This policy applies to data processing by:
The Data Protection Officer at internetstores can be contacted at the above address. Please address inquiries to Maren Frey, Data Protection Officer, or by email to privacy[at]addnature.co.uk.
If you are located in the United Kingdom, you may also contact our UK data protection representative according to Article 27 GDPR:
DP Data Protection Services UK Ltd., Attn: Internetstores
16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
II. Processing of personal data and type and purpose
1. Visiting our website
When you visit our website https://www.addnature.co.uk/ your browser will automatically send certain information used on your device to our website's server. This information will be stored temporarily in a so-called log file. The following data will be automatically collected and stored before it's deleted from the log files after 52 days, and then completely deleted after no more than 2 further months.
- I.P. address of the requesting computer,
- Date and time of the request,
- Name and URL of the file retrieved,
- Website accessed (referrer URL),
- Browser type, version and other information sent by the browser (such as your computer's operating system).
We process this data for the following purposes:
- to ensure a smooth connection to the website,
- to ensure our website is easy to use,
- to analyse system security and stability,
- to detect and prevent attacks on our website,
- to continually improve the website
- for various other statistical and administrative purposes.
The legal basis for this data processing is provided by Art. 6 Para. 1 Clause 1 Letter f GDPR. Our legitimate interest is established by the purposes of the data processing listed above.
We do not use the data collected to draw immediate conclusions about your person. However, in the event of an attack on our network infrastructure, your I.P. address will be used to assert or defend legal claims.
2. When you order as a ‘guest’
If you place an order as a guest through our website, we'll collect and process the following information:
- Your title, first name, surname
- A valid email address
- Postal address
- Telephone number
- Depending on the time of payment, payment data (e.g. bank account)
This information is in addition to other information you give voluntarily (e.g. date of birth). We process this data to:
- identify you as our contract partner
- check the validity of the data
- process your payment
- where applicable, personalise our advertising
- process any warranty claims and to assert any claims against you
- arrange the delivery date of your bike by telephone
The data processing takes place upon your request and is necessary pursuant to Art. 6 Para. 1 Clause 1 Letter b and Letter f GDPR for the purposes above for the performance of a contract, to take steps before entering into a contract as well as our legitimate interests.
We work with the following specialist service provider to send transaction emails relating to your orders and send them the necessary information for your order:
Cheetah Digital Germany GmbH; Speditionstraße 1, 40221 Düsseldorf
The service provider was carefully selected and commissioned by us, is bound by our instructions, and checked regularly, in particular regarding the implementation of appropriate technical and organisational measures to protect data.
Data is not transferred to countries outside of the EEA.
The personal data processed for this order will be stored until the end of the statutory warranty period and automatically deleted immediately afterwards, unless we have an obligation to store the data for a longer period pursuant to Article 6 Para. 1 Clause 1 Letter c GDPR due to retention periods and documentation obligations under tax and commercial law (German Commercial Code [HGB], German Criminal Code [StGB] or German Fiscal Code [A.O.]) or you have given consent to the data being stored for a longer period pursuant to Art. 6 Para. 1 Clause 1 Letter a GDPR.
3. When you create a customer account
When you create a customer account in our online store, we ask you to provide the following data:
- Title, first name, surname
- A valid email address
- A password
- Your postal address
- Telephone number
- Payment data (for example, your bank account).
We also ask for other non-obligatory personal information. This data is collected, stored and processed so we can continually improve your individual shopping experience and offer you convenient features in our online shop. These include access to your personal order history, saved shopping basket items and notes for future purchases as well as being able to:
- identify you as our contract partner
- check the validity of the data entered
- process the payment for your order
- personalise advertising for you
- process any warranty claims and to assert any claims against you
- coordinate the delivery date of your bike by telephone (we'll use your telephone number exclusively for this purpose).
Data processing is carried out on the basis of Art. 6 (1) sentence 1 lit. b DSGVO and Art. 6 (1) sentence 1 lit. f DSGVO due to our legitimate interests for the aforementioned purposes.
We store the personal data collected for registration and login until you submit a deletion request to us. In the event of a request for deletion, we will only retain the necessary information on your orders if storage beyond this is necessary for the fulfilment of the contract on the basis of Article 6 (1) sentence 1 b DSGVO or if we are obliged to store the data for a longer period of time in accordance with Article 6 (1) sentence 1 c DSGVO due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO).
4. When creating customer profiles
When you use our online shop, we create a customer profile for you using your data, in particular
- information about you
- statistical information (e.g. the nature, frequency and intensity of your visits to the website)
- offers, brands and suppliers viewed
- resulting information about your interests
We use this information
- for statistical analyses
- for market research
- to optimise our services
- to send you advertising tailored to your actual or presumed needs and thus not bother you with unwanted or inappropriate advertising
This data processing is necessary according to Art. 6 Para. 1 Clause 1 Letter f GDPR to pursue our legitimate interests and achieve these purposes. These purposes are also served by the storage and analysis of usage data from the online area on a pseudonymised basis.
If you object to the analysis and personalisation of our service and advertising, which you can do at any time, the processing will be stopped and your data will be deleted, unless we have an obligation to store it for a longer period based on Art. 6 Para. 1 Clause 1 Letter b GDPR for the performance of the contract or pursuant to Article 6 Para. 1 Clause 1 Letter c GDPR due to retention periods and documentation obligations under tax and commercial law (German Commercial Code [HGB], German Criminal Code [StGB] or German Fiscal Code [A.O.]).
5. When you use our contact form/ customer services
You can send us general enquiries via the contact form provided on our site. In addition to your title, name and a valid e-mail address, we also ask for the subject and your question. We need this information to be able to answer your enquiry.
Additional personal information such as your address, an order number or your telephone number is not collected unless you provide this information voluntarily.
Data processing for the purpose of contacting us is carried out in response to your enquiry and on the basis of Art. 6 (1) sentence 1 lit. b DSGVO or to protect our legitimate interests pursuant to Art. 6 (1) sentence 1 lit. f DSGVO. Our legitimate interest is to be able to respond to enquiries from our customers and thus to ensure a functioning customer service. functioning customer service.
In order to process your enquiry, we work together with the specialised service provider named below, to whom we transfer personal data required for this purpose.
Salesforce Customercare of Salesforce.com.inc, The Landmark @ One Market, Suite 300, San Francisco, CA 94105 (hereinafter "Salesforce").
We have entered into an order processing agreement with Salesforce for the use of the Salesforce Customer Care software. Through this contract, Salesforce assures us that they process the data in accordance with the General Data Protection Regulation and ensure the protection of the rights of the data subject. The forwarding of personal data to Salesforce takes place on the basis of the binding internal data protection regulations of Salesforce according to Art. 46 para. 2b, 47 DSGVO (so-called Corporate Binding Rules) as well as the standard data protection clauses of the European Commission according to Art. 46 para. 2c) DSGVO. Both sets of rules are anchored in the Salesforce Data Processing Addendum, which we have concluded with Salesforce. In addition, the Salesforce Commerce Cloud is certified by reliable security standards, including PCI-DSS, SOC2, ISO 27001.
For more information on data protection in connection with the Salesforce Commerce Cloud, please refer to the Salesforce Privacy Statement.
The personal data collected by us for the use of the contact form will be deleted after the request you have made has been dealt with, unless we are obliged to store it for a longer period of time pursuant to Article 6 (1) sentence 1 lit. c DSGVO due to tax and commercial law retention and documentation obligations (from HGB, StGB or AO).
6. In connection with our newsletters
As a customer or interested party, we would like to send you our newsletter. If you are already a customer of ours, we will therefore also use your e-mail address to send you our personalised newsletter about similar product offers. If you are not a customer of ours but would still like to receive the newsletter, we only need your e-mail address to send you the newsletter. The sending is based on your explicit consent (Art. 6 para. 1 p. 1 lit. a DSGVO) or, if you are already our customer, based on our legitimate interests in informing you about current product recommendations for you (direct marketing).
If you have given us your express consent to send newsletters (Art. 6 para. 1 p. 1 lit. a DSGVO), we evaluate your user behaviour in connection with our newsletters in order to be able to tailor our advertising approach to your interests and to optimise our offers on our website for you. For this purpose, we use the following specialised service providers to whom we transmit the personal data required for this purpose (order data, product detail pages, checkout activities):
Oracle DMP of Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065 / USA (hereinafter "Oracle").
By using the Oracle DMP product (formerly Oracle Responsys Bluekai), Oracle enables us to present you with relevant and targeted advertising materials and advertisements based on your interests and usage behaviour on our offer and third-party websites, taking into account and evaluating your website usage on different end devices, e.g. laptop, smartphone and PC (so-called cross-device tracking). Furthermore, we receive aggregate statistics on the effectiveness of certain advertising media (e.g. how many people have clicked on or interacted with an advertisement) via the technology. For this purpose, cookies are set on your end devices and pixel tags are implemented on websites that Oracle uses in order to be able to analyse and evaluate your usage behaviour (e.g. clicks) on your various end devices. This creates pseudonymous usage profiles, so-called "cookie IDs", which can be assigned to your respective end devices for cross-device profiling, but not directly to your person. The data collected includes non-personal usage-related data (e.g. clicks on advertisements, websites, time and length of stay) and non-personal browser data (e.g. language setting, screen resolution). Accordingly, they are not identifiable to us.
We have concluded an order processing contract with Oracle for the use of Oracle DMP. Through this contract, Oracle assures that they process the data in accordance with the GDPR and ensure the protection of the data subject's rights. In this context, the processing of personal data by Oracle is carried out on the basis of Oracle's binding internal data protection rules pursuant to Art. 46 (2b), 47 DSGVO (so-called Corporate Binding Rules), which are anchored in the Oracle European Data Processor Agreement that we have concluded with Oracle. In addition, Oracle has implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access. These measures generally comply with the ISO/IEC 27001:2013 standard.
b. Objection to personalisation / revocation of consent/unsubscribing from the newsletter:
You can revoke your consent to the personalisation of our newsletter at any time by sending us an email to service[at]addnature.co.uk. If you do so, we will no longer send you a personalised newsletter but will continue to send you our general newsletter.
Furthermore, it is also possible to unsubscribe from our newsletters completely at any time, e.g. via a link at the end of each newsletter. Alternatively, you can also send your unsubscribe request at any time by e-mail to privacy[at]addnature.co.uk / addnature[at]gdpr-rep.com as well as to service[at]addnature.co.uk. Your personal data collected in connection with and exclusively for the purpose of sending the newsletter will be deleted immediately after unsubscribing.
7. SurveyMonkey survey with sweepstake
We use SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland (hereinafter 'SurveyMonkey') to generate web-based online surveys.
Participation in online surveys is voluntary. If you participate in an online survey, we log your IP address, operating system, device type and other personal information that you provide as part of the survey.
We only collect necessary data and only share this data with third parties in response to regulations or court orders to conduct the survey (SurveyMonkey) and, where applicable, send out prizes.
SurveyMonkey may collect data itself. This can include contact information, usage data, device and browser data, information from 'page tags', referral data and data from third parties and integration partners. We have no influence or control over this. You can find more information about this here.
We have entered into a data processing contract with SurveyMonkey. Through this contract, SurveyMonkey ensures that they will process all data in accordance with data protection regulations and ensure the protection of the rights of the data subject. If SurveyMonkey processes personal data in the USA, this is done based on so-called standard contractual clauses in accordance with Art. 46 Para. 2 c) DSGVO (General Data Protection Regulation), as well as further measures to protect your data. See here for more details.
The legal basis for the data processing described above is your consent in accordance with Article 6(1)(a) DSGVO.
In principle, we store your data concerning a survey or a survey with the possibility of a prize draw for an appropriate period after collection.
If you are uncomfortable with this, you can contact our customer service directly by telephone at any time. You can revoke your consent at any time without reason. Please contact Internetstores GmbH, Friedrichstraße 6, 70174 Stuttgart or via email at service[at]addnature.co.uk or privacy[at]addnature.co.uk / addnature[at]gdpr-rep.com with effect for the future.
You can find more information about cookies used on survey pages here.
III. Data sharing
1. For payment processing
As part of the fulfilment of the contract in accordance with Art. 6 para. 1 p. 1 lit. b DSGVO, we use various payment service providers to process payments. For this processing, it may be necessary for us to forward personal data collected in the payment process, such as name, address, telephone number, e-mail address, credit card or bank account data and transaction data to the payment service provider. In some cases, the payment service providers also collect this data themselves.
Within the framework of the fulfilment of the contract pursuant to Art. 6 para. 1 p. 1 lit. b DSGVO, we use the payment service providers listed below for the processing of payments:
a. Payments with Paypal
We offer payment processing by means of the payment service provider
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L- 2449 Luxembourg (hereinafter "Paypal").
If you pay with PayPal, you will be redirected to the PayPal website. There you can log in with your account details and complete the payment. If you choose the payment options "direct debit", "credit card" or "purchase on account", you will also be redirected to the PayPal website. There you can complete the payment with or without a PayPal account by providing the payment information. We have no access to personal data collected by PayPal. PayPal is responsible for their processing.
b. Payments by credit card
If you pay by credit card, the payment data you enter will be stored in accordance with Art. 6 Para. 1 S. 1 lit. b DSGVO by
Ingenico GmbH (Pfalzburger Strasse 43-44, 10717 Berlin)
and only passed on to the companies involved in the payment process.
By paying by credit card, you accept the terms and conditions of the payment provider. In this case, we do not collect or store the payment data.
Further information on this can be found in the data protection regulations of your credit card company.
2. For delivery of your order
To ship your order (Art. 6 Para. 1 Clause 1 Letter b GDPR) and make delivery as convenient as possible (Art. 6 Para. 1 Clause 1 Letter f GDPR), we forward the data you provide for your delivery address as well as your email address and where applicable, your telephone number to shipping service providers, who dispatch your consignment solely for the purpose of delivery and notification of delivery. These service providers handle your information subject to data protection laws.
3. For internal administrative and advertising purposes
We are part of the SIGNA Sports Group and a wholly-owned subsidiary of SIGNA Retail GmbH. As such, we sometimes supply personal data (pseudonymous usage profiles) within a contractual relationship to
SIGNA Retail GmbH, Freyung 3, 1010 Vienna (hereafter: "SIGNA")
for analysis and marketing purposes (e.g. Google Analytics and Salesforce DMP). The data is transferred based on Art. 6 Para. 1 Clause 1 Letter f GDPR and to pursue our legitimate interests of a pseudonymous analysis of data by the SIGNA Sports Group.
You can object to the use of your personal data for advertising purposes at any time without stating reasons. In this case, SIGNA will also no longer be able to view your personal data.
4. For coupon offers by Sovendus GmbH
For a coupon offer to be selected, the hash value of your email address and I.P. address is sent pseudonymised and encrypted to:
Sovendus GmbH, Moltkestr. 11, 76133 Karlsruhe (Sovendus)
(Art. 6 Para. 1 f GDPR).
The pseudonymised hash value of the email address is used to consider any possible objection against the advertising by Sovendus (Art. 21 Para. 3, Art. 6 Para. 1 c GDPR). The I.P. address is used by Sovendus solely for data security purposes and is as a rule anonymised after seven days (Art. 6 Para. 1 f GDPR). We also send for billing purposes, the pseudonymised order number, order value with currency, session I.D., coupon code and time stamp to Sovendus (Art. 6 Para. 1 f GDPR).
If you are interested in a coupon offer from Sovendus, have not objected to advertising for your email address and click on the voucher banner displayed in this case, your title, name and email address will be sent encrypted to Sovendus in order to prepare for the coupon (Art. 6 Para. 1 b, f GDPR).
5. For the integration of the Trusted Shops badge
To display our Trusted Shops quality seal and Trusted Shops products to buyers after ordering, the Trusted Shops badge is integrated into this website.
This helps to protect our, in the balancing of various interests, overriding legitimate interest to ensure the optimal marketing of our offering (Art. 6 Para. 1 Clause 1 Letter f GDPR). The trust badge and the services purchased with it are provided by:
Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne
When you access the trust badge, the web server automatically stores a so-called log file which contains, e.g. your I.P. address, date and time of access, data volume transmitted and the requesting provider (access data) and documents this access. This access data is not analysed and will be overwritten automatically no later than seven days after your visit.
Additional personal data is only forwarded to Trusted Shops if, after completing an order, you decide to use Trusted Shops products or if you have already registered to use Trusted Shops products. In this case, the contractual agreement concluded between you and Trusted Shops will apply.
6. To rate our shop using Google reviews
You can rate the purchasing process on our website using the Google reviews survey. If you consent to taking part (Art. 6 Para. 1 Clause 1 Letter a GDPR), you will be sent a survey by Google after delivery of your order. For this purpose, we send the following information about your order
- the order I.D.
- your email address
- the country in which the order will be delivered
- the delivery date for your order
- the Global Trade Item Number so that the review data can be attributed to our item
We send this information to Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter: "Google")
The processing of personal data by Google is carried out under Google's own responsibility on the basis of the standard data protection clauses of the European Commission pursuant to Art. 46 (2c) DSGVO. Google has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access. These Google measures are certified in accordance with the ISO/IEC 27001:2013 standard.
You can withdraw your consent given to us at any time. This has the consequence that we may no longer continue the data processing described above, which is based on this consent, in the future. Further information on Google's data protection in connection with the Google Customer Reviews programme can be found here.
7. When you access integrated YouTube videos
We use, on our website, on the basis of Art. 6 Para. 1 Clause 1 Letter f GDPR and to pursue our legitimate interests of making our website interesting for you, components (videos) from the company
YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA (hereafter: "YouTube"), a company of
Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA (hereafter: "Google").
Here we use the "enhanced data protection mode" option provided by YouTube. If you visit a page which has an embedded video, a connection is established with YouTube’s servers and this content is displayed on the website by a message via your browser.
According to YouTube, in "enhanced data protection mode", your data, in particular which of our internet pages you have visited and device-specific information including the I.P. address, will only be sent to the YouTube server in the USA when you view the video. The data is not sent until you click the video.
If you are logged in to YouTube at the same time, this information will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website.
The processing of personal data by Google is carried out on the basis of the standard data protection clauses of the European Commission in accordance with Art. 46 (2c) DSGVO.
Google has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access.
These Google measures are certified to the ISO/IEC 27001:2013 standard.
8. Google Maps
We use the Google Maps service of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA on our website to display an interactive map. Due to the implementation, Google collects device-related information, log data including the IP address as well as location-related information.
No data is transmitted to Google by simply accessing our website. Only by clicking on the map do you activate the interactive map from Google Maps and thus consent to the transmission of data to Google.
The processing of personal data by Google takes place under Google's own responsibility on the basis of the standard data protection clauses of the European Commission in accordance with Art. 46 (2c) DSGVO. Google has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access. These Google measures are certified in accordance with the ISO/IEC 27001:2013 standard.
Google uses personal data to evaluate the use of the website, to compile reports on website activity and to provide other services associated with the use of the website and the Internet for the purposes of market research and the design of these websites in line with requirements.
Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf.
9. Information on possible risks with data transfers to insecure third countries, in particular the USA.
With the ECJ ruling of 16 July 2020 (C-311/18), the (partial) adequacy decision for the USA according to Art. 45 (1) GDPR, the so-called Privacy Shield was declared null and void.
The USA is thus a so-called unsafe third country. A "third country" is a state outside the European Economic Area (EEA) in which the GDPR is not directly applicable. A third country is considered "insecure" if the EU Commission has not issued an adequacy decision for that country pursuant to Art. 45(1) GDPR confirming that adequate protection for personal data exists in the country. This means that the USA currently does not offer a level of data protection comparable to that of the EU.
In particular, when transferring personal data to the US, there is a risk that US authorities may gain access to personal data on the basis of the surveillance programmes PRISM and UPSTREAM based on Section 702 of FISA (Foreign Intelligence Surveillance Act), as well as on the basis of Executive Order 12333 or Presidential Police Directive 28. EU citizens do not have effective legal protection against this in the US or the EU.
In this privacy notice, we inform you when and how we transfer personal data to the US or other unsecure third countries. We only transfer your personal data if
- the recipient provides sufficient guarantees in accordance with Art. 46 (1) DSGVO for the protection of the personal data;
- you have expressly consented to the transfer after we have informed you of the risks in accordance with Art. 49 (1) a) DSGVO;
- the transfer is necessary for the performance of contractual obligations between you and us (Art. 49 (1) (b) DSGVO);
- another exception from Art. 49 DSGVO applies.
Guarantees according to Art. 46 (1) of the GDPR can be so-called Binding Corporate Rules, i.e. binding internal data protection regulations of a provider agreed with the supervisory authorities. Likewise, according to Art. 46 (2) (c) of the GDPR, so-called standard contractual clauses issued by the European Commission pursuant to Art. 93 (2) of the GDPR may be considered as suitable guarantees. In these standard contractual clauses, the recipient assures to sufficiently protect the data and thus to guarantee a level of protection comparable to the GDPR. We ensure beforehand that the recipient can also fulfil the agreed guarantees.
At the moment, we base a transfer of data to the USA exclusively on guarantees according to Art. 46 (1) of the GDPR. Should this no longer be possible in the future and we would have to base a transfer of personal data to third parties on your consent pursuant to Art. 49 (1) a) DSGVO, we would only do so temporarily, in particular only until such time as the third parties concerned have either issued binding internal data protection rules pursuant to Art. 46 (2) b), 47 DSGVO or allow the conclusion of standard data protection clauses issued by the European Commission pursuant to Art. 46 (2) c), 93 (2) DSGVO.
10. For other purposes
In addition, we only pass on your personal data to third parties if:
- you have given your express consent to do so in accordance with Art. 6 para. 1 p. 1 lit. a DSGVO,
- there is a legal obligation to pass on the data in accordance with Art. 6 Para. 1 Sentence 1 lit. c DSGVO, as well as
- the disclosure is necessary for the assertion, exercise or defence of legal claims pursuant to Art. 6 (1) sentence 1 lit. f DSGVO and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data.
IV. Cookies and pixel tags
1. What are cookies and pixel tags?
Information is stored in the cookie relating to the specific device used. This does not mean we can immediately establish your identity.
We use pixel tags (also called tracking pixels) in our online offerings. Pixels are small graphics which are integrated using the HTML code of our webpage. The pixel tag does not store or change any information on your device; pixels also do not damage your device and do not contain viruses, Trojans or any other malware. Pixels can send personal data such as your I.P. address, the referrer URL of the website visited, the time the pixel was viewed, the browser used and previously placed cookie information to a web server. As a result, reach measurements and other statistical analyses used to optimise and refine our product selection can also be conducted.
We also use temporary, so-called comfort cookies to optimise the user-friendliness of the website, which are stored on your device for a specific period of time. If you visit our website again in order to use our services, it automatically identifies that you have already visited us and what entries and settings you have made, so that you do not have to input these again. These are usually deleted after a maximum of 30 days. Only ‘comfort cookies’ with language settings are stored for 365 days.
2. What is the legal basis for processing using cookies and pixel tags?
V. Consent Management with OneTrust
Our website uses the consent management service OneTrust of 2020 OneTrust, LLC (Dixon House, 1 Lloyd's Avenue, London EC3N 3DQ, United Kingdom).
In this context, the date and time of the visit, browser information, consent information, device information and IP address of the requesting device are processed. The legal basis is Art. 6 para. 1 p. 1. lit. f DSGVO (legitimate interest). Obtaining and managing legally required consents is considered a legitimate interest in the sense of the aforementioned provision, as the interference with the rights of users as a result of the use of anonymised IP addresses and the involvement of a service provider based in Germany is very low.
OneTrust stores consents and revocations on our behalf and on our instructions. The storage is based on Art. 6 para. 1 p. 1 lit. f DSGVO. Being able to comply with the accountability obligation pursuant to Art. 5 (2) DSGVO is a legitimate interest. Further information on data protection at OneTrust can be found here.
VI. Tracking and targeting
The tracking and targeting measures listed below and used by us are carried out if you have given us your consent for this (see above under IV. 2).
With the tracking measures used, we want to ensure a needs-based design and continuous optimisation of our website.
On the other hand, we use the tracking measures to statistically record the use of our website. Through the targeting measures used, we also want to ensure that you are only shown advertising on your end devices that is oriented to your actual or presumed interests.
The respective data processing purposes and data categories can be found in the description of the corresponding tracking tools. You can revoke or adjust your consent at any time with effect for the future.
We use the online marketing tool Adform from Adform A/S, Wildersgade 10B, 1st sal. DK-1408 Copenhagen, Denmark.. Adform, as a so-called demand side platform, enables us to automate the purchase of advertising inventory and thereby use our advertising budget as efficiently as possible. When you click on an ad, Adform leaves cookies on your machine. Via the cookie ID, Adform records which ads are displayed in which browser and can thus prevent them from being displayed to the same user more than once. In addition, Adform can use cookie IDs to record so-called conversions that are related to ad requests, such as when a user clicks on an Adform ad and later visits the advertiser's website with the same browser and makes a purchase there. This allows us to improve campaign performance reports. Adform cookies do not contain any personal information such as email addresses, names or postal addresses.
We have entered into an order processing agreement with Adform. In it, Adform assures us that they will process the data in accordance with our instructions and ensure the protection of the data subject's rights.
You can find more information about data protection at Adform here.
2. Adobe Media Optimizer
We use the Media Optimizer tool from the Adobe Advertising Cloud of Adobe Systems Software Ireland Limited, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Republic of Ireland.
If you click on an advertisement in a search engine, Adobe Media Optimizer sets cookies which are stored on your computer or other end device. The cookie IDs allow us to track conversions related to specific ads, such as when a user clicks on an ad in a search engine and later visits our website and makes a purchase. This enables us to improve the marketing of our website in the organic search results of internet search engines and thus increase the number of visitors to our website and the conversion rate. In the course of using Adobe Media Optimizer, data, such as in particular the IP address, order value and activities of the user, are transmitted to a server of Adobe Systems Software Ireland Limited and stored there.
We have concluded an order processing agreement with Adobe. In it, Adobe assures us that they will process the data in accordance with our instructions and ensure the protection of the rights of the data subject.
In the event personal data is transferred from Adobe to the USA, this is done on the basis of the standard data protection clauses of the European Commission in accordance with Art. 46 (2c) DSGVO. Adobe has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access.
These Adobe measures are certified to the ISO/IEC 27001:2013 standard.
For more information about Adobe's privacy practices, click here.
3. Channel Pilot
On this website, we use technologies from Channel Pilot Solutions GmbH, Überseeallee 1, 20457 Hamburg to collect and store data from which usage profiles are created using pseudonyms. These usage profiles help us analyse visitor behaviour to improve our website and ensure it’s tailored to the needs of our users. For this purpose, cookies can be used. The pseudonymised usage profiles are not directly combined with personal data about the bearer of the pseudonym.
Further information on data protection at Channel Pilot can be found here.
On this website, we use technologies from Epoq Internet Services GmbH (www.epoq.de) to collect and store data from which usage profiles are created using pseudonyms. These usage profiles facilitate the analysis of visitor behaviour to improve our website and ensure that it is tailored to the needs of users.
For this purpose, cookies can be used. The information produced is sent to a server in Germany, where it is stored. With the Epoq Engine, neither we nor the operator of the respective analysis tool can directly collect personal information which allows us to reveal the identity of the user.
5. Facebook advertising
We use Facebook Website Custom Audiences from Facebook Ireland Limited (4 Grand Canal Square, Dublin 2, Ireland).
This is a marketing service provided by Facebook. It enables us to display individually tailored and interest-based advertising on Facebook to certain groups of pseudonymised visitors to our website who also use Facebook.
A Facebook Custom Audience pixel tag is integrated into our website. This is a Java script code that stores non-personal data about the use of the website. This includes your IP address, the browser used and the source and target pages. This information is transmitted to Facebook servers in the USA.
The transfer of this information to the USA is done so on the basis of the standard data protection clauses of the European Commission pursuant to Art. 46 (2c) DSGVO. Facebook has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access.
The system automatically checks whether you have saved a Facebook cookie. The Facebook cookie is used to automatically determine whether you belong to the target group relevant to us. If you belong to the target group, you will be shown corresponding ads from us on Facebook. During this process, you will not be personally identified either by us or by Facebook through the matching of data.
You can object to the use of the Custom Audiences service on the Facebook website. After logging in to your Facebook account, you will be taken to the settings for Facebook ads.
If you do not have a Facebook account, you can prevent data from being sent to Facebook by clicking on this link. By clicking, a blocking cookie is created in the background to ensure this. No pop-up or similar will appear when the function is triggered.
You can revoke your consent at any time. This has the consequence that we may no longer continue the data processing described above, which is based on this consent, in the future.
6. Google Marketing Platform
We use the Google Marketing Platform on our website, a web analytics and advertising service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google").
The service combines the Google products Google Analytics 360 Suite, Search Ads 360, Display & Video 360, Optimize 360, Tag Manager 360, Attribution 360 and Data Studio. In this context, pseudonymised usage profiles are created and cookies and pixel tags (see above under IV) are used.
The information processed in this way about your use of this website such as
- browser type/version,
- operating system used,
- referrer URL (the previously visited page),
- host name of the accessing computer (IP address),
- time of the server request,
as well as other information about the use of our website. The IP addresses are anonymised so an assignment to your person is not possible (IP masking).
We have concluded order processing agreements with Google for the use of the marketing platform. In these, Google assures that they process the data in accordance with our instructions and ensure the protection of the rights of the data subject. The information may be transferred to third parties if this is required by law or if third parties process this data on our behalf.
Note: The information generated by the cookie about the use of our website (e.g. IP address of the accessing computer, time of access, referrer URL and information about the browser and operating system used) is transmitted to Google servers in the USA and processed there.
The USA are so-called unsafe third countries (see also corresponding section of this data protection declaration). This means that there is no adequacy decision by the European Commission for the USA. Your data is therefore not subject to a level of data protection in the USA comparable to that of the EU. Google does not currently offer any guarantees pursuant to Article 46 of the GDPR that could compensate for this data protection deficit. Your data is therefore exposed to the risk of government access as described in section III. 1.
If you consent to processing by Google, you therefore consent at the same time to your data being transferred to the USA in accordance with Art. 49 (1) a DSGVO.
Further information on data protection in connection with the Google Marketing Platform can be found here.
a. Analytics 360 Suite
By using Google Analytics, Google processes the information on our behalf in order to evaluate the use of the website, to compile reports on the website activities and to provide us with further services associated with the use of the website and the Internet for the purposes of market research and demand-oriented design of these Internet pages.
We only use Google Analytics with IP anonymisation activated. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
We have activated the advertising functions of Google Analytics. This generates reports on target groups, demographic characteristics such as age, gender and interests of site visitors, as well as on our marketing campaigns. The data for this comes from campaigns carried out via Google services, interest-based advertising from Google, the Google Display Network and visitor data from third-party providers. This does not directly reveal your identity to us. With the help of these reports, we can better evaluate user behaviour in connection with our online offers and optimise the addressing of target groups.
If you do not wish your user behaviour to be taken into account in these reports, you can deactivate this, for example, via the ad settings in your own Google account or prevent the collection of data by Google Analytics as described below. You can also limit the collection of data by not logging into your own Google account when you visit our website.
We do not use the Universal Analytics with User ID offered by Google.
If necessary, the collected data will be transferred to third parties if this is required by law or if third parties process the data on our behalf.
The user data collected via cookies is automatically deleted after 14 months.
b. Google Optimize 360
Our website uses the web analysis and optimisation service "Google Optimize 360", which is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google Optimize").
We use Google Optimize to increase the attractiveness, content and functionality of our website by displaying new functions and content to a percentage of our users and statistically evaluating the change in usage. Google Optimize is a sub-service of Google Analytics (see section Google Analytics).
Google Optimize evaluates your use of our website in order to compile reports on optimisation tests and related website activities and to provide us with other services related to website and internet use.
c. DoubleClick Digital Marketing
Within the framework of DoubleClick Digital Marketing, information is collected and analysed in order to optimise advertising. The technologies used enable us to target you with individual interest-related advertising. For example, we record which of our content you were interested in. Based on this information, we can also show you offers on third-party sites that are specifically geared to your interests, as determined by your previous user behaviour. The collection and analysis of your user behaviour is exclusively pseudonymous and does not enable us to identify you.
You can also make settings for the display of interest-based advertising by DoubleClick Digital Marketing via Google's ad settings manager.
7. Google Ads (with remarketing)
We use Google Conversion Tracking and Remarketing Pixel from Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") on our website.
The service enables us to design, statistically record, optimise and play out advertising content in line with demand. To ensure the visibility of our offer, we are dependent on such advertising content.
Google Ads installs a cookie on your computer if you have accessed our website via a Google ad. These cookies lose their validity after 30 days. If you visit certain pages of our website and the cookie has not yet expired, Google and we can recognise that you have clicked on the ad and have been redirected to this page. In addition, we use information about your use of this website that Google collects and analyses on our behalf (see here for more details). This enables us to target you on other websites with content that is relevant to you.
The information generated by the cookie about your use of this website, such as click behaviour on texts and products or interactions with videos, is transmitted to a Google server in the USA and stored there. Google observes the data protection provisions of the "US Privacy Shield" and is registered with the "US Privacy Shield" programme of the US Department of Commerce. In addition, we use the remarketing pixel, which collects and evaluates information about your use of this website. This enables us to target you on other websites with content that is relevant to you. According to Google, the data collected during remarketing is not merged with personal data that may be stored by Google. Google also pseudonymises this data. Tag-based remarketing data is stored for 30 days.
Every Ads customer receives a different cookie. Cookies can therefore not be tracked across Ads customers' websites. The information collected using the conversion cookie is used to create conversion statistics for Ads customers who have opted in for conversion tracking. As an Ads client, we learn the total number of users who clicked on an ad and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information with which we can personally identify you.
In addition, we use the remarketing pixel, which collects and evaluates information about your use of this website. This enables us to address you on other websites with content that is relevant to you. According to Google, the data collected during remarketing is not merged with personal data that may be stored by Google. Google also pseudonymises this data. Tag-based remarketing data is stored for 30 days.
Each Ads customer receives a different cookie. Cookies can therefore not be tracked across Ads customers' websites. The information collected using the conversion cookie is used to create conversion statistics for Ads customers who have opted in for conversion tracking. As an Ads client, we learn the total number of users who clicked on an ad and were redirected to a page tagged with a conversion tracking tag. However, we do not receive any information with which we can personally identify you.
The information generated by the cookie about your use of this website, such as click behaviour on texts and products or interactions with videos, is transmitted to a Google server in the USA and stored there.
The processing of personal data by Google in this regard takes place under Google's own responsibility based on the standard data protection clauses of the European Commission pursuant to Art. 46 (2c) DSGVO. Google has also implemented extensive technical and organisational measures designed to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access. These Google measures are certified in accordance with the ISO/IEC 27001:2013 standard.
Google's privacy information can be found here.
You can prevent the storage of cookies by setting your browser software accordingly (see IV. 3a above) or by making the appropriate settings via our cookie consent tool. However, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.
Information is not passed on to third parties unless there is a legal obligation to do so or third parties process the data on our behalf (e.g. a computer centre).
For the statistical analysis of data traffic, we use an analysis tool from
webtrekk GmbH, Boxhagener Str. 76-78, 10245 Berlin.
This website uses technologies of
idealo internet GmbH, Zimmerstraße 50, 10888 Berlin, Germany (hereinafter "idealo").
idealo uses tracking technology from
Ingenious Technologies AG, Französische Straße 48, 10117 Berlin,
in order to establish a connection between a click by the user on an advertising medium or a display of an advertising medium (touchpoint) and action by the customer (e.g. a purchase in the online shop or a newsletter registration). At each touchpoint, the browser of the customer's end device sends an HTTP request to the Ingenious server, with which certain information is transmitted. This information includes the website URL on which the advertising material is placed (referrer URL) and, in some circumstances, together with the referrer URL, an individual click ID, the browser ID (user agent) of the end device (including information about the device type and operating system), the IP address of the end device (this IP address is anonymised by Ingenious before storage), HTTP header (data package with various technical information automatically transmitted by your browser), the time of the request and, if already stored on the end device, the cookie with its entire content.
This website uses technologies of
Solute GmbH, Zeppelinstr. 15, 76158 Karlsruhe, Germany (hereinafter referred to as "billiger.de").
12. Advertising marketing
On our website, information about your surfing behaviour (so-called tracking data), among other things, is collected via the tracking instruments described in this section VI. if you have given your consent (see already above under IV. 2 d)). In addition, data about you is collected on this website when you create a customer account and/or purchase goods via this website (customer account/contract and processing data, see above in section II.5). Tracking data may be combined by us with other customer account/contract and settlement data (including via the injection of hashed email addresses, customer IDs into analytics tools such as Google Analytics and the combination of client IDs from analytics tools with other analytics tools such as Google Analytics and Adform).
This is to enable us to offer you more customised advertising and to enable us to better target our marketing spend.
The combined tracking data and customer account/contract and settlement data are only stored by us in pseudonymised form. Personal data such as your name, e-mail address, date of birth etc. are not processed as clear data.
Based on the pseudonymised data, we receive information about your behaviour and consumption preferences. No information on particularly sensitive data (e.g. political views, health, racial or ethnic origin) is formed and no such sensitive data is used in the context of forming preferences.
We may also use this information about your preferences to enable third parties (advertisers) to serve personalised advertisements to you on third-party websites (so-called "publishers"). In this case, the data will not be passed on to the advertisers or the website operators (publishers). Neither we nor the third parties are able to directly assign certain preferences to your person. Furthermore, a minimum number of persons (20 persons) for whom information on preferences is stored by the aforementioned companies must have the same preferences (K-anonymity). The legal basis for the data processing described above is your consent in accordance with Article 6(1)(a) DSGVO.
Insofar as you no longer wish to have tracking data collected across websites for the aforementioned purpose, you can revoke the consent you have given in this regard at any time via the consent management tool we use.
VII. Data subject rights
You have the right:
- pursuant to Art. 7 Para. 3 GDPR to withdraw your consent from us at any time. As a result, we will in future no longer be allowed to continue the data processing based on this consent;
- pursuant to Art. 15 GDPR to ask for information about your personal data processed by us. In particular you can ask for information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to correction, deletion, restriction of processing or objection, the existence of a right to complain, the origin of your data, if this was not collected by us, and about the existence of automated decision-making including profiling and if applicable meaningful information about its details;
- pursuant to Art. 16 GDPR to ask for the immediate rectification of inaccurate or immediate completion of incomplete personal data stored by us;
- pursuant to Art. 17 GDPR to ask for the erasure of your data stored by us, unless the processing is necessary to exercise the right of freedom of expression and information, to meet a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
- pursuant to Art. 18 GDPR to ask for the restriction of the processing of your personal data, if the accuracy of the personal data is contested by you, the processing is unlawful and you oppose its erasure and we no longer need the data, but it is required to assert, exercise or defend legal claims or you have objected to the processing pursuant to Article 21 GDPR;
- pursuant to Art. 20 GDPR to ask to receive your personal data which you have provided us in a structured, commonly used and machine-readable format or transmit it to another controller and
- pursuant to Art. 77 GDPR to lodge a complaint with a supervisory authority. As a rule you can contact for this purpose the supervisory authority for your habitual residence, place of work or our headquarters.
VIII. Right to object
If your personal data is processed on the basis of legitimate interests pursuant to Art. 6 Para. 1 Clause 1 Letter f GDPR, you have the right, pursuant to Art. 21 GDPR, to object to the processing of your personal data if there are grounds relating to your situation or you object to direct marketing. In the latter case you have a general right to object which will be acted upon by us without you needing to state grounds relating to your situation.
IX. Data protection
All data transmitted personally by you is transmitted in encrypted form with the customary secure standard TLS (Transport Layer Security). TLS is a secure and tested standard which is also used in online banking. You can recognise a secure TLS connection by among other things the s after http (i.e. https://..) in your browser's address bar or by the padlock symbol at the top of your browser.
We also use suitable technical and organisational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or unauthorised access by third parties. Our security measures are improved continuously in line with technological developments.
This data protection declaration is current as at June 2021.
Due to the development of our website, offers via the website or changes in statutory or regulatory requirements, it may be necessary to amend this data protection declaration. The current data protection declaration as amended can be downloaded at any time from the website https://www.addnature.co.uk/service-information/customer-service/privacy-statement.html and printed out.