6 (1) sentence 1 point f) GDPR and there is no reason to assume that you have an overriding interest worthy of protection in preventing the disclosure of your data;
  • we are legally obliged to disclose data according to Art. 6 para. 1 sentence 1 point c) GDPR or
  • this is legally permissible and necessary according to Art. 6 para. 1 sentence 1 point b) GDPR for the performance of contractual relationships with you or to take steps at your request prior to entering into a contract.

Some of the data processing may be carried out by our service providers. In addition to the service providers mentioned in this Privacy Policy, this may include, in particular, data centres that store our website and databases, software providers, IT service providers that maintain our systems, agencies, market research companies, group companies and consulting companies. Where we disclose data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound to our instructions, have implemented appropriate technical and organisational measures to protect the rights of the data subjects and are regularly monitored by us.

In addition, disclosure is permissible in connection with official enquiries, court orders and legal proceedings where compliance is necessary for legal prosecution or enforcement.

6. Data transfer to third countries

As explained in this Privacy Policy, we use services whose providers are partly located in “third countries” (outside the European Union or the European Economic Area) or process personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union. Where this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, we have implemented appropriate safeguards to ensure an adequate level of data protection for any data transfers. These include, among others, the standard contractual clauses of the European Union or binding internal data protection policies.

Where this is not possible, we base the transfer of data on exceptions to Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of the contract or to take steps at your request prior to entering into a contract.

If a transfer to a third country is intended and no adequacy decision or appropriate safe-guards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) can gain access to the transferred data in order to collect and analyse it, and that the exercise of your data subject rights cannot be guaranteed. You will be notified in these cases when your consent is obtained in the consent banner.

7. Storage period

As a rule, we only store personal data for as long as necessary to fulfil the purposes for which it was collected. We erase the data without delay after this time, unless we require the data until the end of the statutory limitation period for evidence purposes to exercise claims under civil law or due to statutory retention obligations.

For evidence purposes, we must retain contract data for three years from the end of the year in which the business relationship with you ends. Any claims become time-barred at the earliest at this point according to the statutory limitation period.

Even after this, we are still required to store some of your data for accounting reasons. We are obliged to do so because of legal documentation obligations that may arise from the German Commercial Code (HGB), the German Fiscal Code (AO), the German Banking Act (KWG), the German Money Laundering Act (GwG) and the German Securities Trading Act (WpHG). The periods specified in this legislation for the retention of documents are between two and ten years.

8. Your rights, in particular withdrawal and objection

You are entitled to the rights of the data subject enshrined in Art. 15 – 21, Art. 77 GDPR at any time:

  • right to withdraw your consent;
  • right to object to the processing of your personal data (Art. 21 GDPR);
  • right to information about your personal data processed by us (Art. 15 GDPR);
  • right to obtain rectification of your personal data stored by us that is incorrect (Art. 16 GDPR);
  • right to erasure of your personal data (Art. 17 GDPR);
  • right to restrict the processing of your personal data (Art. 18 GDPR);
  • right to data portability of your personal data (Art. 20 GDPR);
  • right to lodge a complaint with a supervisory authority (Art. 77 GDPR).

You may contact us at any time using the contact details above to exercise your rights as described here. This also applies if you wish to receive copies of safeguards to prove an adequate level of data protection. We will comply with your data protection request, provided that the legal requirements are met in each case.

Your enquiries concerning the exercise of data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and for longer periods in individual cases for the establishment, exercise or defence of legal claims. The legal basis is Art. 6 para. 1 sentence 1 point f) GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling our accountability obligations under Art. 5 para. 2 GDPR.

You have the right to withdraw your consent at any time. This means that we will no longer process the data based on this consent in the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent until its withdrawal.

Where we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. If you object to the processing of your data for direct marketing purposes, you have a general right to object, which we will implement even when reasons are not stated.

It is sufficient to send a message to the contact details provided above without adherence to formal requirements if you wish to exercise your right of withdrawal or objection.

Finally, you have the right to lodge a complaint with a data protection supervisory authority. For example, you may exercise this right vis-à-vis a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement. The competent supervisory authority at our registered address in Frankfurt am Main is the Hessian Commissioner for Data Protection and Freedom of Information, Gustav-Stresemann-Ring 1, 65189 Wiesbaden.

9. Changes to the privacy policy

We may update this Privacy Policy from time to time, for example if we make changes to our website or in the event of amendments to the legal or regulatory requirements.