Data protection declaration

Welcome to our website. Below you will find our data protection declaration:


Contents:


I. General information


1. Contact details of the person responsible
2. contact data of our data protection officer


II. Specific information regarding the processing of personal data


1. Visiting our website
2. Cookies
3. Execution of contracts
4. Contact form, e-mail, fax or telephone contact
5. Customer account
6. Live-Help/Chat
7. Direct Marketing
8. Newsletter
9. YouTube
10. Blog
11. Google AdWords
12. Microsoft Bing Ads
13. Twitter Ads
14. Google Analytics
15. IntelliAd
16. Visual Website Optimizer (VWO)
17. Facebook-, Instagram-, YouTube-, Twitter-, Google+ Buttons
18. Facebook-Tracking
19. Cloudflare
20. Single Sign-On and Payment-Services
21. Mixpanel
22. Customer support tools
23. Phone Tracking


III. Rights of the data subject


1. Right to information according to Art. 15 GDPR
2. Right to correction in accordance with Art. 16 GDPR
3. The right to cancellation in accordance with Art. 17 GDPR
4. Right to limitation of processing in accordance with Art. 18 GDPR
5. Right to information in accordance with Art. 19 GDPR
6. Right to Data Transferability Art. 20 GDPR
7. Right of objection according to Art. 21 GDPR
8. Automated decisions in individual cases incl. profiling according to Art. 22 GDPR
9. Right of appeal to a supervisory authority pursuant to Art. 77 GDPR
10. Right to an effective judicial remedy under Article 79 of the GDPR

 

I. General information


1. Contact details of the person responsible


Name: orderbird AG
Str.: Ritterstraße 12-14, Aufg. 3
Postcode, City: 10969 Berlin
Phone: 030 208 983 099
Fax.: 0321 214 681 89
Email: [email protected]


2. contact data of our data protection officer


Name: kedapro UG (haftungsbeschränkt)
Str.: Adlerstraße 63
Postcode, City: 40211 Düsseldorf
Tel.: +49 211 97 63 01 90
Email: [email protected]
Website: https://www.kedapro.com
 

 

II. Specific information regarding the processing of personal data


1. Visiting our website


a) Purpose of data processing


Every time a user accesses a page of our website and every time a file stored on the website is
accessed, access data about this process is stored in a log file. Each data record consists of:
(1) the page from which the file was requested,
(2) the name of the file,
(3) the date and time of the request,
(4) the amount of data transferred,
(5) the access status (file transferred, file not found, etc.),
(6) a description of the type of operating system and web browser used,
(7) referrer URL,
(8) Host name of the accessing computer,
(9) the client IP address.
We use this data to operate our website, in particular to determine the utilization of the website as
well as malfunctions of the website and to make adjustments or improvements. The client IP address
is used for the purpose of transmitting the requested data; it will be made anonymous by deleting the
last digit block (Ipv4) or the last octet (Ipv6) once the technical requirement no longer applies.

b) Duration of storage


The data is stored each time a user accesses a page of our website and each time our website is
accessed and is deleted as soon as it is no longer required for the purpose of collection, which is the
case at the latest three months after the website visit.


c) Legal basis


The temporary storage of the aforementioned data is carried out on the legal basis of Art. 6 para. 1
letter f of the General Data Protection Regulation (hereinafter "GDPR"). The legitimate interest lies in
the provision of our website and the examination of misuse.


d) Possibility of objection and elimination


By refraining from using our website, the data subject may object to the processing and, subject to
the conditions described in more detail in the "Rights" section below, request the deletion of data
collected with regard to him by means of an informal request.

 

2. Cookies


a) Purpose of data processing

In order to make a visit to our website and the order process technically possible, we transfer so-
called cookies to the end device of the person concerned. Cookies are small text files that can be
used to identify the end device of the person concerned, usually by collecting the name of the
domain from which the cookie data was sent, information about the age of the cookie and an
alphanumeric identifier. By storing the cookie on the device used - without interfering with the
operating system - it is recognized again and enables us to make any settings available immediately.
We use this information to adapt our website and services offered to your needs and to accelerate the
access to our website.

b) Duration of storage


The storage period of the various cookies varies, but does not exceed two years. They are stored on
your local device, not on our server, so the actual deletion time depends on how your browser
software is configured. Please refer to the operating instructions of your browser software to find out
how you can delete cookies set by us on specific occasions or automatically.


c) Legal basis


The storage of the aforementioned data is based on Art. 6 para. 1 lit. f GDPR. The legitimate interest
for the setting of cookies is on the one hand to be able to optimize the quality of our website through
an analysis of user behaviour and on the other hand to enable the visit of our website; in particular,
some functions on our website cannot be used without cookies, because otherwise the user and his
settings already made would not be recognized when changing pages, language settings would be
lost and searches could not be executed. Furthermore, the data is stored on the legal basis of Art. 6
para. 1 lit. b GDPR for the execution of possible contracts with the visitor.


d) Possibility of objection and elimination


The person concerned can block the use of cookies in the terminal device used or delete them after
use. Under certain circumstances, however, individual functions of our website may not be usable.
How cookies can be blocked and cookies that have already been saved can be deleted is detailed in
the instructions of your browser software.

3. Execution of contracts


a) Purpose of data processing


Name, address, bank details, e-mail address, telephone number and the client IP address at the time
of placing a customer order are collected, stored and processed for the purpose of establishing or
executing a contract with the visitor, which includes in particular the billing and processing of the
contract.
The personal data will only be passed on to third parties if this is necessary for the execution of the
contract, for example when commissioning a mail order company or using a payment service provider.


b) Duration of storage


The data will be deleted as soon as they are no longer necessary for the purposes for which they were
collected or otherwise processed. This period is five years for personal data subject to § 147 AO
(Abgabenordnung, German Fiscal Code) and ten years for personal data subject to § 257 HGB
(Handelsgesetzbuch, German Commercial Code). The periods begin at the end of the calendar year in
which the data was collected.


c) Legal basis


The aforementioned data is stored on the legal basis of Art. 6 para. 1 lit. b and lit. c GDPR in order to
fulfil the obligations arising from contracts and to provide the services required for the execution of
the contract.


d) Possibility of objection and elimination


Since we are bound by statutory retention periods and the data must be stored and processed for
contract execution, an objection or deletion is not possible.

 

4. Contact form, e-mail, fax or telephone contact


a) Purpose of data processing


A contact form is available on the website. The person concerned can contact us electronically and we
can process the request. The following data is collected and stored: name, address, e-mail address,
telephone number, date and time of the request and the description of the request.
A user can contact us by e-mail, fax or telephone. We store the data transmitted to us and provided
by the person concerned for processing the request. These data are name, address, e-mail address,
telephone and/or fax number, date and time of the inquiry and the description of the request, if
necessary contract data, if the inquiry takes place in the context of a contract admission or -
completion.
The data will not be passed on to third parties. They are used to process the contact request of the
person concerned.


b) Duration of storage


As soon as the data is no longer necessary to achieve its purpose, it is deleted, which is the case when
the conversation has been completed and the facts have been clarified and there are no contractual
or tax retention periods to the contrary. This period is five years for personal data subject to § 147 AO
and ten years for personal data subject to § 257 HGB. The periods begin at the end of the calendar
year in which the data was collected.


c) Legal basis


The aforementioned data is stored on the legal basis of Art. 6 para. 1 lit. b GDPR as part of a contract
initiation or fulfilment or in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest of the
responsible person is to be able to process the contact request and to prevent misuse of the contact
request.


d) Possibility of objection and elimination


The person concerned has the right to object to the storage at any time. The data stored for the
operation is then deleted. If a contract has been concluded, the above explanations regarding the
"execution of contracts" shall apply.

 

5. Customer account


a) Purpose of data processing


The person concerned can register a customer account with us by providing personal data that is
transmitted to us. The data entered in the input mask or otherwise collected is stored. These are
name, e-mail address, IP address, date and time of registration. Registration is necessary to provide
certain content and services and also serves to establish and fulfil our contract with the person
concerned.


b) Duration of storage


As soon as the data are no longer necessary to achieve the purpose, they are deleted. If you register
without concluding another contract, this is the case if the registration is deleted or the data is
changed. In the case of a registration, which leads to a further contract conclusion, the data are
deleted as soon as the legal and tax-legal defaults permit a deletion of contract data. This period is
five years for personal data subject to § 147 AO and ten years for personal data subject to § 257
HGB. The periods begin at the end of the calendar year in which the data was collected.


c) Legal basis


The aforementioned data is stored pursuant to Art. 6 para. 1 lit. b GDPR in the context of contract
fulfilment or initiation or pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest is to be able to
provide certain content and services for the benefit of the user.


d) Possibility of objection and elimination


The person concerned has the option of deleting the registration or adapting the data at any time.
The account will be deleted or changed by notifying the contact named under S. I. There is no
possibility of objection or removal of the registration and the data if the registration was used to
establish or execute a contractual relationship; only the account can be deleted here. The account will
be deleted using the above steps.

 

6. Live-Help/Chat


a) Purpose of data processing


A user can also contact us via chat. We store the data transmitted to us and provided by the person
concerned for processing the request. These data are name, e-mail address, date and time of the
inquiry and the description of the request, if necessary contract data, if the inquiry takes place in the
context of a contract admission or - completion.
The data will not be passed on to third parties. They are used to process the contact request of the
person concerned.


b) Duration of storage


As soon as the data is no longer necessary to achieve the purpose, it is deleted, which is the case
when the conversation has been completed and the facts have been clarified and there are no
contractual or tax retention periods to the contrary. This period is five years for personal data subject
to § 147 AO and ten years for personal data subject to § 257 HGB. The periods begin at the end of
the calendar year in which the data was collected.


c) Legal basis


The aforementioned data is stored on the legal basis of Art. 6 para. 1 lit. b GDPR as part of a contract
initiation or fulfilment or in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate interest of the
responsible person is to be able to process the contact request and to prevent misuse of the contact
request.


d) Possibility of objection and elimination


The person concerned has the right to object to the storage at any time. The data stored for the
operation is then deleted. If a contract has been concluded, the above explanations regarding the
keyword "execution of contracts" shall apply.

 

7. Direct Marketing


a) Purpose of data processing


We will use the data received from the data subject in connection with the sale of a product or service
for direct advertising for our services and products. In the case of email addresses, this only applies to
similar goods or services of our own and if the person concerned has not objected to their use, which
is pointed out during data collection (among other things herewith); in addition, the possibility of
objection is pointed out for each use.


b) Duration of storage


As soon as the data are no longer necessary to achieve the purpose, they will be deleted, which is the
case if the person concerned has objected to direct advertising or if the time lapse after the last
advertising measure requires this with reference to the right of objection, which is the case after
twelve months after the last advertising measure.


c) Legal basis


The legal basis for advertising after a purchase of goods or use of services is Art. 6 para. 1 lit. f GDPR.
Direct advertising for sales promotion is of legitimate interest.


d) Possibility of objection and elimination


The person concerned can object to the use at any time for the future without incurring any costs
other than the transmission costs according to the basic tariffs.

 

8. Newsletter


a) Purpose of data processing


It is possible to subscribe to a newsletter. If the person concerned registers for our newsletter, the
data stored regarding the person concerned during registration will be transmitted to us from the
input mask. This is your e-mail address, name, IP address, time and date of registration. The data
collected is required in order to be able to send the newsletter.


b) Duration of storage


The data will be deleted as soon as the data is no longer necessary to achieve the purpose and the
person concerned has unsubscribed from the newsletter. According to this, they are stored for ten
years from the last newsletter dispatch for the purpose of proof in the event of queries regarding
existing consents, taking into account the statute of limitations.


c) Legal basis


The aforementioned data will only be stored on the legal basis of Art. 6 para. 1 lit. a GDPR with prior
consent within the framework of the notification. A possible revocation of the consent at any time
does not affect the legality of the processing of personal data based on the consent until revocation.


d) Possibility of objection and elimination


The use of the data to subscribe to the newsletter can be revoked at any time with effect for the
future by unsubscribing from the newsletter without incurring any costs other than the transmission
costs according to the basic rates. This can be done by informal request to us. If the person
concerned wishes to unsubscribe from the newsletter, he or she will find a correspondingly marked
link in each newsletter, for example, which he or she only has to click on.

 

9. YouTube


a) Purpose of data processing


We use the YouTube embedding function to display and play videos of the provider "YouTube",
YouTube LLC, 901 Cherry Ave, San Bruno, CA 94066, USA, which is represented by Google LLC. 1600
Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
When a YouTube video page is accessed, a connection is established to YouTube's servers, which is
assigned to the user's personal profile and informs them of the pages visited on the website when
they are logged in with their YouTube account. You can prevent this by logging out of your YouTube
account beforehand.


b) Duration of storage


Information on data protection and the storage of personal data at "YouTube" can be found in the
provider's data protection declaration at https://www.google.de/intl/de/policies/privacy.


c) Legal basis


The use of YouTube serves to protect our legitimate interest in an appealing presentation of our
website in accordance with Art. 6 Para. 1 S. 1 lit. f GDPR.


d) Possibility of objection and elimination


At https://adssettings.google.com/authenticated you will find an opt-out function.

 

10. Blog


a) Purpose of data processing


In our blog, in which we publish various articles on topics related to our business, a user can make
public comments.
These are published under the name specified. User name and e-mail address are required, all other
information is voluntary. Furthermore, the IP address is stored.
The storage is necessary in order to be able to defend us against liability claims in cases of possible
publication of illegal content. We need your e-mail address in order to contact you if a third party
should object to your comment as unlawful.

 

b) Duration of storage


The data is stored with each user comment and deleted as soon as it is no longer required for said
purposes, which is the case at the latest three months after the publication of the comment.


c) Legal basis


The aforementioned data is stored in accordance with Art. 6 para. 1 lit. f GDPR. The legitimate
interest lies in the provision of our blog and in order to prevent misuse of the comment function.


d) Possibility of objection and elimination


The person concerned has the right to object to the storage at any time. The data stored for the
operation is then deleted.

 

11. Google AdWords


a) Purpose of data processing


We use Google Adwords to draw attention to our products and services on external websites. For this
purpose, we use ad server cookies, through which certain parameters for measuring success, such as
the insertion of ads or clicks by users, can be measured. If you access our website via a Google ad,
Google Adwords stores a cookie on your device. These cookies usually expire after 30 days and are
not intended to identify you personally. For this cookie, the unique cookie ID, number of ad
impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-
out information (mark that the user no longer wishes to be addressed) are usually stored as analysis
values. These cookies enable Google to recognize your internet browser. If a user visits certain pages of an
Adwords customer's website and the cookie stored on their terminal has not yet expired, Google and
the customer can recognize that the user has clicked on the ad and has been redirected to this page.
Each Adwords customer is assigned a different cookie. Cookies cannot therefore be traced via the
websites of Adwords customers.
We do not collect and process any personal data in the aforementioned advertising measures. We
only receive statistical evaluations from Google. On the basis of these evaluations we can recognize
which of the used advertising measures are particularly effective. We do not receive any further data
from the use of advertising material; in particular, we cannot identify users on the basis of this
information.
Due to the marketing tools used, your browser automatically establishes a direct connection to the
Google server. We have no influence on the extent and the further use of the data which are raised by
the use of this tool by Google and inform you therefore according to our knowledge: By the
integration of AdWords conversion Google receives the information that you visited the appropriate
part of our Internet appearance or clicked an advertisement of ours. If you are registered with a
Google service, Google may associate your visit with your account. Even if you are not registered with
Google or have not logged in, it is possible that the provider may obtain and store your IP address.
For more information about Google AdWords' privacy policy, please visit the following web address
https://policies.google.com/technologies/ads?hl=en


b) Duration of storage


The cookie is valid for 30 days and will be deleted after expiration if you do not delete it yourself - for
example by suitable settings of your browser or manually.


c) Legal basis


The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.


d) Possibility of objection and elimination


You can block the use of cookies; the corresponding steps can be found in the instructions for your
browser software.

 

12. Microsoft Bing Ads


a) Purpose of data processing


We use the conversion tracking technology "Bing Ads" from Microsoft (Microsoft Corporation, One
Microsoft Way, Redmond, WA 98052-6399, USA) to draw attention to our products and services on
external websites. For this purpose, we use ad server cookies, through which certain parameters for
measuring success, such as the insertion of ads or clicks by users, can be measured. If you access our
website via a Bing ad, Bing Ads stores a cookie on your end device. These cookies usually expire after
180 days and are not intended to identify you personally. For this cookie, the unique cookie ID,
number of ad impressions per placement (frequency), last impression (relevant for post-view
conversions) and opt-out information (mark that the user no longer wishes to be addressed) are
usually stored as analysis values.
These cookies enable Microsoft to recognize your internet browser. If a user visits certain pages of a
Bing Ads customer's website and the cookie stored on their end device has not expired, Microsoft
and the customer may recognize that the user has clicked on the ad and has been redirected to this
page. Each Bing Ads customer is assigned a different cookie. Cookies can therefore not be traced via
the websites of Bing Ads customers.
We do not collect and process any personal data in the aforementioned advertising measures. We
only receive statistical evaluations from Microsoft. On the basis of these evaluations we can recognize
which of the used advertising measures are particularly effective. We do not receive any further data
from the use of advertising material; in particular, we cannot identify users on the basis of this
information.
Due to the marketing tools used, your browser automatically establishes a direct connection to the
Microsoft server. We have no influence on the extent and further use of the data collected by
Microsoft through the use of this tool and therefore inform you according to our level of knowledge:
By integrating Bing Ads Conversion, Microsoft receives the information that you have called the
corresponding part of our Internet presence or clicked on an advertisement from us. If you are
registered with a Microsoft service, Microsoft may associate your visit with your account. Even if you
are not registered with Microsoft or have not logged in, it is possible that the provider may obtain and
store your IP address.
For more information about Microsoft Bing Ads' privacy policy, please visit:
https://privacy.microsoft.com/de-de/privacystatement


b) Duration of storage


The cookie is valid for 180 days and will be deleted after expiration if you do not delete it yourself -
for example by suitable settings of your browser or manually.


c) Legal basis


The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.


d) Possibility of objection and elimination


You can block the use of cookies; the corresponding steps can be found in the instructions for your
browser software.

 

13. Twitter Ads


a) Purpose of data processing


We use Twitter's conversion tracking technology "Twitter Ads" (Twitter, Inc., 1355 Market Street, Suite
900, San Francisco, CA 94103, USA) to draw attention to our products and services on external
websites. For this purpose, we use ad server cookies, through which certain parameters for measuring
success, such as the insertion of ads or clicks by users, can be measured. If you access our website via
a Twitter Ad, Twitter Ads stores a cookie on your device. These cookies usually expire after 30 days
and are not intended to identify you personally. For this cookie, the unique cookie ID, number of ad
impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-
out information (mark that the user no longer wishes to be addressed) are usually stored as analysis
values. These cookies enable Twitter to recognize your internet browser. If a user visits certain pages of a
Twitter Ads customer's website and the cookie stored on their device has not yet expired, Twitter and
the customer can recognize that the user has clicked on the ad and has been redirected to this page.
Each Twitter Ads customer is assigned a different cookie. Cookies can therefore not be traced via the
websites of Twitter Ads customers.
We do not collect and process any personal data in the aforementioned advertising measures. We
only receive statistical evaluations from Twitter. On the basis of these evaluations we can recognize
which of the used advertising measures are particularly effective.
We do not receive any further data from the use of advertising material; in particular, we cannot
identify users on the basis of this information.
Due to the marketing tools used, your browser automatically establishes a direct connection to the
Twitter server. We have no influence on the extent and the further use of the data that is collected
through the use of this tool by Twitter and therefore inform you according to our level of knowledge:
By integrating Twitter Ads, Twitter receives the information that you have called the corresponding
part of our Internet presence or clicked on an advertisement from us. If you are registered with a
Twitter service, Twitter can assign your visit to your account. Even if you are not registered on Twitter
or have not logged in, there is a possibility that the provider may obtain and store your IP address.

 

b) Duration of storage


The cookie is valid for 30 days and will be deleted after expiration if you do not delete it yourself - for
example by suitable settings of your browser or manually.


c) Legal basis


The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.


d) Possibility of objection and elimination


You can block the use of cookies; the corresponding steps can be found in the instructions for your
browser software.

 

14. Google Analytics


a) Purpose of data processing


The client IP address is collected for use of the Google Analytics service. This website uses Google
Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called
"cookies", text files which are stored on the end device of the person concerned and which enable an
analysis of the use of the website. The information generated by the cookie about the use of this
website is usually transferred to a Google server in the USA and stored there. However, due to the
activation of IP anonymisation on this website, Google will reduce the IP address of the person
concerned within Member States of the European Union or in other signatory states to the
Agreement on the European Economic Area beforehand. Only in exceptional cases will the full IP
address be transmitted to a Google server in the USA and shortened there. On behalf of the operator
of this website, Google will use this information to evaluate the use of the website, to compile reports
on the website activities and to provide the website operator with further services associated with the
use of the website and the Internet. The IP address transmitted by your browser in the context of
Google Analytics is not merged with other Google data.


b) Duration of storage


As soon as the data are no longer necessary to achieve the purpose, they will be deleted, which is the
case when the anonymisation within the European Union has been completed. This takes less than a
second. The data sent by us and linked with cookies, user IDs (e.g. user ID) or advertising IDs are automatically
deleted after 14 months. Data whose retention period has been reached is automatically deleted
once a month.
For more information, please visit https://www.google.com/analytics/terms/de.html and
https://policies.google.com/?hl=en.


c) Legal basis

The storage of the aforementioned data is based on Art. 6 para. 1 lit. f GDPR. The legitimate interest
lies in the fact that we are able to analyse the use of the website by all users in its entirety without
drawing conclusions about the behaviour of identifiable persons; this enables us to optimise our
website and our offers.


d) Possibility of objection and elimination


The person concerned can prevent the storage of cookies by a corresponding setting of the browser
software; however, we point out to the person concerned that in this case not all functions of this
website may be used in full. Furthermore, the person concerned can prevent the collection of data
generated by the cookie and related to the use of the website (including the IP address) to Google
and the processing of this data by Google by downloading and installing the browser plug-in
available under the following link.

 

15. IntelliAd


a) Purpose of data processing


We use the intelliAd analysis service of intelliAd Media GmbH from Munich as a web analysis service
with bid management. Cookies are used to enable statistical analysis of the use of this website by
those affected. Cookies are small text files that are stored by the Internet browser on the user's
terminal device. However, intelliAd's cookies do not contain any information that makes it possible to
identify a user.
An automatic shortening of the IP address prevents intelliAd from accessing the unabridged IP
address, which thus prevents personal reference.

 

b) Duration of storage


As soon as the data are no longer necessary to achieve the purpose, they are deleted, which is the
case when anonymisation has taken place. For technical reasons, this process takes less than one
second.


c) Legal basis


The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.
The legitimate interest is that we are able to analyse the surfing behaviour of non-identifiable users;
this enables us to optimise our website and our offers.


d) Possibility of objection and elimination


You can block the use of cookies; the corresponding steps can be found in the instructions for your
browser software.

 

16. Visual Website Optimizer (VWO)


a) Purpose of data processing


We use the web analysis service of Visual Website Optimizer, which is operated by Wingfy Software
Pvt Ltd, 14th Floor, KLJ Tower North, Netaji Subhash Place, Pitam Pura, New Delhi 110034, India. The
service sends information to our server in order to understand how the user moves on the website
(e.g. which links he clicks and how he moves the mouse) and how changes to the website, such as the
design, the navigation elements, individual input forms, affect the usage behaviour (such as the length
of stay and use of elements) of those affected. Cookies, i.e. small text files that are stored by the
Internet browser on the user's terminal device, are used to recognize the user. For this purpose, Visual
Website Optimizer collects the IP addresses, but pseudonymizes them immediately after collection in
order to exclude a reference to those affected. Further information can be found at https://vwo.com/
privacy-policy/
.


b) Duration of storage


As soon as the data are no longer necessary to achieve the purpose, they are deleted, which is the
case when the pseudonymisation has taken place. For technical reasons, this process takes less than
one second

c) Legal basis


The storage of the aforementioned data is based on Art. 6 Para. 1 lit. f GDPR and § 15 Para. 3 TMG.
The legitimate interest is that we are able to analyse the surfing behaviour of non-identifiable users;
this enables us to optimise our website and our offers.


d) Possibility of objection and elimination


You can block the use of cookies; the corresponding steps can be found in the instructions for your
browser software.

 

17. Facebook-, Instagram-, YouTube-, Twitter-, Google+ Buttons


a) Purpose of data processing


We do not collect any personal data through buttons on social networks. Nevertheless, we explain the
technical background for the sake of completeness. We only use disabled buttons from Facebook,
Instagram, Twitter, Google+ and YouTube social networks. This means that no data is transmitted to
these networks. By clicking on the buttons, the person concerned decides to activate them and thus
establish a connection to the servers of the operators of the social networks and thus to transmit data
to the servers of the social networks in accordance with the agreement concluded by the person
concerned with the social network. Activation leads to access to social network content. The type,
purpose and scope of data collection and use can be found in the corresponding data protection
declarations of the social networks.
After a second click on the button the user can send his recommendation to the social networks. If the
person concerned wishes to recommend several pages, the consent is required on each page. If the
person concerned wants the social network to have permanent access to his data, the person
concerned can permanently activate the buttons. For this purpose, the appropriate check mark can be
placed under a gear icon with the result that the selected button is always directly active.


b) Duration of storage


Duration of storage is based on the specifications of the operators of the social networks.


c) Legal basis


The operators of the social networks inform those affected about the legal basis.


d) Possibility of objection and elimination


Via the gear icon, via which the person concerned has activated the social media buttons, he can later
also change his consent again and deactivate the buttons.

 

18. Facebook-Tracking


a) Purpose of data processing


We use tracking technology from Facebook Inc. based in the USA on our website. Your IP address is
transmitted to the external provider at the time of your visit, the browser used, the operating system
used and the page you have requested. In addition to us, Facebook Ireland Ltd, 4 Grand Canal
Square, Dublin 2, Ireland is responsible for data processing.
At the same time, a cookie is set that enables us to track how you have found our website - possibly
via advertisements placed by us on Facebook, but also by other means. At the same time it is
recorded whether our advertising measure has led to the conclusion of a contract (so-called
conversion).
The collection of this data is necessary in order to be able to track the effectiveness of our advertising
measures and to enable Facebook to bill us for our advertising measures. In addition, the data is used
to link the information that the local website has been visited to your Facebook profile if you are a
Facebook customer and log in there during or after your visit to our website. Facebook uses this
procedure to determine your interests and preferences in order to present you with tailor-made
advertising.
The data collected in this respect is only made available to us by Facebook in anonymous form; we do
not store any personal data in this context. If, according to Facebook, data is also transmitted to the
USA, this is done on the basis of the so-called Privacy Shield Agreement.


b) Duration of storage


According to Facebook, the data collected in this way is stored for a period of 90 days. After 90 days,
the data will be made anonymous so that it can no longer be associated with you.


c) Possibility of revocation and removal


You can object to the collection of data by deactivating the use of cookies in your browser settings.
However, we would like to point out that this may impair the functionality of our website.

 

19. Cloudflare


a) Purpose of data processing


To protect the website against denial-of-service attacks, we use the services of the US provider
cloudflare Inc.
We entered a data processing agreement with this service provider, which is Privacy Shield certified,
so that it is ensured that the data processed there for us is in safe hands. The transmitted data are IP
address, browser type, operating system used and the file called up in each case.


b) Duration of storage


The data will be deleted immediately after the page is accessed; the data will only be logged by us as
described in the section "Visiting our website".


c) Legal basis


The storage of the aforementioned data is based on Article 6 para. 1 lit f GDPR ("legitimate interest").
The legitimate interest lies in maintaining the deliverability of our website and secure operation.


d) Possibility of objection and elimination


The person concerned can stop the data processing by stopping the use of our website.

 

20. Single Sign-On and Payment-Services


a) Purpose of data processing


We use the following third-party tools to simplify ordering and payment processing:
• PayPal, an offer by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449
Luxembourg;
• Sofort, an offer by Sofort GmbH, München, Theresienhöhe 12, 80339 München.
When calling up the shopping cart, these providers use scripts integrated in our website to check
whether the user is a customer of the respective provider and logged in there. This is done by
matching any cookies stored by the provider in the user's browser.
For this purpose, the IP address, browser used, operating system and the page requested in each
case are transmitted to the third party provider. We only collect data when a customer of a provider
uses the service of the third party and arranges for the personal data stored there - namely the order
and billing address - to be transmitted to us and, if necessary, for the payment process to be
processed in accordance with the user conditions of the service with which the customer has a
contractual relationship.


b) Duration of storage


For our part, only the data that is transferred to us by the third party provider on behalf of the
customer for the purpose of executing the contract will be processed. In this respect, the information
on the duration of storage as stated above for the keyword "performance of the contract" applies.
Insofar as the third party providers process data on behalf of the customer, the storage period results
from the data protection regulations of the respective provider to which reference is made here.


c) Legal basis


The legal basis for processing is Art. 6 para. 1 lit b GDPR, insofar as the data is used to process
contracts via our website. As far as payment services are concerned, the storage is also based on Art.
6 para. 1 lit c GDPR, as the data collected in this way is of tax relevance and thus necessary to fulfil
our tax obligation. Processing is also based on Article 6 (1) (e) GDPR because it serves our legitimate
interest in enabling customers of the relevant service providers to use the services of their contractual
partners and to ensure fast and pleasant contract execution.


d) Possibility of objection and elimination


Since we are bound by statutory retention periods and the data must be stored and processed for
contract execution, an objection or deletion is not possible.

 

21. Mixpanel


a) Purpose of data processing


We evaluate the behaviour of visitors to our website in order to be able to make predictive product
recommendations during the course of the visit. If you register for our newsletter, the selection of the
contents presented in it is also based on the evaluation of previous visits and purchases. At the same
time, we use the information - for example about canceled orders - to improve our interaction with
our users. We use the services of the business-analytics service provider Mixpanel, with whom we
have concluded an order processing agreement. As far as data is transferred to the headquarters of
the order processor in the USA, this is done in compliance with the requirements of the EU-US Privacy
Shield Agreement. The collected data includes the IP address, browser type and operating system of
the user as well as the accessed file(s) and, if you have provided us with this information within the
scope of an order or by registration for our newsletter, name, address, e-mail address and telephone
number.


b) Duration of storage


Mixpanel stores the data on our behalf for a maximum period of one year since the last visit to our
site; we ensure that older data records are deleted or made anonymous by transmitting deletion
requests via the "Engage API" provided by Mixpanel.


c) Legal basis


The legal basis is our legitimate interest in providing our customers with an offer that is effectively
tailored to their needs, Art. 6 para. 1 lit. e GDPR.


d) Possibility of objection and elimination


You can object to the processing by ticking "Yes, I would like to opt out" under this link
 and clicking on the button marked "SAVE". This stores a cookie on
your end device that prevents data from being collected. Please note that you must use the opt-out
option again after you have deleted your cookies or because of the settings of your browser. Please
refer to your browser's operating instructions for further information.

 

22. Customer support tools


a) Purpose of data processing


We use tools from Intercom, Inc. and Zendesk, Inc. based in the USA to communicate with our
customers. During the use the name, the connection identifier of the customer (telephone number, e-
mail address etc.), as well as the communication content are raised by the service provider. These
process the data on the basis of an order processing agreement concluded with us. The data is also
collected and stored by us for the purpose of future direct advertising; in this respect, reference is
made to our explanations on the keyword "direct marketing". As far as data is transferred to the
headquarters of the order processor in the USA, this is done in compliance with the requirements of
the EU-US Privacy Shield Agreement.


b) Duration of storage


The data will be stored for the duration of the contractual relationship with our customer, in the case
of non-customers until the completion of the communication process, unless it is stored for a longer
period for the purpose of direct advertising. If the data is relevant to tax or commercial law, the data
is stored in accordance with § 147 AO for a period of ten years, in accordance with § 257 HGB for a
period of five years, beginning at the end of the year of data collection.


c) Legal basis


The data is collected and stored for the purpose of executing or initiating contracts, Art. 6 para. 1 lit.
b GDPR, for compliance with our tax and commercial storage regulations, Art. 6 para. 1 lit. c GDPR
and due to our legitimate interest in easy access to our customers and efficient organisation and
processing of enquiries, Art. 6 para. 1 lit. e GDPR.


d) Possibility of objection and elimination


If there are no legal storage obligations, you can object to the processing in accordance with the
conditions summarised below under the keyword "rights" and, if necessary, demand deletion of
stored data. An informal notification is sufficient for this purpose.
 

24. Phone Tracking

 

a) Purpose of data processing

Our website uses a service of Matelso GmbH, Stuttgart. If you call a phone number from this website switched by Matelso for us, information about the call is transferred to a web analytics service used by orderbird (e. g. Google Analytics). Matelso also reads cookies set by our analytics service or other parameters of the website you visit, such as referrer, document path, remote user agent. This information is processed by Matelso in accordance with our instructions and stored on servers in the EU. Further information can be found at https://www.matelso.de/privacy.

b) Duration of storage

The cookie is valid for 30 days and will be deleted after expiration if you do not delete it yourself.
 

c) Legal basis

The above data is stored on the legal basis of article 6 paragraph 1 lit. f GDPR and § 15 paragraph 3 TMG. The legitimate interest lies in the fact that it is possible for us to analyse the behaviour of non-identifiable users of our website; this enables us to optimise our website and our offers.
 

d) Possibility of objection and removal

You can prevent the storage of cookies by setting your browser software accordingly; for the necessary steps, please refer to the instructions for your browser software. However, in this case you may not be able to use all the functions of this website to their full extent.

 

III. Rights of the data subject


If personal data are processed by the user on our website, the person concerned has the following
rights against the person responsible in accordance with the GDPR.


1. Right to information according to Art. 15 GDPR


The person concerned has the right to the following information:
(a) processing purposes;
(b) the categories of personal data being processed;
(c) the recipients or categories of recipients to whom the personal data have been or are still being
disclosed, in particular recipients in third countries or international organisations;
d) if possible, the planned duration for which the personal data will be stored or, if this is not possible,
the criteria for determining this duration;
(e) the existence of a right of rectification or deletion of personal data concerning him or of a
restriction on processing by the controller or of a right of opposition to such processing;
(f) the existence of a right of appeal to a supervisory authority;
(g) where the personal data are not collected from the data subject, all available information on the
origin of the data;
(h) the existence of automated decision-making, including profiling in accordance with Article 22(1)
and (4) GDPR, and - at least in these cases - meaningful information on the logic involved and the
scope and intended effects of such processing for the data subject.
(i) where personal data are transferred to a third country or international organisation, the data
subject shall have the right to be informed of the appropriate guarantees in accordance with Article
46 GDPR in relation to the transfer.
We provide the data subject with a copy of the personal data that is the subject of the processing. For
all other copies requested by the data subject, the data processor may charge an appropriate fee on
the basis of the administrative costs.


2. Right to correction in accordance with Art. 16 GDPR


The data subject shall have the right to request the controller to rectify any inaccurate personal data
concerning him/her without delay. Taking into account the purposes of the processing, the data
subject has the right to request the completion of incomplete personal data, including by means of a
supplementary declaration.


3. The right to cancellation in accordance with Art. 17 GDPR


The data subject has the right to require the data controller to delete personal data concerning
him/her without delay and the data controller is obliged to delete personal data without delay if one
of the following reasons applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or
otherwise processed;
b) the data subject withdraws his/her consent on which the processing was based pursuant to Art. 6
para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing;
(c) the data subject opposes processing in accordance with Article 21(1) GDPR and there are no
overriding legitimate grounds for processing or the data subject opposes processing in accordance
with Article 21(2) GDPR;
d) the personal data have been processed unlawfully;
(e) the deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of
the Member States to which the data controller is subject;
f) the personal data was collected in relation to information society services offered pursuant to Art. 8
para. 1 GDPR.


4. Right to limitation of processing in accordance with Art. 18 GDPR


The data subject has the right to require the controller to restrict processing if one of the following
conditions is met:
(a) the accuracy of the personal data is disputed by the data subject for a period which enables the
data controller to verify the accuracy of the personal data,
(b) the processing is unlawful and the data subject refuses to delete the personal data and instead
requests that the use of the personal data be restricted;
(c) the data controller no longer needs the personal data for the purposes of processing, but the data
subject needs them for the purpose of asserting, exercising or defending claims; or
d) the data subject has lodged an objection to the processing pursuant to Art. 21 para. 1 GDPR, as
long as it is not yet clear whether the legitimate reasons of the data subject outweigh those of the
data processor.


5. Right to information in accordance with Art. 19 GDPR


If the data subject has claimed from the data processor a correction with regard to his personal data
in accordance with Art. 16 GDPR, a deletion Art. 17 para. 1 GDPR or a restriction on processing in
accordance with Art. 18 GDPR, and if the data processor has informed all recipients to whom the data
subject's personal data have been disclosed of the data subject's request (unless this was impossible
or disproportionate), the data subject has the right to be informed by the data processor about the
recipients.


6. Right to Data Transferability Art. 20 GDPR


The data subject has the right to receive the personal data concerning him/her that he/she has
provided to a controller in a structured, current and machine-readable format and he/she has the right
to transmit this data to another controller without our interference, provided that
a) processing is based on consent pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a or on a
contract pursuant to Art. 6 para. 1 lit. b GDPR and
(b) processing is carried out by means of automated methods.
The rights and freedoms of other persons must not be affected by this.
When exercising the right to data transferability pursuant to paragraph 1, the data subject has the
right to request that the personal data be transferred directly by us to another data controller, insofar
as this is technically feasible.
The exercise of the right to data transferability does not affect the right to cancellation pursuant to
Art. 17 GDPR. The right to transferability shall not apply to processing necessary for the performance
of a task in the public interest or in the exercise of official authority conferred on the controller.


7. Right of objection according to Art. 21 GDPR


The data subject has the right to object at any time to the processing of personal data concerning
him/her on the basis of Article 6(1)(e) or (f) of the GDPR for reasons arising from his particular
situation; this also applies to profiling based on these provisions.
We no longer process personal data unless we can prove compelling grounds for processing that
outweigh the interests, rights and freedoms of the data subject or the processing serves to assert,
exercise or defend legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to
object at any time to the processing of personal data concerning him/her for the purposes of such
advertising, including profiling in so far as it is related to such direct marketing. If the data subject
objects to the processing for direct marketing purposes, the personal data will no longer be
processed for these purposes.
The data subject may revoke his/her consent at any time. However, the collection and processing that
has taken place up to this point remains legal.


8. Automated decisions in individual cases incl. profiling according to Art. 22 GDPR


The data subject shall not be subject to a decision based exclusively on automated processing -
including profiling - which has legal effect against him or significantly impairs it in a similar manner.
This does not apply if the decision
a) is necessary for the conclusion or performance of a contract between the party concerned and us,
(b) is admissible under Union or Member State law to which we are subject and that law contains
appropriate measures to safeguard the rights, freedoms and legitimate interests of the person
concerned; or
c) with the express consent of the data subject.

These decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1
GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to
protect the rights, freedoms and legitimate interests of the data subject.
In the cases referred to in points a) and c), we shall take appropriate measures to safeguard the rights,
freedoms and legitimate interests of the data subject, including at least the right to obtain the
intervention of a person on our part, to state his own position and to challenge the decision.


9. Right of appeal to a supervisory authority pursuant to Art. 77 GDPR


Without prejudice to any other administrative or judicial remedy, any data subject shall have the right
of appeal to a supervisory authority, in particular in the Member State of his place of residence, his
place of employment or the place of suspected infringement, if the data subject considers that the
processing of personal data concerning him or her is contrary to this Regulation.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the
status and results of the complaint, including the possibility of a judicial remedy under Article 78
GDPR.


10. Right to an effective judicial remedy under Article 79 of the GDPR


Without prejudice to any available administrative or extrajudicial remedy, including the right of appeal
to a supervisory authority under Article 77 GDPR, any data subject shall have the right to an effective
judicial remedy if he considers that his rights under this Regulation have been infringed as a result of
processing of his personal data in breach of the GDPR.
Any action against us or against a processor shall be brought in the courts of the Member State in
which we or the processor have a place of business. Alternatively, such actions may also be brought
before the courts of the Member State in which the person concerned is resident, unless we or the
processor is an authority of a Member State which has acted in the exercise of its sovereign powers.