Toggle Nav
Cart
DE
Search
4.83
Account
Settings
Language
bannerstop (EN) Store View

Privacy Policy

Thank you for visiting our website. Below we would like to inform you about the processing of data during your visit and use of our site.

 

I. Name and address of the controller and the data protection officer

The controller in accordance with the applicable data protection regulations is:

bannerstop GmbH
Habsburgerring 1
50674 Cologne
Germany

Managing Directors: Luca Philip Oertel, Marius Lüxmann, Niclas Waldecker

Phone: +49 (0)221 1679380
Fax: +49 (0)221 16793829

E-Mail: [email protected]

 

Data Protection Officer:

bannerstop GmbH
Helena Fee Willmann
Habsburgerring 1
50674 Cologne
Germany

E-Mail: [email protected]

 

Representative of the Data Protection Officer:
Lisa Eich

E-Mail: [email protected]

 

II. General information on data processing

1. Scope of processing of personal data

We collect and use personal data (hereinafter referred to as personal data) of our users mainly only to the extent necessary

  • to provide a functioning website
  • for the execution of our services
  • if there is user consent.

An exception applies in cases where it is not possible to obtain prior consent for factual reasons and the processing of data is permitted by legal provisions.

2. Legal basis for the processing of personal data

Below you will find an overview of the main legal bases of the General Data Protection Regulation (GDPR):

In the processing of personal data

  • based on the consent of the data subject, Art. 6 para. 1 lit. a of the General Data Protection Regulation (GDPR) is the legal basis;
  • which serves to fulfill a contract with the data subject, Art. 6 para. 1 lit. b GDPR is the legal basis.
  • which are necessary for the execution of pre-contractual measures, Art. 6 para. 1 lit. b GDPR is the legal basis;
  • which are necessary for the fulfillment of a legal obligation imposed on us, Art. 6 para. 1 lit. c GDPR serves as the legal basis;
  • which are necessary for vital interests of the data subject or other natural persons, Art. 6 para. 1 lit. d GDPR is the legal basis.
  • which are necessary for the safeguarding of a legitimate interest of our company or a third party and which prevail over the interests, fundamental rights, and fundamental freedoms of the data subject, Article 6 paragraph 1 letter f GDPR serves as the legal basis for processing.

3. Deletion of data and duration of storage

In principle, we delete or block personal data as soon as the reason for storage ceases to exist. However, storage may occur if provided for by European or national legislation in regulations, laws, or other provisions of union law to which we are subject. The blocking or deletion of data also occurs when a storage period prescribed by the cited regulations expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

4. Recipients of the collected data

The recipient of the data collected through the website is the designated controller. In addition, the processors (web host, technical support) have access to the data collected through the website. However, compliance with legal regulations is ensured through data processing contracts that we enter into with our processors based in the EU. In addition to the so-called processors, we also use service providers strictly necessary for the fulfillment of the contract (e.g., credit institutions, transport companies, etc.). The transmission of data to third countries occurs only to the extent that we inform you below.

5. Necessity to provide personal data

In the context of our online store, the provision and storage of your personal data are necessary for the execution of the contract. Without the communication of this necessary data, unfortunately, we cannot process your order.

6. Profiling

We do not make any automated decisions through our website. An automated evaluation of personal data for the assessment of personal characteristics (profiling) occurs only to the extent that it is necessary for the analysis of website visits in aggregated form, and no decisions with legal effects are derived.

 

III. Provision of the website and creation of log files

1. Scope of data processing

With each access to our website, our system automatically collects data and information from the computer system of the requesting computer.

The following data is collected:

  1. Information about the type and version of the browser
  2. The user's operating system
  3. The user's IP address
  4. Date and time of access, first and last visit
  5. Website from which the user accesses
  6. Websites that are called by the user's system through our website

The data is also stored in the log files (log files / record of all or certain processes on a computer system) of our system. No storage of this data occurs together with other personal data of the user.

2. Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6 paragraph 1 letter f GDPR (our legitimate interest).

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary to allow the delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

The storage in log files occurs to ensure the operation of the website. In addition, the data is needed to optimize the website and ensure the security of our computer systems.

Our legitimate interest in data processing under Article 6 paragraph 1 letter f GDPR also resides in these purposes. Since it is not possible for us to trace back the IP address to a natural person without further information, and since an IP address is not a sensitive data, it is immediately deleted after the visit to the website and we need it to offer our website, our interest prevails over that of the data subject.

4. Duration of storage

The collected data is deleted as soon as it is no longer necessary for the purpose of its collection (provision of the website). In the case of storage of data in log files, this occurs at most after seven days. Further storage is possible. In this case, the IP addresses of users are deleted or anonymized, so that it is no longer possible to associate the requesting client.

5. Possibility of objection and removal

The collection of data for the provision of the website and the storage of data in log files is strictly necessary for the operation of the website. Therefore, there is no possibility of objection by the user.

 

IV. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are sets of data that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows for a unique identification of the browser on subsequent access to the website.

We use cookies to make our website more user-friendly. Some elements of our website require that the requesting browser can be identified even after a page change.

We use the following cookies:

Name Provider Category Function Duration of storage Type
PHPSESSID Magento Necessary cookies This information is necessary for a user to remain logged in to a website without having to enter their username and password for every page visited. Without this cookie, a user cannot access areas of the website that require authenticated access. Session 1st Party
private_content_version Magento Necessary cookies Adds a random unique number and a timestamp to pages with customer content to prevent them from being cached on the server. 1 day 1st Party
persistent_shopping_cart Magento Necessary cookies Stores the key (ID) of the persistent shopping cart to allow the cart to be restored for an anonymous buyer. 1 day 1st Party
form_key Magento Necessary cookies A security measure that adds a random string to all form submissions to protect data from Cross-Site Request Forgery (CSRF) attacks. 1 day 1st Party
store Magento Necessary cookies Monitors the specific store view/location chosen by the buyer. 1 day 1st Party
login_redirect Magento Necessary cookies Stores the landing page that the customer navigated to before being prompted to log in. 1 day 1st Party
mage-messages Magento Necessary cookies Monitors error messages and other notifications displayed to the user, such as the cookie consent message and various error messages. The message is removed from the cookie after being displayed to the buyer. 1 day 1st Party
mage-cache-storage Magento Necessary Cookies This cookie is used in relation to load balancing. It optimizes the response time between the visitor and the website by distributing the traffic load across multiple network connections or servers. It is used to optimize the website loading speed. This is done by pre-loading some procedures in the visitors' browsers. 1 day 1st Party
mage-cache-storage-section-invalidation Magento Necessary Cookies This cookie is used in relation to load balancing. It optimizes the response time between the visitor and the website by distributing the traffic load across multiple network connections or servers. It is used to optimize the website loading speed. This is done by pre-loading some procedures in the visitors' browsers. 1 day 1st Party
mage-cache-sessid Magento Necessary Cookies The value of this cookie triggers the cleaning of the local cache. 1 day 1st Party
product_data_storage Magento Necessary Cookies Stores the configuration for product data related to recently viewed / compared products. 1 day 1st Party
user_allowed_save_cookie Magento Necessary Cookies Indicates whether the buyer allows the saving of cookies. 1 day 1st Party
mage-translation-storage Magento Necessary Cookies Stores translated content, if the buyer wishes. 1 day 1st Party
mage-translation-file-version Magento Necessary cookies Stores the version of the translated content file. 1 day 1st party
section_data_ids Magento Microsoft Bing - Clarity Stores personalized information related to actions initiated by the buyer, such as viewing the wishlist, checkout information, etc. 13 months 1st party
recently_viewed_product Magento Necessary cookies Collects information about the products viewed by the visitor - this is used to optimize the visitor's navigation on the site. Permanent 1st party
recently_viewed_product_previous Magento Necessary cookies Collects information about the products viewed by the visitor - this is used to optimize the visitor's navigation on the site. Permanent 1st party
recently_compared_product Magento Necessary cookies This cookie is used to determine which products the visitor has viewed. This information is used to promote related products and optimize advertising effectiveness. Permanent 1st party
recently_compared_product_previous Magento Necessary cookies Collects information about the products viewed by the visitor - this is used to optimize the visitor's navigation on the site. Permanent 1st party
_ga Google Analytics Google Analytics Records a unique ID used to generate statistical data on how the visitor uses the site. 2 years 3rd Party
_gid Google Analytics Google Analytics Records a unique ID that is used to generate statistical data on how the visitor uses the website. 1 day 3rd Party
_gat Google Analytics Google Analytics Used by Google Analytics to throttle request rates. 1 day 3rd Party
_GRECAPTCHA Google reCAPTCHA Google reCAPTCHA This cookie is used to distinguish between humans and bots. This is beneficial for the website to generate valid reports on the usage of its site. 179 days 3rd Party
CONSENT Magento Necessary cookies Used to recognize if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for the website's GDPR compliance. 2 years 1st Party
CookieConsent Microsoft Microsoft Bing - Clarity Stores the user's cookie consent status for the current domain 1 year 3rd Party
mage-cache-timeout Magento Necessary cookies This cookie is necessary for the caching function. A cache is used by the website to optimize the response time between the visitor and the site. The cache is usually stored in the visitor's browser. NaN 1st Party
rc::a rc::b rc::c Google reCAPTCHA Google reCAPTCHA These cookies are used to distinguish between people and bots. This is beneficial for the website to create valid reports on site usage. Session, Persistent Third Party
test_cookie Google Ads Google Ads Used to check if the user's browser supports cookies. It does not contain identifying features. 1 Day Third Party
_clck Microsoft Microsoft Bing - Clarity Collects data on navigation and user behavior on the website. This data is used to create statistical reports and heatmaps for the site owner. 1 Year Third Party
__cltk Microsoft Microsoft Bing - Clarity Records statistical data on user behavior on the website. It is used by the site operator for internal analysis. Session Third Party
c.gif Microsoft Microsoft Bing - Clarity Collects data on navigation and user behavior on the website. This data is used to create statistical reports and heatmaps for the site owner. Session Third Party
CLID Microsoft Microsoft Bing - Clarity Collects data on navigation and user behavior on the website. This data is used to create statistical reports and heatmaps for the site owner. 1 Year Third Party
collect Google Analytics Google Analytics Used to send data about the device and visitor behavior to Google Analytics. Tracks the visitor across all devices and marketing channels. Session Third Party
_gcl_au Google Ads Google Ads It is used by Google Ads to provide a range of advertising products such as real-time bids from third parties. Permanent 1st Party
_uetsid Microsoft Microsoft Bing - Clarity Collects data on visitor behavior across multiple websites to present more relevant ads - This also allows the website to limit the number of ads. It is used to track visitors across multiple websites to present relevant advertising based on visitor preferences. 1 Day / Persistent 3rd Party
_uetsid_exp Microsoft Microsoft Bing - Clarity Contains the expiration date for the cookie with the corresponding name. Permanent 3rd Party
_uetvid Microsoft Microsoft Bing - Clarity It is used to track visitors across multiple websites to present relevant advertising based on visitor preferences. 13 Months / Persistent 3rd Party
_uetvid_exp Microsoft Microsoft Bing - Clarity Contains the expiration date for the cookie with the corresponding name. Permanent 3rd Party
ads/ga-audiences Google Ads Google Ads It is used by Google AdWords to re-target visitors who are likely to become customers due to their online behavior across various websites. Session 3rd Party
ANONCHK Microsoft Microsoft Bing - Clarity Records data on visitors from multiple visits and across multiple websites. This information is used to measure the effectiveness of advertising on websites. 1 Day, at least one Session 3rd Party
MUID Microsoft Microsoft Bing - Clarity Often used by Microsoft as a unique user ID. The cookie allows tracking users by synchronizing the ID across many Microsoft domains. 1 year 3rd Party
pagead/1p-user-list/# Google Ads Google Ads Tracks whether the user has shown interest in certain products or events across multiple websites and recognizes how the user navigates between sites. This is used to measure advertising campaigns and facilitates the payment of referral commissions between sites. Session 3rd Party
pagead/landing Google Ads Google Ads Tracks the conversion rate between the user and the ads on the site - This is used to optimize the relevance of advertising on the site. Session 3rd Party
SM Microsoft Microsoft Bing - Clarity Records a unique ID that identifies the user's device during repeated visits to sites using the same advertising network. The ID is used to enable targeted advertising. Session 3rd Party
SRM_B Microsoft Microsoft Bing - Clarity Tracks user interaction with the site's search feature. This data can be used to present relevant products or services to the user. 1 year 3rd Party
VISITOR_INFO1_LIVE YouTube YouTube Attempts to estimate users' bandwidth on pages with embedded YouTube videos. 179 days / 6 months 3rd Party
YSC, yt.innertube::nextId YouTube YouTube Register a unique ID to track the statistics of YouTube videos viewed by the user. Session / Persistent Third party
Stores user preferences for the video player with embedded YouTube videos YouTube YouTube ytidb::LAST_RESULT_ENTRY_KEY, yt-remote-cast-available, yt-remote-cast-installed, yt-remote-connected-devices yt-remote-device-id, yt-remote-fast-check-period, yt-remote-session-app, yt-remote-session-name Session / Persistent Third party
bs_livechat_init_flyout Magento Necessary cookies Cookies needed to use the live chat bannerstop. 1 year First party
_pk_id Matomo Matomo cookie Stores a unique visitor ID. 13 months First party
_pk_ses Matomo Matomo cookie Session cookies temporarily store data for the visit. 30 minutes First party
_pk_ref Matomo Matomo cookie Stores information for attribution (the referrer that brought the visitor to the site). 6 months First party
_pk_testcookie Matomo Matomo cookie Temporary cookie to check if a visitor's browser supports cookies (set only in Internet Explorer). Temporary cookie that expires almost immediately after being set. NaN First party
mtm_cookie_consent Matomo Matomo Cookie Records the visitor's consent to Matomo tracking. 30 years 1st part
_pk_uid Matomo Matomo Cookie If enabled, this cookie assigns the same ID to the same visitor navigating through all your domains and subdomains, so that Matomo can recognize users across devices and sessions. 13 months 1st part
XSRF-TOKEN CloudLab CloudLab A security measure that attaches a random string to all form submissions to protect data from Cross-Site Request Forgery (CSRF) attacks. Session 3rd part
printq_datacenter_session CloudLab CloudLab This information allows the website to associate users with a possible previous session and grants access to previous projects. Session 3rd part
amcookie_allowed Magento Necessary cookies Stores the consent decision regarding cookies and third-party providers. 1 day 1st part
amcookie_policy_restriction Magento Necessary cookies Stores the consent decision regarding cookies and third-party providers. 1 day 1st part

 

When you visit our website, users are informed via a banner about cookies regarding the use of cookies or tools for analytical purposes and are referred to this privacy policy. In this context, a notice is also provided on how to prevent the storage of cookies in the browser settings. The following data is stored in relation to the cookie banner:

  • Your consent ID
  • Moment of your consent
  • List of cookie categories selected by you

2. Legal basis for data processing

The legal basis for the processing of personal data through the use of our cookie banner and technically necessary cookies pursuant to § 25 paragraph 2 TDDDG is Article 6 paragraph 1 letter c DSGVO and Article 6 paragraph 1 letter f DSGVO. The legal basis for the processing of personal data through the use of cookies that are not technically necessary (for example, cookies for analytical purposes) is, in the presence of specific user consent, Article 6 paragraph 1 letter a DSGVO, in addition to our legitimate interest.

3. Purpose of data processing

The purpose of using technically necessary cookies is to enable the use of our websites. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognized even after a page change (for example, the shopping cart function). The data of users collected through technically necessary cookies is not used to create user profiles.

The purpose of non-strictly necessary cookies is to simplify or improve the use of websites for users. The use of cookies and analytical tools occurs with the aim of improving the quality of our website and its content. In this way, we learn how the website is used and can continuously optimize our offering.

The precise purpose of using analytical tools and advertising trackers is indicated in the following points.

In the aforementioned purposes also lies our legitimate interest in the processing of personal data pursuant to Article 6 paragraph 1 letter f DSGVO.

The data collected within the framework of consent in the cookie banner is used exclusively to take into account cookie preferences for future visits. The storage of this information is necessary to fulfill our legal obligations and to provide you with a user-friendly experience.

4. Duration of storage, possibility of objection and deletion

Cookies are stored on the user's computer and transmitted to us by the same. Therefore, as a user, you also have full control over the use of cookies. By modifying the settings in your Internet browser, you can deactivate or limit the transmission of cookies. Cookies already stored can be deleted at any time. This can also occur automatically. If cookies are deactivated for our website, not all functions of the website may be usable.

 

V. Web analysis by us via Matomo

1. Scope of data processing

We use the open-source software tool Matomo (formerly PIWIK) on our website to analyze the browsing behavior of our users. The software sets, after user consent via our cookie banner, a cookie on the user's computer (for cookies see above). When individual pages of our website are opened, the following data is stored:

  1. Two bytes of the IP address of the user's system making the request
  2. The visited web page
  3. The website from which the user arrived at the visited page (referrer)
  4. The subpages that are opened from the visited page
  5. The time spent on the web page
  6. The frequency of access to the web page

The software operates exclusively on the servers of our website. The storage of users' personal data occurs only there. There is no transmission of data to third parties.

The software is configured in such a way that IP addresses are not stored completely, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to associate the abbreviated IP address with the requesting computer.

Further information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/.

2. Legal basis for data processing

The legal basis for analysis via Matomo is our legitimate interest pursuant to Article 6 paragraph 1 letter f. DSGVO or the user's consent, Article 6 paragraph 1 letter a DSGVO in conjunction with § 25 TDDDG.

3. Purpose of data processing

The processing of users' personal data allows us to analyze the browsing behavior of our users. Thanks to the evaluation of the collected data, we are able to gather information about the use of individual components of our website. This helps us to continuously improve our website and its usability. In these purposes also lies our legitimate interest in the processing of data pursuant to Article 6 paragraph 1 letter f DSGVO. Thanks to the anonymization of the IP address and local storage, as well as the user-friendly data protection settings in Matomo, the interest of users in the protection of personal data is adequately taken into account, so that our legitimate interests prevail over the rights and freedoms of the data subject.

4. Duration of storage / possibility of revocation and deletion

Data is deleted as soon as it is no longer necessary for our recording purposes. In our case, this occurs after 14 months.

5. Possibility of objection and deletion

Cookies are stored on the user's computer and transmitted to us by the same. Therefore, as a user, you also have full control over the use of cookies. By modifying the settings in your Internet browser, you can deactivate or limit the storage of cookies. Cookies already stored can be deleted at any time. This can also occur automatically. If cookies are deactivated for our website, not all functions of the website may be usable.

You can also deactivate web analysis via Matomo through the following link (Opt-Out):

Further information on the privacy settings of the Matomo software can be found at the following link: https://matomo.org/docs/privacy/

 

VI. Advertising trackers (third parties)

1. Microsoft Advertising (formerly Microsoft BING Ads)

a) Scope of data processing

This website uses the conversion tracking of Bing Ads (Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA). In the use of MS Bing Ads, data such as IP address, device and browser data, time of access, and information on visit and usage behavior are collected. If, for example, you clicked on a Bing ad, a cookie will be set on your computer. Through the used cookie, Microsoft creates pseudonymous usage profiles to measure the success of our advertising campaigns and to show targeted advertising.

b) Legal basis

The legal basis is Article 6 paragraph 1 letter a DSGVO in conjunction with § 25 paragraph 1 TDDDG, your consent that you provided to us via our consent banner and that can be revoked at any time.

Microsoft is located in the United States and is certified under the EU-US Data Privacy Framework (DPF) (see https://www.dataprivacyframework.gov/participant/6474). The adequacy decision is an agreement between the EU and the United States aimed at ensuring compliance with European data protection legislation in the processing of data in the United States. Data processing is also based on standard contractual clauses of the EU Commission. More details are also available here: https://learn.microsoft.com/de-de/compliance/regulatory/offering-eu-model-clauses

c) Purpose of data processing

The purpose of data processing is the analysis and optimization of our marketing and our offerings. Microsoft Advertising allows us to display advertisements when the user enters certain keywords on Bing (keyword targeting). Additionally, we can run targeted advertising campaigns based on user data collected by Microsoft (e.g., location data and interests) (audience targeting). We can analyze this data, for example, by examining which terms led to the display of our advertisements. The purpose of data processing is therefore to measure the success of our advertising campaigns, analyze user behavior, display personalized ads, and create pseudonymous profiles for managing and optimizing advertising measures.

d) Options for objection

You can revoke the consent given at any time. If you do not wish to participate in the tracking process described, you can also refuse the setting of necessary cookies through your browser settings. Deactivation can also occur via the following link: http://choice.microsoft.com/de/opt-out

Further information on data protection and the cookies used by Microsoft Advertising is available on Microsoft's website: https://privacy.microsoft.com/de-de/privacystatement

2. Google Analytics

a) Scope of data processing

Our website uses Google Analytics, a web analytics service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Analytics uses so-called "cookies" and web beacons, which allow us to analyze your use of the website. Google processes this information on our behalf so that we can evaluate your use of the website, generate reports on website activity, and provide additional services related to website and internet usage. The following data is collected: IP address (shortened and anonymized), date and time of access, duration of visit, page visited, source of visitors (e.g., referring website), device information (browser type, operating system, screen resolution).

The collected data is transferred to servers in the United States and stored there. However, the IP address transmitted by your browser in the context of Google Analytics is shortened by activating IP anonymization on our website before transmission within the EU/EEA. If a transfer to the United States occurs, it is based on the EU Commission's adequacy decision on the EU-US Data Privacy Framework (DPF). With this decision, for US companies certified under the DPF, such as Google LLC, a level of data protection comparable to that of the EU applies. We have also entered into a data processing agreement with Google under Art. 28 of the GDPR. User and event-level data linked to cookies, user identifiers (e.g., user ID), and advertising IDs (e.g., DoubleClick cookies, Android advertising ID, IDFA) are deleted no later than 14 months after their collection.

b) Legal basis

Processing takes place under Art. 6 para. 1 lit. a of the GDPR based on the consent voluntarily provided through our consent banner. Without your active consent, no analysis takes place through Google Analytics.

c) Purpose of data processing

The data collected through Google Analytics serves the following purposes:

  • Analysis of user behavior to improve the functionality and usability of our website
  • Optimization of content and marketing measures
  • Evaluation of the reach and impact of campaigns

The data helps us better understand website usage and develop relevant content.

d) Options for objection

You can revoke your consent to the use of Google Analytics at any time with effect for the future via our consent banner or modify it. You can also prevent the saving of cookies through an appropriate setting of your browser software. In this case, however, not all features of this website may be available.

Additionally, you can prevent the collection of data generated by cookies and related to your use of the website (including your IP address) by Google, as well as the processing of such data by Google, by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de

Further information on the terms of use and data protection of Google Analytics is available at:

3. Google Ads

a) Scope of data processing

We use "Google Ads" on our website, a service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

When you access our website through a Google ad, Google Ads stores a cookie on your device. This cookie contains certain analytical values such as a unique cookie ID, the number and timing of ad impressions, the last impression (relevant for so-called post-view conversions), and any opt-out information, your IP address (if necessary shortened), information about the browser and device.

Google can recognize through this cookie whether a user has clicked on an ad and subsequently visited a specific landing page. Cookies are not used for personal identification. Each Ads customer is assigned their own cookie. Therefore, tracking across different websites is not possible. Cookies generally have a limited validity (typically 30 days).

We only receive aggregated and statistical evaluations from Google, based on which we can measure the effectiveness of our ads. Personal data of users is not transmitted to us, so we cannot identify them.

As part of the service, your browser automatically establishes a direct connection to Google's server. This allows Google to become aware, if necessary, that you clicked on a corresponding ad or visited a specific page. If you are logged into Google, the visit can be associated with your account. Even if you are not logged in, it is possible that Google processes your IP address (if necessary in an anonymous form).

Since the transfer of personal data to the United States is not excluded, we have agreed with Google on standard contractual clauses under Art. 46 para. 2 lit. c of the GDPR to ensure an adequate level of protection. Additionally, the transfer occurs based on the EU-US Data Privacy Framework (DPF), for which Google LLC is certified. This adequacy decision ensures an adequate level of data protection.

b) Legal basis

The processing of your data takes place based on your consent under Art. 6 para. 1 sentence 1 lit. a of the GDPR, which is obtained through our consent banner and can be revoked at any time with effect for the future.

c) Purpose of data processing

The aim of using Google Ads is to show you personalized advertisements based on your interests and to analyze the effectiveness of our advertising campaigns (measuring and analyzing ad clicks and conversion rates). This way we can improve and make our marketing measures more relevant (optimizing our advertising activities).

d) Opt-out options

You can revoke your consent at any time through our consent banner. Additionally, you have several options to oppose the collection and processing of data within Google Ads:

  • Browser settings: You can prevent the saving of cookies by deleting existing cookies and disabling the saving of new cookies in your browser settings.
  • Blocking specific domains: You can configure your browser to block cookies from the domain www.googleadservices.com (https://www.google.de/settings/ads).
  • Opt-out for interest-based advertising: You can disable interest-based advertising on the page https://optout.aboutads.info .

Please note that the settings made may be reset if you delete your cookies.

Further information on Google's use of data and your individual setting options is available at:

4. YouTube

a) Scope of data processing

On our website, we integrate videos from the "YouTube" platform, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

When you start playing a YouTube video with your consent, cookies are set that collect information about user behavior. These include, among other things, your IP address, device information (screen resolution, browser type), videos viewed and time of viewing, referral URL, any information about your Google account (if you are logged into Google). According to YouTube, this data is used, among other things, for creating video statistics, improving usability, and preventing abusive activities.

If you are logged into Google, YouTube can directly associate your visit to our site with your account. To avoid this, you should log out of your Google account before playing the video. Google creates usage profiles based on this data and uses them for advertising purposes, market research, and/or to design its services according to needs - even for non-logged-in users.

Using YouTube may involve the transfer of personal data to Google LLC servers in the United States. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF). Based on the adequacy decision under Art. 45 of the GDPR, a sufficient level of data protection applies to certified U.S. companies like Google.

The transfer of data to the United States is therefore legally permitted, provided you have given your consent to processing via YouTube. Additionally, Google uses so-called standard contractual clauses to further ensure data security.

Further information on data processing by Google and YouTube is available at: https://policies.google.com/privacy

b) Legal basis

The legal basis for processing your personal data is your explicit consent under Art. 6 para. 1 sentence 1 lit. a GDPR. Without active consent, no video will be loaded and no connection to YouTube will be established.

Please note: for transfers to third countries like the United States, for which there is no adequacy decision and no adequate safeguards, there is a risk for your data. U.S. authorities (especially intelligence services) may access your data without effective legal remedies available. A level of data protection comparable to that of the GDPR cannot be guaranteed.

c) Purpose of data processing

The integration of YouTube videos serves to present our content in a multimedia way and to make our website more user-friendly and informative (e.g., through explanatory videos, product presentations, etc.). The data collected through cookies is used by Google to provide and optimize the service, as well as for creating usage statistics, profiling, and displaying personalized advertisements. We have no control over this further processing.

d) Opt-out options

You can revoke your consent at any time through our consent banner. Additionally, you have the right to oppose the creation of usage profiles by Google. You can also control, by logging out of your Google account or through the privacy settings in your Google account, what data Google and YouTube collect and how it is used. More information is also available here: https://myaccount.google.com/privacy

Since this data processing occurs through Google, please contact Google directly to exercise your right to object.

5. Google reCAPTCHA

a) Scope of data processing

We use the reCAPTCHA service from Google Ireland Limited (Google), Gordon House, Barrow Street, Dublin 4, Ireland, to protect against cyber attacks via bots. Google Ireland Limited is part of the Google corporate group headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The following data is processed by Google:

  • Page integrating reCAPTCHA
  • Referrer URL
  • User's IP address
  • End device settings (language, browser, location)
  • Duration of the visit
  • Mouse movements and keys pressed
  • Screen and window resolution
  • Time zone

Google calculates, based on user activities, how likely it is that the user is a human. Google sets - if not already present - a cookie in the user's browser and creates a fingerprint of the user that is recognized on other sites as well. More information is also available above in the cookie section. According to Google, the IP address is not combined with other Google data unless the user is logged into their Google account during use.

It is possible that Google Ireland also transmits data to the parent company in the United States. The parent company Google LLC is certified as a U.S. company under the EU-U.S. Data Privacy Framework. There is an adequacy decision under Art. 45 of the GDPR, so the transfer of personal data can also take place without further guarantees or additional measures.

b) Legal basis

We use Google reCAPTCHA based on your consent (Art. 6 para. 1 lit. a) GDPR in conjunction with § 25 para. 1 TDDDG) and our legitimate interest in cybersecurity (Art. 6 para. 1 lit. f) GDPR. You can revoke your consent at any time with effect for the future via our general contact channels. Additionally, you can delete all Google cookies and object to the processing of data. To obtain the deletion of data collected by Google, the user must contact Google support directly at https://support.google.com/?hl=en&tid=331732704293 contact.

Further information on the processing of data by Google reCAPTCHA can be found in Google's privacy policy https://policies.google.com/privacy?hl=en e https://www.google.com/recaptcha/

c) Purpose of data processing

Google reCAPTCHA serves to distinguish between human users and automated accesses (bots). The use protects our systems from cyber attacks. Here lies our legitimate interest, which outweighs your interests as a user, as you have the freedom to use our services.

 

VII. Newsletter / Advertising Emails / Messages

1. Description and scope of data processing

In the context of the order, you provide your email address. This email address or any new email addresses provided later will be used by us to send advertising emails for further products from Bannerstop GmbH, without the need for your consent.

There is also the possibility to subscribe to a free newsletter by clicking on an opt-in box. In this context, we also use your email address. In detail:

When you subscribe to our newsletter, we regularly send you information about our offers, services, and events (direct advertising). We use the so-called Double-Opt-In method. This means that we only send the newsletter via email after the user has explicitly consented to the sending of the newsletter and the tracking and analysis of the newsletter, and has subsequently clicked on an authentication link sent via email. This ensures that the provided email address actually belongs to the consenting party. Within the scope of consent, the user is informed about the use of data.

Advertising emails and newsletters are encrypted during transport, provided that your email provider supports TLS (Transport Layer Security) encryption.

In the context of sending the newsletter, we collect the following data:

  • Email address
  • Date and time of registration
  • Consent status
  • Delivery status of newsletter emails (successful/unsuccessful and date and time of delivery)
  • Openings of newsletter emails (date and time)
  • Bounces (failed deliveries, technical reasons)
  • Unsubscriptions (date and time of unsubscription)
  • Clicks on contained links (date, time, clicked link)

2. Legal basis for data processing

The legal basis for data processing without consent is § 7 para. 3 UWG. The legal basis after subscribing to the newsletter is Art. 6 para. 1 lit. a GDPR (your consent). The legal basis for storing the consent status is Art. 6 para. 1 lit. c) GDPR (legal obligation).

3. Purpose of data processing

The collection of your email address serves to send direct advertising or to deliver the newsletter. The additional data we collect in the context of sending the newsletter serves to protect against abuse and to demonstrate the consent given. Additionally, for statistical analysis purposes, it can be verified whether and when a newsletter email/ad was opened and which links may have been clicked. This serves to optimize our newsletter or advertising offering.

4. Recipients of the data

We use the company Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, for sending the newsletter, a company based in Germany that operates for us on the basis of a processing contract.

5. Duration of storage / right to object and deletion

Data is deleted as soon as it is no longer necessary for the purpose of its collection. Therefore, your email address will be kept as long as the newsletter subscription is active or until you object to direct advertising.

If you no longer wish to receive advertising emails or newsletters, you always have the option to object to the use of your email address for these purposes.

After unsubscribing from the newsletter, we will retain the associated registration data (e.g., registration date, confirmation, and unsubscription) for up to three years, in order to fulfill our proof obligations for legitimate sending. After that, this data will be deleted unless there are legal retention obligations.

For this purpose, each newsletter and each advertising email contains a corresponding link. You can also contact us at the specified address and object to the use of your email address, which occurs without consent. If you have given consent, you can revoke it at any time informally. After unsubscribing from the newsletter or objecting to direct advertising, the email address will be immediately removed from our newsletter/advertising distribution list, unless you have expressly consented to further use of your data or we reserve a use of the data that is legally permitted and of which we inform you in this statement.

6. Rights of the data subject

Regardless of the revocation of your consent to send the newsletter, you have the rights of the data subjects mentioned in this privacy policy under the GDPR. These include in particular the right to access, rectification, deletion, restriction of processing, as well as the right to data portability and the right to lodge a complaint with a supervisory authority.

 

VIII. Online store / execution of the contract

We provide an online store on our website, through which you can purchase our products.

1. Scope of data processing

a) Execution of the purchase

If you purchase products through our online store, we need the following personal data for the execution of the contract:

  • First and last name
  • Email address
  • Address / Country

In addition, we retain your consent to the terms and conditions along with the IP address and the date of submission of the consent statements.

b) Other forms

As part of our store, we also offer the following forms that you can use voluntarily.

  • Product samples
  • Precheck
  • Quick request
  • Callback request
  • Assembly
  • Live chat tickets
  • Complaints
  • Premium customer
  • Advertising material

We collect the mandatory data that you can find in the respective forms. These are marked with an asterisk.

2. Legal basis

The legal basis for data processing is Art. 6 para. 1 lit. b) GDPR (conclusion and execution of the contract), Art. 6 para. 1 lit. c GDPR (legal obligation), Art. 6 para. 1 lit. f GDPR (legitimate interest) and if you have provided us with consent for specific data processing Art. 6 para. 1 lit. a GDPR.

3. Purpose of data collection

The purpose of data processing is to process your request, or to execute the contract, for which we also have a legitimate interest. As part of the conclusion of the contract, we are obliged to process certain data to fulfill our legal obligations (e.g., under tax law, the HGB, etc.). Additional technical data serves to demonstrate your consents and to protect against abuse of our systems.

4. Data transfer

For the fulfillment of the contract, we transfer your data to the shipping company responsible for delivery, to the extent necessary for the delivery of the ordered goods. Depending on the payment service provider you choose in the ordering process, we transfer the collected payment data (including cart content, prices) to the credit institution responsible for payment and, if applicable, to the payment service providers we have commissioned or to the selected payment service. In part, the selected payment service providers also collect this data independently if you create an account with them.

In this case, you will need to log in to the payment service provider with your credentials in the ordering process. The privacy policy of the respective payment service provider applies. We transmit the data (e.g., cart amount) on the basis of Art. 6 para. 1 lit. b) GDPR for the fulfillment of the contract, as the payment service provider can only process the transaction if it receives the necessary information from us. This concerns all data that is strictly necessary for processing the payment. Since payment service providers act independently, we do not enter into any processing contract with them.

We use in detail:

 

4.1. Mondu

We offer our business customers the following payment methods via Mondu:

  • Purchase on invoice
  • Installment payment
  • Direct debit

If you choose this payment method, we will initially transfer the credit to the collaborating financial institution Mondu Financial Services B.V., which will transfer the credit to Mondu Capital S.à r.l. Mondu GmbH, Unter den Linden 16, 10117 Berlin (hereinafter "Mondu") mediates the purchase on invoice. As part of the transaction processing, Mondu also performs a credit check. Mondu acts fully responsibly.

If you have selected this payment method, we will transmit the following personal data to Mondu:

  • First and last name
  • Email address
  • Billing address
  • Delivery address
  • IP address including browser and device information
  • Cart number
  • Payment amount

The processing of data serves to process the selected payment method. The collected data cannot be used or stored for purposes other than those listed. The legal basis for the processing of personal data is Art. 6 para. 1 lit. b) GDPR and also Art. 6 para. 1 lit. f) GDPR. Since you choose the payment service provider yourself, you are transparently informed about the processing of data and the processing of payment through a professional payment service provider is also in your interest, our legitimate interests prevail over your rights and freedoms.

During the purchasing process, Mondu performs an identity and credit check and verifies whether the customer in question has open invoices through Mondu's purchase on invoice or has exceeded a payment limit. These processes are outside our area of influence. In this context, Mondu or partner companies commissioned by Mondu may transmit your personal data to credit agencies (information agencies), such as SCHUFA Holding GmbH, and receive information from them, as well as any information on creditworthiness based on mathematical-statistical methods. For this purpose, your payment data is transmitted to information agencies pursuant to Art. 6 para. 1 lit. f GDPR based on Mondu's legitimate interest in determining your payment capacity and preventing fraud. The result of the credit check regarding the statistical probability of insolvency is used by Mondu to decide on the provision of the respective payment method. Upon successful completion of the ordering process, Mondu will send you an email with the relevant information about your purchase. Otherwise, you can choose an alternative payment method. The servers of some of the service providers used by Mondu are located in the United States and other countries outside the European Union and thus in unsafe third countries. In these cases, Mondu ensures adequate protection of your personal data through contractual regulations or other recognized instruments. The retention period is the length of time during which the collected data is stored for processing. Data is deleted as soon as it is no longer necessary for the stated processing purposes.

Further information on Mondu's data protection regulations is available at: https://www.mondu.ai/de/gdpr-notification-for-buyers/

 

4.2. Paypal

The PayPal and PayPal Express payment methods are managed by PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg as the data controller. If you have selected this payment method, you must transmit the following personal data to PayPal (Europe) S.à r.l. & Cie, S.C.A. to complete the payment processing:

  • Cart number
  • Total order amount
  • Order details
  • Delivery address
  • Billing address

If you have registered your PayPal account in our store, you can also access (via PayPal) your PayPal account email address.

At bannerstop, PayPal directly transmits the information whether the selected payment method has been accepted or not.

The processing of data serves to process the selected payment method. The collected data cannot be used or stored for purposes other than those listed. The legal basis for the processing of personal data is Art. 6 para. 1 lit. b) GDPR and Art. 6 para. 1 lit. f) GDPR. Since you choose the payment service provider yourself, you are transparently informed about the processing of data and the processing of payment through a professional payment service provider is also in your interest, our legitimate interests prevail over your rights and freedoms.

Further information on PayPal's data protection is available at https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE. Otherwise, you can contact PayPal (Europe) S.à r.l. & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg directly.

 

4.3. Payone

Payments made by credit card, Giropay, Sofortüberweisung (Klarna), and PayPal are processed through PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main (hereinafter: "PAYONE"). PAYONE is therefore a responsible company under data protection law.

For payment processing, we transmit personal data to PAYONE in relation to the payment process. The categories of data transmitted depend on the chosen payment method.

The legal basis for the associated data processing is Art. 6 para. 1 lit. b GDPR, as the processing of your data is necessary for the fulfillment of the agreement regarding the payment of your purchase through a payment service supported by PAYONE. In addition, the processing of data occurs based on legitimate interest pursuant to Art. 6 para. 1 lit. f) GDPR. The legitimate interests particularly concern the prevention of payment defaults (protection against economic risks), simplifying payment processes, and optimizing costs in the interest of all. Since you choose the payment service provider yourself, you are transparently informed about the processing of data and the processing of payment through a professional payment service provider is also in your interest, our legitimate interests prevail over your rights and freedoms.

In the processing of payments through PAYONE, your data may also be transmitted to service providers in third countries outside the European Economic Area (USA, Japan, and China). We inform you that in these countries there may be a lower level of data protection than within the EU/EEA. PAYONE transmits personal data to third countries only if necessary for the fulfillment of contractual obligations or to safeguard legitimate interests or if otherwise required by law. To ensure an adequate level of data protection in third countries, there are either an adequacy decision from the EU Commission or adequate and appropriate safeguards in the form of EU standard contractual clauses or there is a legal exception (Art. 49 GDPR) that justifies the transmission of data even in the absence of an adequacy decision or appropriate safeguards.

Further information on data protection at PAYONE is available at https://a.storyblok.com/f/64176/x/eb06cbbb08/payone-information-zu-datenverarbeitung-gemaess-art-14-dsgvo-2021-08.pdf and at https://www.payone.com/DE-de/datenschutz.

5. Retention period / right to object

We will delete your personal data after the cessation of the above-mentioned purpose, unless we are legally obliged to retain it (for example, for tax reasons under the tax code or VAT law). As a rule, we must retain invoices and accounting documents for 10 years, commercial and business letters for 6 years. Regarding your rights to object, please read the section "Your rights as a data subject."

 

IX. Registration / Customer account

If you wish to open a customer account, you can voluntarily register on our website.

1. Description and scope of data processing

The following data is collected and stored as part of the registration process:

  • First and last name
  • Email address
  • Phone number
  • Address / Country

At the time of registration, the following data is also stored:

  • The user's IP address
  • Date and time of registration

Within the customer account, it is therefore possible to permanently store additional data (e.g., contact details) for the execution of the contract.

2. Legal basis for data processing

The legal basis is your consent pursuant to Art. 6 para. 1 lit. a GDPR. Additionally, there is also a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. This particularly applies to the technical data collected at the time of registration. If the registration is necessary for the fulfillment of a contract to which the user is a party or for the execution of pre-contractual measures, the additional legal basis is Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

Opening a customer account serves to simplify the execution of the contract or to simplify the ordering process for the user. Especially for regular orders, it is in the user's interest not to have to provide all contact details again each time. This requires, due to the remote data connection, a customer registration so that they can be recognized by our system. The collection of additional technical data serves to protect against abuse. Our legitimate interest is also found in the above.

4. Duration of storage / right to object

If you wish to delete your customer account, please send us an email to [email protected]. We will delete the account immediately.

If the data is necessary for the fulfillment of a contract or for the execution of pre-contractual measures, early deletion of the data is only possible to the extent that there are no contractual or legal obligations opposing deletion.

 

X. Contact form and contact via email

1. Description and scope of data processing

Our website has a contact form that can be used for electronic contacts. If a user uses this option, the data entered in the input mask is transmitted and stored. This data includes:

  • First and last name
  • Email address

At the time of sending the message, the following data is also stored:

  • IP address
  • Date and time of sending

For data processing, in case of using the contact form, reference is made to this privacy policy.

Alternatively, you can contact the provided email address. In this case, the user's personal data transmitted with the email is stored.

The data is used exclusively for processing the conversation.

2. Legal basis for data processing

The legal basis for data processing is Art. 6 para. 1 lit. f GDPR (our legitimate interest). If the contact via email aims at concluding a contract, the additional legal basis for processing is Art. 6 para. 1 lit. b GDPR.

3. Purpose of data processing

The processing of personal data serves exclusively to manage the contact. Here is also the legitimate interest necessary for data processing. The other personal data processed during the sending process serves to prevent abuse of the contact form and to ensure the security of our IT systems. Since you have the freedom to contact us and we inform transparently about data processing, our legitimate interests in data processing prevail over your rights and freedoms.

4. Duration of storage

The data is deleted as soon as it is no longer necessary for the purpose of its collection. For the personal data of the input mask of the contact form and those transmitted via email, this occurs when the respective conversation with the user has ended. The conversation is considered concluded when it is clear from the circumstances that the matter in question has been definitively clarified.

The personal data collected during the sending process will be deleted at the latest after a period of seven days.

 

XI. Chat

If you have questions about our products or need assistance, we offer you a live chat. For our live chat, we use a service called tawk.to, Inc., 187 E Warm Springs Rd, SB298, Las Vegas, Nevada 89119, USA (hereinafter: tawk.to). The messages you send us may be stored in the tawk.to ticket system or may be responded to by our employees in the live chat. Alternatively, you can also use our telephone support.

1. Scope of data processing

When you use the chat function, we collect and store the following data:

  • Name
  • Email address
  • IP address
  • Browser
  • Content of the communication / Your request (chat contents)
  • Date / Time of the chat
  • Data voluntarily provided by the user (e.g., for subsequent contact)
  • Technical information (browser type, device type, language settings, referral URL)

The transfer of data to the United States is based on the standard contractual clauses of the EU Commission (Form 2 'Standard contractual clauses for processors') and is carried out in an encrypted manner. Details are available here: https://www.tawk.to/privacy-policy/ e https://www.tawk.to/data-protection/gdpr/.

Further information is available in the tawk.to privacy policy: https://www.tawk.to/privacy-policy/ e https://www.tawk.to/data-protection/

If you use our phone support, we store the data you provide. We may also store, for documentation purposes, the time and date and the content of your request.

2. Legal basis

The legal basis for using the chat is Art. 6 para. 1 lit. f) GDPR (our legitimate interest in effective and quick customer service). If you use the chat to conclude a contract or to clarify pre-contractual questions, Art. 6 para. 1 lit. b) GDPR is the additional legal basis. The same applies to the processing of data by phone support.

3. Purpose of data processing

The purpose of data processing is to process your request and the associated communication, as well as to provide customer service as effectively and quickly as possible through individual consultations and, if necessary, tracking support requests to improve our offering or fulfill the contract. The further collection of technical data during the use of our chat serves to protect against abuse and the security of our IT systems. Here lies our legitimate interest as well. Since you have the freedom to use our chat and we transparently inform about data processing, our interests prevail over your rights and freedoms.

4. Duration of storage / right to object

Chat conversations will be deleted 30 days after the first storage. If you wish for an early deletion, please contact us via our email or contact form.

 

XII. Trusted Shops

To display our Trusted Shops quality seal - and any reviews collected, as well as for the offer of Trusted Shops products for buyers after an order - the Trusted Shops Trustbadge is integrated on this website. The Trustbadge and the advertised services are an offer from Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne.

1. Scope of data processing

When the Trustbadge is called, the web server automatically stores a so-called server log file, which contains, for example, your IP address, the date and time of the request, the amount of data transferred, and the requesting provider (access data), information about the browser, any order information, and documents the request.

Further personal data is only transferred to Trusted Shops if you have given your consent, if you decide to use Trusted Shops products after completing an order, or if you have already registered for use. In this case, the contractual agreement made between you and Trusted Shops applies.

2. Legal basis

The legal basis is our legitimate interest under Art. 6 para. 1 lit. f) GDPR, insofar as only static content (logo, seal image) is called. The integration of the Trusted Shops quality seal and the associated data processing only occurs with your prior consent under Art. 6 para. 1 lit. a) GDPR, which you provide through our consent management tool.

3. Purpose of data processing

Data processing occurs for the following purposes:

  • Visibility and display of the Trusted Shops quality seal
  • Integration of customer reviews
  • Technical provision and security of the application
  • Enabling the protection of Trusted Shops buyers after purchase
  • Possible sending of evaluation invitations (only with your active consent after purchase)

Trusted Shops acts – to the extent necessary for the display of the seal or for providing functions such as buyer protection – as an independent controller under data protection law.

We use the seal for marketing purposes of our offering and to ensure quality in the interest of the user. The user can get an idea of our seriousness through the evaluations and inform themselves about our services from other buyers. Here lies our legitimate interest.

4. Duration of storage / right to object

The retention period of the processed data depends on the specific purpose, in particular:

  • IP addresses and technical access data are processed only in the short term and exclusively to ensure secure operation.
  • Your data related to buyer protection or an invitation to rate is retained only to the extent necessary for the execution of the service.
  • Cookies and similar technologies from Trusted Shops are set only with your consent and can be revoked at any time via our consent tool.

You have the right to revoke any consent already given at any time with effect for the future. A corresponding revocation is possible through our cookie settings.

Further information on the data protection statement of Trusted Shops GmbH can be found at the following address: https://www.trustedshops.de/impressum-datenschutz/#datenschutz

 

XIII. Social Media

On our website, we offer buttons for Facebook, Instagram, and Twitter. We would like to point out that these are simple links. If you click on one of the buttons, you leave our website. If you wish to inform yourself about the subsequent processing of data, please read the privacy policy of the respective provider.

 

XIV. Content Delivery Network & Web Application Firewall

1. Description and scope of data processing

We use Cloudflare on our website, a service of Cloudflare, Inc., 101 Townsend St, 94107 San Francisco, United States, Email: [email protected], website: https://www.cloudflare.com/de-de/. Personal usage data, such as your IP address and the times of your visits to our website, browser and device information, transmitted content (requested files, scripts), any security and performance log data are transmitted to the nearest Cloudflare server to identify and monitor failures or abuses of our online offerings and to ensure the functionality of our website.

Cloudflare is a US company. There may be a transfer of personal data to the United States. Cloudflare is certified under the EU-U.S. Privacy Shield framework, thus ensuring an adequate level of data protection according to Art. 45 GDPR. Alternatively, Cloudflare ensures compliance with data protection provisions through standard contractual clauses and additional contractual and organizational measures.

2. Legal basis for data processing

The legal basis is our legitimate interest under Art. 6 para. 1 lit. f. GDPR.

3. Purpose of data processing

The purpose of data processing is to ensure the functionality and lasting security of our systems and to provide you with the content of our website quickly and without interruptions. Cloudflare operates a so-called content delivery network, which, in addition to distributing the website across multiple servers, also provides security functions. In summary, these are the following purposes:

  • Stable delivery of the content of our website
  • Protection against attacks
  • Optimized loading times
  • Error analysis and technical support in case of access problems

In these purposes also resides our legitimate interest, which outweighs your rights and freedoms, as we have no other means to achieve the pursued purposes and the data processing is ensured through standard contractual clauses and the adequacy decision.

4. Duration of retention / possibility of revocation and removal

Data is generally processed and retained only for as long as necessary for the mentioned purposes (operational security, performance). Cloudflare retains log data generally in the short term, for example for hazard prevention or analysis purposes, unless there are contrary legal retention obligations.

Further information on data processing can be found in Cloudflare's privacy policy at the following address: https://www.cloudflare.com/privacypolicy/.

 

XV. Rights of the data subject

If your personal data is processed, you are a data subject under the GDPR and have the following rights:

1. Right of access

You can request confirmation from us whether personal data concerning you (hereinafter referred to as "your data") is being processed by us.

If such processing is ongoing, you can request information on the following:

  1. the purposes for which your personal data is processed;
  2. the categories of personal data that are processed;
  3. the recipients or categories of recipients to whom your data has been or will be disclosed;
  4. the expected duration of retention of your data or, if specific information cannot be provided, the criteria for determining the duration of retention;
  5. the existence of a right to rectification or deletion of your data, a right to restriction of processing by us, or a right to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information on the source of the data, if the personal data has not been collected from the data subject;
  8. the existence of automated decision-making, including profiling under Article 22 paragraphs 1 and 4 of the GDPR and - at least in these cases - significant information about the logic involved, as well as the significance and expected consequences of such processing for the data subject.

You have the right to request information if your data is transferred to a third country or to an international organization. In this context, you can request to be informed about the appropriate safeguards under Article 46 of the GDPR in relation to the transfer.

2. Right to rectification

You have the right to rectify and/or complete your data if it is inaccurate or incomplete. We must proceed with the rectification without delay.

3. Right to restriction of processing

You may request the restriction of processing of your data under the following conditions:

  1. If you contest the accuracy of your data for a period that allows us to verify the accuracy of the data;
  2. The processing by us is unlawful, you refuse the deletion of your data by us and instead request the restriction of use;
  3. We no longer need your data for the purposes of processing, but you need it to assert, exercise or defend legal rights, or
  4. If you have objected to the processing under Article 21 paragraph 1 of the GDPR and it is not yet clear whether our legitimate grounds override your grounds.

If the processing of your data has been restricted, it may be processed - apart from its storage - only with your consent or to assert, exercise or defend legal rights or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or a Member State.

If the restriction of processing has been imposed under the above-mentioned conditions, you will be informed by us before the restriction is lifted.

4. Right to erasure

a) Obligation to erase

You may request that your data be erased without delay. We are obliged to erase this data without delay if one of the following reasons applies:

  1. Your data is no longer necessary for the purposes for which it was collected or processed in another manner.
  2. You revoke your consent on which the processing is based under Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a of the GDPR, and there is no other legal basis for the processing.
  3. You object to the processing under Article 21 paragraph 1 of the GDPR and there are no overriding legitimate grounds for the processing, or you object under Article 21 paragraph 2 of the GDPR.
  4. Your data has been processed unlawfully.
  5. The erasure of your data is necessary to comply with a legal obligation under Union law or the law of the Member States to which we are subject.
  6. Your data has been collected in relation to the services of the information society under Article 8 paragraph 1 of the GDPR.

b) Information to third parties

If we have made your data public and we are obliged under Article 17 paragraph 1 of the GDPR to erase it, we take appropriate measures (also of a technical nature) to inform the controllers who also process your data that you have requested the erasure of all links to your data or copies or replications of this personal data.

c) Exceptions

The right to erasure does not exist to the extent that processing is necessary:

  1. for the exercise of the right to freedom of expression and information;
  2. to comply with a legal obligation requiring processing under Union law or the law of the Member States to which we are subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
  3. for reasons of public interest in the area of public health under Article 9 paragraph 2 letters h and i, as well as Article 9 paragraph 3 of the GDPR;
  4. for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes under Article 89 paragraph 1 of the GDPR, insofar as the right mentioned in section a) makes it impossible or seriously impairs the achievement of the objectives of that processing, or
  5. to assert, exercise or defend legal rights.

5. Right to information

If you have asserted the right to rectification, erasure or restriction of processing against us, we are obliged to inform all recipients to whom your personal data has been communicated of the rectification, erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort for us.

You have the right to be informed by us about these recipients.

6. Right to data portability

You have the right to receive your data from us in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from us, provided that

  1. the processing is based on consent under Article 6 paragraph 1 letter a GDPR or Article 9 paragraph 2 letter a GDPR or on a contract under Article 6 paragraph 1 letter b GDPR and
  2. the processing is carried out by automated means.

You also have the right for your data to be transmitted to another controller, to the extent that this is technically feasible. However, the freedoms and rights of other persons must not be compromised.

This right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

7. Right to object

You have the right to object at any time to the processing of your data, which is carried out under Article 6(1)(e) or (f) GDPR, for reasons related to your particular situation; this also applies to profiling based on these provisions.

We will no longer process your data unless we can demonstrate overriding legitimate grounds for the processing that outweigh your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes; this also applies to profiling, to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

You have the option to exercise your right to object in relation to the use of information society services - regardless of Directive 2002/58/EC - through automated procedures that use specific techniques.

8. Right to withdraw consent regarding data protection

You have the right to withdraw your consent statements regarding data protection at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority if you believe that the processing of your data violates data protection law.

The supervisory authority with which the complaint has been lodged informs you, as the complainant, about the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

 

XVI. IT Security

To protect the security of your data during transmission, we use the so-called TLS encryption method (128-bit key, TLS 1.3), which you can recognize by the padlock icon in the address bar of the URL of our website. Additionally, we protect our IT systems with firewalls and antivirus.

 

Date: April 2026  

Contact