Privacy Policy

Introduction

With the following privacy policy, we would like to inform you about what types of your personal data (hereinafter also referred to as "data") we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both within the provision of our services and in particular on our websites, in mobile applications, and within external online presences, such as our social media profiles (collectively referred to as "online offering").

The terms used are not gender-specific.

Last updated: September 14, 2022

Table of Contents

1. Introduction
2. Controller
3. Overview of Data Processing
4. Relevant Legal Bases
5. Security Measures
6. Transfer of Personal Data
7. Data Processing in Third Countries
8. Deletion of Data
9. Use of Cookies
10. Business Services
11. Provision of the Online Offering and Web Hosting
12. Contact and Inquiry Management
13. Web Analysis, Monitoring, and Optimization
14. Plugins and Embedded Functions and Content
15. Changes and Updates to the Privacy Policy
16. Rights of Data Subjects
17. Definitions of Terms

Controller

K. & N. Schurwoll GmbH
Holzbachstr. 14
56249 Herschbach

Authorized Representative:
Marcel Krah
Email: info@schurwollprodukte.de

Overview of Data Processing

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of Processed Data:

• Inventory data
• Payment data
• Contact data
• Content data
• Contract data
• Usage data
• Meta/communication data

Categories of Data Subjects:

• Customers
• Interested parties
• Communication partners
• Users
• Business and contractual partners

Purposes of Processing:

• Provision of contractual services and customer service
• Contact inquiries and communication
• Security measures
• Reach measurement
• Tracking
• Office and organizational procedures
• Management and response to inquiries
• Feedback
• Profiles with user-related information
• Provision of our online offering and user-friendliness
• Information technology infrastructure

Relevant Legal Bases

Below you will find an overview of the legal bases of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. If more specific legal bases are relevant in individual cases, we will inform you of these in the privacy policy.

• Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR): The data subject has given their consent to the processing of personal data concerning them for one or more specific purposes.
• Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR): The processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures that are taken at the request of the data subject.
• Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR): The processing is necessary for compliance with a legal obligation to which the controller is subject.
• Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR): The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG). The BDSG contains specific provisions on the right to access, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and the transmission and automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (§ 26 BDSG), in particular with regard to the establishment, performance, or termination of employment relationships as well as the consent of employees. State data protection laws of the individual federal states may also apply.

Security Measures

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the different likelihoods and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as the access, input, transfer, ensuring availability, and separation of the data. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and responses to data threats. Moreover, we consider the protection of personal data already during the development or selection of hardware, software, and procedures, in accordance with the principle of data protection, through technology design and data protection-friendly default settings.

TLS Encryption (https): To protect your data transmitted via our online offering, we use TLS encryption. You can recognize encrypted connections by the prefix https:// in the address line of your browser.

Transfer of Personal Data

In the course of our processing of personal data, it may happen that the data is transferred to other entities, companies, legally independent organizational units, or persons or disclosed to them. The recipients of this data may include, for example, service providers tasked with IT or providers of services and content that are integrated into a website. In such cases, we comply with the legal requirements and, in particular, conclude corresponding contracts or agreements that serve to protect your data with the recipients of your data.

Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)), or if the processing takes place in the context of the use of services of third parties or the disclosure or transfer of data to other persons, entities, or companies, this will only occur in accordance with the legal requirements.

Subject to explicit consent or contractually or legally required transfer, we process or allow the data to be processed only in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications, or binding internal data protection regulations (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en).

Deletion of Data

The data processed by us will be deleted in accordance with the legal requirements as soon as their permitted consent is revoked or other permissions cease to apply (e.g., if the purpose of the processing of this data has ceased to apply or they are no longer necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or the protection of the rights of another natural or legal person.

Our data protection notices may also include further information on the retention and deletion of data, which take precedence for the respective processing.

Use of Cookies

Cookies are small text files or other storage markers that store information on end devices and read information from end devices. For example, to store the login status in a user account, a shopping cart content in an e-shop, the accessed content, or the used functions of an online offering. Cookies can also be used for different purposes, e.g., for the functionality, security, and comfort of online offerings, as well as for the creation of analyses of visitor flows.

Notes on Consent: We use cookies in accordance with the legal requirements. Therefore, we obtain prior consent from users, except when this is not required by law. Consent is not required, in particular, if the storage and reading of the information, i.e., also of cookies, are absolutely necessary in order to provide the users with a telemedia service (i.e., our online offering) that they have expressly requested. The revocable consent will be clearly communicated to the users and will contain the information on the respective cookie use.

Notes on Legal Bases for Data Protection: The legal basis on which we process the personal data of users using cookies depends on whether we ask users for consent. If users consent, the legal basis for processing their data is the declared consent. Otherwise, the data processed using cookies will be processed on the basis of our legitimate interests (e.g., in the business operation of our online offering and its improvement of usability) or, if necessary, in order to fulfill our contractual obligations, if the use of cookies is necessary for this purpose. The purposes for which the cookies are processed by us are explained in the course of this privacy policy or within the framework of our consent and processing procedures.

Storage Duration: With regard to the storage duration, the following types of cookies are distinguished:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed their end device (e.g., browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved, or preferred content can be displayed directly when the user visits a website again. Likewise, the data collected with the help of cookies can be

• Shopware Analytics

  Purpose of processing:

  Together with our store software service provider, we evaluate certain information from our customer base under joint responsibility (e.g. customer group, pages visited, click paths, date and time of the visit, information about the end device used (resolution, resolution density, operating system), referrer URL, information about the browser used, locale, search queries and time zone). This information is processed by an external service provider and forwarded to us in approximate real time so that we can monitor the use of our website and improve our offerings.

  Legal basis:

  Art. 6 para. 1 letter f GDPR

  Data categories:

  Derived from core and contact data (the customer group, no individual customer data), usage data, connection data

  Recipients of the data:

  shopware AG, Ebbinghoff 10, 48624 Schöppingen, Germany (as joint controller), IT service provider

  The essence of joint responsibility:

  The joint responsibility exists between us and shopware AG; the data is collected in our store and then transferred to servers of shopware or its service providers; with the exception of obtaining your consent for the use of cookies or comparable technologies and the fulfillment of these information obligations, all obligations, in particular the implementation of the rights of data subjects, are the responsibility of shopware AG, which you can reach at legal@shopware.com. You can also assert your data subject rights with us; we will then forward your request to shopware AG accordingly. shopware AG can derive behavior patterns on our store from the data collected, but cannot assign this data to you as a person.

  Intended third country transfer:

  None

  Do we store or read personal data on your end device based on your consent?

  Yes, see Consent Management for details.