Privacy policy

We, INUVET GmbH (hereinafter: "Inuvet", "we", or "us"), take the protection of your personal data seriously and would like to inform you here about data protection within our company.

Within the scope of our data protection responsibility, we have been imposed obligations, inter alia, by the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: "GDPR"), to ensure the protection of personal data of the data subject affected by processing (we will also refer to you as the data subject hereinafter as "Customer", "User", or "Data Subject").

Insofar as we decide, either alone or jointly with others, on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the type, scope, purpose, duration, and legal basis of the processing (cf. Art. 13 and Art. 14 GDPR). With this declaration (hereinafter: "Privacy Policy"), we inform you about how your personal data is processed by us.

1. Definitions

Following the model of Art. 4 GDPR, the following definitions form the basis of this Privacy Policy:

• "Personal Data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data, or by reference to information about their physical, physiological, genetic, psychological, economic, cultural, or social identity characteristics. Identifiability may also be given by linking such information or other supplementary knowledge. The origination, form, or embodiment of the information is irrelevant (photos, video, or audio recordings can also contain personal data).

• "Processing" (Art. 4 No. 2 GDPR) means any operation or set of operations which is performed on personal data, whether or not by automated means (i.e., technology-assisted). This includes in particular the collection (i.e., the obtaining), recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data, as well as the modification of a target or purpose originally underlying a data processing operation.

• "Controller" (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• "Third Party" (Art. 4 No. 10 GDPR) means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data; this also includes other legal persons belonging to the group.

• "Processor" (Art. 4 No. 8 GDPR) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular according to its instructions (e.g., IT service provider). In terms of data protection law, a processor is not a Third Party.

• "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Controller & Contact

2.1 The Controller for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR is us:

INUVET GmbH

Berner Weg 7–25

79539 Lörrach

Germany

E-mail: info@inuvet.com

Phone: +49 7621 57915-10

Fax: +49 7621 57915-12

2.2 If you wish to assert your rights or have questions or comments on the collection and processing of your personal data that this Privacy Policy cannot answer, or if you would like more detailed information on any point, please contact the contact point mentioned above.

3. Data Collection upon Contacting Us

3.1 If you contact us by email, telephone, via a messenger service, or via a contact form, your email address, your name, your telephone number, and all other personal data you provided during the contact will be stored by us so that we can contact you to answer your question.

3.2 We delete this data as soon as storage is no longer necessary. If statutory retention periods exist, the data remains stored, but we restrict the processing.

4. Data Subject Rights

The following data subject rights are available to you:

4.1. Right of Access

4.1.1 You have the right, to the extent of Art. 15 GDPR, to receive information from us about the personal data concerning you.

4.1.2 This requires a request from you, which must be sent either by email or by post to the addresses provided above (see 2.1).

4.2 Right to Object to Data Processing and Withdrawal of Consent¹

4.2.1 Pursuant to Art. 21 GDPR, you have the right to object at any time to the processing of personal data concerning you. We will stop processing your personal data unless we can demonstrate compelling legitimate g²rounds for the processing which override your interests, rights, and freedoms, or if the processing serves for the establishment, exercise, or defense of legal claims.

4.2.2 Pursuant to Art. 7 para. 3 GDPR, you have the right to withdraw your consent – i.e., your voluntary, informed, and unambiguous will, made understandable by a statement or other clear affirmative action, that you agree to the processing of the personal data concerned for one or more specific purposes – at any time, if you have given such consent (even before the GDPR came into force, i.e., before 25 May 2018). This means that we may no longer continue the data processing based on this consent in the future.

4.2.3 In this regard, please contact the contact point provided above (see 2.1).

4.3 Right to Rectification and Erasure

4.3.1 Insofar as personal data concerning you is inaccurate, you have the right, pursuant to Art. 16 GDPR, to request immediate rectification from us. Please contact the contact point provided above (see 2.1) with a request in this regard.

4.3.2 Under the conditions mentioned in Art. 17 GDPR, you have the right to request the erasure of personal data concerning you. Please contact the contact point provided above (see 2.1) with a request in this regard. The right to erasure is particularly available to you if the data in question is no longer necessary for the collection or processing purposes, if the data storage period (see C. 7.) has expired, an objection exists (see 4.2.), or unlawful processing is present.

4.4 Right to Restriction of Processing

4.4.1 Subject to the provisions of Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data from us.

4.4.2 Please contact the contact point provided above (see 2.1) with a request in this regard.

4.4.3 The right to restriction of processing is particularly available to you if the accuracy of the personal data is disputed between you and us; in this case, the right is available to you for a period required to verify the accuracy. The same applies if the successful exercise of a right to object (see 4.2.) is still disputed between you and us. This right is also particularly available to you if you have a right to erasure (see 4.3.) and you request restricted processing instead of erasure.

4.5. Right to Data Portability

4.5.1 Subject to the provisions of Art. 20 GDPR, you have the right to receive from us the personal data concerning you which you have provided to us, in a structured, commonly used, and machine-readable format.

4.5.2 Please contact the contact point provided above (see 2.1) with a request in this regard.

4.6 Right to Lodge a Complaint with the Supervisory Authority

4.6.1 Pursuant to Art. 77 GDPR, you have the right to lodge a complaint about the collection and processing of your personal data with the competent supervisory authority.

4.6.2 You can reach the competent supervisory authority at the following contact details:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg (The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg)

Postfach 10 29 32

70025 Stuttgart

E-mail: poststelle@lfdi.bwl.de

5. Purpose

5.1 We process the personal data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations, and only to the extent required. Insofar as the processing of personal data is based on Art. 6 para. 1 sentence 1 lit. f GDPR, the mentioned purposes also constitute our legitimate interests.

5.2 We can only make our contractual services available to you if, when using them, certain data about you that is necessary for the fulfilment of the contract and the operation of our online portal is collected by us.

5.3 We collect this data only if it is necessary for the fulfilment of the contract between you and us (Art. 6 para. 1 lit. b GDPR). Furthermore, we collect this data if it is necessary for the functionality of the portal or the contractual service and your interest in the protection of your personal data does not override this (Art. 6 para. 1 lit. f GDPR).

5.4 The processing of protocol data ("Server-Log-Files") serves statistical purposes and the improvement of the quality of our website, in particular the stability and security of the connection (the legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR).

5.5 The processing of contact form data is carried out for the handling of customer inquiries (the legal basis is Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR).

5.6 The processing of newsletter data is carried out for the purpose of sending the newsletter. The remaining provisions for sending our newsletters can be found under section 8.

5.7 Processing of your personal data for purposes other than those described only takes place insofar as a legal regulation permits this or you have consented to the changed purpose of the data processing.

5.8 In the event of further processing for purposes other than those for which the data was originally collected, we will inform you of these other purposes before the further processing and provide you with all further relevant information for this.

6. Duration of Storage & Erasure

6.1 We delete your personal data as soon as they are no longer necessary for the purposes for which we collected or used them (see 5.). As a rule, we store your personal data for the duration of the usage or contractual relationship. Your data is generally stored only on our servers in Germany, subject to any disclosure that may take place according to the regulations in sections 10-17.

6.2 Storage may, however, take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings.

6.3 Third parties employed by us (see sections 8, 10-17) will store your data on their system for as long as is necessary in connection with the provision of the service for us in accordance with the respective order.

6.4 Legal requirements for the retention and erasure of personal data remain unaffected by the above (e.g., $\S 257$ HGB or $\S 147$ AO). When the storage period prescribed by the statutory provisions expires, the personal data is blocked or erased, unless further storage by us is necessary and there is a legal basis for it.

7. Website

When using the websites for informational purposes, the following categories of personal data are collected, stored, and further processed by us:

7.1 "Log Files"

Our online shop is operated via the Shopify platform, a service of Shopify International Ltd., 2nd Floor, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland. Detailed information on the use and transfer of your data by this service can be found under Section 23 of this Privacy Policy. As part of the operation of our online shop, technical log data is stored by Shopify to ensure the security, stability, and functionality of our web offering. These log data include in particular:

• the page from which the page was requested (so-called Referrer URL)*

• the name and URL of the requested page

• the date and time of the request

• the description of the type, language, and version of the web browser used*

• the IP address of the requesting computer, which is shortened so that a personal reference can no longer be established

• the amount of data transferred

• the operating system*

• the browser type*

• the message whether the request was successful (access status/Http status code)

• the GMT time zone difference

• system and application logs (e.g., technical access, error messages, system events)

• store activity logs (e.g., access by apps and users)

*The data is only stored by us if your browser transmits this data to us.

7.2"Contact Form Data"

When using contact forms, the data transmitted through them is processed (e.g., first and last name, email address, telephone number, and the time of transmission).

8. Registration & User Account

8.1 If you wish to use our services via our online portal, you must register by providing a valid email address, a self-chosen password, the phone number, your postcode, country, and your full first and last name and create a corresponding user account. The provision of the aforementioned data is mandatory; all other information can be provided voluntarily by using our online portal.

8.2 When you use our online portal, we store your data necessary for the performance of the contract, including payment details, until you permanently delete your access. Furthermore, we store the voluntary data provided by you for the time of your use of the online portal, unless you delete it beforehand. All details can be managed and changed in the protected customer area. The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR.

8.3 Our online portal allows the use of various user types (e.g., veterinarians and pet owners). These are equipped with different authorisations and can, depending on the implementation, view data from other user types. In no case will data be passed on to unauthorised Third Parties.

8.4 User Type "Veterinarian": Consent for Publication and Data Transfer

8.4.1 With their registration and participation in our "Recommendation Program," users of the "Veterinarian" type also consent to the use and provision of their data within the scope of our "Veterinarian Recommendation Program". If you register as a veterinarian or veterinary facility in our database, we process the personal data transmitted by you (e.g., name, practice name, address, telephone number, email address, opening hours, specialisation areas) on the basis of your explicit consent pursuant to Art. 6 para. 1 lit. a GDPR.

8.4.2 This data is used to display your practice on our website in a public veterinarian database and/or in an interactive map or list, which is publicly accessible to interested users. The purpose is to support consumers in finding suitable veterinary contact points.

8.4.3 Additionally, we may transfer your contact details to interested consumers, provided they send us a targeted inquiry, for example, for the referral of a veterinarian in their region. The transfer takes place exclusively for this purpose and on the basis of your consent.

8.4.4 Your consent can be revoked at any time with effect for the future. The revocation can be made informally by email to info@inuvet.com. In the event of revocation, your data will be removed from the public display and our referral database.

8.4.5 Further information on the processing of your data and your rights as a data subject (e.g., right to access, rectification, erasure, restriction of processing, data portability, and complaint to a supervisory authority) can be found in the general notes in this Privacy Policy.

9. Newsletter

9.1 With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers. The advertised goods and services are named in the declaration of consent.

9.2 We use the so-called double opt-in procedure for subscribing to our newsletter. This means that after your registration, we send you an email to the provided email address, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within one month, your information will be automatically deleted after one month. In addition, we store the respective times of registration and confirmation. The purpose of the procedure is to be able to prove your registration and, if necessary, to investigate a possible misuse of your personal data.

9.3 Mandatory information for sending the newsletter is your email address, postcode, country, and practice name. The provision of further, separately marked data is voluntary and is used to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is Art. 6 para. 1 sentence 1 lit. a GDPR.

9.4 You can revoke your consent to receive the newsletter and unsubscribe from the newsletter at any time. You can declare the revocation by clicking on the link provided in every newsletter email, by email to info@inuvet.com, or by a message to the contact details provided in the imprint.

9.5 The newsletter is sent by the dispatch service provider Salesforce Marketing Cloud.

9.6 We use Salesforce Marketing Cloud on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR and a Data Processing Agreement pursuant to Art. 28 para. 3 sentence 1 GDPR.

9.7 Salesforce Marketing Cloud uses this information for sending and evaluating the newsletter on our behalf. Our legitimate interest in the processing of your data is also covered by these purposes. Furthermore, Salesforce Marketing Cloud can, according to its own information, use this data for the optimisation or improvement of its own services, e.g., for the technical optimisation of the dispatch and the display of the newsletters. However, Salesforce Marketing Cloud does not use the data of our newsletter recipients to write to them directly or to pass them on to Third Parties.

9.8 The privacy policy of Salesforce Marketing Cloud can be found at:

https://www.salesforce.com/de/company/legal/privacy/#privacy-statement

9.9. We point out that we evaluate your user behaviour when sending the newsletter. For this evaluation, the emails sent contain so-called web beacons or tracking pixels, which are single-pixel imag³e files stored on our website. For the evaluations, we link the data mentioned in $\S 3$ and the web beacons with your email address and an individual ID. The data is collected exclusively in a pseudonymised form, meaning the IDs are not linked to your other personal data, and direct personal identifiability is excluded.

9.10 You can object to this tracking at any time by clicking on the separate link provided in every email or by informing us via another contact method. The information is stored for as long as you are subscribed to the newsletter. After unsubscribing, we store the data purely statistically and anonymously. Such tracking is also not possible if you have disabled the display of images by default in your email program. In this case, the newsletter will not be displayed to you completely, and you may not be able to use all functions. If you manually display the images, the tracking mentioned above takes place.

10. Personalised Advertising and Retargeting

10.1 We use technologies for personalised advertising and retargeting on our website to display advertisements tailored individually to your interests – both on our website and on Third-Party websites or in social networks.

10.2 For this purpose, with your consent, information about your usage behaviour on our website, such as pages visited or products viewed, is collected and processed. This is usually done via cookies, pixels, or comparable tracking technologies. The data obtained in this way can be combined with further information from Third-Party sources (e.g., your user profile on Google or Meta) to provide personalised advertising content for you.

10.3 The processing is carried out exclusively on the basis of your explicit consent pursuant to Art. 6 para. 1 lit. a GDPR and $\S 25$ para. 1 TTDSG (for the setting of cookies/trackers), which you can give via our Consent Management Tool (Cookie Banner).

10.4 The services used may also transfer data to servers outside the European Union (e.g., in the USA). In these cases, the transfer is carried out on the basis of suitable safeguards pursuant to Art. 44 et seq. GDPR, in particular Standard Contractual Clauses or within the framework of the EU–U.S. Data Privacy Framework, if applicable.

10.5 You can revoke your consent at any time with effect for the future by changing the settings in our Consent Banner or deactivating personalised advertising via the respective services.

10.6 Further information on the specific services used (e.g., Google Ads Remarketing, Bing, Hotjar, etc.) and on data processing by Third Parties can be found in the corresponding sections of this Privacy Policy.

11. Cookies

11.1 We use cookies on our websites. Cookies are small text files that are assigned and stored on your hard drive by the browser you use through a characteristic string of characters, and through which certain information flows to the party setting the cookie. Cookies cannot run programs or transmit viruses to your computer and therefore cannot cause damage. They serve to make the overall internet offering more user-friendly and effective, and thus more pleasant for you.

11.2 Cookies can contain data that enables the recognition of the device used. In part, however, cookies also only contain information about certain settings that are not personally identifiable. However, cookies cannot directly identify a user.

11.3 A distinction is made between session cookies, which are deleted again as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, a distinction is made between cookies as follows:

• "Technical Cookies": These are strictly necessary to navigate the website, use basic functions, and ensure the security of the website; they do not collect information about you for marketing purposes or store which websites you have visited;

  "Performance Cookies": These collect information about how you use our website, which pages you visit and, for example, whether errors occur when using the website; they do not collect information that could identify you – all collected information is anonymous and is only used to improve our website and find out what interests our users;

• "Advertising Cookies", "Targeting Cookies": These are used to offer the website user demand-oriented advertising on the website or offers from Third Parties and to measure the effectiveness of these offers; Advertising and Targeting Cookies are stored for a maximum of 13 months;

• "Sharing Cookies": These are used to improve the interactivity of our website with other services (e.g., social networks); Sharing Cookies are stored for a maximum of 13 months.

11.4 Any use of cookies that is not strictly technically necessary constitutes data processing that is only permitted with your explicit and active consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. This applies in particular to the use of Advertising, Targeting, or Sharing Cookies. Furthermore, we only disclose your personal data processed by cookies to Third Parties if you have given an explicit consent to this pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

11.5 Our website uses our Consent Technology to obtain your consent for the storage of certain cookies on your terminal equipment or for the use of certain technologies and to document this in compliance with data protection regulations.

When you enter our website, a connection is established to our servers to obtain your consents and other declarations regarding cookie use. We then store a cookie in your browser to be able to assign the granted consents or their revocation to you. The data collected in this way is stored until you request us to delete it, delete the cookie yourself, or the purpose for data storage ceases to apply. Mandatory legal retention obligations remain unaffected.

The use of our Consent Technology is carried out to obtain the legally required consents for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.

12. Contract Data Processing & Data Transfer

12.1 It may happen that contracted service providers are used for individual functions of our services and our online portal. As with any larger company, we also use external domestic and foreign service providers for the execution of our business transactions (e.g., for the areas of IT, logistics, telecommunications, sales, and marketing). These act only according to our instructions and have been contractually obliged within the meaning of Art. 28 GDPR to comply with the data protection provisions.

12.2 The following categories of recipients, who are usually Processors, may gain access to your personal data:

• Service providers for the operation of our websites and our online portal and the processing of the data stored or transmitted by the systems (e.g., for data centre services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, insofar as they are not Processors;

• State bodies/authorities, insofar as this is necessary to fulfil a statutory obligation. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR;

• Persons employed for the execution of our business operations (e.g., auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the formation of joint ventures). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

12.3 Regarding the guarantees of an adequate level of data protection when transferring data to Third Countries, see Section 13.

12.4 Furthermore, we only transfer your personal data to Third Parties if you have given an explicit consent to this pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

12.5 If personal data from you is transferred by us to affiliated companies or transferred by them to us (e.g., for advertising purposes), this is done on the basis of existing contract processing relationships.⁶

 

13. Transfer to Third Countries⁷

13.1 Within the framework of our business relationships, your personal data may be transferred or disclosed to Third-Party companies. These may also be located outside the European Economic Area (EEA), i.e., in Third Countries. Such processing takes place exclusively for the fulfilment of contractual and business obligations and for maintaining your business relationship with us. We will inform you below of the respective details of the transfer at the relevant points.

13.2 The European Commission certifies to some Third Countries, through so-called Adequacy Decisions, a level of data protection that is comparable to the EEA standard (a list of these countries and a copy of the Adequacy Decisions can be obtained here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions). However, in other Third Countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. Where this is the case, we ensure that data protection is adequately guaranteed. This is possible through binding corporate rules, Standard Contractual Clauses of the European Commission for the protection of personal data, certificates, or recognised codes of conduct. If you would like to receive more detailed information on this, please contact the contact point specified in Section 2.1.

14. Google Analytics

14.1 This website uses Google Analytics, a web analysis service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are stored on your computer and enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, in the event that IP anonymisation is activated on this website, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website use and internet use to the website operator.

14.2 The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data.

14.3 You can prevent the storage of cookies by setting your browser software accordingly; however, we point out to you that in this case you may not be able to fully use all functions of this website. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

14.4 This website uses Google Analytics with the extension "_anonymizeIp()". This means that IP addresses are processed in a shortened form, which excludes personal identifiability. Insofar as the data collected about you has a personal reference, this is immediately excluded and the personal data is immediately deleted.

14.5 We use Google Analytics to analyse the use of our website and to regularly improve it. Through the statistics obtained, we can improve our offer and make it more interesting for you as a user. For the exceptional cases in which personal data is transferred to the USA, a contract has been concluded with Google using the EU Standard Contractual Clauses and further measures for the protection of personal data have been taken. The legal basis for the use of Google Analytics is Art. 6 para. 1 sentence 1 lit. f GDPR.

14.6 Information on the Third-Party provider:

Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001.

• User Terms: http://www.google.com/analytics/terms/de.html

• Privacy Policy: http://www.google.de/intl/de/policies/privacy

15. Google Ads Conversion

15.1 We use the offer of Google Adwords to draw attention to our attractive offers on external websites with the help of advertising materials (so-called Google Adwords). We can determine, in relation to the data of the advertising campaigns, how successful the individual advertising measures are. We thus pursue the interest of showing you advertising that is of interest to you, making our website more interesting for you, and achieving a fair calculation of advertising costs.

15.2 These advertising materials are delivered by Google via so-called "Ad Servers". For this purpose, we use Ad Server Cookies, through which certain parameters for measuring success, such as the display of the ads or clicks by the users, can be measured. If you reach our website via a Google ad, a Google Adwords cookie is stored on your PC. These cookies usually lose their validity after 30 days and are not intended to identify you personally. Analysis values such as the Unique Cookie ID, the number of Ad Impressions per placement (Frequency), the last impression (relevant for post-view conversions), and opt-out information (marking that the user no longer wishes to be contacted) are usually stored for this cookie.

15.3 These cookies enable Google to recognise your Internet browser. If a user visits certain pages of an Adwords customer's website and the cookie stored on their computer has not yet expired, Google and the customer can recognise that the user clicked on the ad and was redirected to this page. A different cookie is assigned to each Adwords customer. Cookies can therefore not be tracked across Adwords customers' websites. We ourselves do not collect and process any personal data in the mentioned advertising measures. We only receive statistical evaluations from Google. Based on these evaluations, we can recognise which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising materials, in particular, we cannot identify the users based on this information.

15.4 Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our knowledge: By integrating AdWords Conversion, Google receives the information that you have accessed the corresponding part of our website or clicked on an ad from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out and store your IP address.

15.5 You can prevent participation in this tracking procedure in various ways: a) by setting your browser software accordingly, in particular, suppressing Third-Party cookies will result in you not receiving ads from Third-Party providers; b) by deactivating cookies for conversion tracking, by setting your browser to block cookies from the domain "www.googleadservices.com", https://www.google.de/settings/ads, whereby this setting will be deleted if you delete your cookies; c) by deactivating the interest-based ads of the providers who are part of the self-regulation campaign "About Ads", via the link http://www.aboutads.info/choices, whereby this setting will be deleted if you delete your cookies; d) by permanent deactivation in your browsers Firefox or Google Chrome under the link http://www.google.com/settings/ads/plugin. We point out that in this case you may not be able to fully use all functions of this offer.

15.6 The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR. Further information on data protection at Google can be found here: http://www.google.com/intl/de/policies/privacy and https://services.google.com/sitestats/de.html. Alternatively, you can visit the Network Advertising Initiative (NAI) website at https://thenai.org/.

15.7 Google has a certification according to the "EU-US Data Privacy Framework" (DPF). The DPF is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards in data processing in the USA. Every company certified under the DPF undertakes to adhere to these data protection standards. You can obtain further information on this from the provider at the following link: https://www.dataprivacyframework.gov/list

15.8 The transfer of data to [Google Analytics / Google Ads / Meta Ads] does not take place directly from the user's browser (Client) with us, but server-side via a so-called proxy solution using Stape.io. Tracking data is first sent to our own server, before it is controlled, possibly shortened, and then forwarded to the respective Third-Party providers.

Through this server-side tracking (Server-Side Tagging), we increase data security, reduce the direct data transfer by Third-Party scripts in the browser, and retain full control over what information is transmitted.

Stape.io does not process the data for its own purposes but serves exclusively as a technical service provider on our behalf. The use is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you can give via our Consent Banner.

Further information on the function and data protection of Stape.io can be found at:

https://stape.io/privacy-policy

16. Google Ads Remarketing

16.1 We use functions of Google Ads Remarketing on our website, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

16.2 With the help of Google Ads Remarketing, we can display targeted advertisements on other websites within the Google network to users who have already visited our website and expressed interest in certain offers. For this purpose, Google uses cookies or similar technologies to enable the recognition of the respective user across devices.

16.3 The use of this service only takes place with your explicit consent pursuant to Art. 6 para. 1 lit. a GDPR, which you can give via our Consent Banner.

16.4 The data collected within the scope of Google Ads Remarketing can be transferred to servers of Google LLC in the USA and processed there. Google relies on the Standard Contractual Clauses (SCC) of the EU Commission and the EU-U.S. Data Privacy Framework, if applicable, for international data transfers.

16.5 You can prevent collection by Google at any time by withdrawing your consent in the Cookie Banner or deactivating personalised advertising in your Google account:

https://adssettings.google.com/

16.6 Further information on data protection at Google can be found at:

https://policies.google.com/privacy

16.7 The transfer of data to [Google Analytics / Google Ads / Meta Ads] does not take place directly from the user's browser (Client) with us, but server-side via a so-called proxy solution using Stape.io. Tracking data is first sent to our own server, before it is controlled, possibly shortened, and then forwarded to the respective Third-Party providers.

Through this server-side tracking (Server-Side Tagging), we increase data security, reduce the direct data transfer by Third-Party scripts in the browser, and retain full control over what information is transmitted.

Stape.io does not process the data for its own purposes but serves exclusively as a technical service provider on our behalf. The use is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you can give via our Consent Banner.

Further information on the function and data protection of Stape.io can be found at:

https://stape.io/privacy-policy

17. Google Tag Manager

17.1 We use the Google Tag Manager on our website, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

17.2 The Google Tag Manager is used to manage so-called website tags via a unified interface. Tags are small code elements that are used, e.g., to measure user behaviour, to integrate other services (e.g., Google Analytics or marketing tools), or to control cookies. The Tag Manager itself does not create user profiles, does not store cookies, and does not perform its own analysis. It merely ensures the loading and triggering of other tags, which may collect personal data.

17.3 The processing is carried out on the basis of Art. 6 para. 1 lit. f GDPR. Our legitimate interest lies in the efficient management of the services used on our website. If a corresponding consent for the use of analysis or marketing services has been granted, the processing also takes place on the basis of Art. 6 para. 1 lit. a GDPR.

17.4 Further information on the Google Tag Manager can be found in the usage guidelines of Google:

https://marketingplatform.google.com/about/tag-manager/use-policy/

17.5 The transfer of data to [Google Analytics / Google Ads / Meta Ads] does not take place directly from the user's browser (Client) with us, but server-side via a so-called proxy solution using Stape.io. Tracking data is first sent to our own server, before it is controlled, possibly shortened, and then forwarded to the respective Third-Party providers.

Through this server-side tracking (Server-Side Tagging), we increase data security, reduce the direct data transfer by Third-Party scripts in the browser, and retain full control over what information is transmitted.

Stape.io does not process the data for its own purposes but serves exclusively as a technical service provider on our behalf. The use is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you can give via our Consent Banner.

Further information on the function and data protection of Stape.io can be found at:

https://stape.io/privacy-policy

18. Tracify

18.1 We use the web analysis service Tracify on our website or on parts of our website to record the use of our website by its visitors and to evaluate and optimise the effectiveness of our advertising/marketing measures. Tracify is a web analysis service of Tracify GmbH with its registered office at Agnes-Pockels-Bogen 1, 80992 Munich. Tracify GmbH acts for us as a Processor on the basis of a Data Processing Agreement pursuant to Art. 28 GDPR.

18.2 Tracify enables an analysis of website use and the Customer Journey without storing cookies or other information on the user's terminal equipment, but exclusively based on browser and device information such as the user's IP address, the configuration of the respective User-Agent (User-Agent-String),¹¹ usage data, order information, contact data, the screen resolution, the installed fonts and plugins, and the processor of the respective device.

18.3 The information transmitted to Tracify is completely and irreversibly anonymised immediately after transmission, so that a personal reference is excluded. Only the anonymised, aggregated information is evaluated.

18.4 Data processing when using Tracify takes place entirely in Germany; there is no data transfer to unsafe Third Countries without an adequate level of data protection.

18.5 The legal basis for the use of Tracify is our legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR in a needs-based design of the website and in the evaluation and optimisation of our marketing measures.

19. Salesforce Data & Marketing Cloud

19.1 This website uses Salesforce Data & Marketing Cloud, web analysis services of Salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany. ("Salesforce").

19.2 Salesforce Data Cloud (formerly Genie) is a platform for the real-time processing and analysis of customer data. Pseudonymised usage and interaction data from various sources are merged to create a consistent and current customer profile. This data is used exclusively for the optimisation of user experiences, personalisation of offers, and for the improvement of our marketing. The processing is carried out on the basis of our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, as it serves the economic optimisation of our online offering. Data processing takes place within the EU or on the basis of suitable safeguards, such as Standard Contractual Clauses (SCC).

19.3 Salesforce Marketing Cloud is a cloud-based marketing tool that is used for the creation, management, and evaluation of personalised marketing campaigns. Pseudonymised data on the use of our website, purchases, or reaction to emails are processed here to provide targeted information on products and promotions. The use of this service is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR, provided you have expressly consented to the use of cookies or email marketing. The data is processed in secure data centres; any transfers to Third Countries are carried out in compliance with the applicable data protection requirements, in particular by concluding EU Standard Contractual Clauses.

19.4 Salesforce.com Germany GmbH acts as a Processor. A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR has been concluded. Data transfers to Third Countries are based on Standard Contractual Clauses or Binding Corporate Rules.

20. Stape.io

20.1 We use Stape.io on our website, a server-side tracking tool of Stape Inc., 30 N Gould St Ste R, Sheridan, WY 82801, USA, to process analysis and marketing data in a more privacy-friendly manner.

20.2 In contrast to conventional client-side tracking (e.g., via JavaScript tags in the browser), with server-side tracking, data is first sent to our own tracking server (e.g., via Google Tag Manager Server-Side Container). From there, it is controlled and possibly pseudonymised before being forwarded to Third-Party services such as Google Analytics or Meta Ads.

20.3 The use of Stape.io serves to improve loading speed, accuracy, and data security when using web analysis and marketing tools.

20.4 The processing of your data is carried out on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR, which you can give via our Consent Banner. Without your consent, no transfer to tracking or marketing services takes place.

20.5 Stape.io itself does not store or analyse personal data for its own purposes. The servers may also be located outside the EU, in particular in the USA. In these cases, the transfer of your data is carried out on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR, which have been contractually agreed with Stape, to ensure an adequate level of data protection.

20.6 Further information on data protection at Stape.io can be found at:

https://stape.io/privacy-policy

21. Bing Ads (Microsoft Advertising)

21.1 We use the Conversion Tracking of Microsoft Advertising (Bing Ads) on our website, a service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

21.2 A cookie is placed on your terminal equipment if you have reached our website via a Microsoft Bing ad. This allows Microsoft and us to recognise that someone has clicked on an ad, been redirected to our website, and reached a previously defined target page (conversion measurement).

21.3 The data processing is carried out exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with $\S 25$ para. 1 TTDSG, which you can give via our Consent Banner. You can revoke your consent at any time with effect for the future by changing the settings in our Cookie Consent Tool.

21.4 Microsoft can also transfer certain data to the USA. In these cases, the transfer is carried out on the basis of the EU Standard Contractual Clauses (SCC) and, if applicable, the EU–U.S. Data Privacy Frameworks (DPF). We point out that despite these measures, a residual risk of an inadequate level of data protection in the USA cannot be completely ruled out.

21.5 Further information can be found in Microsoft's privacy policy:

https://privacy.microsoft.com/de-de/privacystatement

22. Hotjar

22.1 We use Hotjar, a web analysis service of Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta.

22.2 Hotjar enables us to better understand user behaviour on our website (e.g., clicks, scrolling behaviour, mouse movements) in order to make our online offering more user-friendly. For this purpose, Hotjar uses cookies and similar technologies. The collected information is pseudonymised and not used to identify individual users.

22.3 The processing is carried out exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with $\S 25$ para. 1 TTDSG. You can revoke your consent at any time via the settings in our Cookie Consent Tool.

22.4 More detailed information on data processing by Hotjar can be found at:

https://www.hotjar.com/legal/policies/privacy

23. Outbrain

23.1 We use the recommendation service Outbrain on our website, operated by Outbrain Inc., 39 West 13th Street, 3rd Floor, New York, NY 10011, USA.

23.2 Outbrain displays recommended content and advertising to you based on your previous usage behaviour. For this purpose, Outbrain uses cookies or similar technologies that create pseudonymous usage profiles.

23.3 The processing is carried out exclusively on the basis of your consent pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with $\S 25$ para. 1 TTDSG, which you can give via our Consent Banner. You can revoke your consent at any time with effect for the future via our Cookie Consent Tool.

23.4 Since Outbrain has its headquarters in the USA, data may be transferred to a Third Country. Such a transfer is carried out in compliance with the applicable data protection regulations, in particular on the basis of the EU Standard Contractual Clauses (SCC) and – where applicable – the EU–U.S. Data Privacy Frameworks (DPF). We point out that despite these measures, a residual risk of an inadequate level of data protection in the USA cannot be ruled out.

23.5 Further information on data protection at Outbrain can be found here:

https://www.outbrain.com/legal/privacy

24. Shopify

24.1 Our online shop is operated via the Shopify platform, a service of Shopify International Ltd., 2nd Floor, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland.

24.2 Shopify provides us with the technical infrastructure for the operation of the shop, payment processing, and secure storage of data. Personal data (e.g., name, address, email address, payment information, order data) is processed on our behalf.

24.3 Shopify may also transfer certain data to affiliated companies in Canada and the USA. For Canada, an Adequacy Decision of the EU Commission exists. For the USA, the transfer is carried out on the basis of the EU Standard Contractual Clauses (SCC) and, if applicable, the EU–U.S. Data Privacy Frameworks (DPF). We point out that despite these measures, a residual risk of an inadequate level of data protection in the USA cannot be ruled out.

24.4 The processing of your personal data by Shopify is carried out for the performance of the contract (Art. 6 para. 1 lit. b GDPR) and on the basis of our legitimate interest in a secure and efficient online shop operation (Art. 6 para. 1 lit. f GDPR).

24.5 Further information on data protection at Shopify can be found here:

https://www.shopify.com/legal/privacy

25. Data Security

We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or against unauthorised access by Third Parties, ta¹³king into account the state of the art, the implementation costs, and the nature, scope, context, and purpose of the proce¹⁴ssing as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in accordance with technological developments.

 

26. No Automated Individual Decision-Making (including Profiling)

We do not intend to use personal data collected from you for a procedure for automated individual decision-making (including profiling).

---

27. Legal Obligation to Transmit Certain Data

We may under certain circumstances be subject to a special statutory or legal obligation to provide the lawfully processed personal data to Third Parties, in particular public bodies (Art. 6 para. 1 sentence 1 lit. c GDPR).

---

28. Miscellaneous

In the context of the further development of data protection law as well as technological or organisational changes, our data protection notices are regularly reviewed for the need for adjustments or additions. You will be informed of any changes.