Weinauktion Data Protection

Privacy policy

This privacy policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions, and content as well as external online presences, e.g., our social media profiles (hereinafter collectively referred to as the “online offering”). With regard to the terminology used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

Koppe & Partner Weinauktionen GmbH

Im Speicher 1
Konsul-Smidt-Str. 8h
28217 Bremen

Tel: +49 421 24 24 55
Fax: +49 421 24 23 59
E-mail: kontakt@weinauktion.de
Web: www.weinauktion.de

Managing Director: Marcel Heid
Register Court: Bremen
VAT ID: DE 366 537 579

Types of Data Processed

  • Inventory data (e.g., names, addresses).
  • Content data (e.g., text entries, photographs, videos).
  • Usage data (e.g., websites visited, interest in content, access times).
  • Meta/communication data (e.g., device information, IP addresses).

Categories of Data Subjects

Visitors and users of the online offering (hereinafter we also refer to the data subjects collectively as “users”).

Purpose of Processing

  • Provision of the online offering, its functions and content.
  • Responding to contact requests and communicating with users.
  • Security measures.
  • Reach measurement/marketing.

Definitions

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.

“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant Legal Bases

In accordance with Article 13 GDPR, we inform you of the legal bases of our data processing. Unless the legal basis is specified in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR; the legal basis for processing to perform our services and contractual measures as well as responding to inquiries is Article 6(1)(b) GDPR; the legal basis for processing to comply with our legal obligations is Article 6(1)(c) GDPR; and the legal basis for processing to protect our legitimate interests is Article 6(1)(f) GDPR. In cases where vital interests of the data subject or another natural person require the processing of personal data, Article 6(1)(d) GDPR serves as the legal basis.

Security Measures

We implement appropriate technical and organizational measures in accordance with Article 32 GDPR, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

Measures include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access, input, transfer, availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and response to data risks. We also take data protection into account during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Article 25 GDPR).

Cooperation with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit it to them, or otherwise grant them access to the data, this is done only on the basis of a legal permission (e.g., if a transfer of the data to third parties, such as payment service providers, is required for the performance of the contract pursuant to Article 6(1)(b) GDPR), if you have given your consent, if there is a legal obligation, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called “data processing agreement,” this is done on the basis of Article 28 GDPR.

Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this will only take place if it is necessary to fulfill our (pre)contractual obligations, based on your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the special conditions of Articles 44 et seq. GDPR are met. This means the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a level of data protection equivalent to that of the EU (e.g., for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Rights of Data Subjects

You have the right to request confirmation as to whether data concerning you is being processed, to access this data, and to obtain further information and a copy of the data in accordance with Article 15 GDPR.

In accordance with Article 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data.

In accordance with Article 17 GDPR, you have the right to request the immediate deletion of data concerning you, or alternatively, in accordance with Article 18 GDPR, to request restriction of processing.

You have the right to receive the data concerning you that you have provided to us in accordance with Article 20 GDPR and to request its transmission to other controllers.

Furthermore, in accordance with Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.

Right of Withdrawal

You have the right to withdraw consent granted in accordance with Article 7(3) GDPR with effect for the future.

Right to Object

You may object at any time to the future processing of your data in accordance with Article 21 GDPR. In particular, the objection may be made against processing for direct marketing purposes.

Cookies and Right to Object to Direct Marketing

“Cookies” are small files stored on users’ devices. Various pieces of information can be stored within cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, or “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offering and closes their browser. For example, the content of a shopping cart in an online shop or a login status can be stored in such a cookie. “Permanent” or “persistent” cookies remain stored even after the browser is closed. For example, a login status can be saved if users visit the site again after several days. Similarly, user interests can be stored in such a cookie for reach measurement or marketing purposes. “Third-party cookies” are cookies offered by providers other than the controller operating the online offering (otherwise, if only the controller’s cookies are used, they are called “first-party cookies”).

We may use both temporary and permanent cookies and explain this in our privacy policy.

If users do not wish cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. Excluding cookies may lead to functional limitations of this online offering.

A general objection to the use of cookies for online marketing purposes can be declared for many services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by disabling them in the browser settings. Please note that not all functions of this online offering may then be available.

Deletion of Data

The data we process will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this privacy policy, the data we store will be deleted as soon as they are no longer required for their intended purpose and there are no legal retention obligations preventing deletion. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means the data will be locked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons.

According to legal requirements in Germany, data is retained, in particular, for 10 years in accordance with §§ 147 (1) AO, 257 (1) No. 1 and 4, (4) HGB (books, records, management reports, accounting documents, trade books, tax-relevant documents, etc.), and for 6 years according to § 257 (1) No. 2 and 3, (4) HGB (business correspondence).

According to legal requirements in Austria, data is retained, in particular, for 7 years according to § 132 (1) BAO (accounting documents, receipts/invoices, accounts, documents, business papers, income and expenditure statements, etc.), for 22 years in connection with real estate, and for 10 years for documents related to electronically provided services, telecommunications, broadcasting, and television services provided to non-business customers in EU member states, and for which the Mini-One-Stop-Shop (MOSS) is used.

Business-Related Processing

Additionally, we process the following data from our customers, prospects, and business partners for the purpose of providing contractual services, customer service, marketing, advertising, and market research:

  • Contract data (e.g., contract subject, duration, customer category).
  • Payment data (e.g., bank details, payment history).

Order Processing in the Online Shop and Customer Account

We process our customers' data in the course of order processes in our online shop to enable them to select and order the chosen products and services, as well as to process payment and delivery or execution.

The processed data includes master data, communication data, contract data, and payment data; the individuals affected by the processing include our customers, prospects, and other business partners. The processing is carried out for the purpose of providing contractual services in the operation of an online shop, billing, delivery, and customer services. For this purpose, we use session cookies to store the shopping cart contents and persistent cookies to store the login status.

The processing is based on Article 6 (1) lit. b (performance of order processes) and c (legally required archiving) GDPR. The data marked as necessary is required for the establishment and fulfillment of the contract. We disclose the data to third parties only in the context of delivery, payment, or as required by law to legal advisors and authorities. Data will only be processed in third countries if necessary for the performance of the contract (e.g., at the customer's request for delivery or payment).

Users can optionally create a user account, in which they can view their orders. During registration, the required mandatory information is provided to the users. The user accounts are not public and cannot be indexed by search engines. If users cancel their user account, their data related to the user account will be deleted, unless its retention is necessary for commercial or tax reasons according to Article 6 (1) lit. c GDPR. Information in the customer account will remain until its deletion, followed by archiving in case of a legal obligation. It is the users' responsibility to back up their data before the contract ends if they cancel their account.

In the context of registration and re-logins, as well as using our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user's interest in protection from misuse and other unauthorized use. This data is generally not shared with third parties unless it is necessary to assert our claims or there is a legal obligation under Article 6 (1) lit. c GDPR.

Deletion takes place after the expiration of legal warranty and comparable obligations. The necessity of data retention is reviewed every three years; in the case of legal archiving obligations, deletion takes place after their expiration (end of commercial (6 years) and tax (10 years) retention obligations).