1. Collection of personal data
1.1 Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour.
1.2 The controller according to Art. 4 para 7 of the EU General Data Protection Regulation (GDPR) is Your Superfoods GmbH, Grünberger Str. 44a, 10245 Berlin, firstname.lastname@example.org (see our imprint). You can reach our data protection officer at email@example.com or at our postal address with the addition "the data protection officer".
1.3 During the mere informative use of our website, we only collect the personal data that your browser transmits to our server. When you view our website, we collect the following data, which is technically necessary for us to display our website and to ensure stability and security:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (concrete page)
- Access status/HTTP status code
- Data volume transferred in each case
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software
The legal basis is Art. 6 para. 1 lit. f GDPR.
1.4 If you contact us, we will store your contact details in order to answer your questions. Depending on how you contact us (email, chat, social media or via the contact form), the contact details may include, for example, your name, postal address, telephone numbers, email address, details of your profiles on social networks (for example, we receive your Facebook ID if you contact us via Facebook), user names and similar contact details. The legal basis is Art. 6 para. 1 lit. b or lit. f GDPR.
1.5 If you register for one of our services, we store personal information about you, for example your first name and surname, the title, your contact details. The legal basis is Art. 6 para. 1 lit. a GDPR.
1.6 When you order something from us, we collect your purchase and payment data. These are, for example, order number, details of the purchased products, details of the payment method, delivery and billing addresses, messages and communications relating to purchases (e.g. revocation statements, complaints and messages to customer service), delivery and payment status, e.g. "Completed" or "Shipped", return status, e.g. "Successfully completed" and details of service providers involved in the execution of the contract. You can pay securely with PayPal, credit card or “Sofortüberweisung”. Payment data are for example: preferred payment method, billing addresses, IBAN and BIC or account number and bank code, credit card data and creditworthiness data. The legal basis is Art. 6 para. 1 lit. b GDPR.
1.7 If you use our services, i.e. order from us, set up a customer account or, for example, participate in the loyalty or bonus system, data is collected that tells us which content, topics and products you are interested in. This enables us to display products that are likely to be relevant to you the next time you search. If you have consented, we receive information and statistics, device and access data and interests of our users from external advertising partners. This information can help us to better understand our users, for example in the context of customer structure analyses and user segmentation. The legal basis is Art. 6 para. 1 p. 1 lit. a GDPR.
1.8 When you communicate with us or other users about products (e.g. evaluations) or other topics, we collect the content of your communications. Product evaluations can be published within our service. The legal basis is Art. 6 para. 1 lit. a or lit. f GDPR.
We currently use social links from the following social networks:
1.10 We also collect data about the current location of your device. If you enable your device's location services for us, we will process the location data collected from your device and provided to us to provide you with location-based services. We also collect location data derived from the IP address of your device (down to city level). This procedure (so-called geolocation) is used by us and many other online shops, for example, in fraud detection to identify suspicious orders (e.g. in certain situations it may be suspicious if the IP address of a country from which you have not yet placed an order is used for an order via your customer account). The legal basis is Art. 6 para. 1 lit. a or lit. f GDPR.
1.11 Finally, when using our services, it is unavoidable that technical data is created and processed in order to provide and display the functions and content offered. Device and access data is generated with every use of an online and mobile service. It does not matter who the provider is. Device and access data includes general device information, such as information about the type of device, the version of the operating system, configuration settings (e.g. language settings, system permissions), information about the Internet connection (e.g. name of the mobile network, connection speed) and the app used (e.g. name and version of the app) as well as identification data (IDs), such as session IDs, cookie IDs, unique device IDs (e.g. Google Advertising ID, Apple Ad ID), third-party account IDs (if you use social plug-ins or social logins or payment via PayPal) and other common internet technologies in order to recognize your web browser, your device or a specific app installation. The legal basis is Art. 6 para. 1 lit. f GDPR.
2. Your rights
You have the following rights in relation to personal data relating to you:
Art. 15 GDPR - Data subject's right to information: You have the right to request confirmation from us as to whether personal data relating to you are being processed and, if so, what these are, as well as the more detailed circumstances of the data processing.
Art. 16 GDPR - Right to rectification: You have the right to demand that we correct any inaccurate personal data relating to you without undue delay. Taking into account the purposes of the processing, you also have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.
Art. 17 GDPR - Right to erasure: You have the right to demand that we delete personal data concerning you without delay.
Art. 18 GDPR - Right to restrict processing: You have the right to demand that we restrict processing.
Art. 20 GDPR - Right to data portability: You have the right, in the event of processing based on consent or for the performance of a contract, to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format, and to transfer this data to another controller without hindrance from us, or to have the data transferred directly to the other controller, insofar as this is technically feasible.
Art. 21 GDPR - Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is necessary for legitimate interests on our part or for the performance of a task carried out in the public interest, or which is carried out in the exercise of official authority. If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
Insofar as we process your personal data for the purpose of direct marketing, you have the right to object to the processing at any time. If you object to the processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Art. 77 GDPR in conjunction with § 19 BDSG (German Federal Data Protection Act) - Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with a supervisory authority at any time, in particular in the member state of your place of residence, place of work or the place of the alleged infringement, if you are of the opinion that the processing of personal data concerning you violates applicable law.
If you have given us consent, you have the right to revoke your consent at any time. All data processing that we have carried out until you revoke your consent will remain lawful in this case. To do so, you can simply click on the link contained in each email and unsubscribe from the email service, make the appropriate setting in your user account or send a message to firstname.lastname@example.org. If you inform us in this message that you do not wish to receive any future e-mails, we will no longer send any messages to the e-mail address you have provided.
3. Data sources
3.1 You provide us with much of the data we process yourself, for example, when you contact us, register or order something from our shop and provide us with your name, email address or postal address. We also receive technical device and access data that is automatically collected by us when you use our services, for example, about which device you are using. We collect further data through our own data analyses and may also receive data about you from third parties, for example from credit agencies and payment service providers.
3.2 In order to expand the range of functions of our website and to make it more convenient for you to use, we use so-called "cookies". With the help of these "cookies", data can be stored on your computer when you call up our website.
Cookies are small text files that are stored on your hard drive associated with the browser you are using and through which certain information flows to the body that sets the cookie (in this case, us). Cookies cannot execute programs or transfer viruses to your computer. They serve to make the internet offer more user-friendly and effective overall.
A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. With regard to their function, cookies are again differentiated between:
-Technical cookies: these are essential to navigate the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes nor do they store which web pages you have visited;
-Performance Cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur during website use; they do not collect information that could identify you - all information collected is anonymous and is only used to improve our website and find out what interests our users;
-Advertising Cookies, Targeting Cookies, Conversion Tracking Cookies : These are used to offer the website user tailored advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
-Sharing cookies: these are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.
You can find an overview of all cookies used here.
4. Data security, data transmission to third countries, storage period and transmission of personal data to third parties
4.1 We use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties (e.g. TSL encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
4.2 Within the scope of our business relationships, personal data may be passed on or disclosed to third party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing will only take place in order to fulfil contractual and business obligations and to maintain your business relationship with us. We will inform you about the respective details of the transfer in the following in the relevant places.
Some third countries are certified by the European Commission through so-called adequacy decisions to have a level of data protection comparable to the EEA standard (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard contractual clauses of the European Commission for the protection of personal data, certificates or recognized codes of conduct.
We use multiple platforms to store and process data: Google Bigquery, Google Cloud Storage, Tableau, Google Analytics, Shopify, Klaviyo, Reveal, Delighted, Metabase.
We not only use the data internally, but also share some with external partners. Broad categories include:
- The CRM tool Zendesk for handling customer inquiries
- The operators of our warehouses: "Byrd" for the EU and "Fulfilment Crowd" for the UK
- Marketing partners and advertising platforms such as Facebook or direct mail companies
- Software systems for the management of data such as "Shopify" or "Klaviyo".
- Web tracking data such as Google Adwords, AspireIQ, Facebook, Proof, Google Analytics.
Our UK site may also contain web trackers from Acuity Afterpay, Amazon, Artsai, Bing, Hotjar, Impact, Justuno, Klaviyo, LinkedIn, Modus, OneTrust, Outbrain, Pinterest, Reddit, Roku, Snapchat, TikTok, Verizon, Youtube, Zendesk.
4.3 We store your data,
- if you have consented to the processing, at most until you withdraw your consent,
- if we need the data for the execution of a contract, at most for as long as the contractual relationship with you exists or legal retention periods run,
- if we use the data on the basis of a legitimate interest, at most for as long as your interest in deletion or anonymisation does not outweigh this.
The legal bases stated in the context of the processing purposes apply accordingly. Third parties engaged by us will store your data on their systems for as long as is necessary in connection with the provision of services for us in accordance with the respective order.
4.4 The following categories of recipients may have access to your personal data:
- Service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data center services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 lit. b or lit. f GDPR, insofar as it does not involve processors;
- Government agencies/authorities, insofar as this is necessary for the fulfilment of a legal obligation. The legal basis for the disclosure is then Art. 6 para. 1 lit. c GDPR.
- Persons employed to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 lit. b or lit. f GDPR.
5. Web analysis
We use analytics tools in the form of tracking software to determine the frequency of use and number of users of our website.
On our website we use Google Analytics of Google LLC ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. Google Analytics is used for web analysis and optimization of use on the website. The information generated by cookies about your use of this website is usually transmitted to a Google server in the USA and stored there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. You can set IP anonymization for Google Analytics on our website. In this case, your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. With the following plug-in you can prevent Google from tracking you: http://tools.google.com/dlpage/gaoptout?hl=d.
The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other Google data. Within the scope of tracking, order data (information about ordered products) is transmitted. The data sent by us and linked to cookies, user recognition (e.g. user ID) or advertising IDs are automatically deleted after 36 months. Information of the third party provider: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. User conditions: http://www.google.com/analytics/terms/de.html Overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html as well as the data protection declaration: http://www.google.de/intl/de/policies/privacy .
The legal basis for the use of Google Analytics is Art. 6 para. 1 lit. a GDPR.
6. Usage-related advertising
The advertising displayed on this website is optimized for you by the anonymous collection and processing of your usage behavior, so that you get ads tailored to your interests. For this purpose, a cookie is stored on your computer. Behavioural targeting is operated by third-party companies that also run advertising for websites of other providers. These third-party companies then create the aforementioned usage profiles themselves using cookies and apply their respective targeting systems to select the collected data for the purpose of user-tailored advertising. These are the following companies:
Our website uses Google AdWords from Google LLC ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA. AdWords is an online advertising program. We use conversion tracking as part of this program. When you click on an ad hosted by Google, a conversion tracking cookie is placed on your system. The cookie allows us and Google to see that you clicked on the ad and were redirected to our website. Conversion cookies are used to generate conversion statistics for AdWords customers who use conversion tracking. You can find more information at: https://www.google.de/policies/privacy/
The use of this service is based on Art. 6 para. 1 lit a) GDPR.
This website uses the remarketing function "Custom Audiences" of Facebook Inc., 1601 South California Avenue, Palo Alto, CA 94304 USA. This function is used to present interest-based advertisements ("Facebook Ads") to visitors of this website when they visit the social network Facebook. In doing so, it is transmitted to the Facebook server that you have visited this website and Facebook assigns this information to your personal Facebook user account. More information at: https://www.facebook.com/about/privacy/
The use of this service is based on Art. 6 para. 1 lit. a GDPR.
Our website uses so-called social plugins ("plugins") from Instagram, which is operated by Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA ("Instagram"). The plugins are marked with an Instagram logo, for example in the form of an "Instagram camera". An overview of the Instagram data policy can be found here: https://help.instagram.com/519522125107875/?helpref=hc_fnav
If you call up a page of our website that contains such a plugin, your browser establishes a direct connection to the servers of Instagram. The content of the plugin is transmitted by Instagram directly to your browser and integrated into the page. Through this integration, Instagram receives the information that your browser has called up the corresponding page of our website, even if you do not have an Instagram profile or are not currently logged in to Instagram. This information (including your IP address) is transmitted by your browser directly to a server of Instagram in the USA and stored there.
If you are logged in to Instagram, Instagram can directly assign your visit to our website to your Instagram account. If you interact with the plugins, for example by clicking the "Instagram" button, this information is also transmitted directly to an Instagram server and stored there. The information will also be published on your Instagram account and displayed to your contacts there.
The use of this service is based on Art. 6 para. 1 lit a) GDPR.
If you do not want Instagram to assign the data collected via our website directly to your Instagram account, you must log out of Instagram before visiting our website using the script blocker "NoScript" (http://noscript.net/).
7. Third party services
As with any larger company, we use external domestic and foreign service providers to conduct our business (e.g. for IT, logistics, telecommunications, sales and marketing). These include:
If you decide to use a payment method offered by "Stripe", the payment will be processed by the payment service provider Stripe Payments Europe Ltd, C/O A&L Goodbody, Ifsc, North Wall Quay, Dublin 1, Ireland (hereinafter "Stripe"), to whom we pass on the information you provided during the ordering process, together with information about your order (name, address, account number, bank code, credit card number, if applicable, invoice amount, currency and transaction number). The transfer of your data takes place exclusively for the purpose of payment processing. You can find more information about Stripe's data protection on the Internet at https://stripe.com/de/privacy.
The compilation of our delivery and the creation of the shipping labels is done by our contractual partner byrd technologies Germany GmbH, Lobeckstraße 36-40, 10969 Berlin. To this partner we transmit the delivery data of the recipient of the goods. The transmission of the data takes place exclusively for the completion of the orders. You can find more information about data protection at byrd at https://getbyrd.com/privacy/ .
8. Concluding remarks
In the context of the further development of data protection law as well as technological or organisational changes, our data protection information is regularly reviewed to determine whether it needs to be adapted or supplemented.
This privacy notice is current as of October 14, 2021.