Privacy policy of Mister Spex SE

Your contact and what is known as the "controller" responsible for processing your personal data when you visit this website within the meaning of the General Data Protection Regulation (GDPR) is

Mister Spex SE
Hermann-Blankenstein-Str. 24
DE-10249 Berlin
Tel: 0800 472 54 57
Fax: +49 30 (443)123 025
Email: legal@misterspex.co.uk

You may also contact our data protection officer at any time should you have questions about data protection in connection with our products or the use of our website. They can be contacted via the above postal address and at the previously stated email address (to be marked: "FAO data protection officer"). We must emphasise that if using this email address, the contents are not read exclusively by our data protection officer. Should you wish to exchange confidential information, please make direct contact via this email address prior to doing so.

Every time you use our website, we collect access data automatically transmitted by your browser in order to enable your visit to the website. Access data includes the following in particular:

• IP address of the requesting device

• Date and time of request

• Address of accessed website and requesting website

• Information on the browser and operating system used

• Online identifiers (e.g. device IDs, session IDs)

This access data must be processed in order to enable you to visit the website and ensure the uninterrupted functionality and security of our systems. In addition to the purposes set out above, the access data is also temporarily stored in internal log files in order to generate statistical data on the use of our website, to evolve our website based on our visitors' usage patterns (e.g. if the proportion of mobile devices accessing our website increases), and to perform general administrative maintenance on our website.
The legal basis is Article 6(1)(1)(b) of the GDPR, insofar as the page view occurs in the course of the initiation or implementation of a contract, and otherwise Article 6 (1)(1)(f) of the GDPR due to our legitimate interest in maintaining the permanent functionality and security of our systems.
Log files are stored for 20 days before being anonymised and deleted.

There are various ways you can contact us (in particular via contact form, telephone, email). In this context, we process your data exclusively for the purpose of communicating with you.
The legal basis is Article 6(1)(1)(b) of the GDPR, insofar as your information is required to answer your enquiry or to initiate or implement a contract, and otherwise Article 6(1)(1)(f) of the GDPR due to our legitimate interest in you making contact with us and us being able to answer your enquiry. We only make promotional telephone calls if you have given your consent. If you are not an existing customer, we shall only send you promotional emails on the basis of your consent. The legal basis in such instances is Article 6(1)(1)(a) of the GDPR.
The data collected by us when using the contact form is automatically erased once your request has been completely processed, unless we still need your request to fulfil contractual or statutory obligations (cf. section 8 "Storage duration").

During an order process, we collect mandatory data required to process the contract:

• Form of address

• First name and surname

• Date of birth

• Email

• Password

• Invoice and shipping address

Information such as your telephone number is optional so that we may also contact you by these means in the event of queries.
Should you buy contact lenses or prescription glasses from us, we will also collect and store your prescription values. The same will apply if you have a refraction test at one of our stores or at one of our partner opticians. Should the latter be the case, the data will be received directly from the partner optician you visited.
We also offer you various payment options. Depending on the payment method you select in the order process, we will pass on the payment data collected for this purpose to the financial institution handling the payment and, as applicable, to payment service providers contracted by us or selected by you.
The legal basis for the processing is Article 6(1)(1)(b) of the GDPR. Insofar as we process health data (prescription values) from you, the appropriate legal basis is Article 9 (2)(h) of the GDPR.

If you have selected the payment option "purchase on account" or "direct debit" as part of the order process, we will transmit the personal data you specified when placing your order (name, address, email address, date of birth and telephone number, if applicable) as well as information on the corresponding products to Arvato Payment Solutions GmbH (Gütersloher Straße 123, DE-33415 Verl, "Arvato") so that we are able to decide whether we can grant you this payment method (passive payment method control). For this purpose, we are provided with a projection, in particular on payment probabilities as a score value, based on mathematical-statistical methods (in particular, logistic regression approach and comparisons with groups of persons who have shown similar payment behaviour in the past), taking into account address data and prior payment experience.
Article 6(1)(b) and (f) of the GDPR are the legal basis for this processing. Our legitimate interest is to also be able to offer you risky payment methods such as purchase on account.
Further information on data protection can be found in the AfterPay privacy policy.

For extended risk assessment and fraud prevention, we use so-called device tracking by our service provider Arvato Payment Solutions GmbH, Gütersloher Str. 123, 33415 Verl. The data processing described below is based on your consent within the meaning of Art. 6 (1) sentence 1 lit. a) GDPR. Insofar as you have agreed to the setting of cookies when visiting our website, you consent to the fact that,

1. a cookie (i.e. a small text file that is stored locally in the cache of the web browser) and/or a visitor ID is set or generated, which may contain anonymous data of your terminal devices used when visiting the websites (e.g. your screen resolution, operating system version, browser language, anonymized, i.e. shortened IP address) (e.g. my screen resolution or my operating system version) and via which your terminal devices used can be recognized with a certain probability during further visits, and

2. this cookie or visitor ID, together with your data for contract processing (e.g. object of purchase, name, postal address, e-mail address, delivery address, payment method and bank details), is transmitted by us to Arvato Payment Solutions GmbH for the purpose of fraud prevention and abuse detection. Arvato Payment Solutions GmbH uses this data to automatically check whether there are indications of online fraud or other misuse of our online store (e.g. in the form of ordering goods in the online store by taking over your user account, the automated creation of fake user accounts by bots, the use of stolen identities or payment data). Insofar as there are concrete indications of online fraud or other misuse of our online store, we reserve the right to interrupt the relevant order process or to offer only secure payment methods, such as prepayment. The described measures for fraud prevention and misuse detection further help to protect your user account against fraud and misuse of your data.

When you place your order, you can also open a customer account on our website at the same time. You can also create a digital account in our stores. Creating such an account, and thus the conclusion of a user contract for the creation of the customer account, is voluntary and takes place on the basis of Article 6(1)(b) of the GDPR. As long as your customer account exists, the data that you provide in the context of your previous orders will be stored there in addition to your orders. You may terminate your customer account at any time; notification in text form (e.g. email, fax, letter) is sufficient for this.

In order to create a) a guest account or b) a customer account, personal data is requested which we need to a) carry out the order or b) create your customer account and which enables you to open and use your Mister Spex account.
The type of data collected and used depends on the account option you choose. It also depends on whether you use a third-party service, e.g. Google, to log in. The following data may be collected and used to create a customer account:

• First and last name

• E-mail address

• Telephone number

• Date of birth

• Address

• When registering via Google: Google-specific user ID, first name, last name, nickname, email address, profile picture, country

When you select the payment method "credit card", you add a link to your credit card information in your customer account so it is not necessary for you to enter your credit card information every time you place a new order. Storage of this link is in our legitimate interest and for the purpose of offering you this convenience function. It is based on Article 6(1)(f) of the GDPR. In principle, we do not store your credit card data ourselves. Our PCI-DSS-certified payment service provider PAYONE GmbH, Fraunhoferstraße 2-4, DE-24118 Kiel, Germany, is responsible for the storage and processing of credit card information. To prevent abuse in the event of unauthorised access, the full credit card number is never visible in your customer account. Should you wish to delete a credit card from your customer account, you can do so on the "Payment" page. Please note that if you select this payment option, we may contact you and request that you provide us with proof of identity for verification purposes. This serves our legitimate interest as per Article 6(1)(f) of the GDPR to protect you and us from credit card abuse. Of course, we will only use the proof of identity you send us to verify your identity, deleting it after the legal retention period has expired.
Of course, it is also possible to place an order with us without opening a customer account. Should you wish to do so, simply select the option "Order as a guest". If you order from us without creating a customer account, your data will be processed as described above for the fulfilment of the purchase contract and for warranty purposes.
Should you purchase an item at one of our Mister Spex stores to take home immediately, the purchase can be assigned to an existing or new customer account by means of automated matching of your email address. The assignment is voluntary and not a prerequisite for a purchase to be taken home immediately.

When using the online appointment system, personal data is transmitted to the online appointment and customer management system of TerminApp GmbH, Balanstraße 73, DE-81541 Munich. You will be asked to provide certain data in this context, such as your name, email address and, if applicable, your telephone number (depending on the data sheet, further information is possible on a voluntary basis). When you make your first booking, a customer profile is created within the booking system in which the data you have provided is stored. The sole purpose of this is to identify you beyond doubt, process your request and to be able to provide you with information and advice as requested. The legal basis for this processing is Article 6(1)(b) of the GDPR.
You will receive a confirmation of the booking prior to the appointment, as well as an appointment reminder via text and/or email. We process your data exclusively for the purpose of providing the service and to remind you of the upcoming appointment, in order to minimise appointment cancellations as far as possible. The legal basis for this processing is our aforementioned legitimate interest as per Article 6(1)(f) of the GDPR.

We offer you the option of having a video consultation with one of our customer advisers. Our website uses the Timify app from the provider TerminApp GmbH, Balanstr. 73, DE-81541 Munich (hereinafter referred to as "Timify").
To utilise this offer, you can book an appointment via our website (www.misterspex.de/service/videoberatung). The email address you provide when booking an appointment will be sent to Timify and processed in order to send you an email confirming your appointment. In addition, the audio and visual information created during the video consultation will be transmitted to Timify, although it will not be recorded.
The legal basis for this processing is Article 6(1)(b) of the GDPR. Should you also provide special categories of personal data (Article 9 of the GDPR) such as health data during the video consultation, the processing is carried out on the legal basis of Article 9(2)(h) and (3) of the GDPR.
Further information can also be found in the Timify privacy policy.

We offer you the opportunity to try on your glasses online from the comfort of your own home (‘virtual try-on’). To do this, you can either use your camera and try on the glasses live (3D option) or upload a photo (2D option).
For the 3D option, you must allow access to your device's camera. No personal data is processed by us or our service provider during our virtual fitting. Rather, the service merely works as an estimate of a three-dimensional standard face using standard mathematical points that can be found on every face (i.e. without personal data, biometric information or biometric identifiers being collected, processed or otherwise stored). The recording is only processed by your camera for the duration of the virtual fitting. Neither we nor our service provider process, in particular store, the camera recording or biometric information. A connection to your customer account is not technically possible.
If you do not grant access to your camera, you can upload your own photo from your device (2D option). The photo is only stored in the local memory of your browser. Please note that this data will remain even after you close the browser. The deletion period depends on the settings in your browser or the photo can be actively deleted by you.
Trying on glasses virtually is voluntary and not required to purchase glasses.

We will need your pupillary distance ("PD") in order to manufacture your glasses. This may be specified at the time of purchase. Should you not have provided this information at the time of purchase, different options are available to you for providing us with this parameter. Once you have completed the purchase, we will send you an email containing the relevant information.
On the one hand, we offer you the option of printing out a template and taking the PD measurement yourself. In this case, no personal data will be processed.
Alternatively, you may use our Mister Spex app, which is available in the App Store for iOS devices. The aforementioned email will contain a link to this.
Every time you use our app, we collect data automatically transmitted by the app in order to enable the app to function. This data particularly includes:

• IP address of the requesting device

• Date and time of the request

• Information about the operating system and technical information regarding the device

This data processing is required in order to enable the app to function and to ensure the security of our systems. The specified data is also temporarily stored in internal log files for the purposes described above. The data stored in the log files does not enable us to draw any direct conclusions relating to your person – in particular, we only save IP addresses in truncated form. The log files are stored for 30 days and then deleted.
The legal basis for this data processing is our aforementioned legitimate interest as per Article 6(1)(f) of the GDPR.
In order to automatically determine your PD, our app requires access to your device's cameras, including the TrueDepth sensor, in order to capture your face in 3D. You will be asked explicitly to consent to these rights so that you can decide directly here. In this context, we process your image data (full face and side photo) and the corresponding measured values (in particular: pupil distance, fitting height and other necessary facial parameters such as face width, nose shape and ear attachment points). These image data and measured values are stored for a maximum period of three years.
In order to be able to assign this information to your order, your order ID and email address will also be processed in the app.
The legal basis for this aforementioned processing is Article 6(1)(b) of the GDPR, as this is the only way we can produce the matching glasses and fulfil the purchase contract.

You have the opportunity to subscribe to our newsletter, in which we provide you with regular information about innovations to our products and campaigns.
Subscribing to our newsletters utilises the double opt-in procedure, i.e. we will only send you newsletters by email if you confirm, by clicking on a link in our notification email, that you are the owner of the specified email address. If you confirm your email address, we will store your email address, the time of sign-up, and the IP address used during the sign-up process until such time as you unsubscribe from the newsletters. The sole purpose of this storage is to send you the newsletters and be able to prove that you signed up to receive them. You may unsubscribe from the newsletter at any time. Each newsletter contains an unsubscribe link. Alternatively, you may of course also simply send a message using the contact details given above or in the newsletter (e.g. by email or letter). The legal basis for the processing is your consent as per Article 6(1)(1)(a) of the GDPR.
Our newsletters employ customary technologies used to measure interactions with newsletters (e.g. opening email, clicked links). We use this data for general statistical analysis as well as to optimise and evolve our content and customer communications. This is done with the help of small graphical elements embedded in our newsletters (pixels). The legal basis for this is your consent as per Article 6(1)(1)(a) of the GDPR. We want to use our newsletter to share content of maximum relevance to our customers and to better understand the actual interests of our readers. For this reason, the links contained in the newsletters are also provided with parameters so that we can assign your interaction (clicked links) to the respective campaign. This information will be linked to your customer profile for analysis. If you do not want the analysis of usage behaviour, you may unsubscribe from the newsletter service. Data relating to interaction with our newsletters is stored for 13 months and then deleted.

If you make a purchase from us, we will also use your contact details to email you further information about our products that is relevant to you ("existing customer advertising"). This may include, in particular, news, promotions and offers as well as feedback requests and other surveys.
The legal basis for this data processing is Article 6(1)(f) of the GDPR in conjunction with Section 7(3) of the German Act against Unfair Competition (UWG), according to which the data processing is permissible for the exercising of legitimate interests, insofar as this concerns the storage and further use of the data for advertising purposes.
To enable us to provide you with exclusively relevant offers within the scope of the newsletter for existing customers, a customer segmentation is also carried out using the data you provided when placing your order. The legal basis for this is our aforementioned legitimate interest as per Article 6(1)(f) of the GDPR.
You may object to the use of your data for advertising purposes at any time by using a corresponding link in the emails or by notifying the above contact details (e.g. by email or letter), without incurring any costs other than the transmission costs in accordance with the basic tariffs.

You can apply for job vacancies with us using our Workday applicant management system (Workday Limited, The Kings Building, May Lane, Dublin 7, Ireland). The purpose of the data collection is the selection of applicants for the possible establishment of an employment relationship. In particular, we collect the following data for the receipt and processing of your application: first name and surname, email address, application documents (e.g. references, CV), date of earliest possible start and expected salary. The legal basis for the processing of your application documents is Article 6(1)(1)(b) and Article 88(1) of the GDPR in conjunction with Section 26(1)(1) of the German Data Protection Act (BDSG). Insofar as the data is classed as special categories of personal data, such as data on your health, which you yourself communicate to us (e.g. information about a severely disabled person), the processing takes place based on Article 6(1)(1)(b), Article 9, Article 88 of the GDPR, section 26(3)(1) of the German Data Protection Act (BDSG).
We store your personal data after receipt of your application. Should we hire you as an employee, we will store your application data for a maximum period of three years beyond the termination of the relevant employment relationship.
Should we reject your application, we shall store your application data for a maximum period of six months beyond the rejection of your application, unless you give consent (Article 6(1)(1)(a), Article 88 of the GDPR, section 26(1)(1) of the German Data Protection Act) to a longer period of storage or the storage is required for legal or statutory requirements.
We have concluded a processing contract with Workday. Some data is processed on a server in the USA. In the event that personal data is transferred to the USA or other third countries, we have concluded standard contractual clauses with Workday as per Article 46(2)(c) of the GDPR.

The Trusted Shops Trustbadge is integrated on this website to display our Trusted Shops Seal of Approval and any reviews collected, as well as to offer Trusted Shops products to buyers after they place an order. The Trustbadge and the services promoted there are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, DE-50823 Cologne, Germany.
When the Trustbadge is called up, the web server automatically saves a server log file entry and documents the call. For example, the log file entry contains your IP address, the date and time of the call, the amount of data transferred and the requesting provider (access data). This access data is not evaluated and will be automatically overwritten at the latest 90 days after the end of your site visit.
This serves to safeguard our predominantly legitimate interests in optimised marketing within the framework of balancing interests by enabling secure purchasing in accordance with Article 6 (1)(1)(f) of the GDPR.
Further personal data (in particular, order data, hashed email address, amount, currency, payment method) is transferred to the Trusted Shops GmbH if, after conclusion of an order, you decide to use Trusted Shops products or have already registered to use them. To this end, automatic processing of personal data from the order data takes place. Whether you as a buyer are already registered for use of a product is automatically checked on the basis of a neutral parameter that uses the email address hashed by a cryptological one-way function. Before it is transmitted, the email address is converted to this hash value, which cannot be decrypted for Trusted Shops. After checking for a match, the system automatically deletes the parameter. Trusted Shops GmbH is responsible for this aforementioned processing. The contractual agreement between you and Trusted Shops shall apply. Further information about the privacy policy of Trusted Shops GmbH can be found here.

We use the review service provided by f Trustpilot A/S, Pilestræde 58, 3rd floor, DK-1112 Copenhagen K, Denmark ("Trustpilot"). This enables us to receive feedback from you in order to be able to improve our offering or our shop or to design it according to customer wishes. _GoBack Once you have placed an order, we will send you an email containing a link which, when you click on it, will take you to the Trustpilot website. You can then submit a review there. Only if you actually click on the link contained in the email will we transmit your hashed email address, your name and your customer number for verification purposes and thus on the basis of our legitimate interest as per Article 6(1)(f) of the GDPR. Posting a review is of course entirely voluntary. Details regarding the collection of data by Trustpilot on its platform can be found in the relevant privacy policy.

Our website offers the option for you to claim coupon offers from Sovendus GmbH, Moltkestr. 11, DE-76133 Karlsruhe ("Sovendus"). When you click on the corresponding banner, the hash value of your email address and your IP address are transmitted to Sovendus. The pseudonymised hash value of the email address is used to take into account any objection to advertising by Sovendus. The legal basis for this processing is Article 6(1)(c) of the GDPR.
We also transmit the pseudonymised order number, session ID, coupon code and time stamp to Sovendus for billing purposes. The legal basis for this processing is Article 6(1)(b) of the GDPR.
For further information on the processing of your data by Sovendus, please refer to the relevant privacy notices.

It is possible that we contact you in the context of product research (in particular for surveys) after you have given us your consent for this (either in the context of a visit to our website or as our newsletter subscriber). In this context, we generally store your e-mail address, the IP address used for registration, the master data you have provided, information you have given us yourself as part of the product research and, if we have conducted the survey by video conference, the recording of this conversation, until we have evaluated the information. The legal basis for the processing of your personal data is Art. 6 para. 1 p. 1 lit. a DSGVO. In the event that only technically necessary personal data (such as the IP address) is collected as part of the survey, the legal basis is our legitimate interest in the feasibility of the survey pursuant to Art. 6 (1) sentence 1 lit. f DSGVO. To conduct the surveys, we work with service providers with whom we have concluded corresponding data protection contracts, e.g. in the event that personal data is processed by service providers in the USA or other third countries.

In addition to processing your data to fulfil the contracts you enter into with us, we also use your data to enable us to exchange information with you about your orders, to communicate with you about specific products or marketing promotions and to recommend products or services that may be of interest to you.

If you have entered into a contract with us, we will treat you as an existing customer. If this is the case, we process your postal contact data in use this method to send you information about new products and services. The legal basis for this is Article 6(1)(f) of the GDPR.

Within the scope of our services, we provide you with information and offers from Mister Spex based on your interests. Even if you have not subscribed to a newsletter, we will send you a limited number of product recommendations, surveys and requests for product reviews. When selecting individual product recommendations, our preference is to use the order data from your previous orders in compliance with the statutory provisions. In accordance with the interaction, the email contains further information on how you can submit a corresponding review. The product review is of course voluntary. The legal basis is Article 6(1)(f) of the GDPR.

We make every effort to make our online shop as attractive as possible for you. In order to prioritise products in which you have an interest, we use technology to optimise the product presentation according to demographic factors associated with your customer profile. For this purpose, we use the services of ODOSCOPE GmbH, Aachener Straße 524-528, DE-50933 Cologne ("ODOSCOPE"). If you have set up a customer account with us and are logged in, we transmit your date of birth to this service provider, which performs an appropriate product ranking for us.
The legal basis for this processing is our legitimate interest in an optimised product presentation in accordance with Article 6(1)(f) of the GDPR.

This website uses cookies and similar technologies (referred to together as "tools") provided either by ourselves or by third parties.
A cookie is a small text file stored by the browser on your device. Cookies are not used to execute programs or load viruses on your computer. Comparable technologies are in particular web storage (local / session storage), fingerprints, tags or pixels. Most browsers are configured to accept cookies and similar technologies by default. As a rule, however, you can adjust your browser settings so that cookies or similar technologies are rejected or are only stored after you have provided your consent. It is possible that some of our services may fail to function properly if you reject cookies or similar technologies.
The tools we use are listed below in our cookie directive, sorted by category. In particular, we wish to inform you about the providers of the tools, the duration for which cookies are stored and the disclosure of the data to third parties. We also explain the cases in which we obtain your voluntary consent to use the tools and how you can withdraw this consent.

We maintain an online presence on social media, allowing us to communicate with existing and potential customers and provide information about our products.
User data is generally processed by social media for market research and marketing purposes. This makes it possible to create user profiles based on users' interests. Cookies and other identifiers are stored on users' computers for this purpose. These user profiles are used as the basis for displaying advertising, for example, on social media, as well as on third-party websites.
As part of maintaining our online presence, we may access information such as statistics on the use of our online presence provided by the social media platforms. These statistics are aggregated and may include, in particular, demographic information and data on the interaction with our online presence and the posts and content distributed via this. Please refer to the list below for details and links to the social media data that we, as operators of the online presence, are able to access.
The legal basis for the data processing is Article 6(1)(1)(f) of the GDPR, based on our legitimate interest in providing effective information to and communication with users, and, as per Article 6(1)(1)(b) of the GDPR, in maintaining contact with our customers, providing them with information, and carrying out the steps required prior to entering into a contract with future and potential customers.
The legal basis of the data processing carried out by social media platforms can be found in their privacy policies. The links below also contain information on how data is processed and how you can object to data processing.
We would like to point out that queries relating to data protection are best resolved by contacting the social media platforms themselves, as only they have access to the data and are able to take direct action: Below is a list containing information about the social media platforms on which we maintain a presence:

• Facebook (USA and Canada: Facebook Inc., 1601 Willow Road, Menlo Park, California 94025, USA; all other countries: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

  • Operation of the Facebook fan page in joint responsibility on the basis of an agreement regarding the joint processing of personal data (so-called Page Insights Addendum regarding the controller)

  • Information about the page insights data to be processed in the case of data protection queries: https://www.facebook.com/legal/terms/information_about_page_insights_data

  • Privacy policy: https://www.facebook.com/about/privacy/

  • Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com.

• Instagram (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

  • Privacy policy: https://help.instagram.com/519522125107875

• Google / YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)

  • Privacy policy: https://policies.google.com/privacy

  • Opt-out: https://www.google.com/settings/ads.

• X ( X International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland)

  • Privacy policy: https://x.com/de/privacy.

  • Opt-out: https://x.com/settings/account/personalization.

• LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)

  • Operation of the LinkedIn corporate page in joint responsibility on the basis of an agreement regarding the joint processing of personal data (so-called Page Insights Joint Controller Addendum)

  • Information about the page insights data to be processed in the case of data protection queries: https://legal.linkedin.com/pages-joint-controller-addendum

  • Privacy policy: https://www.linkedin.com/legal/privacy-policy

  • Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

• Xing/Kununu (XING SE, Dammtorstraße 30, DE-20354 Hamburg)

  • Privacy policy / Opt-out: https://privacy.xing.com/de/datenschutzerklaerung.

We will generally only disclose the data we collect if

• you have given your express consent as per Article 6(1)(1)(a) of the GDPR

• disclosure as per Article 6(1)(1)(f) of the GDPR is necessary in order to assert, exercise, or defend legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data

• we are legally obliged to disclose it as per Article 6(1)(1)(c) of the GDPR

• this is legally permissible and, as per Article 6(1)(1)(b) of the GDPR, is necessary for the processing of contractual relationships with you or for steps prior to entering into a contract carried out at your request.

Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, this may include data centres that host our website, databases and apps, software providers that provide and further develop corresponding apps for us, IT service providers that maintain our systems, agencies, market research companies, Group companies, payment service providers, newsletter distributors, logistics service providers and consulting firms.
Should we disclose data to our service providers, they may use the data solely for the fulfilment of their tasks. We have carefully selected and commissioned the service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects, and are regularly monitored by us.
In addition, a transfer of your data may occur in connection with official enquiries, court orders, and legal proceedings if they are deemed necessary for legal prosecution or enforcement.

As explained in this privacy policy, we make use of services offered by providers that may be partly located in "third countries" (outside the EU or the European Economic Area) or process personal data there, i.e. countries that do not have a level of data protection comparable to that in the European Union. Where this is the case and where the European Commission has not adopted an adequacy decision (Article 45 of the GDPR), we have taken precautions to ensure an adequate level of data protection for any transfers of data. These include the European Union's standard contractual clauses and binding internal data protection regulations.
Where this is not possible, we use as the legal basis for data transfers the exceptions set out in Article 49 of the GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract or fulfilment of steps required prior to entering into a contract.
If data is to be transferred to a third country and neither an adequacy decision nor other suitable guarantees are available, there exists the possibility and risk that authorities in the third country (e.g. secret services) may obtain access to the transferred data for the purpose of collecting and analysing it, and that your rights as a data subject may not be enforceable. You will be informed of this when your consent is obtained via the cookie banner.

We generally only store personal data for as long as is necessary to fulfil the purposes for which we have collected the data. We then immediately erase the data, unless we need it until the end of the statutory limitation or warranty period for evidence purposes for civil law claims or due to statutory retention obligations.
For evidence purposes, we must keep contractual data for another three years from the end of the year in which the business relationship with you ends. Any claims shall become statute-barred at the earliest after the statutory period of limitation.
Even after this time, we still need to store some of your data for accounting purposes. We are obliged to do so on the basis of statutory documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act, and the German Securities Trading Act. The periods they stipulate for the retention of documents range from two to ten years.

You are entitled to the rights of a data subject as formulated in Articles 15 to 21, Article 77 of the GDPR at all times:

• Right to revocation of your consent;

• Right to object to the processing of your personal data (Article 21 of the GDPR);

• Right to access your personal data processed by us (Article 15 of the GDPR);

• Right to rectify your personal data that is incorrectly stored with us (Article 16 of the GDPR);

• Right to erasure of your personal data (Article 17 of the GDPR);

• Right to limit the processing of your personal data (Article 18 of the GDPR);

• Right to data portability of your personal data (Article 20 of the GDPR);

• Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR).

In order to assert your rights described here, you may contact us at any times using the contact details given above. This also applies should you wish to obtain copies of guarantees to prove an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.
Your requests regarding your assertion of data protection rights and our replies to these requests will be stored for documentation purposes for a period of up to three years and, in some cases in relation to the assertion, exercise or defence of legal claims, for a longer period. The legal basis is Article 6 (1)(1)(f) of the GDPR, based on our interest in defending against possible civil law claims as per Article 82 of the GDPR, the avoidance of administrative fines as per Article 83 of the GDPR and compliance with our accountability obligations as per Article 5(2) of the GDPR.

You shall have the right to withdraw consent once given to us at any time. Should you do so, we will not continue to process data based on this consent in the future. Withdrawal of consent will not affect the lawfulness of the processing carried out on the basis of the consent prior to withdrawal.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data on grounds relating to your particular situation at any time. Should you object to data processing for direct marketing purposes, you have a general right to object, which we shall comply with even if you do not state any reasons for your objection.

Should you wish to exercise your right to withdraw or object, simply send an informal email to the contact details given above.

Finally, you have the right to file a complaint with a data protection supervisory authority. You may exercise this right before a supervisory authority in the Member State in which you are staying, working or the alleged infringement took place. The responsible supervisory authority in Berlin, the location of our registered office, is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin, Germany.

Fundamentally, you have no contractual or statutory obligation to provide us with personal data. However, should you not provide the personal data requested by us for the registration or sales process and marked as mandatory, we may not be able to conclude a contract with you.

We may update this privacy policy from time to time, for example when we update our website or when statutory or official requirements change.