Privacy Policy

I. General Information

If you have any questions or concerns regarding data protection, you can contact us as the data controller or our data protection officer at any time.

1. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR), as well as the Federal Data Protection Act (BDSG), is

Model Car World GmbH
Boettgerstraße 14
65439 Flörsheim
Germany

Phone: +49 (0) 6145 3501-0
Email: [email protected]

as well as its subsidiaries:

BB Services GmbH
Boettgerstraße 14
65439 Flörsheim
Germany

Phone: +49 (0) 6145 3501-100
Email: [email protected]

BREKINA Modellspielwaren GmbH
Zeppelinstr. 8
79331 Teningen
Germany

Phone: +49 (0) 7663 93270
Email: [email protected]

Speidel Replicars GmbH
Hafnerstr. 59
72131 Ofterdingen
Germany

Phone: +49 (0) 74 73 - 922 209 0
Email: [email protected]

hereinafter referred to as the corporate group.

2. Contact Information of the Data Protection Officer

If you have any questions about data protection, requests, and/or need more information about the data processing of the corporate group, please contact our data protection officer:

Jean-Claude Endert, LL.M., M.A.
TÜV SÜD Akademie GmbH
Business Unit Data Protection Consulting Services
Westendstraße 160
80339 Munich

Email: [email protected], [email protected]

3. Supervisory Authority

If you believe that the processing of your personal data by the corporate group is not carried out properly, you have the right to contact a supervisory authority in the Member State of your residence, workplace, or the location of the alleged infringement. The supervisory authority responsible according to Art. 55 GDPR is …

The Hessian Commissioner for Data Protection and Freedom of Information

Prof. Dr. Alexander Roßnagel

P.O. Box 31 63
65021 Wiesbaden

Gustav-Stresemann-Ring 1
65189 Wiesbaden

Phone: 06 11/140 80
Email: [email protected]
Homepage: https://www.datenschutz.hessen.de

II. General Information on Data Processing

1. General Information on Data Processing and Scope of Application

In general, the corporate group processes your personal data only to be able to display content and services for a functioning website. The collection of your personal data takes place when you create an account with us. This privacy policy applies to all pages of our online offering.

2. Definitions

a) Definitions according to Art. 4 GDPR:

Personal data: all information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Examples include contact data, communication data, billing data.

Processing: any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Recipient: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.

Third party: a natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.

b) "Need-to-Know Principle":

· Each data-processing employee should only be able to access those data sets and execute programs that are truly necessary for the performance of their tasks.

3. Legal Bases for the Processing of Your Data

The legal basis for the processing of your personal data arises from Art. 6 (1) of the EU General Data Protection Regulation (GDPR).

a) In cases where your consent is required for the processing of your personal data, this is based on Art. 6 (1) lit. a GDPR.

b) If the processing of your personal data is necessary for the performance of a contract or pre-contractual measures, Art. 6 (1) lit. b GDPR serves as the legal basis.

c) Art. 6 (1) lit. c GDPR is the legal basis if your personal data are processed for the fulfillment of legal obligations by the corporate group.

d) For the protection of vital interests, Art. 6 (1) lit. d GDPR serves as the legal basis.

e) For tasks carried out in the public interest, Art. 6 (1) lit. e GDPR applies.

f) Where the processing of personal data is necessary for the purposes of the legitimate interests pursued by the corporate group or by a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1) lit. f GDPR serves as the legal basis.

Legitimate interests may arise in the course of service provision; including direct marketing activities, direct communication with website users, and the provision of technical support where necessary.

Furthermore, such grounds may also arise from internal operations such as the handling of administrative tasks or ensuring the proper functioning of the websites.

They may also result from the corporate group's efforts to achieve synergy effects by centrally providing various services.

g) In the case of an application for employment, the legal basis is derived from Art. 88 (1) GDPR in conjunction with § 26 (1) sentence 1 BDSG . Insofar as the data relates to special categories of personal data (such as data relating to your health) that you yourself provide to us (e.g., information about severe disability), processing is carried out on the legal basis of Art. 9 (2) lit. b GDPR in conjunction with § 26 (3) BDSG.

4. Categories of Recipients

Employees of the corporate group according to the "Need to Know" principle
Service providers supporting the corporate group in all areas (Assurance, Business Development, IT, Operations, HR, and Finance)
Social networks, if applicable

5. Description of the Data and Purpose of Processing

We process the following personal data:

Data for access management (login credentials)
e.g., email address, password [encrypted so that no employee has access to your personal password]

Purpose:

To use and implement the website

Provision of customer support, regardless of the contact method used (email correspondence, phone contact, etc.)

Legal basis: Art. 6 para. 1 lit. b GDPR

User data
such as your display name, email address

Purpose:

For use and implementation of the website

Provision of customer support, regardless of the contact method used (email correspondence, phone contact, etc.)

To comply with legal obligations, regulatory requirements, or respond to requests from government authorities. Mainly financial regulatory inquiries.

To protect the corporate group and the rights of this company as well as the rights of affiliated parties. In addition, the recording and disclosure of data may be required to: (a) protect your and the public’s safety and privacy, (b) protect our legal rights, our security, or our property, or (c) minimize our risk or that of affiliated parties.

Also for your and our security, and to improve services and the functionality of the website. This includes surveys, your voluntary feedback, reporting of potential malfunctions, or input from service providers and partners.

For the purpose of conducting marketing communications by the corporate group, which are based on voluntary consent and/or agreement to the transmission of registration or login data. Marketing communication includes communication via email, telephone, or postal mail.

Legal basis: Art. 6 para. 1 lit. b, c, f GDPR

Settings data
such as whether you have registered your phone number for SMS communication

Purpose:

To fulfill the Terms of Service for this platform.

To comply with legal obligations, regulatory requirements, or respond to requests from government authorities. Mainly financial regulatory inquiries.

For the purpose of transferring assets in case we sell and/or merge the company or its assets in whole or in part.

Legal basis: Art. 6 para. 1 lit. b, c, f GDPR

Device data
such as device ID, operating system

Purpose:

Provision of customer support, regardless of the contact method used (email correspondence, phone contact, etc.)

Legal basis: Art. 6 para. 1 lit. b, f GDPR

Network data
such as IP address, referrer (the originating website through which the user accessed the current website or file)

Purpose:

For use and implementation of the website

To comply with legal requirements, regulatory obligations, or respond to inquiries from government authorities. Mainly financial regulatory inquiries.

Also for your and our security, and to improve services and website functionality. This includes surveys, your voluntary feedback, the reporting of possible malfunctions, training of our employees or of service providers and partners.

For the purpose of carrying out marketing communications by the corporate group, based on voluntary consent or agreement to the transmission of registration or login data. This can be general or personalized based on user behavior and activity data. Marketing communication includes communication via email, SMS, telephone, or chat messages, potentially also via third-party messenger services or by postal mail.

Legal basis: Art. 6 para. 1 lit. b, c, f GDPR

Localization data
such as country of origin, language

Purpose:

For use and implementation of the website

Provision of customer support, regardless of the chosen contact method (email communication, phone contact, etc.)

Also for your and our security, and to improve services and website functionality. This includes surveys, your voluntary feedback, reporting of possible malfunctions, training of our employees or of service providers and partners.

Legal basis: Art. 6 para. 1 lit. b, c, f GDPR

Personally identifiable data
such as address, date of birth

Purpose:

To enable order processing

For use and implementation of the website

For the purpose of age verification, fraud and money laundering prevention

Fulfillment of the terms and conditions for this platform

Provision of customer support, regardless of the chosen contact method (email communication, phone contact, etc.)

To comply with legal requirements, regulatory obligations, or respond to inquiries from government authorities. Mainly financial regulatory inquiries.

To protect the corporate group and the rights of this company, as well as the rights of affiliated parties. Furthermore, the recording and sharing of data may be required in order to: (a) protect your and the public’s safety and privacy, (b) protect our legal rights, security or property, or (c) minimize our risk or that of affiliated parties.

For the purpose of carrying out marketing communications by the corporate group, based on voluntary consent or agreement to the transmission of registration or login data. Marketing communication includes communication via email, SMS, and phone, or chat messages, possibly also through third-party messengers or by postal mail.

To conduct the application process and to establish an employment relationship

Legal basis: Art. 6 para. 1 lit. b, c, f GDPR; in case of an application: Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG

Partner information
such as advertising banners you clicked to reach us

Purpose:

Legal basis: Art. 6 para. 1 lit. f GDPR

6. Duration of Data Storage and Deletion

The corporate group generally deletes your personal data once the purpose of storage no longer applies. The data mentioned above is mandatory for using and implementing the website, as well as fulfilling the terms and conditions. However, extended storage may arise from European or national legislation, regulations, or other provisions to which the corporate group is subject. Such data will only be deleted once the corresponding retention periods derived from the aforementioned legal sources expire. An exception applies only if the stored data is required for the performance or conclusion of a contract. For example, retention periods of up to ten years are legally stipulated for certain data due to tax regulations.

7. Where is the Data Processed?

In the case of Model Car World, your data is processed in data centers within the European Union.

In the case of BB Services, the server is located in the USA (Silicon Valley, California) until the end of September 2024. After that, these data will also be migrated to a server located within the European Union.

III. Information on the necessary data processing and transfer

1. Group Companies

All collected and personal data will be made available within the Group and to partner companies in accordance with the "need to know" principle.

a) Description and Scope of Data Processing
All data that is processed when visiting the website, among other things, and is mentioned in this privacy policy at the appropriate place, is available to both companies of the group for the purposes described below:

b) Legal Basis for Data Processing
Art. 6 para. 1 lit. f GDPR and thus our legitimate interest in being able to offer you our services in a comprehensive, continuous, and trend-aware manner form the legal basis for data processing.

c) Purpose of Data Processing
The website itself and the products offered are provided through cooperation within the group of companies. This requires that all personal data and, for example, data collected by cookies are always available to all companies. Only in this way is it possible to carry out necessary work, e.g., on the programming code of the website, and to coordinate it so that it functions smoothly for all customers. For example, information about how many customers are logged in and active at what time is relevant for the group of companies in order to be able to make adjustments to the current server capacities if necessary. Furthermore, information about which browser type prospective customers and customers prefer to use our offers with is also important, for example, so that the relevant employees can make programming adjustments if necessary in the event of upcoming browser updates.

d) Duration of Storage
If specific stored data needs to be deleted by one company of the group, it will also be irreversibly deleted by the other company.

e) Possibility of revocation, objection, and removal
In the case of personal data processed in connection with Art. 6 (1) (a) GDPR and thus with the customer's consent, revocation is sufficient to prohibit further processing. In the case of data processed in connection with Art. 6 (1) lit. b GDPR and thus by means of a contract, termination of the usage agreement concluded with the company of the group of companies is required to terminate data processing. In order to terminate the processing of data in connection with Art. 6 (1) lit. f GDPR, an objection by the customer with future effect is required.

2. Hosting of Our Website

When you visit the website, certain information is automatically generated and stored, including on the pages of the group of companies.

When you visit our website, our web server (the computer on which this website is hosted) automatically stores data such as

the address (URL) of the accessed webpage
browser and browser version
the operating system used
the address (URL) of the previously visited page (referrer URL)
the hostname and IP address of the device from which access occurs
date and time

in files (web server log files).

We usually delete the data in web server log files at regular intervals—the exact time depends on the respective configuration rules. These can be time- or size-based.

We do not pass on this data, but cannot rule out the possibility that this data may be viewed in the event of illegal behavior.

3. Contact Form and Email Contact

a) Description and Scope of Data Processing
There are contact forms on the websites of the group of companies. If a customer uses this option to contact us, the data entered in the input mask is transmitted and stored not only by the contacted company, but also by the partner company. This initially includes the contact details (email, first and last name, telephone number) and the request (subject and message). It also includes the IP address.

Alternatively, contact can be made via email. In this case, the personal data transmitted with the email will also be stored.

In both cases, the data will not be passed on to third parties. The data will be used exclusively by the corporate group for customer communication.

b) Legal Basis for Data Processing
The data sent via the contact form or email is stored and used for the purpose of handling customer inquiries and related technical administration. The legal basis for this data processing is the legitimate interest of the corporate group in responding to customer inquiries in accordance with Art. 6 para. 1 lit. f GDPR.

If the customer's contact aims at concluding a contract, then Art. 6 para. 1 lit. b GDPR additionally serves as the legal basis for the processing.

c) Purpose of Data Processing
The purpose of both the contact form and the use of the email address is to provide visitors, prospects, or customers with a simple and convenient way to contact the corporate group directly. This is primarily to answer questions or to initiate pre-contractual measures.

d) Duration of Storage
Once the dialogue with the customer has ended, meaning that it is clear to both parties that no further clarification is needed and the purpose of data collection has been fulfilled, the data will be deleted. Deletion will only be postponed if legal retention periods prevent it.

e) Possibility of revocation, objection, and deletion
The customer can revoke their consent to data processing at any time. The contact form or the email address may also be used for this purpose. In this case, the dialogue will be terminated immediately.

4. Service Providers

Description and Scope of Data Processing
The group of companies works with a number of external service providers who perform services or process data on its behalf (contract processing). They perform processing activities in all specialist departments (assurance, business development, IT, operations, HR, and finance). These service providers or contract processors are listed in a regularly updated list, which can be viewed upon justified request.

1. Legal Basis for Data Processing
Art. 6 para. 1 lit. b GDPR – the performance of contracts between the customers, the corporate group, and the listed service providers/processors – forms the legal basis for data processing.

2. Purpose of Data Processing
Only by transferring personal data can individual services be provided to customers.

3. Duration of Storage
The listed service providers, like the corporate group, delete your personal data after successful completion of the agreed services, unless legal obligations require longer retention periods.

5. Google Fonts

a) Description and Scope of Data Processing
Google Fonts is integrated on some websites of the corporate group. When these fonts are loaded, a connection to Google's servers may be established, through which the browser of the visiting user transmits various data to Google. This includes browser and device data as well as the user’s IP address, which is considered personal data. As a result, the integration of Google Fonts may lead to the transfer of personal data to Google’s servers in the USA.

b) Legal Basis for Data Processing
Art. 6 para. 1 lit. f GDPR – our legitimate interest in search engine optimization, improved loading times, reduced administrative effort, and consistent cross-device display.

c) Purpose of Data Processing
The processing serves to easily and uniformly integrate a large number of fonts on the website and to create an appealing visual presentation for the user.

6. Google Tag Manager

a) Description and Scope of Data Processing
Google Tag Manager is integrated into the websites of the group of companies. When you access our website via this service, additional personal data is processed. Data categories processed: technical connection data of the server access (IP address, date, time, page accessed, browser information). Purpose of processing: Triggering, controlling, and managing other services on our website. Data is transferred to the processor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. This may also involve the transfer of personal data to a country outside the European Union. The transfer of data to the USA is based on Art. 45 GDPR in conjunction with the adequacy decision C(2023) 4745 of the European Commission, as the data recipient has committed to complying with the data processing principles of the Data Privacy Framework (DPF).

b) Legal Basis for Data Processing
Article 6(1)(f) GDPR and thus our legitimate interest in the secure and functioning operation of the technical systems, compliance with legal and contractual obligations.

c) Purpose of Data Processing
The purpose of processing is to trigger, control, and manage other services on our website.

7. Google Analytics/ Google Analytics e-commerce measurement

a) Description and Scope of Data Processing
Google Analytics is integrated into the websites of the group of companies. When you access our website via this service, additional personal data is processed. Data categories processed: technical connection data of the server access (IP address, date, time, page accessed, browser information) and data about the use of the website as well as the logging of clicks on individual elements. In connection with Google Analytics, we also use the "e-commerce measurement" function . With the help of e-commerce measurement, the website operator can analyze the purchasing behavior of website visitors in order to improve its online marketing campaigns. This involves collecting information such as orders placed, average order values, shipping costs, and the time from viewing to purchasing a product. This data can be summarized by Google under a transaction ID that is assigned to the respective user or their device. Data is transferred to the independent controller Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA. The legal basis for the transfer of data to Google LLC is A transfer of personal data to a country outside the European Union is also conceivable. The transfer of data to the USA is based on Art. 45 GDPR in conjunction with the adequacy decision C(2023) 4745 of the European Commission, as the data recipient has committed to comply with the data processing principles of the Data Privacy Framework (DPF).

b) Legal Basis for Data Processing
Your consent pursuant to Art. 6 (1) (a) GDPR.

c) Purpose of Data Processing
The purpose of the processing is to analyze usage behavior and optimize content.

8. Google Ads

a) Description and Scope of Data Processing
Google Ads is integrated on the corporate group’s websites. Google Ads allows the corporate group to display advertisements in Google search results or on third-party websites when users enter specific search terms (keyword targeting). Additionally, targeted advertising can be displayed based on Google’s user data (e.g., location and interests) (audience targeting). To measure the success of Ads campaigns, Google sets a cookie on the company’s website. This reads and stores the IP address and user interactions of those who accessed the company’s site via the ad.

b) Legal Basis for Data Processing
Your consent in accordance with Art. 6 para. 1 lit. a GDPR.

c) Purpose of Data Processing
Google Ads is Google’s online advertising platform. It enables the creation of online ads to reach users at the exact moment they show interest in your products or services. As the website operator, the corporate group can evaluate this data quantitatively, e.g., by analyzing which search terms triggered the ads and how many clicks resulted from them.

9. Google Ads Remarketing

a) Description and Scope of Data Processing
The corporate group’s websites use Google Ads Remarketing. This allows us to assign users who interact with our online offering to specific target groups in order to display interest-based ads to them within the Google advertising network (remarketing or retargeting). It is important to note that remarketing differs from web tracking (such as Google Analytics). While web tracking allows for tracking user activity on a single website (1st party tracking), remarketing enables cross-site tracking of user activity (3rd party tracking).

b) Legal Basis for Data Processing
Your consent in accordance with Art. 6 para. 1 lit. a GDPR.

c) Purpose of Data Processing
Google Ads Remarketing allows us to assign users who interact with our online offering to specific target groups and subsequently display interest-based advertisements to them in the Google advertising network (remarketing or retargeting).

10. Google Conversion Tracking

a) Description and Scope of Data Processing
The corporate group’s websites use Google Conversion Tracking. With this tool, Google and the corporate group can determine whether a user has performed specific actions. For example, the corporate group can analyze which buttons on the website are clicked and how often, or which products are viewed or purchased most frequently.

b) Legal Basis for Data Processing
Your consent in accordance with Art. 6 para. 1 lit. a GDPR.

c) Purpose of Data Processing

These details are used to create conversion statistics. The corporate group learns the total number of users who clicked on their ads and what actions they performed.

11. Meta Pixel (formerly Facebook Pixel)

a) Description and Scope of Data Processing
Meta Pixel is integrated on the corporate group’s websites. When accessing our website via this service, additional personal data is processed. The data categories processed include data about the use of the website and the logging of clicks on individual elements.

b) Legal Basis for Data Processing
Your consent pursuant to Art. 6 para. 1 lit. a GDPR.

c) Purpose of Data Processing
The purpose is to analyze user behavior, evaluate the effectiveness of online marketing activities, and select online advertising on other platforms, automatically determined using real-time bidding based on user behavior.

12. Klar

a) Description and Scope of Data Processing
We use the services of Klar (Klar Insights GmbH, Marktstr. 18, 80802 Munich, Germany) on our website. Klar collects, processes, and stores data on this website and its subpages for statistical analysis on our behalf.

b) Legal Basis for Data Processing
Your consent pursuant to Art. 6 para. 1 lit. a GDPR.

c) Purpose of Data Processing
We use Klar to analyze how you use the website, compile reports about activities on our web offering, and provide other services related to website usage to improve user-friendliness.

13. Newsletter Distribution via Klaviyo

a) Description and Scope of Data Processing
It is possible to subscribe to the corporate group’s newsletter on the website. The data entered into the form is transmitted to the controller. This includes: first name, last name, email address, IP address of the registering computer, date and time of registration. Your email address will be stored and used for marketing purposes until you unsubscribe from the newsletter. Unsubscribing is possible at any time using the unsubscribe link in the newsletter. The subscription process uses a double opt-in procedure — you will receive an email asking for confirmation. This ensures that no one can sign up using someone else's email address. The user’s IP address and the registration timestamp are stored to prevent misuse. Newsletters are sent via the technical service provider Klaviyo, to whom your registration data is transmitted. Note that your data is generally transmitted to and stored on a Klaviyo server in the USA. Klaviyo sends the newsletters on behalf of the corporate group and does not use or share this data with third parties.

b) Legal Basis for Data Processing
If user consent is present, the legal basis is Art. 6 para. 1 lit. a GDPR. This consent is also required for any post-registration processing such as measuring open and click rates and storing those results in user profiles for further processing.

c) Purpose of Data Processing
The processing of personal data is for the purpose of sending our regular newsletters and for our own marketing purposes.

14. Email Direct Marketing to Existing Customers

a) Description and Scope of Data Processing
If you have placed an order with us, we process your provided email address to recommend products that match your previous purchases. Such newsletters without explicit consent will only be sent if:

we received your email address in connection with the sale of a product or service,
we only promote our own similar products or services,
you have not objected to the use, and
you were informed of your right to object both at the time of collection and each time it is used.

The newsletter is also sent in this case via the technical service provider Klaviyo (see above).

b) Legal Basis for Data Processing
For existing customers, direct marketing may rely on the legitimate interests of the controller or a third party under Art. 6 para. 1 sentence 1 lit. f GDPR. Recital 47 sentence 7 explicitly recognizes direct marketing as a legitimate interest. The advertisement must be necessary in the interest of the company or a third party, and this interest must not be overridden by the interests of the recipient. This balance includes what a reasonable recipient can and does expect.

c) Purpose of Data Processing
The processing of personal data is for the purpose of sending our regular newsletters and for our own marketing purposes.

15. Microsoft Ads

a) Description and Scope of Data Processing
Microsoft Ads is integrated into the websites of the group of companies. Microsoft Ads enables the group of companies to display advertisements in Microsoft search engines or on third-party websites when the user enters certain search terms in Microsoft (keyword targeting). Furthermore, targeted advertisements can be displayed based on user data available to Microsoft (e.g., location data and interests) (target group targeting). To help us measure the success of the ad campaign, Microsoft sets cookies when you click on an ad and land on our website. These cookies read and store the IP address and interactions (e.g., product views or saving a product to a wish list) of users who have come to the company's website via an ad. This also makes it possible to track whether the user has performed certain actions, such as a purchase.

b) Legal Basis for Data Processing
Your consent in accordance with Art. 6 (1) (a) GDPR.

c) Purpose of Data Processing
Microsoft Ads is Microsoft's online advertising program. It is used to create online ads to reach users at the exact moment they show interest in our products or services. As the website operator, the group of companies can evaluate this data quantitatively, for example by analyzing which search terms led to the display of the ads and how many ads led to corresponding clicks and purchases.

16. Microsoft Clarity

a) Description and Scope of Data Processing
Microsoft Clarity is integrated into the group of companies' websites. Microsoft Clarity enables the group of companies to record (input fields are masked) and evaluate user sessions. To do this, Microsoft Clarity uses cookies and enables an analysis of user behavior with the help of a pseudonymous user ID. Pseudonymous data such as mouse movements and performance data are evaluated. The data processed includes usage data (pages visited in our web shop, interests, access times), meta/communication data (device information, IP addresses), location data (geographical position of devices or persons), and movement data (mouse and scroll movements) in pseudonymized form. The data is already collected in pseudonymized form by Microsoft, in particular through IP masking. All users of our web shop who have consented to the use of our cookie consent service are data subjects of this data processing.

b) Legal Basis for Data Processing
Your consent in accordance with Art. 6 (1) (a) GDPR.

c) Purpose of Data Processing
Microsoft Clarity is used on the website for optimization and analysis purposes. The group of companies can evaluate recorded sessions to identify and correct errors on the website and to improve the user experience.

17. consentmanager.net

a) Description and Scope of Data Processing
This website uses consentmanager.net (Eppendorfer Weg 183, 20253 Hamburg, Germany) to manage your consent. A cookie is set to store your consent or revocation thereof. Processing is based on the legal obligation to provide evidence of your consent to certain cookies and tracking measures. This ensures that cookies and services, as well as related analysis and tracking tools, are activated in accordance with your preferences. These settings can be adjusted at any time via the "Cookie settings" link at the bottom of the website. The data processed includes the cookie ID, your consent status, your IP address, and the time.

b) Legal Basis for Data Processing
The legal basis for processing is Art. 6 (1) (c) GDPR in conjunction with Art. 7 (1) GDPR, insofar as the processing serves to fulfill the legally standardized documentation requirements for the granting of consent. Otherwise, Art. 6 (1) (f) GDPR is the relevant legal basis. Our legitimate interests in processing lie in storing user settings and preferences regarding the use of cookies and evaluating consent rates.

c) Purpose of Data Processing
In order to be able to offer the mandatory function of a consent banner on the website, the group of companies uses the provider consentmanager.net. This technology ensures that users can make individual settings and that only the accepted services are activated.

IV. Information on Data Protection and Your Rights

1. Your Rights as a Data Subject

a) Right of Access (Art. 15 GDPR): You have the right to know whether and which personal data we process about you. Upon request, we will provide a summary of the personal data. We have up to 30 days to respond to your request.
b) Right to Rectification (Art. 16 GDPR): If you inform us that your data is incorrect or incomplete, we will verify and correct it promptly.
c) Right to Erasure (Art. 17 GDPR): We will delete your personal data upon request unless there are legal grounds against it. Deletion always applies to future processing.
d) Right to Restriction of Processing (Art. 18 GDPR): Upon request, we will restrict processing of your data if any of the conditions specified in the regulation are met.
e) Right to Notification (Art. 19 GDPR): We will inform recipients of your personal data (e.g., processors) about any rectification, restriction, or erasure requests.
f) Right to Data Portability (Art. 20 GDPR): Upon request, we will provide your data in a common, machine-readable format or transmit it to another controller.
g) Right to Object (Art. 21 GDPR): You may object to the processing of your personal data based on legal grounds (e.g., Art. 6 para. 1 lit. e or f GDPR) if justified under the regulation.
h) Right to Withdraw Consent (Art. 7 GDPR): You may withdraw your previously given consent under Art. 6 para. 1 lit. a GDPR at any time with effect for the future.
i) Right Not to Be Subject to Automated Decision-Making (Art. 22 GDPR): You have the right not to be subject to decisions based solely on automated processing — including profiling.
j) Right to Lodge a Complaint (Art. 77 GDPR): If you believe your data is being processed unlawfully or your rights are otherwise violated, you may contact your competent supervisory authority (see section I.3 above) or another authority. A list of German supervisory authorities can be found at:
https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

2. International Data Transfers

As a general rule, recipients of personal data must be based in the European Union (EU) or the European Economic Area (EEA). In some exceptional cases, it is intended to transfer personal data to a third country. Third countries are countries outside the European Economic Area, i.e. outside the European Union and outside Iceland, Liechtenstein, and Norway. Personal data may only be transferred to a country outside the European Union if an adequate level of data protection is guaranteed there. If the EU Commission has not determined adequacy by means of a corresponding decision, a transfer may only take place if appropriate safeguards are in place. Adequacy decisions within the meaning of Art. 45 GDPR certify that third countries have an adequate level of data protection. In such cases, personal data may be transferred to that country on the basis of a legal basis without further measures.

As described above (section II.7), data is transmitted both within the EU and to the USA.

From the end of May 2026, data transfers will take place exclusively within the EU.

V. Information on Cookies and Social Media Plugins

Detailed information about the cookies and plugins used on the corporate group’s websites, their use and storage, and how to object to them, can be found in our Cookie Policy.

VI. Amendments to this Privacy Policy

This privacy policy may be changed due to new legal requirements. Therefore, the corporate group recommends that users regularly review this privacy policy for possible changes and/or additions.