PRIVACY POLICY

INFORMATION REGARDING THE COLLECTION OF PERSONAL DATA AND CONTACT DETAILS OF THE CONTROLLER

We are pleased that you are visiting our website and thank you for your interest. In the following, we will inform you about how your personal data is handled when you use our website. Personal data is any data with which you can be personally identified.

The data processing on this website in the sense of the General Data Protection Regulation (GDPR) is carried out by:

Smilodox GmbH & Co. KG
Max-Brauer-Allee 48
22765 Hamburg

Telephone: 040 88167933

Email: info@smilodox.com

GENERAL INFORMATION

DATA COLLECTION WHEN VISITING OUR WEBSITE

When you use our website for informational purposes only, i.e., if you do not register or otherwise transmit information to us, we only collect the data that your browser transmits to our server (so-called "server log files"). When you access our website, we collect the following data, which is technically necessary for us to display the website to you:

• Our visited website
• Date and time of access
• Amount of data sent in bytes
• Source/reference from which you reached the page
• Browser used
• Operating system used
• IP address used (if applicable: in anonymized form)

Processing is carried out in accordance with Art. 6 Para. 1 lit. f GDPR based on our legitimate interest in improving the stability and functionality of our website. The data will not be passed on or used in any other way. However, we reserve the right to retrospectively check the server log files if there are concrete indications of illegal use.

HOW LONG DO WE STORE YOUR DATA?

In some parts of this privacy policy, we inform you how long we or the companies that process your data on our behalf store your data. If no such information is provided, we store your data until the purpose of the data processing ceases, you object to the data processing, or you withdraw your consent to the data processing.

In the event of an objection or withdrawal, we may, however, continue to process your data if at least one of the following conditions is met:

We have compelling legitimate grounds for continuing the data processing that override your interests, rights, and freedoms (only in the case of an objection to data processing; if the objection is to direct marketing, we cannot provide legitimate grounds).

The data processing is necessary for the establishment, exercise, or defense of legal claims (does not apply if your objection is directed against direct marketing).

We are legally obliged to retain your data. In this case, we will delete your data as soon as the condition(s) no longer apply.

SSL OR TLS ENCRYPTION

When you enter your data on websites, place online orders, or send emails via the Internet, you must always expect that unauthorized third parties may access your data. There is no complete protection against such access. However, we do everything in our power to protect your data as best as possible and to close security gaps as far as we can.

An important protective mechanism is the SSL or TLS encryption of our website, which ensures that data you transmit to us cannot be read by third parties. You can recognize the encryption by the lock icon in front of the entered internet address in your browser and by the fact that our internet address begins with https:// and not with http://.

DATA PROCESSING IN THE MOBILE APP

If you use our Smilodox app (iOS/Android), the following app-specific information applies in addition to the above explanations. The controller is the same as above (Smilodox GmbH & Co. KG). The app is used for shopping, account management, wish lists, and push notifications.

What data do we collect in the app?

Identifiers: Customer ID (upon registration), device/session IDs (e.g., for analytics and
crash reports).
Contact details: Name, email address, phone number, physical address (when using address
management in the app).
Usage data: App events (e.g., product views, shopping cart, checkout, wish list) and search
queries in the app – only with consent to usage analysis.
Purchase history: Purchase/checkout events for analytical purposes – only with consent to usage
analysis.
Location (approximate): approximate location derived from IP/GeoIP (e.g., country/city) for
analytics/diagnostics.
Diagnostic data: Crash and error reports (device/operating system, technical logs) for app
stability; essential and active by default (no opt-out in the app).
Push token: Device token for push notifications (Expo/Klaviyo), if you have granted appropriate
permissions.

Purposes and legal bases

Contract (Art. 6 para. 1 lit. b GDPR): Account, shopping cart, checkout, order processing
(Shopify).
Consent (Art. 6 para. 1 lit. a GDPR): Usage analysis (PostHog, incl.
search/product/checkout events) and marketing/push (Klaviyo). You can withdraw consent for
usage analysis and marketing at any time in the app under Account → Privacy & Security and
Notifications.
Legitimate interest (Art. 6 para. 1 lit. f GDPR): Security and fraud prevention, insofar as not
already covered by contract or consent.
Tracking/Marketing: We do not track you across other apps or websites for advertising
purposes. We only send marketing push notifications with your consent.

Recipients / Processors (App)

PostHog (usage analysis; consent): Events only if analysis consent is activated; upon registration,
possibly linked to email/customer ID (disclosed).
Sentry (crash/error reports; essential): Active by default; device/OS, no content.
Shopify: Account, shopping cart, checkout (contract).
Klaviyo: Push marketing (consent); device token and preferences.
Firebase (backend for push registration): Technical forwarding of push tokens to
Klaviyo; order processing.

Transfers to third countries

As with our website, data may also be transmitted in the app to providers in the USA (e.g.,
PostHog, Sentry, Klaviyo, Firebase/Google). Where we use processors, we use Standard
Contractual Clauses (SCC) and supplementary measures, as far as offered by the provider. For
details on the respective providers, please refer to their privacy policies.

Storage duration and deletion (App)

We store app data only as long as necessary for the purposes mentioned above or as required by
legal obligations. You can request the deletion of your data via Account → Delete account in the
app or by email to support@smilodox.com.

Your rights (App)

The rights mentioned under "YOUR RIGHTS" (access, rectification, erasure,
restriction, objection, withdrawal of consent, complaint to the supervisory authority) also apply
to data processed in the app. You can adjust or withdraw your consents directly in the app under
Account → Privacy & Security and Notifications. The deletion of your account and associated
data is possible via Account → Delete account in the app or by email to
support@smilodox.com.

ENCRYPTED PAYMENT TRANSACTIONS

Payment data, such as account or credit card numbers, are particularly sensitive. Therefore, payment transactions with common payment methods on our site are exclusively carried out via an encrypted SSL or TLS connection.

DATA TRANSFER TO THE USA

We also use tools on our website from companies that transfer and store your data in the USA and may further process it there. This is particularly important for you because your data in the USA does not enjoy the same protection as within the EU, where the General Data Protection Regulation (GDPR) applies. For example, US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this. It is therefore possible that US authorities (e.g., intelligence services) process, evaluate, and permanently store your data on US servers for surveillance purposes. We have no influence on these processing activities.

YOUR RIGHTS

Objection to data processing

IF YOU READ IN THIS PRIVACY POLICY THAT WE HAVE LEGITIMATE INTERESTS FOR PROCESSING YOUR DATA AND THEREFORE BASE THIS ON ART. 6 PARA. 1 S. 1 LIT. F) GDPR, YOU HAVE THE RIGHT TO OBJECT THERETO PURSUANT TO ART. 21 GDPR. THIS ALSO APPLIES TO PROFILING BASED ON THE AFOREMENTIONED PROVISION. THE PREREQUISITE IS THAT YOU STATE REASONS FOR THE OBJECTION THAT ARISE FROM YOUR PARTICULAR SITUATION. A JUSTIFICATION IS NOT REQUIRED IF THE OBJECTION IS DIRECTED AGAINST THE USE OF YOUR DATA FOR DIRECT MARKETING.

THE CONSEQUENCE OF THE OBJECTION IS THAT WE MAY NO LONGER PROCESS YOUR DATA. THIS ONLY DOES NOT APPLY IF ONE OF THE FOLLOWING CONDITIONS IS MET:

WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS.

THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

THE EXCEPTIONS DO NOT APPLY IF YOUR OBJECTION IS DIRECTED AGAINST DIRECT MARKETING OR AGAINST PROFILING CONNECTED THERETO.

Further rights

Withdrawal of your consent to data processing

Many data processing operations are based on your consent. You give this, for example, by checking a corresponding box in online forms before sending the form, or by allowing certain cookies when you visit our website. You can withdraw your consent at any time without giving reasons (Art. 7 Para. 3 GDPR). From the time of withdrawal, we may no longer process your data. The only exception: We are legally obliged to store the data for a certain period of time. Such retention periods exist in particular in tax and commercial law.

Right to complain to the competent supervisory authority

If you believe that we are violating the General Data Protection Regulation (GDPR), you have the right to complain to a supervisory authority in accordance with Art. 77 GDPR. You can contact a supervisory authority in the Member State of your habitual residence, your place of work or the place of the alleged infringement. The right to complain exists in addition to administrative or judicial remedies.

Right to data portability

Data that we process automatically on the basis of your consent or in fulfillment of a contract must be handed over to you or a third party in a common, machine-readable format if you request it. We can only transfer the data to another controller if this is technically feasible.

Right to information, deletion, and rectification of data

According to Art. 15 GDPR, you have the right to receive free information about which personal data we have stored about you, where the data originated, to whom we transmit the data, and for what purpose it is stored. If the data is incorrect, you have a right to rectification (Art. 16 GDPR); under the conditions of Art. 17 GDPR, you may request that we delete the data.

Right to restriction of processing

In certain situations, you can request that we restrict the processing of your data in accordance with Art. 18 GDPR. The data may then – apart from storage – only be processed as follows:

• with your consent
• for the assertion, exercise or defense of legal claims
• to protect the rights of another natural or legal person
• for reasons of an important public interest of the European Union or a Member State

The right to restrict processing exists in the following situations:

• You have disputed the accuracy of your personal data stored by us and we need time to verify this. Here, the right exists for the duration of the review.
• The processing of your personal data is unlawful or was unlawful in the past. Here, the right exists as an alternative to the deletion of the data.
• We no longer need your personal data, but you need them for the exercise, defense or assertion of legal claims. Here, the right exists as an alternative to the deletion of the data.
• You have lodged an objection pursuant to Art. 21 Para. 1 GDPR and now your and our interests must be weighed against each other. Here, the right exists as long as the outcome of the weighing has not yet been determined.

HOSTING AND CONTENT DELIVERY NETWORKS (CDN)

External Hosting

Our website is hosted on a server of the following internet service provider (hoster):

Shopify International Limited Victoria Buildings
1-2 Haddington Road
Dublin 4, D04 XN32, Ireland

We use the shop system of the service provider Shopify International Limited for the purpose of hosting and displaying the online shop, based on processing on our behalf. All data collected on our website is processed on Shopify's servers. Within the framework of the aforementioned services of Shopify, data may also be transmitted for further processing on behalf of Shopify Inc., 150 Elgin St, Ottawa, ON K2P 1L4, Canada, Shopify Data Processing (USA) Inc., Shopify Payments (USA) Inc. or Shopify (USA) Inc. In the event of data being transmitted to Shopify Inc. in Canada, an adequate level of data protection is ensured by the adequacy decision of the European Commission. Further information on Shopify's data protection can be found on the following website: https://www.shopify.de/legal/datenschutz. Shopify has also included a Data Processing Addendum in its General Terms and Conditions. The Data Processing Addendum can be found at: https://www.shopify.com/legal/dpa Further processing on servers other than those mentioned above by Shopify will only take place within the scope communicated below.

Was a data processing agreement concluded with the hoster or are Standard Contractual Clauses (SCC) used?

Yes. We have concluded a data processing agreement with Shopify. This is a contract required by data protection law that ensures that Shopify processes the personal data of our website visitors only according to our instructions and in compliance with the GDPR.

How do we process your data?

The host stores all data of our website. This includes all personal data that is collected automatically or through your input. This may include: your IP address, pages accessed, names, contact details and inquiries, as well as meta and communication data. In processing data, our host complies with our instructions and processes data only to the extent necessary to fulfill its service obligations to us.

On what legal basis do we process your data?

Since we use our website to address potential customers and maintain contact with existing customers, the data processing by our host serves to initiate and fulfill contracts and is therefore based on Art. 6 para. 1 lit. b) GDPR. Furthermore, it is our legitimate interest as a company to provide a professional internet presence that meets the necessary requirements for security, speed, and efficiency. In this respect, we also process your data on the basis of Art. 6 para. 1 lit. f) GDPR.

Microsoft Azure

What is Microsoft Azure?

A cloud hosting provider

Who processes your data?

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

Has a data processing agreement been concluded with Microsoft?

Yes.

Where can you find more information about data protection at Microsoft?

https://privacy.microsoft.com/de-de/privacystatement

On what basis do we transfer your data to the USA and other third countries?

Microsoft adheres to the European Commission's standard contractual clauses (cf. https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses)

How do we process your data?

As a cloud hosting service, Microsoft Azure stores certain data from our website. This includes certain personal data, e.g., your IP address, pages accessed, names, contact details and inquiries, as well as meta and communication data. In addition to the cloud function of the service, we also use functions for loading scripts and applications within the service. When processing data, the service provider processes data only to the extent necessary to fulfill its service obligations to us.

On what legal basis do we process your data?

Since we use our website to address potential customers and maintain contact with existing customers, the data processing by our cloud hosting service provider serves to initiate and fulfill contracts and is therefore based on Art. 6 para. 1 lit. b) GDPR. Furthermore, it is our legitimate interest as a company to provide a professional internet presence that meets the necessary requirements for security, speed, and efficiency. In this respect, we also process your data on the basis of Art. 6 para. 1 lit. f) GDPR.

Shopify CDN

What is Shopify CDN?

Shopify CDN is a Content Delivery Network (CDN).

Who processes your data?

Fastly Inc., San Francisco, CA, USA

Has a data processing agreement been concluded with Fastly Inc.?

Yes.

Where can you find more information about data protection at Fastly Inc.?

https://www.fastly.com/de/privacy/

On what basis do we transfer your data to the USA?

Fastly Inc. has implemented compliance measures for international data transfers. These apply to all worldwide activities in which Fastly Inc. processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). More information can be found at https://www.fastly.com/de/data-processing

How do we process your data?

As part of using Shopify for our website, we use the services of Fastly Inc. The global Content Delivery Network ensures that all content we provide online reaches you quickly, even if large amounts of data have to be moved over long distances. This is made possible by Fastly Inc., with all its technical capabilities and servers around the world, being placed between our website and your browser, analyzing data traffic, and filtering out malicious data before it reaches our server. In doing so, Fastly Inc. also comes into contact with personal data collected via our website. In addition, the company may use cookies or other technologies to recognize internet users. Data processing by Cloudfront always serves exclusively the purpose of enabling fast data traffic.

On what legal basis do we process your data?

We have a legitimate interest in providing our website visitors with the fastest and most efficient online offering possible. Data processing therefore takes place on the basis of Art. 6 para. 1 lit. f) GDPR.

Cloudflare

What is Cloudflare?

Content Delivery Network (CDN) with Domain Name System (DNS)

Who processes your data?

Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA

Has a data processing agreement been concluded with Cloudflare?

Yes

Where can you find more information about data protection at Cloudflare?

https://www.cloudflare.com/privacypolicy/

On what basis do we transfer your data to the USA?

Based on the standard contractual clauses of the European Commission (cf. https://www.cloudflare.com/media /pdf/cloudflare-customer-dpa.pdf)

How do we process your data?

As part of using Shopify for our website, we use Cloudflare's services. The global content delivery network ensures that all content we provide online reaches you quickly, even if large amounts of data have to be moved over long distances. This is made possible by Cloudflare, with all its technical capabilities and servers around the world, being placed between our website and your browser, analyzing data traffic, and filtering out malicious data before it reaches our server. In doing so, Cloudflare also comes into contact with personal data collected via our website. In addition, the company may use cookies or other technologies to recognize internet users. Data processing by Cloudflare always serves exclusively the purpose of enabling fast data traffic.

On what legal basis do we process your data?

We have a legitimate interest in providing our website visitors with the fastest and most efficient online offering possible. Data processing therefore takes place on the basis of Art. 6 para. 1 lit. f) GDPR.

AWS Cloudfront

What is Cloudfront and why do we use Cloudfront?

Cloudfront is a Content Delivery Network (CDN).

Who processes your data?

Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg (AWS)

Has a data processing agreement been concluded with Cloudfront?

Yes.

Where can you find more information about data protection at Cloudfront?

https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice__German_Translation.pdf

On what basis do we transfer your data to the USA?

AWS has implemented compliance measures for international data transfers. These apply to all worldwide activities in which AWS processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). More information can be found at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

How do we process your data?

As part of using Shopify for our website, we use the services of Cloudfront. The global content delivery network ensures that all content we provide online reaches you quickly, even if large amounts of data have to be moved over long distances. This is made possible by Cloudfront, with all its technical capabilities and servers around the world, being placed between our website and your browser, analyzing data traffic, and filtering out malicious data before it reaches our server. In doing so, Cloudfront also comes into contact with personal data collected via our website. In addition, the company may use cookies or other technologies to recognize internet users. Data processing by Cloudfront always serves exclusively the purpose of enabling fast data traffic.

On what legal basis do we process your data?

We have a legitimate interest in providing our website visitors with the fastest and most efficient online offering possible. Data processing therefore takes place on the basis of Art. 6 para. 1 lit. f) GDPR.

USE OF COOKIES

Our website places cookies on your device. These are small text files that serve various purposes. Some cookies are technically necessary for the website to function at all (necessary cookies). Others are required to perform certain actions or functions on the site (functional cookies). For example, without cookies, it would not be possible to use the benefits of a shopping cart in an online shop. Still other cookies serve to analyze user behavior or optimize advertising measures. If we use third-party services on our website, e.g., for processing payments, these companies may also place cookies on your device when you access the website (so-called third-party cookies).

How do we process your data?

Session cookies are only stored on your device for the duration of a session. As soon as you close the browser, they disappear on their own. Permanent cookies, on the other hand, remain on your device if you do not delete them yourself. This can, for example, lead to your user behavior being analyzed permanently. You can influence how your browser handles cookies via its settings:

Do you want to be informed when cookies are set?
Do you want to exclude cookies generally or for specific cases?
Do you want cookies to be automatically deleted when you close the browser?

If you deactivate or do not allow cookies, the functionality of the website may be limited.

If we use cookies from other companies or for analysis purposes, we will inform you about this in this privacy policy. We will also ask for your consent in this regard when you access our website.

On what legal basis do we process your data?

We have a legitimate interest in ensuring that our online services can be used by visitors without technical problems and that all desired functions are available to them. The storage of necessary and functional cookies on your device therefore takes place on the basis of Art. 6 para. 1 lit. f) GDPR. We use all other cookies on the basis of Art. 6 para. 1 lit. a) GDPR, provided you give us corresponding consent. You can revoke this at any time with effect for the future. If you have consented to the placement of necessary and functional cookies when asked for consent, the storage of these cookies will also take place exclusively on the basis of your consent.

Cookie consent with CCM19

What is CCM19?

Updatable software for cookie consent, monitoring, and control

Who processes your data?

Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn

Has a data processing agreement been concluded with CCM19?

Yes

Where can you find more information about data protection at CCM19?

https://www.ccm19.de/datenschutzerklaerung.html

How do we process your data?

We use CCM19 to obtain your consent for storing cookies on your device and to document it in compliance with data protection regulations. When you visit our website and close the CCM19 cookie window requesting consent, the following data is transmitted to the company:

• Your IP address in anonymized form
• Date and time of consent
• Your browser's user agent
• The URL from which the consent was sent
• An anonymous, random, and encrypted key
• Your consent status, which serves as proof of consent

In addition, CCM19 stores a cookie in your browser to associate the given consents or their revocation with your browser. All collected data is stored until the cookies are no longer needed, you delete the CCM19 cookie, or you request us to delete the data. This does not apply if we are legally obliged to retain the data.

On what legal basis do we process your data?

We are legally obliged to obtain the consent of our website visitors for the use of certain cookies. To fulfill this obligation, we use CCM19. The legal basis for data processing is therefore Art. 6 para. 1 lit. c) GDPR.

CONTACT

We offer the following options for contacting us:

Gorgias

What is Gorgias?

Cloud-based customer support platform offering helpdesk ticketing, live chat, and customer service support functions

Who processes your data?

Gorgias Inc., 611 Mission St FL 6 San Francisco, CA, 94105-3536 United States

Has a data processing agreement been concluded with Gorgias?

Yes

Where can you find more information about data protection at Gorgias?

https://www.gorgias.com/privacy/privacy

On what basis do we transfer your data to the USA?

Gorgias has established internal company policies to ensure GDPR-compliant data transfer (cf. https://www.gorgias.com/privacy/gdpr)

How do we process your data?

We use Gorgias for communication with our customers. If you send us an inquiry via the platform, you only need to provide your email address. We store your message and email address until the expiry of the statutory retention period. If there is no such period, we delete your data at your request or once your inquiry has been definitively processed. If you submit your question via the chat window, the same applies, except that your IP address is stored instead of your email address.

On what legal basis do we process your data?

As a company, we have a legitimate interest in being able to process customer inquiries quickly and efficiently. The processing of your data is therefore based on Art. 6 para. 1 lit. f) GDPR.

Contact Form

You can send us a message via the contact form on this website.

How do we process your data?

We store your message and the information from the form to process your inquiry, including follow-up questions. This also applies to the contact details provided. We will not pass on your data to other persons without your consent.

How long do we store your data?

We delete your data as soon as one of the following occurs:

• Your inquiry has been definitively processed.
• You request us to delete the data.
• You withdraw your consent to storage.

This only does not apply if we are legally obliged to retain the data.

On what legal basis do we process your data?

If your inquiry is related to our contractual relationship or serves the implementation of pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b) GDPR. In all other cases, it is our legitimate interest to process inquiries addressed to us effectively. The legal basis for data processing is therefore Art. 6 para. 1 lit. f) GDPR. If you have consented to the storage of your data, Art. 6 para. 1 lit. a) GDPR is the legal basis. In this case, you can revoke your consent at any time with future effect.

Inquiry by email, phone, or fax

You can send us a message by email or fax or call us.

How do we process your data?

We store your message and the contact details you provided or the transmitted phone number to process your inquiry, including follow-up questions. We will not pass on your data to other persons without your consent.

How long do we store your data?

We delete your data as soon as one of the following occurs:

• Your inquiry has been definitively processed.
• You request us to delete the data.
• You withdraw your consent to storage.

This only does not apply if we are legally obliged to retain the data.

On what legal basis do we process your data?

If your inquiry is related to our contractual relationship or serves the implementation of pre-contractual measures, we process your data on the basis of Art. 6 para. 1 lit. b) GDPR. In all other cases, it is our legitimate interest to process inquiries addressed to us effectively. The legal basis for data processing is therefore Art. 6 para. 1 lit. f) GDPR. If you have consented to the storage of your data, Art. 6 para. 1 lit. a) GDPR is the legal basis. In this case, you can revoke your consent at any time with future effect.

REGISTRATION FUNCTION

To use certain functions or offers on our website, you must register. This requires providing your email address and, if applicable, other personal data.

How do we process your data?

We store the data you provide during registration and use it to provide you with the function or offer for which you have registered. If there are any changes regarding the offer or function, we will use your email address to inform you. We also use your email address to make you further contractual offers, if applicable.

How long do we store your data?

We delete your data as soon as one of the following occurs:

• The purpose of the data processing has ceased.
• You request us to delete the data.
• You withdraw your consent to storage.

This only does not apply if we are legally obliged to retain the data.

On what legal basis do we process your data?

We store and use your data to fulfill the user relationship established upon registration and, if applicable, to initiate further contracts. The legal basis is therefore Art. 6 para. 1 lit. b) GDPR.

RATING AND COMMENT FUNCTION

We use the following tools to provide a rating and comment function:

Reviews.io

What is Reviews.io?

Rating seal and online service for obtaining and managing customer feedback

Who processes your data?

REVIEWS.io 2020 GmbH, Stralauer Allee 6, 10245 Berlin

Was a data processing agreement concluded with Reviews.io?

Yes

Where can you find more information about data protection at TrustPilot?

https://www.reviews.io/front/data-protection

How do we process your data?

Our website features a Reviews.io rating seal. Through this seal, reviews of our company by our customers are displayed and made accessible to other website visitors. When you visit our website, the Reviews.io provider learns, due to the integrated seal, that our website was visited via your IP address. Additionally, TrustPilot collects the language settings on your device to display the seal in the appropriate national language.

On what legal basis do we process your data?

We have a legitimate interest in promoting our offers with a verifiable presentation of customer reviews. The basis for data processing is therefore Art. 6 para. 1 lit. f) GDPR. If you have consented to data processing, we process your data exclusively on the basis of Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time with future effect.

TrustPilot

What is TrustPilot?

Rating seal and online service for obtaining and managing customer feedback

Who processes your data?

Trustpilot A/S, Pilestræde 58, 5, 1112 Copenhagen, Denmark

Was a data processing agreement concluded with TrustPilot?

Yes

Where can you find more information about data protection at TrustPilot?

https://de.legal.trustpilot.com/for-reviewers/end-user-privacy-terms

How do we process your data?

Our website features a TrustPilot rating seal. Through this seal, reviews of our company by our customers are displayed and made accessible to other website visitors. When you visit our website, the TrustPilot provider learns, due to the integrated seal, that our website was visited via your IP address. Additionally, TrustPilot collects the language settings on your device to display the seal in the appropriate national language.

On what legal basis do we process your data?

We have a legitimate interest in promoting our offers with a verifiable presentation of customer reviews. The basis for data processing is therefore Art. 6 para. 1 lit. f) GDPR. If you have consented to data processing, we process your data exclusively on the basis of Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time with future effect.

ANALYTICS TOOLS AND ADVERTISING

We use the following tools to analyze the behavior of our website visitors and to show you advertising:

Google Analytics

What is Google Analytics?

Tool for analyzing user behavior by Google Ireland Ltd.

Who processes your data?

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Was a data processing agreement concluded with Google Analytics?

Yes

Where can you find more information about data protection at Google Analytics?

https://support.google.com/analytics/answer/6004245?hl=de

On what basis do we transfer your data to the USA?

Based on the standard contractual clauses of the European Commission (https://privacy.google.com/businesses/compliance)

How can you prevent data collection?

Among other things, with a browser plugin: https://tools.google.com/dlpage/gaoptout?hl=de

How do we process your data?

We are always interested in optimizing our web offering for visitors to our website and in placing advertising optimally. Google Analytics helps us with this, a tool that analyzes user behavior and thus provides us with the necessary data basis for adjustments. Through this tool, we receive information about the origin of our visitors, their page views, and their time spent on the pages, as well as the operating system they use.

Standard processing

To collect data, Google Analytics uses cookies, device fingerprinting, or other technologies for user recognition. The data is transmitted to Google servers in the USA and, with the help of the also collected IP address, aggregated into a profile that can be assigned to you or your device.

You can prevent Google from processing your data by installing a browser plugin provided by Google itself: https://tools.google.com/dlpage/gaoptout?hl=de.

IP anonymization

We have activated the "IP anonymization" function within Google Analytics. For you, this means that Google shortens your IP address (from the EU or the EEA) before transmitting it to the USA. Only in exceptional cases does Google transmit the full IP address to servers in the USA and shortens it there.

Demographic characteristics

We use the "demographic characteristics" function of Google Analytics to display suitable advertisements to visitors of our website within the Google advertising network. As a result, reports can be created that contain statements about the age, gender, and interests of our site visitors. This data comes from Google's interest-based advertising and from third-party visitor data. It is not possible to assign the collected data to specific individuals.

You can deactivate the function in the settings of your Google account.

E-commerce tracking

We use the "e-commerce tracking" function of Google Analytics. This allows us to analyze the purchasing behavior of our website visitors and improve our online marketing campaigns. E-commerce tracking records, for example, your orders, average order values, shipping costs, and the time from viewing to purchasing a product. Google can aggregate the data under a transaction ID and assign it to you or your device.

How long do we store your data?

According to Google, user- and event-level data associated with cookies, user identifiers (e.g., User-IDs), or advertising IDs are deleted or anonymized after 14 months (cf. https://support.google.com/analytics/answer/7667196?hl=de).

On what legal basis do we process your data?

In the event that you have, for example, consented to the storage of cookies or otherwise consented to data processing by Google Analytics, the sole legal basis is Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time with future effect.

Klar Attribution

We use the services of Klar (Klar Insights GmbH, Marktstr. 18, 80802 Munich, Germany) on our website. Klar collects, processes, and stores data for reach measurement and statistical analysis on this website and its subpages on our behalf. This collection is based on the following legal grounds:

• If no user consent is given, the data is collected anonymously, i.e., without the collection of personal or personally identifiable data, and in groups, i.e., by random assignment of the collected data to groups of users. Therefore, it is not possible to draw conclusions about individual users. This anonymous collection is absolutely necessary according to § 25 para. 2 no. 2 TTDSG to optimize business costs and thus guarantee the desired service.
• If user consent is given according to Art. 6 para. 1 sentence 1 a GDPR and § 25 para. 1 sentence 1 TTDSG, the data to be processed is collected on a user-related basis.

Different cookies are used for the aforementioned different collection methods to ensure the respective collection method.

Cookie - Objection

To generally object to the use of Klar, please use this Link. This will set a cookie named "do_not_track" from the domain "smilodox.com". Please do not delete this, otherwise it cannot be guaranteed that you will not be tracked by Klar.

Information on data protection and data use by Klar can be found on the following website: https://www.getklar.com/data-protection

Hotjar

What is Hotjar?

Tool for analyzing user behavior

Who processes your data?

Hotjar Ltd., Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta

Was a data processing agreement concluded with Hotjar?

Yes

Where can you find more information about data protection at Hotjar?

https://www.hotjar.com/privacy

How can you prevent data collection?

You can deactivate the tool here: https://www.hotjar.com/opt-out

How do we process your data?

We are always interested in optimizing our web offering for users and placing advertisements optimally. Hotjar helps us with this, a tool that analyzes user behavior and thus provides us with the necessary data basis for adjustments. Specifically, Hotjar processes website visitor data as follows:

Among other things, it records which click and scroll movements users make with the mouse and how long the mouse pointer remains at a certain spot. From the collected data of all users, the tool then creates so-called heatmaps, which make visible which website areas are particularly popular.

It tells us how long users remained on a subpage of our website and when they left the page.

It can obtain direct feedback from you as a website visitor.

If users have started to fill out our contact form, the tool records at which point they stopped entering data (so-called conversion funnels).

To recognize you as a user, Hotjar places cookies on your device or reads information stored on it via so-called device fingerprinting.

If you do not want Hotjar to collect your data, you can deactivate the tool. Hotjar Ltd. offers two options for this at the following link: https://www.hotjar.com/opt-out.

On what legal basis do we process your data?

In the event that you have, for example, consented to the storage of cookies or otherwise agreed to data processing by Hotjar, Art. 6 para. 1 lit. a) GDPR is the sole legal basis. You can revoke your consent at any time with effect for the future.

Microsoft Bing Ads

What is Microsoft Bing Ads?

Tool for analyzing and tracking user behavior

Who processes your data?

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

Has a data processing agreement been concluded with Microsoft?

Yes

Where can you find more information about data protection at Microsoft?

https://privacy.microsoft.com/de-de/privacystatement

On what basis do we transfer your data to the USA and other third countries?

Microsoft adheres to the standard contractual clauses of the European Commission (cf. https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses)

How can you prevent data collection?

You can deactivate the tool here: https://account.microsoft.com/privacy/ad-settings/signedout?lang=de-DE

How do we process your data?

We are always interested in optimizing our website for users and placing advertisements optimally. Microsoft Bing Ads helps us with this. It is a tool that analyzes user behavior and thus provides us with the necessary data basis for adjustments. Specifically, Microsoft Bing Ads processes website visitor data as follows:

A cookie is stored on your computer by Microsoft Bing Ads if you have reached our website via a Microsoft Bing advertisement. Microsoft Bing Ads and we can thus recognize that someone has clicked on an advertisement, was directed to our website, and reached a predefined target page (conversion page). We only know the total number of users who clicked on a Bing advertisement and were then redirected to the conversion page. No personal information about the user's identity is disclosed.

On what legal basis do we process your data?

In the event that you have, for example, consented to the storage of cookies or otherwise agreed to data processing by Hotjar, Art. 6 para. 1 lit. a) GDPR is the sole legal basis. You can revoke your consent at any time with effect for the future.

Meta Pixel

What is Meta Pixel?

Tool for analyzing user behavior that measures the effectiveness of advertising on Meta platforms.

We use Meta Pixel in connection with Instagram and Facebook.

Who processes your data?

Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland

Has a data processing agreement been concluded with Meta?

Yes

Where can you find more information about data protection at Meta?

https://de-de.facebook.com/about/privacy/

On what basis do we transfer your data to the USA and other third countries?

Meta adheres to the standard contractual clauses of the European Commission (cf. https://www.facebook.com /legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381)

How can you prevent data processing?

If you have a Meta account: Deactivate individual data processing operations here https://www.facebook.com/privacy/center/.

If you do not have a Meta account: Deactivate usage-based advertising from Meta on the website of the European Interactive Digital Advertising Alliance: https://www.youronlinechoices.com/de/praferenzmanagement/

How do we process your data?

We use the Meta Pixel on our website. This analytics tool helps us learn more about the behavior of our website visitors after they click on one of our ads on a Meta platform. This allows us to measure how effective our advertising is and to tailor future advertising measures based on the insights gained. The data that Meta collects via the Pixel is anonymous for us as the operator of this website. Therefore, we cannot identify you as a visitor. However, the data is stored and processed by Meta. Meta uses the Pixel to establish a connection to your Meta account and also uses the data to display advertisements itself both within and outside its network (cf. Meta Data Use Policy). In the course of storage and processing, Meta also transfers the data to the USA and other third countries.

If you have a Meta account, you can deactivate individual data processing operations here https://www.facebook.com/privacy/center/.

If you do not have a Meta account: Deactivate usage-based advertising from Meta on the website of the European Interactive Digital Advertising Alliance: https://www.youronlinechoices.com/de/praferenzmanagement/

On what legal basis do we process your data?

In the event that you have, for example, consented to the storage of cookies or otherwise agreed to data processing by Meta, Art. 6 para. 1 lit. a) GDPR is the sole legal basis. You can revoke your consent at any time with effect for the future.

TikTok Pixel

What is TikTok Pixel?

Tool for analyzing user behavior that measures the effectiveness of advertising on the TikTok platform

Who processes your data?

TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

Has a data processing agreement been concluded with TikTok?

Yes

Where can you find more information about data protection at TikTok?

https://ads.tiktok.com/i18n/official/policy/privacy

On what basis do we transfer your data to the USA and other third countries?

TikTok adheres to the standard contractual clauses of the European Commission (cf. https://ads.tiktok.com/i18n/official/policy/privacy )

How can you prevent data processing?

Deactivate usage-based advertising from TikTok on the website of the European Interactive Digital Advertising Alliance: https://www.youronlinechoices.com/de/praferenzmanagement/

How do we process your data?

We use the TikTok Pixel on our website. This analytics tool helps us learn more about the behavior of our website visitors after they click on one of our ads on TikTok. This allows us to measure how effective our advertising is and to tailor future advertising measures based on the insights gained. The data that TikTok collects via the Pixel is anonymous for us as the operator of this website. Therefore, we cannot identify you as a visitor. However, the data is stored and processed by TikTok. In the course of storage and processing, TikTok also transfers the data to the USA, China, and other third countries.

On what legal basis do we process your data?

In the event that you have, for example, consented to the storage of cookies or otherwise agreed to data processing by TikTok, Art. 6 para. 1 lit. a) GDPR is the sole legal basis. You can revoke your consent at any time with effect for the future.

Shopify Pixel

What is Shopify Pixel?

Tool for analyzing user behavior for the purpose of optimizing marketing campaigns and analyses

Who processes your data?

Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Has a data processing agreement been concluded with Shopify?

Yes

Where can you find more information about data protection at Shopify?

https://www.shopify.com/de/legal/datenschutz

On what basis do we transfer your data to the USA and other third countries?

Shopify has established internal policies to ensure GDPR-compliant data transfer (cf. https://www.shopify.com/de/legal/datenschutz )

How can you prevent data processing?

Deactivate usage-based advertising from Shopify on the website of the European Interactive Digital Advertising Alliance: https://www.youronlinechoices.com/de/praferenzmanagement/

How do we process your data?

We use the Shopify Pixel on our website. This analytics tool helps us learn more about the behavior of our website visitors. This allows us to measure how effective our advertising is and to tailor future advertising measures based on the insights gained. In the course of storage and processing, Shopify also transfers data to the USA and other third countries.

On what legal basis do we process your data?

In the event that you have, for example, consented to the storage of cookies or otherwise agreed to data processing by Shopify, Art. 6 para. 1 lit. a) GDPR is the sole legal basis. You can revoke your consent at any time with effect for the future.

USE OF CUSTOMER DATA FOR DIRECT ADVERTISING

Subscription to our email newsletter

If you subscribe to our email newsletter, we will regularly send you information about our offers. The only mandatory information for sending the newsletter is your email address. The provision of further data is voluntary and is used to address you personally. For sending the newsletter, we use the so-called double opt-in procedure, which ensures that you only receive newsletters if you have expressly confirmed your consent to receive the newsletter by clicking on a verification link sent to the provided email address.

By activating the confirmation link, you give us your consent for the use of your personal data in accordance with Art. 6 para. 1 lit. a) GDPR. In this case, we store your IP address registered by the Internet Service Provider (ISP) as well as the date and time of registration to be able to trace any possible misuse of your email address at a later date. The data collected by us when you register for the newsletter will be used strictly for the intended purpose. You can unsubscribe from the newsletter at any time via the link provided in the newsletter or by sending a message to the controller mentioned above. After unsubscribing, your email address will be immediately deleted from our newsletter distribution list, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is legally permitted and about which we inform you in this statement.

We use the following service provider for sending our newsletter:

Klaviyo

What is Klaviyo?

Service for sending newsletters and analyzing recipient behavior

Who processes your data?

Klaviyo, Inc., Boston, Massachusetts, USA

Has a data processing agreement been concluded with Klaviyo?

Yes

Where can you find more information about data protection at Klaviyo?

https://www.klaviyo.com/legal/privacy-policy

On what basis do we transfer your data to the USA?

Based on the standard contractual clauses of the European Commission (cf. https://www.klaviyo.com/legal/data-processing-agreement)

How do we process your data?

We use Klaviyo for our newsletter delivery. The service manages newsletter subscriber data for us, sends our newsletter, and analyzes our newsletter campaigns.

If you would like to receive our newsletter, we require your email address. We will also use a confirmation email (double opt-in procedure) to verify that you are indeed the owner of this email address. We do not collect any further data, or only on a voluntary basis. We use your data exclusively for sending the newsletter. It will be stored on a Klaviyo server in the USA.

If we send a newsletter via Klaviyo and you open it, a file contained in the newsletter automatically connects to Klaviyo's servers. This way, the service learns that the newsletter has been opened and registers all clicks on the links it contains. In addition, Klaviyo collects technical information such as the time of access, IP address, browser type and operating system.

You can unsubscribe from the newsletter at any time.

How long do we store your data?

After you have unsubscribed, your data will be deleted from the newsletter distribution list. In some circumstances, we may also add your email address to a blacklist; this is necessary, for example, if you have objected to receiving advertising from us. In this case, the legal basis for storage is Art. 6 Para. 1 lit. f) GDPR.

Furthermore, we reserve the right to delete the data at any time after the purpose of collection has ceased or at our own discretion.

On what legal basis do we process your data?

By registering for the subscriber list, you consent to data processing by Klaviyo. This processing is therefore lawful on the basis of Art. 6 Para. 1 lit. a) GDPR. You can withdraw your consent by unsubscribing from the newsletter or by sending us an informal notification. For us, this means that we are no longer permitted to send you newsletters from that point onwards.

Registration for contact via SMS

If you register for contact via SMS, we will regularly send you information about our offers via text message to your phone. The only mandatory information for sending SMS is your phone number. The provision of further data is voluntary and is used to address you personally. For SMS dispatch, we use the so-called double opt-in procedure, which ensures that you only receive contact via SMS once you have confirmed your consent to receive SMS by means of a verification mechanism.

By verifying your phone number, you give us your consent for the use of your personal data in accordance with Art. 6 Para. 1 lit. a) GDPR. The data we collect when you register for contact via SMS is used strictly for the intended purpose. You can unsubscribe from SMS notifications at any time via the mechanism provided in the respective text message or by sending a corresponding message to the controller mentioned above. After successful unsubscription, your phone number will be immediately deleted from our SMS distribution list, unless you have expressly consented to further use of your data or we reserve the right to further use of data that is legally permissible and about which we inform you in this declaration.

We use the following service provider for sending our SMS:

SMSBump

What is SMSBump?

Service for sending text messages via SMS

Who processes your data?

SMSBump Ltd, Sofia, Bulgaria as a subsidiary of YOTPO, 400 Lafayette Street, New York, NY 10003, USA

Has a data processing agreement been concluded with YOTPO?

Yes

Where can you find more information about data protection at YOTPO?

https://www.yotpo.com/privacy-policy/

On what basis do we transfer your data to the USA?

Based on the standard contractual clauses of the European Commission (see https://www.yotpo.com/privacy-policy/)

How do we process your data?

We use SMSBump for our SMS dispatch. The service manages subscriber data for us and sends our SMS messages.

If you would like to receive our SMS messages, we require your phone number. We will also use a confirmation (double opt-in procedure) to verify that you are indeed the owner of this phone number. We do not collect any further data, or only on a voluntary basis. We use your data exclusively for sending SMS messages.

Your data may be transferred to the USA by SMSBump in certain circumstances. We have no influence over this data processing.

You can unsubscribe from SMS messages at any time.

How long do we store your data?

After you have unsubscribed, your data will be deleted from the distribution list. In some circumstances, we may also add your phone number to a blacklist; this is necessary, for example, if you have objected to receiving advertising from us. In this case, the legal basis for storage is Art. 6 Para. 1 lit. f) GDPR.

Furthermore, we reserve the right to delete the data at any time after the purpose of collection has ceased or at our own discretion.

On what legal basis do we process your data?

By registering for the subscriber list, you consent to data processing by SMSBump. This processing is therefore lawful on the basis of Art. 6 Para. 1 lit. a) GDPR. You can withdraw your consent by unsubscribing from SMS messages or by sending us an informal notification. For us, this means that we are no longer permitted to send you SMS messages from that point onwards.

Chatarmin: WhatsApp Marketing

What is Chatarmin?

Chatarmin is a solution for WhatsApp marketing.

Data processing by:
Chatarmin acts as our data processor according to Art. 28 GDPR.

Legal Basis and Data Protection
Consent pursuant to Art. 6 Para. 1 lit. a) GDPR

How do we use Chatarmin?
We use Chatarmin to send advertisements and information about our products. We evaluate your user behavior to provide you with even more relevant information.

Data Transfer and Processing:
Chatarmin acts as our data processor according to Art. 28 GDPR. Furthermore, there are other sub-contractors.

Unsubscription and Data Storage:
You can unsubscribe from the WhatsApp service at any time. After unsubscribing, your data will be removed from our distribution list. In certain cases, your phone number may also be blacklisted to prevent future advertising. This is based on Art. 6 Para. 1 lit. f) GDPR. Legal basis of your
consent: By registering, you agree to the processing of your data by SMSBump, based on Art. 6 Para. 1 lit. a) GDPR. This consent can be withdrawn at any time by unsubscribing from WhatsApp or by sending an informal message to us.

Postal advertising

We send you advertising by post. For dispatch, we use the following service provider:

DHL GmbH

Sträßchensweg 10

53113 Bonn

Has a data processing agreement been concluded with DHL?

Yes. We have concluded a data processing agreement with DHL GmbH.

How do we process your data?

We store your name and address and use both for sending advertising.

How long do we store your data?

We delete your data as soon as one of the following occurs:

• The purpose of data processing ceases.
• You request us to delete the data.
• You withdraw your consent to receive postal advertising.

This does not apply if we are legally obliged to retain the data.

On what legal basis do we process your data?

If you have consented to data processing, the processing is carried out exclusively on the basis of Art. 6 Para. 1 lit. a) GDPR. You can withdraw your consent at any time for the future. If more specific regulations apply, we will inform you of these during data collection. These regulations then take precedence over those mentioned here.

FURTHER PLUGINS AND TOOLS

YouTube (with extended data protection)

What is YouTube?

Video platform

Who processes your data?

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Where can you find more information about data protection at YouTube?

https://www.youtube.com/intl/ALL_de/howyoutubeworks/our-commitments/protecting-user-data/?gclid=EAIaIQobChMIztKuysSW-gIVjgwGAB0euwPlEAAYASAAEgLBXfD_BwE

How do we process your data?

You can watch YouTube videos on our website. In doing so, Google, as the provider of YouTube, collects and stores certain information about you. However, since we use YouTube in extended data protection mode, this only happens when you start a video. Specifically, the following happens in this case:

1. Google's servers are informed which of our pages have been visited by your device. If you are logged into your YouTube account while browsing, Google can directly assign your browsing behavior to your personal profile. If you do not want this, you must log out of your YouTube account before continuing to browse the Internet.
2. Google receives information about visitors to our website via cookies, device fingerprinting or similar recognition technologies. On this basis, the company then creates video statistics, makes its application more attractive to users and prevents attempted fraud.
3. Your data may also be processed beyond this. However, we have no knowledge of the details. Nor can we influence the processing.

Even if you do not start a YouTube video on our website, Google establishes a connection to its DoubleClick network and possibly also to other partners. The extended data protection mode therefore does not mean that Google does not process any data from you at all when you visit our website.

On what legal basis do we process your data?

If you have consented to data processing, we process your data exclusively on the basis of Art. 6 Para. 1 lit. a) GDPR. You can withdraw your consent at any time. From the time of withdrawal, we are no longer permitted to process your data.

Google reCAPTCHA

What is Google reCAPTCHA?

Test tool for distinguishing between humans and computers from Google Ireland Ltd.

Who processes your data?

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Where can you find more information about data protection at Google?

https://policies.google.com/privacy?hl=de

On what basis do we transfer your data to the USA?

Google adheres to the standard contractual clauses of the European Commission (https://privacy.google.com/businesses/compliance)

How do we process your data?

With Google reCAPTCHA, we check whether data entered into forms on our website comes from a human or a computer. For you, this means that the test tool analyzes your behavior as a visitor to our website based on various characteristics. The analysis does not begin only when you use the test tool, but already when you access our website. Various data is collected, e.g., the

IP address, the time spent on our website, and mouse movements made. The data is forwarded to Google.

On what legal basis do we process your data?

If you have consented to data processing, we process your data exclusively on the basis of Art. 6 Para. 1 lit. a) GDPR. You can withdraw your consent at any time. From the time of withdrawal, we are no longer permitted to process your data.

Polyfill.io

We use technologies from "The Financial Times Ltd.", based in London, England, on our website. The use serves to display our website. The technology enables us to display our content in the best possible quality even on older browser versions. If you load a website that uses Polyfill technology, your browser downloads all necessary Polyfill files to display the website optimally in your browser. To provide the Polyfills, the service receives certain technical information from your browser, including browser details, connection data (such as your IP address) and the URL of the website that sent the request to the service. This information is used to determine which Polyfills are needed by your browser for the optimal display of the website. The use of polyfill.io is in the interest of optimizing the website display of our online offers. This constitutes a legitimate interest. The basis for data processing is therefore Art. 6 Para. 1 lit. f) GDPR.

Further information on data protection at jQuery can be found at https://www.polyfill.io/v3/privacy-policy/

Google Web Fonts (local hosting)

We use fonts from the US company Google on our website. We have installed the fonts locally, so that no connection to Google's servers takes place when you visit our website.

Further information on Google Web Fonts can be found at https://developers.google.com/fonts/faq and in Google's privacy policy: https://policies.google.com/privacy?hl=de

jQuery

We use technologies from the US company jQuery on our website. The use serves to display our website. For this purpose, the browser you use connects to the servers of the jQuery Foundation ("jQuery.org"). This informs the jQuery Foundation that our website has been accessed via your IP address. The use of jQuery is in the interest of optimizing the loading speeds of our online offers. This constitutes a legitimate interest. The basis for data processing is therefore Art. 6 Para. 1 lit. f) GDPR.

Further information on data protection at jQuery can be found at https://openjsf.org/wp-content/uploads/sites/84/2021/04/OpenJS-Foundation-Privacy-Policy-2019-11-15.pdf

Other tools provided by Shopify

On our website, we also use apps offered via the Shopify App Store to, among other things, make our offer user-friendly and process orders. Details of the apps we use are as follows:

• VariantImageAutomator & Swatch King operated by StarApps Studio serve to improve the presentation of products on the website. An overview of this app and its appearance can be found here: https://apps.shopify.com/variant-image-automator & here https://apps.shopify.com/variant-swatch-king. Privacy policy of the app: https://variant-image-automator.starapps.studio/pages/privacy-policy
• GemPages Landing Page Builder operated by GemPages is used for user-friendly design of our sales pages. An overview of this app and its appearance can be found here https://apps.shopify.com/gempages . Privacy policy of the app: https://gempages.net/pages/privacy?utm_medium=referral&utm_content=privacy_page&utm_campaign=app-listing
• Wishlist Plus operated by Swym Corporation serves the user-friendly design of the sales process by providing a wish list. An overview of this app and its appearance can be found here https://apps.shopify.com/swym-relay. Privacy policy of the app: https://swym.it/privacy/
• Ultimate Search operated by SoBooster serves the user-friendly design of the sales process through improved search and filter functions. An overview of this app and its appearance can be found here https://apps.shopify.com/ultimate-search-and-filter-1. Privacy policy of the app: https://sobooster.com/legal/privacy
• GOAFFPRO operated by GoAffPro serves to provide affiliate marketing. An overview of this app and its appearance can be found here https://apps.shopify.com/goaffpro . Privacy policy of the app: https://goaffpro.com/privacy
• Geo:Pro Geolocation Redirects operated by NexusMedia serves to improve user experience by redirecting to a suitable website language in connection with the geographical location. An overview of this app and its appearance can be found here https://apps.shopify.com/easylocation. Privacy policy of the app: https://cdn.shopify.com/s/files/1/0240/9283/files/Privacy_policy_v1.1.pdf?15486165569758792356
• Advanced Bundle Product operated by MGworx LLC serves the possibilities to present products and content on the website. An overview of this app and its appearance can be found here https://apps.shopify.com/grouped-products. Privacy policy of the app: https://www.mageworx.com/privacy-policy-apps
• AWIN Affiliate Marketing operated by Awin Ltd. serves to provide affiliate marketing. An overview of this app and its appearance can be found here https://apps.shopify.com/awin-advertiser-tracking. Privacy policy of the app: https://www.awin.com/de/datenschutzerklarung
• Live Shopping & Video Streams by channelize.io operated by BigStep Technologies Pvt. Ltd. serves to equip the website with live-streaming eCommerce experiences. An overview of this app and its appearance can be found here https://apps.shopify.com/live-stream-shopping. Privacy policy of the app: https://channelize.io/privacy-policy
• EasyLockdown - Wholesale Locks operated by NexusMedia serves for product page management. An overview of this app and its appearance can be found here https://apps.shopify.com/easylockdown. Privacy policy of the app: https://cdn.shopify.com/s/files/1/0240/9283/files/Privacy_policy_v1.1.pdf?15486165569758792356
• Selly - Promotion & Pricing operated by Treedify - Selly United serves for product selection to combine desired products. An overview of this app and its appearance can be found here https://apps.shopify.com/selly. Privacy policy of the app: https://treedify.com/privacy-policy
• Transcy: AI Language Translate operated by OneCommerce serves to translate the website. An overview of this app and its appearance can be found here: https://apps.shopify.com/transcy-multiple-languages. Privacy policy of the app: https://onecommerce.io/privacy-policy/

An overview of all applications provided by Shopify and further information can be found here.

E-COMMERCE AND PAYMENT PROVIDERS

Customer and Contract Data

How do we process your data?

When we enter into a contract with you, we require certain personal data from you. We collect, process, and use this data only to the extent necessary to establish our legal relationship, define its content, or modify it. If you can only use our services via our website or if the services are billed via the website, we also collect usage data if this is necessary to enable you to use our offer or to bill for the service used.

How long do we store your data?

We store your data until our legal relationship ends, unless we are legally obliged to retain the data for longer.

On what legal basis do we process your data?

We store your data to fulfill the contract with you or to carry out pre-contractual measures. The legal basis for data processing is therefore Art. 6 Para. 1 lit. b) GDPR.

Data transfer for goods shipping

How do we process your data?

When you order goods from us, we transfer your data to companies we commission with the delivery and/or through which we process the payment. Only data necessary for the commissioned company to execute the specific order is transferred. If we want to share further data, we will obtain your consent. We do not share your data for advertising purposes.

On what legal basis do we process your data?

We share your data to fulfill the contract we have concluded with you. The legal basis for data processing is therefore Art. 6 Para. 1 lit. b) GDPR.

Transfer of personal data to shipping service providers for the purpose of coordinating a delivery date / delivery announcement

DHL

If the delivery of the goods is carried out by the transport service provider DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, we will pass on your e-mail address to DHL before the delivery of the goods, after your express consent in accordance with Art. 6 Para. 1 lit. a) GDPR, for the purpose of coordinating a delivery date or announcing the delivery. Consent can be revoked at any time with effect for the future towards us or towards the transport service provider DHL.

If you have not given your consent, we will only pass on the recipient's name and delivery address to DHL for delivery purposes in accordance with Art. 6 Para. 1 lit. b) GDPR, as described above. The transfer only takes place to the extent necessary for the delivery of the goods.

We have concluded a contract for order processing with DHL GmbH. Further information on data protection at DHL can be found here https://www.dhl.de/de/toolbar/footer/datenschutz.html

Payment services

To enable you to conveniently pay for your purchases on our website, we use the services of payment providers, i.e., external companies that process payments for us. You can find out which specific ones these are in the list at the end of this section.

How do we process your data?

For the payment process, you must provide certain personal data, such as your name, bank details, or credit card number. We pass this data on to the respective payment service. The respective contractual and data protection provisions of the respective services apply to the transaction itself.

On what legal basis do we process your data?

We pass on your data to fulfill the contract we have concluded with you. The legal basis for data processing is therefore Art. 6 Para. 1 lit. b) GDPR. In addition, we have a legitimate interest in processing purchases as quickly, conveniently, and securely as possible. The legal basis in this respect is also Art. 6 Para. 1 lit. f) GDPR. If you have consented to the transfer of your data, the data processing is based on Art. 6 Para. 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future.

Which payment services do we use?

Shopify Payments / Shop Pay

What is Shop Pay?

Online payment service from Shopify with the involvement of the technical service provider Stripe Payments

Who processes your data?

Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

and

Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland

Where can you find more information about data protection at Shopify Payments?

https://www.shopify.com/de/legal/datenschutz

and

https://stripe.com/de/privacy

On what basis do we transfer your data to the USA and other third countries?

Shopify has established internal company policies to make data transfer GDPR-compliant (cf. https://www.shopify.com/de/legal/datenschutz )

Stripe adheres to the European Commission's standard contractual clauses (cf. https://stripe.com/de/legal/dpa)

PayPal

What is PayPal?

Online payment service

Who processes your data?

PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg

Where can you find more information about data protection at PayPal?

https://www.paypal.com/de/webapps/mpp/ua/privacy-full

On what basis do we transfer your data to the USA?

PayPal adheres to the European Commission's standard contractual clauses (cf. https://www.paypal.com/de /webapps/mpp/ua/pocpsa-full)

Klarna

What is Klarna?

Payment service

Who processes your data?

Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden

Where can you find more information about data protection at Klarna?

https://www.klarna.com/de/datenschutz/

Google Pay

What is Google Pay?

Mobile payment system from the US company Google

Who processes your data?

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Where can you find more information about data protection at Google Pay?

https://policies.google.com/privacy

On what basis do we transfer your data to the USA?

Google adheres to the European Commission's standard contractual clauses (cf. https://support.google.com/publisherpolicies/answer/10437486?hl=de)

Amazon Pay

What is Amazon Pay?

Online payment service from Amazon

Who processes your data?

Amazon Payments Europe S.C.A., 38 Avenue J.F. Kennedy, 1855 Luxembourg, Luxembourg

Where can you find more information about data protection at Amazon Pay?

https://pay.amazon.de/help/201212490?ld=APDELPADirect

Shop Pay

What is Shop Pay?

Online payment service from Shopify

Who processes your data?

Shopify International Limited, Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Where can you find more information about data protection at Shop Pay?

https://www.shopify.com/de/legal/datenschutz

On what basis do we transfer your data to the USA and other third countries?

Shopify has established internal company policies to ensure GDPR-compliant data transfer (cf. https://www.shopify.com/de/legal/datenschutz )

DATA PROCESSING ON SOCIAL MEDIA

What is Social Media?

By Social Media, we mean the social networks on which we have created publicly accessible profiles. You can find out which specific social networks these are below, under the respective networks.

Who processes your data?

The respective operating companies of the social networks. You can find the individual operators below for each network.

How is your data processed?

The operators of social networks are generally able to collect and evaluate comprehensive data about the behavior of visitors and users of the network. We are unable to track all processing operations in the social networks we use, which is why further processing operations not listed here may be carried out by the operators of the social networks. Further information can be found in the terms of use and data protection declarations of the respective social networks.

The processing of your data may be triggered by your visiting the social network's website or our profile page there. Even if you access a website that uses certain network content, such as Like or Share buttons, data may already be transferred to the operators of the social network. If you are a user of the social network yourself and are logged into your user account, your visit to our profile page can be assigned to your account by the operator of the social network. Even if you have not registered a user account yourself or are not logged in, the operator of the network may still collect your personal data, for example, by collecting your IP address or setting cookies. With this data, the operators can create user profiles tailored to your behavior and interests and show you interest-based advertising within and outside the network. If you are a registered user of the network, interest-based advertising can also be displayed on all devices on which you are or have been logged in.

On what legal basis is your data processed?

Our profiles in social networks are intended to ensure the widest possible online presence for our company. As a company, we have a legitimate interest in this. The data processing is therefore lawful according to Art. 6 para. 1 lit. f GDPR.

The data processing operations and analyses carried out by the operators of the social networks themselves may be based on other legal grounds. These must be specified by the operators of the social networks.

Who is responsible for processing your data and how can you assert your rights?

When you visit one of our profiles on social networks, we are jointly responsible with the operator of the respective network for the data processing operations triggered by this visit. In principle, you can assert your rights against both us and the operator of the respective network.

Despite the joint responsibility with the operators of the social networks, our influence on the data processing operations of the respective operator is limited and is primarily governed by the operator's specifications.

How long is your data stored?

If we collect data via our profiles in social networks, it will be deleted from our systems as soon as the purpose for its storage ceases to apply, you request us to delete it, or you revoke your consent to storage. Stored cookies remain on your device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.

We have no influence on how long the operators of social networks store your data that the operators collect for their own purposes. You can obtain information on this directly from the operator of the respective social network, for example, in the respective privacy policy.

Which social media do we use?

Facebook

What is Facebook?

A social network

Who processes your data?

Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Is your data transferred to third countries?

Yes, to the USA and also to other third countries

Where can you find more information about data protection on Facebook?

https://www.facebook.com/about/privacy/

Where can you, as a Facebook user, adjust your advertising settings?

As a registered Facebook user, you can adjust your advertising settings in your user account. To do this, click on the following link and log in:
https://www.facebook.com/settings?tab=ads.

Instagram

What is Instagram?

A social network specializing in photos and videos

Who processes your data?

Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland

Is your data transferred to third countries?

Yes

Where can you find more information about data protection on Instagram?

https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram-Help-Center&bc[1]=Policies% 20and%20Reports

Where can users adjust their privacy settings?

As a registered Instagram user, you can adjust your privacy settings in your user account. To do this, click on the following link and log in: https://www.instagram.com/accounts/privacy_and_security/

TikTok

What is TikTok?

A social network specializing in videos

Who processes your data?

TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland

Where can you find more information about data protection on TikTok Pixel?

https://ads.tiktok.com/i18n/official/policy/privacy

On what basis do we transfer your data to the USA and other third countries?

TikTok adheres to the European Commission's standard contractual clauses (cf. https://ads.tiktok.com/i18n/official/policy/privacy )

Where can users adjust their privacy settings?

As a registered TikTok user, you can adjust your privacy settings in your user account. To do this, click on the following link and log in: https://support.tiktok.com/en/account-and-privacy/account-privacy-settings

YouTube

What is YouTube?

A social network in the form of an online video portal

Who processes your data?

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Is your data transferred to third countries?

Yes

Where can you find more information about data protection on YouTube?

https://policies.google.com/privacy?hl=de

Where can users adjust their privacy settings?

https://policies.google.com/privacy?hl=de#infochoices