1. Controller and Data Protection Officer
Responsible within the meaning of the General Data Protection Regulation (GDPR) for the processing of personal data on this website is:
SmartStore AG
Kaiserstr. 63–65
44135 Dortmund
Germany
Represented by the Management Board, Pavlos
Tsulfaidis
Telephone: +49 231 5335-0
Fax: +49 231 5335-101
E-mail:
info@smartstore.com
Data Protection Officer:
Mr Murat Cakir
SmartStore AG
Kaiserstr. 63–65
44135
Dortmund
Germany
E-mail: muratc@smartstore.com
The Data Protection Officer can be contacted at the postal address above (attn. Murat Cakir) or via the e-mail address provided above.
2. Collection and storage of personal data
a) Storage of access data in server log files
You can visit our website without actively providing information about yourself. When you access our website, however, certain information is automatically transmitted by the browser used on your end device to our website’s server and temporarily stored in so-called server log files. This includes in particular:
-
IP address of the requesting end device
-
Date and time of access
-
Name and URL of the file accessed
-
if applicable, amount of data transmitted
-
Website from which access occurs (referrer URL)
-
Browser used
-
if applicable, the operating system of your end device
-
Name of the access provider
Processing is carried out on the basis of Art. 6(1) sentence 1 lit. f GDPR. Our legitimate interest lies in ensuring IT security, preventing misuse, analyzing errors as well as the stability and security of our digital services. The processing of the server log files is necessary in order to detect attacks on our systems, remedy technical faults and ensure the permanent functionality of our website.
The data is not evaluated for the purpose of identifying you personally.
Further information on cookies, web analytics services and plugins used on our website can be found below under sections 5 and 6 of this privacy policy.
b) Contact form and e-mail
Our website offers you the possibility of quick electronic contact with us, in particular via a contact form and by e-mail.
If you contact us, we process the personal data you provide (e.g. name, e-mail address, if applicable telephone number and other voluntary information) exclusively for the purpose of processing your inquiry and any follow-up questions.
The only mandatory information in the contact form is a valid e-mail address so that we know who the inquiry is from and can answer it. The provision of additional data is optional.
The legal basis for data processing is—depending on the type of inquiry—Art. 6(1) sentence 1 lit. b GDPR insofar as your inquiry is aimed at the conclusion or performance of a contract, and otherwise Art. 6(1) sentence 1 lit. f GDPR due to our legitimate interest in effectively processing inquiries. If you have expressly consented to being contacted, processing is additionally based on Art. 6(1) sentence 1 lit. a GDPR.
The data arising in connection with contacting us will be deleted as soon as it is no longer required to achieve the purpose for which it was collected and no statutory retention obligations prevent this. Data will not be passed on to third parties unless this is necessary in individual cases to process your inquiry or is required by law.
c) User account
You have the option of creating a user account (customer account) on our website. The personal data collected during registration can be seen from the respective registration form.
The personal data you enter as part of registration are—subject to the provisions under section 4—processed exclusively for the internal administration of your user account, the processing of any orders and the provision of the functions associated with the user account.
As part of registration, we also store the IP address assigned by your Internet service provider as well as the date and time of registration. The storage of this data is based on Art. 6(1) sentence 1 lit. f GDPR and serves our legitimate interest in preventing misuse of our services, ensuring the security of our systems and, if necessary, enabling clarification of legal violations or criminal offenses. This data is not passed on to third parties unless we are legally obliged to do so or the disclosure serves law enforcement.
Opening a user account is voluntary. The legal basis for processing the registration data is Art. 6(1) sentence 1 lit. b GDPR insofar as the user account is required for initiating or performing a contract, and, where applicable, Art. 6(1) sentence 1 lit. a GDPR, if you have additionally consented to certain functions.
Access to your user account is only possible after entering your personal password. Please keep your access data confidential and close the browser window when you have finished using our website, especially if you share the end device with other persons.
You may delete your user account at any time. You can either do this yourself via a corresponding function in your user account or inform us of your deletion request by e-mail to info@smartstore.com or via the contact form on our website. In this case, we will delete your user account and the associated data insofar as no statutory retention obligations prevent this.
d) Newsletter subscription
If you subscribe to our newsletter, we use your e-mail address provided by you, which is necessary for this purpose, to send you our newsletter regularly and to inform you about current offers, products and news.
The legal basis for sending the newsletter is your expressly granted consent pursuant to Art. 6(1) sentence 1 lit. a GDPR in conjunction with Section 7(2) no. 3 UWG.
Registration for our newsletter takes place in the so-called double opt-in procedure: after your registration, you will receive a confirmation message at the e-mail address provided, in which you are asked to confirm your registration. Only after this confirmation will your address be added to the mailing list.
As part of the registration process, in addition to the e-mail address you provide, the IP address assigned by the Internet service provider as well as the date and time of registration and confirmation are stored. This logging is carried out on the basis of Art. 6(1) sentence 1 lit. f GDPR, for the purpose of proving the consent given as well as to prevent and clarify misuse of the e-mail address.
The personal data collected in connection with the newsletter are used exclusively for sending the newsletter and tailoring its content. In addition, we may inform you by e-mail if this is necessary for the operation of the newsletter service or for a corresponding registration (e.g. in the event of changes to the newsletter offer or technical adjustments).
You can revoke your consent to receive the newsletter and the associated data processing at any time with effect for the future, for example via the unsubscribe link contained in every newsletter or by sending a message to info@smartstore.com. After the revocation has been made, your e-mail address will be deleted from the newsletter mailing list, insofar as no statutory retention obligations prevent deletion.
e) Review reminder by e-mail with consent
If you have given us your express consent pursuant to Art. 6(1) sentence 1 lit. a GDPR, we will use your e-mail address to send you one or more reminder e-mails after your order, inviting you to submit a review through the review system we use.
You can revoke your consent to receive such review reminders at any time with effect for the future. For this, a short message to us is sufficient, for example by e-mail to info@smartstore.com. After your revocation, no further review reminders will be sent.
f) E-mail advertising without newsletter subscription
1. Advertising based on your consent
If you have given us your express consent to this pursuant to Art. 6(1) sentence 1 lit. a GDPR, we will use your e-mail address to occasionally send you information and offers on products or services from our range that may be of interest to you.
You can revoke this consent at any time with effect for the future, for example by sending a message to info@smartstore.com.
2. Advertising to existing customers pursuant to Section 7(3) UWG
Independently of consent, we reserve the right to use your e-mail address, within the legal requirements of Section 7(3) UWG, for direct advertising for our own similar goods or services if:
- we have received your e-mail address in connection with the sale of a good or service,
- we use this address for direct advertising for our own similar goods or services, and
- you have not objected to this use.
When collecting the e-mail address and at each use for this purpose, we will inform you that you can object to the use of your e-mail address for advertising purposes at any time without incurring costs other than the transmission costs according to the basic rates. You can declare your objection in particular via an unsubscribe link provided in the respective e-mail or by sending a message to info@smartstore.com.
g) Postal advertising with consent
If you have given us your express consent to this pursuant to Art. 6(1) sentence 1 lit. a GDPR, we reserve the right to use your first and last name, your postal address as well as—if you have provided us with this information within the contractual relationship—your title, academic degree, year of birth and your professional, industry or business designation for our own advertising purposes, for example for sending information and offers on our products or services by letter post.
You can revoke your consent to the use of the aforementioned data for postal advertising at any time with effect for the future, for example by sending a message to info@smartstore.com. After a revocation, no further postal advertising will take place on the basis of the revoked consent.
3. Data security and SSL encryption
We use the widely used SSL or TLS encryption method for visiting our website. The highest level of encryption supported by your browser is always used. As a rule, this is 256-bit encryption. If your browser does not support this, 128-bit encryption is used instead.
You can recognize an encrypted connection by the closed display of the lock symbol in your browser’s address line and by the fact that the address line begins with “https://”.
In addition, we use technical and organizational security measures to protect your data against manipulation, loss, destruction or unauthorized access by third parties. Our security measures are continuously reviewed, adapted and improved in line with technological progress.
4. Transfer of data
In principle, your personal data is not transmitted to third parties unless it is permissible in the cases listed below. We only pass on personal data if
-
you have given your express consent to this (Art. 6(1) sentence 1 lit. a GDPR),
-
the disclosure is necessary for the assertion, exercise or defense of legal claims (Art. 6(1) sentence 1 lit. f GDPR) and no overriding legitimate interest in non-disclosure exists,
-
there is a legal obligation to do so (Art. 6(1) sentence 1 lit. c GDPR), or
-
the disclosure is necessary for the performance of pre-contractual measures or for the performance of a contract with you (Art. 6(1) sentence 1 lit. b GDPR).
4.1 Use of service providers (processing on behalf under Art. 28 GDPR)
To fulfill contractual or pre-contractual obligations as well as for technical and organizational support of our business operations, we use carefully selected service providers in compliance with data protection law. We have concluded processing agreements with these service providers in accordance with Art. 28 GDPR in each case.
Within the framework of this processing on behalf, personal data is processed exclusively on our instructions and to the extent necessary for the respective service.
We currently use the following service providers:
a) Microsoft Office 365 / Exchange Online
Service: E-mail communication, calendar and contact management
Provider: Microsoft Corporation
Processed data: E-mail contents, contact information, calendar data
Server location: EU / EEA and, if applicable, third countries (in particular USA)
Privacy policy: https://www.microsoft.com/en-us/privacy/privacystatement
b) Weclapp
Service: Accounting, merchandise management, CRM and ERP
Provider: weclapp SE
Processed data: Data required for accounting and merchandise management (contact and communication data, quotations, orders, invoices)
Server location: Germany
Privacy policy: https://www.weclapp.com/en/privacy/
c) Brevo (formerly Sendinblue)
Service: E-mail marketing, newsletter dispatch, direct communication
Provider: Brevo / Sendinblue GmbH
Processed data: E-mail addresses and contact and usage data required for dispatch
Server location: EU and, if applicable, third countries (in particular USA), depending on sub-processors used
Privacy policy: https://www.brevo.com/legal/privacypolicy/
4.2 Creditworthiness checks
If you have given us your express consent to this pursuant to Art. 6(1) sentence 1 lit. a GDPR, we may obtain credit information from a business information company in order to safeguard our legitimate interests.
For this purpose, we only transmit the personal data required for the creditworthiness check (e.g. name, address, date of birth). The business information company then provides us with information on the statistical probability of a payment default. This information may contain score values based on scientifically recognized mathematical-statistical methods, in which, among other things, address data is included.
We use the creditworthiness information exclusively for an appropriate decision on the establishment, performance or termination of a contractual relationship.
You can revoke your consent to the creditworthiness check at any time with effect for the future.
4.3 Transfer in the context of payment processing
To process payments, we pass on personal data only to the extent required for the respective payment method:
-
When paying by bank transfer, the required data is transmitted to the bank or credit institution commissioned by you in accordance with Art. 6(1) sentence 1 lit. b GDPR.
-
When paying by credit card, direct debit, instant transfer or other online payment methods, the data necessary for payment processing is transmitted directly to the respective payment service provider used. In these cases, we do not store your full payment data.
The respective payment service providers will inform you separately about their data processing as part of the payment process.
5. Cookies
Our website uses cookies and similar technologies to enable the technical provision of the website, to make its use more convenient and—if consent has been obtained in accordance with the respective applicable legal requirements—to statistically analyze the use of our website or to provide certain functions.
Cookies are small text files that are stored on your end device and can contain certain information. When you revisit our website, we can recognize your browser again.
By “cookies and similar technologies” we understand in particular also local storage technologies (e.g. Local Storage), tracking pixels, scripts, fingerprinting technologies and comparable methods by which information can be stored or read on your end device.
5.1 Types of cookies
a) Technically necessary cookies
These cookies are required to provide the basic functions of our website (e.g. shopping cart functions, language selection, login management). Their storage and access to the end device take place pursuant to Section 25(2) no. 2 TDDDG. Subsequent processing of personal data takes place on the basis of Art. 6(1) sentence 1 lit. f GDPR, as we have a legitimate interest in providing the website securely, stably and in a functional manner.
Without these cookies, the website cannot be used in full.
b) Functional and convenience cookies (optional)
These cookies enable extended functions such as storing settings or form contents.
Their processing takes place only if you have consented to this (Art. 6(1) sentence 1 lit. a GDPR, Section 25(1) TDDDG).
c) Analysis and statistics cookies (optional)
These cookies serve the statistical analysis of the use of our website, for example to optimize our offering.
Storage and access to these cookies takes place only with your consent (Art. 6(1) sentence 1 lit. a GDPR, Section 25(1)
TDDDG).
5.2 Storage duration
-
Session cookies are automatically deleted after the end of your browser session.
-
Temporary cookies remain on your end device for a specified period of time and are automatically deleted after this period has expired. They enable us to recognize your browser and your settings when you visit again.
5.3 Processed data
As part of cookie use, the following information may be processed, among other things:
-
Browser type and browser version
-
Operating system used
-
Referrer URL
-
IP address of the accessing end device (shortened or anonymized, if used)
-
Time of the server request
5.4 Cookie settings and revocation
You can configure your browser settings so that you
-
are informed about the setting of cookies,
-
allow cookies only in individual cases,
-
exclude the acceptance of cookies for certain cases or in general,
-
as well as activate the automatic deletion of cookies when closing the browser.
Please note that completely disabling technically necessary cookies may impair the functionality of some areas of the website.
If cookies have been set on the basis of your consent, you can revoke this at any time with effect for the future. The revocation can be made via your browser’s cookie settings or—if available—via our consent management tool.
5.5 Managing your consents
We use a consent management system to manage your consents. Non-technically required cookies and comparable technologies are activated only after your express consent.
You can revoke or change your consent at any time with effect for the future via the cookie settings. Refusing or revoking consent is just as easy as giving it.
6. Programs for web analytics and newsletter tracking
We use web analytics and marketing tools on our website—provided you have consented to this—for the statistical evaluation of use and to optimize our offering. Processing takes place exclusively on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR in conjunction with Section 25(1) TDDDG. You can revoke your consent at any time with effect for the future via our consent management tool.
6.1 Web analytics tools
1) Google Analytics
Our website uses—on the basis of your consent—Google Analytics, a web analytics service from:
Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, Ireland
(“Google”)
Transmission to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, cannot be ruled out. Insofar as personal data is transmitted to the USA, the transmission is carried out on the basis of the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework pursuant to Art. 45 GDPR, provided that Google is certified accordingly. In addition, standard contractual clauses pursuant to Art. 46 GDPR may apply.
Google Analytics uses cookies (see section 5) which make it possible to analyze your use of the website. The information generated by the cookies, in particular:
-
Browser type / version,
-
Operating system used,
-
Referrer URL,
-
IP address of the accessing end device (shortened/anonymized if enabled),
-
Time of the server request,
is transmitted to Google servers and stored there.
We use Google Analytics with IP anonymization activated, so your IP address is shortened within the EU or the EEA before transmission. According to Google, the full IP address is transmitted to the USA only in exceptional cases before anonymization takes place within the EU/EEA.
Google processes the data on our behalf in order to:
-
evaluate the use of the website,
-
create reports on website activities,
-
provide other services associated with website use.
The transmitted IP address is not merged with other Google data.
Deactivation option: You can deactivate Google Analytics at any time via our consent management tool or additionally install the browser add-on provided by Google: https://tools.google.com/dlpage/gaoptout?hl=en
Further information: Google privacy policy: https://policies.google.com/privacy
Information on Analytics: https://support.google.com/analytics/answer/6004245
2) Google Tag Manager
We use the Google Tag Manager.
The Google Tag Manager itself:
-
sets no cookies,
-
does not itself process personal data under its own responsibility,
-
serves exclusively to manage tracking tags.
However, the Tag Manager triggers other tags which may in turn process data (e.g. Google Analytics). Deactivation at the domain or cookie level remains in place and is adopted for all tags implemented via the Tag Manager.
3) Google Ads Remarketing
We use—based on your consent—the remarketing function of Google Ads in order to be able to show you interest-based advertising on other websites within the Google network.
For this purpose, Google analyzes your usage behavior on our website (e.g. visited subpages) in order to determine the probability of which content interests you. For this purpose, Google stores cookies on your end device which:
-
recognize the browser or the end device,
-
enable recognition on other websites,
-
deliver interest-based advertising within the Google advertising network.
The cookies do not enable direct identification of your person; rather they recognize the browser or end device used.
Here too, data may be transmitted to the USA. If Google is certified under the EU-U.S. Data Privacy Framework, the transfer is based on the adequacy decision pursuant to Art. 45 GDPR. In addition, standard contractual clauses pursuant to Art. 46 GDPR may apply.
You can revoke your consent at any time via the consent management tool.
Further information: https://policies.google.com/technologies/ads
4) Microsoft Clarity
Our website uses—if you have consented to this—the web analytics and session recording service Microsoft Clarity, provided by:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
USA
For users in the EU, processing is additionally carried out via:
Microsoft Ireland Operations Ltd.
One Microsoft Place
South County Business Park
Leopardstown, Dublin 18
Ireland
Microsoft Clarity uses cookies and similar technologies to analyze usage behavior on our website. The following are recorded, among other things:
-
mouse movements and scrolling behavior,
-
interactions with page contents,
-
session sequences (session recordings, including screen interactions),
-
technical data such as browser type, operating system, screen resolution,
-
IP address (shortened/anonymized if carried out by Microsoft Clarity),
-
timestamps and click paths.
Storage and access to information on your end device take place only with your consent pursuant to Section 25(1) TDDDG. Subsequent processing of personal data takes place on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.
Transfer of data to the USA
It cannot be ruled out that data is transmitted to the USA. Safeguarding is carried out on the basis of the Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR and additional technical security measures by Microsoft. Nevertheless, a lower level of data protection may exist in the USA compared with the EU.
Purpose of processing
The analysis serves to:
-
understand the use of our website,
-
improve the user guidance,
-
identify technical problems,
-
optimize the overall offering.
Storage duration
Session data is usually stored for up to 30 days; aggregated usage data may be stored for up to 1 year.
Revocation option
You can deactivate Microsoft Clarity at any time via our consent management tool.
Further information: Microsoft privacy policy: https://privacy.microsoft.com/en-us/privacystatement
Clarity privacy page: https://clarity.microsoft.com/privacy
5) Umami
We additionally use the privacy-friendly open-source web analytics tool "Umami", which we operate under our own responsibility on our own servers. Umami sets no cookies and processes exclusively technical data in pseudonymized form.
No user profiling across websites or devices and no integration of external tracking service providers take place.
Legal basis
Storage and access to information on your end device take place pursuant to Section 25(2) no. 2 TDDDG, since no cookies or comparable technologies are used. Subsequent processing of personal data is carried out on the basis of Art. 6(1) sentence 1 lit. f GDPR, since we have a legitimate interest in statistical evaluation to optimize our website.
Processed data
Umami only collects:
-
anonymized or pseudonymized IP address (shortened),
-
page views and time spent,
-
browser type and operating system,
-
referrer URL,
-
screen resolution,
-
timestamps of the requests.
The data is processed exclusively for statistical purposes and generally enables no direct identification of individual persons.
Storage duration
The statistical data is stored on our own servers. The storage period is usually 6–12 months, depending on internal settings; afterwards the data is automatically deleted or anonymized.
No transfer of data to third parties
Since we host Umami entirely ourselves, no transfer to third parties takes place. In particular, there is no transfer to third countries (USA).
6.2 Newsletter tracking
Our newsletters may contain so-called tracking pixels. These are small graphics that are retrieved from our server when the newsletter is opened and enable us to:
-
determine whether and when a newsletter was opened,
-
which links were clicked,
-
statistically evaluate the reach of the newsletter campaign.
Collection and evaluation are carried out on the basis of your consent (Art. 6(1) sentence 1 lit. a GDPR) in connection with the newsletter and the tracking contained in it.
The data collected in this process is stored and evaluated by us and may be processed as part of technical provision by service providers used.
Revocation
You can revoke your consent to the newsletter including tracking at any time with effect for the future:
-
via the unsubscribe link in every newsletter or
-
by sending a message to info@smartstore.com
After revocation, dispatch will be stopped and the personal data collected in connection with newsletter tracking will be deleted, insofar as no statutory retention obligations prevent this.
7. Social plugins
We integrate social media plugins of various providers on our website in order to increase the visibility of our company and to enable you to interact with content. Integration takes place only with your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR as well as the storage and access to information on your end device pursuant to Section 25(1) TDDDG. Without your consent, no social media plugins are loaded and no data is transmitted to the respective providers (“opt-in solution”).
7.1 Functionality and responsibility
If you access a page on which an embedded social plugin is integrated, it is only actively loaded if you expressly allow this in the upstream consent banner (e.g. by clicking an enable button or selection in the consent management tool). Only after activation does your browser establish a direct connection to the servers of the respective provider.
The provider of the social media service receives in particular:
-
your IP address,
-
date and time of the request,
-
browser type and version,
-
information about the page content you accessed,
-
if applicable, device information.
If you are logged in with the respective provider, your visit can be assigned directly to your user account. Interactions, such as pressing a “Like” or “Share” button, are also transmitted to the provider and processed there.
For certain social plugins there is joint responsibility within the meaning of Art. 26 GDPR (e.g. for Facebook plugins). For further processing of the data, the respective providers are generally independently responsible. In certain cases, joint responsibility pursuant to Art. 26 GDPR may exist insofar as a corresponding agreement has been concluded with the provider.
7.2 Transfer of data to third countries
When using social media plugins, personal data may be transferred to providers located in third countries, in particular in the USA.
The transfer takes place on the basis of Standard Contractual Clauses of the EU Commission (Art. 46 GDPR) and—if the respective provider is certified accordingly—additionally on the basis of an adequacy decision pursuant to Art. 45 GDPR. Nevertheless, a lower level of data protection compared to the EU cannot be completely ruled out.
7.3 Objection and revocation
You can revoke your consent at any time with effect for the future via our consent management tool. This ends the transmission to the providers and cookies already set by the respective service are deactivated via the consent management tool or can be deleted via the browser settings.
If you want to prevent social media providers from assigning visits to our pages to your personal profile, log out of the corresponding services before accessing our website.
7.4 Notes on individual social media services
1) Facebook (Meta Platforms Ireland Ltd.)
We use plugins of the social network Facebook/Meta, in particular the buttons:
-
“Like”,
-
“Share”.
Provider:
Meta Platforms Ireland Ltd.
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
By loading the plugin or providing consent via the consent management tool, Meta receives the information that you have accessed our website. Meta can process the transmitted data in particular for the following purposes:
-
creation of usage and interest profiles,
-
personalized advertising within the Meta ecosystem,
-
market research and analysis purposes,
-
displaying your interactions within the network.
If you are logged into your Facebook account, Meta can assign your visit to our website directly to your profile. If you want to prevent this, please log out of your Facebook account before visiting our website.
Further information:
Meta/Facebook privacy policy:
https://www.facebook.com/privacy/policy/
8. Data protection information for online meetings, telephone conferences and webinars via “Microsoft Teams”
Below we inform you about the processing of personal data in connection with the use of Microsoft Teams (“Teams”) for telephone and video conferences, online meetings, presentations and webinars (collectively below: “online meetings”).
8.1 Purpose of processing
We use “Microsoft Teams” to conduct internal and external online meetings. The processing of personal data serves the planning, conducting and follow-up of these meetings as well as general business communication.
8.2 Controller and service provider used
“Microsoft Teams” is a service within Microsoft 365, provided by:
Microsoft Ireland Operations Ltd.
One Microsoft Place
South County Business Park
Leopardstown, Dublin 18
Ireland
Transfer to the parent company Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA, may occur, in particular in the context of operation and support processes.
A contract for processing on behalf pursuant to Art. 28 GDPR is in place with Microsoft. For any data transfers to third countries, the EU Commission’s standard contractual clauses (Art. 46 GDPR) are also used.
Please note: To the extent Microsoft processes personal data for its own purposes, this occurs under Microsoft’s own data protection law responsibility. We have no influence on these data processings.
Further data protection information from Microsoft: https://www.microsoft.com/en-us/privacy/privacystatement
8.3 Types of data processed
When using “Teams”, the following categories of personal data may be processed—depending on which functions you use:
a) User and account information
-
Display name
-
E-mail address
-
Profile picture (optional)
-
preferred language
-
organization affiliation (if available)
b) Meeting metadata
-
Date and time
-
Meeting ID
-
Meeting URL
-
Role in the meeting (organizer, participant, guest)
-
Telephone number (if participating by dial-in)
c) Communication data
-
Chat messages
-
shared files
-
reactions and status messages
-
text content entered in the meeting
d) Audio, video and screen sharing data
To enable audio and video transmission, “Teams” processes the audio and video data of your end device.
You can switch off the microphone and camera yourself at any time.
e) Recordings (optional)
If online meetings are recorded, we will inform you in advance.
The recording takes place exclusively with your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR.
If you do not want to be recorded, you can either refuse to participate in the meeting or leave the meeting. Deactivating the camera or microphone does not prevent recording, if such a recording takes place.
f) Logging / chat storage
Chat contents or relevant meeting results may be stored to document meeting results insofar as this is necessary to conduct or follow up the meeting. Processing is based on Art. 6(1) sentence 1 lit. f GDPR (legitimate interest in documenting business processes).
8.4 Legal bases for processing
Processing of your data in the context of online meetings takes place—depending on the type of meeting—on the basis of:
-
Art. 6(1) lit. b GDPR
if the meeting is necessary to perform a contract or to initiate a contractual relationship (e.g. customer discussions, support appointments). -
Art. 6(1) lit. f GDPR
if we have a legitimate interest in efficiently conducting online meetings and business communication. -
Art. 6(1) lit. a GDPR
if consent is present for certain processings, in particular for recordings of meetings.
Our legitimate interest lies in the efficient implementation of online meetings as well as internal and external business communication.
8.5 Transfer of data to third countries
When using Microsoft Teams, a transfer of personal data to the USA cannot be ruled out.
The transfer takes place on the basis of:
-
Standard Contractual Clauses (SCC),
-
technical and organizational security measures by Microsoft.
Despite these measures, a lower level of data protection compared to the EU cannot be completely ruled out.
8.6 Storage duration
Personal data is generally stored only for as long as this is necessary for conducting and following up the online meeting or statutory retention obligations exist. Recordings are stored only if consent is present, and only for the intended purpose.
Chat contents—if necessary for documenting the meeting—are stored on the basis of Art. 6(1) sentence 1 lit. f GDPR only for as long as the purpose of documentation requires, or statutory retention obligations exist.
8.7 Your rights
You have at all times the rights pursuant to Art. 15 to 21 GDPR, in particular:
-
information,
-
rectification,
-
erasure,
-
restriction of processing,
-
objection to data processing,
-
revocation of consent granted.
9. Data protection notice for appointment bookings via Microsoft Bookings
Below we inform you about the processing of personal data in connection with the use of the online appointment booking system “Microsoft Bookings” (hereinafter: “online booking”).
9.1 Purpose of processing
We use Microsoft Bookings to efficiently organize appointment arrangements between interested parties, customers and our employees and to provide them via our website. Processing of personal data is carried out for planning, conducting and managing your appointment booking.
Processing is carried out on the basis of Art. 6(1) sentence 1 lit. b GDPR insofar as the appointment booking serves the implementation of pre-contractual measures or a contract, as well as on the basis of Art. 6(1) sentence 1 lit. f GDPR due to our legitimate interest in efficient appointment organization.
9.2 Controller and service provider used
Microsoft Bookings is part of Microsoft 365 and is provided by:
Microsoft Ireland Operations Ltd.
One Microsoft Place
South County Business Park
Leopardstown, Dublin 18
Ireland
Transfer to the parent company in the USA may occur in particular as part of operation and technical provision:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
USA
An processing agreement pursuant to Art. 28 GDPR exists with Microsoft, which also includes the use of EU Standard Contractual Clauses (SCC) to ensure an adequate level of data protection (Art. 46 GDPR).
Please note:
Insofar as Microsoft processes personal data for its own business purposes, Microsoft acts as an independent controller. We have no influence on this data processing insofar as Microsoft acts independently as a controller.
Microsoft’s privacy policy can be accessed at:
https://www.microsoft.com/en-us/privacy/privacystatement
9.3 Types of data processed
As part of an appointment booking via Microsoft Bookings, the following personal data may be processed—depending on the information provided:
a) Master data
-
Name / display name
-
E-mail address
-
Telephone number (optional)
-
preferred language
b) Appointment metadata
-
Date and time of the appointment
-
Duration of the appointment
-
Type of appointment (e.g. consultation, support, initial discussion)
-
Assignment to the respective employee
-
Confirmation and reminder information
c) Optional information
You can voluntarily provide additional information in the free text field to prepare the appointment content. This information is not mandatory.
d) System and log data
-
IP address (if applicable, shortened),
-
access time,
-
browser type and version,
- Operating system
This data is processed as part of the technical operation of the system.
9.4 Legal bases for processing
Processing of your data is carried out—depending on the context—on the following legal bases:
-
Art. 6(1) lit. b GDPR
if the appointment arrangement is necessary for the performance of a contract or for the performance of pre-contractual measures. -
Art. 6(1) lit. f GDPR
if we have a legitimate interest in efficient organization and management of appointments via a digital booking system. -
Art. 6(1) lit. a GDPR
insofar as you have given consent for certain optional processing, in particular when processing voluntary additional information via free-text fields, insofar as this is not required for appointment processing.
Our legitimate interest lies in efficient organization and management of appointments as well as improving internal processes.
9.5 Transfer of data to third countries
A transfer of personal data to the USA may occur as part of the use of Microsoft Bookings. Safeguarding takes place by concluding standard contractual clauses (Art. 46 GDPR) and through additional technical and organizational measures by Microsoft.
A level of data protection fully equivalent to that of the EU cannot be guaranteed despite these measures.
9.6 Storage duration
Your personal data is generally stored only for as long as this is necessary for appointment processing and any follow-up.
Log data is stored for a limited period in order to ensure IT security and for error analysis.
Voluntary additional information will be deleted after completion of the appointment, unless it is required for conducting or documenting business processes or statutory retention obligations exist.
9.7 Your rights
You have at all times the rights pursuant to Art. 15 to 21 GDPR, in particular:
-
information,
-
rectification,
-
erasure,
-
restriction of processing,
-
objection (Art. 21 GDPR),
-
revocation of consent given.
10. Use of HubSpot
We use the CRM, contact management, registration and marketing automation system HubSpot on our website. HubSpot supports us in managing user inquiries, communication, marketing processes and in optimizing our online offering.
Service provider and relevant entities:
HubSpot Germany GmbH
Unter den Linden 26, 10117 Berlin, Germany
HubSpot Ireland Ltd. (main office for EU customers)
One Dockland Central, Dublin 1, Ireland
HubSpot Inc. (US parent company)
25 First Street, 2nd Floor, Cambridge, MA 02141, USA
We have concluded a contract with HubSpot for processing on behalf pursuant to Art. 28 GDPR, including Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR to safeguard possible data transfers to the USA.
10.1 Purpose of processing
HubSpot is used by us for:
-
management of interested party, customer and communication data (CRM),
-
processing of contact inquiries via forms,
-
management of newsletter subscriptions,
-
execution and automation of marketing campaigns,
-
analysis of user behavior as part of tracking and marketing functions (only with consent),
-
provision of download forms, event registrations and landing pages,
-
statistical evaluation of website usage as part of the functions used and only insofar as consent exists,
-
optimization of our support and sales processes.
10.2 Types of data processed
Depending on the interaction, the following personal data may be processed:
a) Master data
-
Name, first name
-
E-mail address
-
Telephone number (optional)
-
Organization / company
-
professional position (optional)
b) Communication and interaction data
-
Contents of contact inquiries
-
E-mail opens and click behavior (only with newsletter consent)
-
Appointment booking information
-
Registrations for events, downloads or webinars
c) Usage and device data (only with consent)
- IP address (if applicable, shortened),
- browser and system information,
- visited pages and click paths,
- timestamps,
- interactions on landing pages
- (in each case only within the framework of consent for tracking and marketing functions or for the technical provision of the respective HubSpot function)
This data is used for processing inquiries, managing communication processes and—where consent exists—for conducting marketing and analysis measures. Tracking and marketing cookies are set exclusively on the basis of your consent (Art. 6(1) lit. a GDPR, Section 25(1) TDDDG).
10.3 Legal bases for processing
Processing of your data by HubSpot is carried out—depending on the purpose—on the following legal bases:
a) Art. 6(1) lit. b GDPR
to perform a contract or to carry out pre-contractual measures
(e.g. processing inquiries, support, appointment arrangements).
b) Art. 6(1) lit. f GDPR
to safeguard our legitimate interest in
efficient customer management as well as improving internal communication and administrative processes.
c) Art. 6(1) lit. a GDPR
if you consent to analysis or marketing measures (e.g. tracking, newsletter).
Without your consent, no marketing or tracking measures via HubSpot take place.
10.4 Transfer of data to the USA
Since HubSpot Inc. is headquartered in the USA, a transfer of personal data to the USA may occur in the context of using HubSpot.
This transfer is carried out on the basis of:
-
the Standard Contractual Clauses (SCC) of the EU Commission (Art. 46 GDPR),
-
additional technical and organizational safeguards implemented by HubSpot.
A level of data protection fully equivalent to that of the EU cannot be guaranteed despite these measures.
10.5 Storage duration
In principle, the data is stored for as long as it is necessary for the purposes stated.
This includes:
-
CRM data: for the duration of the business relationship and beyond within the framework of statutory retention obligations or until a legitimate deletion request,
-
marketing tracking data: until you revoke your consent,
-
newsletter data: until you unsubscribe from the newsletter,
-
contact inquiries: until final processing, insofar as no statutory retention obligations exist.
10.6 Objection, revocation and rights
You can:
-
revoke your consent to processing at any time with effect for the future,
-
object to the processing of personal data pursuant to Art. 6(1) lit. f GDPR,
-
request the deletion or transfer of your data,
-
or obtain information about the data stored.
If you have questions about data processing via HubSpot, you can contact us at any time.
11. LinkedIn (Social media plugin and LinkedIn Insight Tag)
11.1 Integration of LinkedIn functions
Social media functions of the LinkedIn network may be integrated on our website.
The provider for users in the EU is:
LinkedIn Ireland Unlimited Company
Wilton Plaza, Wilton Place
Dublin 2, Ireland
Parent company:
LinkedIn Corporation
2029 Stierlin Court
Mountain View, CA 94043
USA
Integration takes place exclusively on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR in conjunction with Section 25(1) TDDDG. Without your consent, the LinkedIn modules are not loaded.
If you access a page on which a LinkedIn plugin (e.g. Recommend button, share function) is integrated, and you have consented via the consent management system, your browser establishes a connection to LinkedIn’s servers. In this process, among other things, the following data is transmitted:
-
IP address (if applicable, shortened)
-
Date and time of the page access
-
URL of the visited page
-
Browser type and version
- Operating system and device information
If you are logged in to your LinkedIn account at the same time, LinkedIn can assign the visit directly to your user account.
We receive no personal data from LinkedIn as part of the use of the social plugins; if applicable, we only receive aggregated statistical evaluations.
Further information can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy
11.2 LinkedIn Insight Tag and conversion tracking
We use—if you have consented to this—the LinkedIn Insight Tag. This tool enables conversion tracking, retargeting and aggregated evaluations of the use of our web presence and the performance of LinkedIn advertising campaigns.
Responsible entity for tracking
-
LinkedIn Ireland Unlimited Company Wilton Plaza, Wilton Place, Dublin 2, Ireland
-
Possible: Transfer of data to LinkedIn Corporation (USA)
Safeguarded via Standard Contractual Clauses (SCC) pursuant to Art. 46 GDPR
11.2.1 Processed data
Depending on your consent, the Insight Tag collects the following information:
-
URL and referrer URL
-
IP address (usually shortened or pseudonymized)
-
device and browser characteristics (user agent, screen resolution etc.)
-
timestamps
-
page views and click/navigation interactions on the website
-
anonymized demographic evaluations (aggregated)
11.2.2 Purpose of processing
We use the Insight Tag to:
-
measure the success of our LinkedIn advertising campaigns (“conversion tracking”),
-
create target group statistics
(e.g. industries, job titles, company sizes—exclusively aggregated), -
obtain anonymized insights into visitor behavior,
-
carry out retargeting, i.e. to display interest-based advertising to visitors of our website on LinkedIn.
LinkedIn does not pass on any personal data to us, but only aggregated evaluations.
11.2.3 Storage and deletion periods
The storage duration of the data is based on LinkedIn’s specifications. Further processing is carried out by LinkedIn under its own data protection policies. Further information can be found in LinkedIn’s privacy policy.
11.2.4 Legal basis
Use takes place exclusively with your consent pursuant to:
-
Art. 6(1) sentence 1 lit. a GDPR
-
Section 25(1) TDDDG (consent for storing and reading information on end devices, in particular cookies)
You can revoke your consent at any time via our consent management tool.
11.2.5 Objection / opt-out
You can additionally object to processing by LinkedIn via the following page: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
11.3 Note on joint responsibility (Art. 26 GDPR)
For certain processing operations in connection with the LinkedIn Insight Tag, there is joint responsibility between us and LinkedIn pursuant to Art. 26 GDPR, in particular for the collection and transmission of event data in the context of conversion tracking and reach measurement.
LinkedIn is otherwise independently responsible for further processing of the data, in particular for processing for its own purposes such as profile creation and advertising purposes.
The agreement on joint responsibility is available under the following link: https://legal.linkedin.com/pages-joint-controller-addendum
12. Integration of YouTube videos
On our website we embed videos from the YouTube service, a service of:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
Parent company:
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
USA
Integration takes place on the basis of your consent pursuant to Art. 6(1) sentence 1 lit. a GDPR in conjunction with Section 25(1) TDDDG using the so-called "two-click procedure" or YouTube's "privacy-enhanced mode".
12.1 Functionality of the two-click solution
On our pages, initially only a static preview image is displayed. A connection to YouTube or Google is only established if you actively click on the preview image and thus give your consent to the transfer of data.
Only from this point onward:
-
may your IP address be transferred to YouTube/Google,
-
are cookies potentially set,
-
are device data and browser information transmitted,
-
can YouTube recognize which of our subpages you have visited.
Without your consent given via the click, no connection to YouTube is established.
12.2 Processed data
After your consent and clicking on the video, the following data may be transmitted and processed, among other things:
-
IP address
-
device and browser information
-
referrer URL (the page on which the video is embedded)
-
time of access
-
approximate location-related data, insofar as this can be determined by Google
-
usage data in connection with video playback (e.g. playback start, playback duration, interactions in the player)
If you are logged into your YouTube or Google account, Google may assign this data to your account.
This depends on your Google account settings: https://policies.google.com/technologies/partner-sites?hl=en
12.3 Legal basis
Since YouTube regularly sets cookies and comparable technologies during playback, processing only takes place after your consent pursuant to:
-
Art. 6(1) sentence 1 lit. a GDPR
-
Section 25(1) TDDDG (access to information on the end device)
Without consent, the embedded YouTube video is not activated and thus, in principle, no data is transmitted to Google in the context of embedding.
12.4 Purposes of processing
We embed YouTube in order to:
-
provide you with videos directly on our website,
-
convey content more clearly,
-
reduce the load on our server resources,
-
optimize the stability and performance of the website.
Integration takes place exclusively on the basis of your consent, since YouTube’s own analysis and tracking functions may be used.
12.5 Transfer of data to third countries
When using YouTube, personal data may be transferred to the USA.
The transfer takes place on the basis of:
-
the EU Commission’s Standard Contractual Clauses (SCC) (Art. 46 GDPR),
-
additional technical and organizational measures by Google.
A fully EU-equivalent level of protection cannot be guaranteed.
12.6 Storage duration
The storage duration of personal data is based on Google/YouTube’s privacy policies. Some cookies may exist for up to two years; others are session cookies. Further information on storage duration can be found in Google’s privacy policy: https://policies.google.com/privacy
13. Use of MyFonts web fonts
On our website, we use fonts (“web fonts”) from the provider MyFonts, a business unit of Monotype
Imaging Holdings Inc.
Provider:
Monotype Imaging Holdings Inc.
600 Unicorn Park Drive
Woburn, MA 01801
USA
The use of MyFonts web fonts serves to ensure a consistent and visually appealing presentation of our content as well as the technically stable operation of our website.
13.1 Legal basis
Processing takes place on the basis of Art. 6(1) sentence 1 lit. f GDPR, since we have a legitimate interest in a consistent, fast and technically clean presentation of our online content.
Consent is not required insofar as only technically necessary requests are made for the provision of the web fonts.
13.2 MyFonts Visitor Tracking (“Page View Tracking”)
Due to the licensing conditions, we are obliged to integrate so-called page view tracking. For this purpose, a tracking script is loaded from MyFonts which counts the number of page views (“page views”). The purpose is purely for billing (determining web font use according to the license model).
In this process, MyFonts may collect information about your end device:
-
IP address (usually shortened)
-
time of page access
-
retrieved URL
-
technical information about browser and operating system
According to the provider, direct identification of users does not take place. According to its information, MyFonts processes the IP address only in shortened form, so that there is no personal reference.
13.3 Transfer to third countries
Since MyFonts is operated by a US company, a transfer of technical data to the USA cannot be ruled out.
Processing takes place exclusively for the purpose of license billing. The transfer is carried out on the basis of the standard contractual clauses pursuant to Art. 46 GDPR.
13.4 No storage of personal data by us
We ourselves store no personal data in connection with the integration of MyFonts web fonts from this processing operation.
Transfer to MyFonts occurs for technical reasons when your browser loads the font.
13.5 Data protection information of the provider
Further information on the purpose, scope and legal bases of data processing by MyFonts can be found at: https://www.monotype.com/legal/privacy-policy/web-font-tracking-privacy-policy
14. Your rights as a data subject
When processing your personal data, you are entitled to the following rights under the General Data Protection Regulation (GDPR). You can assert these rights at any time against the controller.
a) Right of access (Art. 15 GDPR)
You have the right to request free information about whether we process personal data about you and—if so—to receive information about:
-
the categories of data processed,
-
the purposes of processing,
-
the recipients or categories of recipients,
-
the planned storage duration or the criteria for determining it,
-
the existence of further data subject rights (rectification, erasure, restriction, objection),
-
the existence of a right to lodge a complaint with a supervisory authority,
-
the origin of your data if it was not collected from you,
-
the existence of automated decision-making including profiling, as well as meaningful information about its logic and effects,
-
the appropriate safeguards under Art. 46 GDPR in the event of transfers to third countries.
b) Right to rectification (Art. 16 GDPR)
You have the right to request without delay the rectification of personal data concerning you that is inaccurate. You may also request the completion of incomplete data.
c) Right to erasure (Art. 17 GDPR)
You have the right to request the deletion of your personal data in accordance with Art. 17 GDPR.
The right does not exist insofar as processing is necessary:
-
to exercise the right to freedom of expression and information,
-
to comply with a legal obligation,
-
for reasons of public interest, or
-
for the assertion, exercise or defense of legal claims.
d) Right to restriction of processing (Art. 18 GDPR)
You can request the restriction of processing if:
-
you contest the accuracy of the data,
-
processing is unlawful and you request restriction instead of erasure,
-
we no longer need the data, but you require it to enforce legal claims, or
-
you have objected to processing (Art. 21 GDPR) while it is not yet established whether our legitimate reasons prevail.
e) Right to be informed (Art. 19 GDPR)
If you have exercised your right to rectification, erasure or restriction of processing, we are obliged to inform all recipients to whom personal data has been disclosed of this rectification or erasure or restriction of processing, unless this is impossible or involves disproportionate effort. You also have the right to be informed about these recipients.
f) Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format and to request that we transmit this data to another controller, insofar as this is technically feasible.
g) Right to withdraw consent (Art. 7(3) GDPR)
You have the right to withdraw consent you have given us at any time with effect for the future.
Withdrawal does not affect the lawfulness of processing already carried out until the withdrawal.
After withdrawal, we will delete the data concerned insofar as no other legal basis for processing exists.
h) Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
You have the right to lodge a complaint with a competent data protection supervisory authority if you are of the opinion that the processing of your personal data violates the GDPR.
The right to lodge a complaint exists without prejudice to other administrative or judicial remedies.
15. Duration of storage of personal data
We generally store personal data only for as long as this is necessary for the respective processing purposes.
After the respective purpose no longer applies—especially after full performance of the contract—we delete personal data without delay, provided that:
-
their further storage is not required to comply with statutory retention obligations,
-
you have not given consent to storage beyond that, and
-
no legitimate interest on our part exists in continued processing (e.g. defense against legal claims, securing evidence).
15.1 Statutory retention obligations
Due to statutory requirements, we must retain certain personal data for specified periods. This includes in particular:
-
Commercial and tax law retention periods pursuant to Sections 147 AO, 257 HGB
(retention period regularly 6 or 10 years)
15.2 Storage duration due to legitimate interest
A legitimate interest in storage may exist in particular for:
-
the enforcement or defense of legal claims (regularly up to 3 years pursuant to Sections 195 ff. BGB),
-
the documentation of business transactions,
-
IT security purposes and misuse detection.
After these periods have expired, the data will be deleted or anonymized insofar as no further legal obligations exist.
15.3 Deletion upon withdrawal or objection
-
If you give us consent and later withdraw it, we delete the data insofar as no other legal basis for processing exists.
-
If you lodge an objection to processing based on legitimate interest, we delete the data unless compelling legitimate grounds prevent this.
16. SmartStore Account “Forum”, “Blogs” and “Community Marketplace – SCM”
To use our community platform at community.smartstore.com—consisting of forum, blogs and the SmartStore Community Marketplace (“SCM”)—it is necessary to create a SmartStore account.
Use of these services requires that during registration you accept the General Terms and Conditions (GTC) applicable in each case as well as this privacy policy.
16.1 Purpose of processing
Personal data is processed for:
-
provision and administration of your SmartStore account,
-
use of community functions (posts, comments, reviews, messages),
-
publication of content in forum and blog,
-
participation in the SmartStore Community Marketplace (“SCM”) as a user, plugin provider or service provider,
-
communication between users and between users and SmartStore,
-
misuse detection, security monitoring and system stability.
16.2 Types of data processed
In the context of registration and use of the community modules, the following data is processed:
a) Registration data
-
Username (publicly visible)
-
E-mail address
-
Password (encrypted)
-
optional profile information (e.g. avatar, signature, location, website)
b) Usage data
-
Posts, comments, blog posts
-
Reviews and interactions
-
private messages (if used)
-
uploaded files or content
-
timestamps and activity information
c) System and security data
-
IP address during registration and use
-
log and protocol data
-
device and browser information
This data is required to ensure the functionality, security and integrity of the community platform.
16.3 Legal basis
Processing of personal data takes place on the basis of:
-
Art. 6(1) lit. b GDPR
for performance of the user agreement and for provision of the SmartStore account, -
Art. 6(1) lit. f GDPR
for safeguarding our legitimate interests in a secure, integrity-oriented and functional community platform,
in particular for misuse and fraud prevention.
16.4 Visibility and publication
Insofar as you publish content in the forum, in blogs or in the SCM (e.g. posts, comments, plug-in entries), this is visible to other users. You are responsible for the content you make publicly available.
Private messages within the platform are visible only to the users involved and are generally not viewed by SmartStore, unless this is legally required for compelling security reasons.
16.5 Storage duration
-
Your user account remains active until you delete it or request deletion.
-
Public content (e.g. forum posts) can—insofar as technically possible—be anonymized if you have your account deleted.
-
Log and security data is stored for a limited period that is required to safeguard our security interests.
-
Legal retention obligations remain unaffected.
16.6 Voluntary information
All information beyond the required data (profile information, avatars, personal texts, etc.) is voluntary and can be changed or removed by you at any time.
16.7 Obligation to comply with the GTC
Use of the SmartStore account as well as the forum, blog and SCM modules requires that you:
-
accept the respective applicable GTC and
-
comply with the community rules.
In the event of violations, we reserve the right to take measures such as warnings, restrictions or blocking of the account.
17. Right to object (Art. 21 GDPR)
You have the right to object at any time to the processing of your personal data, insofar as this
-
is based on Art. 6(1) sentence 1 lit. f GDPR (legitimate interest), and
-
your objection arises from reasons relating to your particular situation.
In this case, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing serves the assertion, exercise or defense of legal claims.
Objection to direct advertising
If your personal data is processed for direct advertising, you have the right pursuant to Art. 21(2) GDPR to object at any time to processing for the purposes of such advertising. This also applies to associated profiling insofar as it is connected with such direct advertising.
If you object to processing for direct advertising purposes, your personal data will no longer be processed for these purposes. No special justification is required for this.
Form of objection
If you wish to exercise your right to object, an informal notice is sufficient, e.g. by e-mail to: info@smartstore.com
18. Currency and changes to this privacy policy
We reserve the right to adapt this privacy policy if technical developments, legal changes or new functions of our website or our services make this necessary. The current version of the privacy policy can be accessed at any time on our website at https://smartstore.com/en/privacy-policy/. Changes take effect upon their publication, unless expressly stipulated otherwise.
19. Hosting and Content Delivery Networks (CDN)
Our website is operated on servers of an external hosting service provider. Use of this service provider is necessary in order to provide our website securely, stably and with high performance.
As part of hosting, the service provider processes, on our behalf, among other things:
-
IP addresses,
-
access requests,
-
server and security logs,
-
metadata relating to HTTP requests,
-
other technical usage data.
Processing is carried out exclusively for the purposes of provision and maintenance of technical operation, IT security and error reporting. The legal basis for this is Art. 6(1) sentence 1 lit. f GDPR in conjunction with Art. 28 GDPR.
If we use a Content Delivery Network (CDN) (e.g. Azure CDN, Cloudflare, AWS CloudFront) to speed up content delivery, technical data may be temporarily routed via the CDN provider’s servers. This is carried out exclusively for the purpose of fast and secure delivery of our content.
20. Security measures pursuant to Art. 32 GDPR
We take technical and organizational measures in accordance with Art. 32 GDPR to protect your personal data against loss, misuse, unauthorized access, manipulation or destruction.
This includes in particular:
-
encrypted data transmission (TLS / SSL),
-
access restrictions and role models,
-
firewall and intrusion detection systems,
-
regular security updates and patches,
-
data protection training for our employees,
-
privacy-friendly default settings (privacy by default),
-
structured backup and recovery concepts.
These measures are regularly reviewed, further developed and adapted to the state of the art.
21. Notes on use by minors
Our online offering is addressed exclusively to persons of legal age or companies (B2B). We knowingly do not collect personal data from minors under the age of 16.
If we become aware that personal data of a minor has been processed without a legal basis, we will delete this data without delay.
22. Automated decision-making and profiling
Automated decision-making within the meaning of Art. 22 GDPR does not take place with us as a matter of principle.
Insofar as tools used by third parties (e.g. Google Analytics, HubSpot, LinkedIn Insight Tag) enable a form of profiling, this is carried out exclusively:
-
after your express consent (Art. 6(1) lit. a GDPR) and
-
in pseudonymized or aggregated form.
Decisions producing legal effects concerning individuals are not made solely by automated means.