Privacy Notice
1. Data Controller
Brooklyn Soap GmbH, Paulinenallee 32, 20259 Hamburg ("Brooklyn Soap", "we", "us") is the operator of the website and responsible under data protection law. The following privacy policy describes where and for what purposes we collect and use personal data from visitors to the website.
2. Usage Data
When accessing the website, access data transmitted to us by your internet browser is automatically stored in a log file on our server. The data record comprises the following:
- The previously visited page (so-called referrer URL)
- Name of the file
- Date and time of the request
- Amount of data transferred
- The access status (file transferred, file not found, etc.)
- Web browser used
- Operating system used
- Complete IP address of the accessing computer
This data is stored by us for the purposes of system security, in particular to defend against attempted attacks on our web servers, in our legitimate interest in ensuring IT security in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. The IP address is deleted after 30 days at the latest.
We may engage third parties to provide us with certain services on the website and the offers listed below. These third parties may have access to your data as data processors. However, the third parties will generally process your data in our interest and on our behalf and only for the purposes stated in this Privacy Notice.
3. Order fulfillment
We use a captcha tool to prevent misuse of our services. This allows us to ensure that a person and not a bot actually wants to use our services. If data is processed in this context, this is based on Art. 6 para. 1 lit. f) GDPR. Our legitimate interest lies in ensuring the security of our IT systems.
When you place an order with us, we process your personal data based on Art. 6 para. 1 lit. b) GDPR, which we require for order processing, contract fulfillment and, if necessary, for processing returns. This includes providing your name, email address, delivery address, billing address and payment information, if applicable. If you have created a user account with us and participate in the Loyalty Rewards program (see below), we also process this information as part of order processing.
If you select a third-party provider such as PayPal, Payone or Klarna for payment processing, you will be redirected to the corresponding pages of the providers. The respective third-party provider is responsible for data protection. For further information on data processing, please contact the respective payment service provider directly.
We also pass on your contact details to shipping service providers such as DHL for the purpose of shipping the ordered goods. The data processing is based on Art. 6 para. 1 lit. b) GDPR.
In addition, we may process your data for fraud prevention, credit checks or the assertion, enforcement or defense of legal claims based on Art. 6 para. 1 lit. f) GDPR, in particular if there are problems with payment processing. Our legitimate interest is the effective enforcement of or defense against legal claims.
We also use service providers who provide us with technical support in the context of order processing and user administration as processors bound by instructions and who receive personal data from you in this context. These include 8returns UG for returns processing and Shopify International Ltd. Ireland ("Shopify") as the operator of our online store software. As part of the use of Shopify, data may also be transferred to Shopify Inc, a Canadian company based at 151 O'Connor Street, Ground floor, Ottawa, ON, K2P 2L8, Canada. An adequacy decision of the EU Commission exists for Canada, so that an adequate level of data protection is guaranteed. Further subcontractors used by Shopify can be found here.
As part of Shopify's Content Delivery Network (CDN), your IP address may be transmitted to the respective third-party provider (see Shopify's subcontractors). This is done solely for the purpose of ensuring that the website functions quickly and effectively and the loading times are reduced. Websites without a CDN may load very slowly, which we want to avoid in the interests of user satisfaction. You can find more information about the Shopify CDN here.
As part of the order processing, you are obliged to provide the fields marked as mandatory, otherwise we will not be able to conclude or fulfill the contract with you. However, you will not suffer any disadvantages if you do not provide the optional information.
We store your data, insofar as it is not used for advertising purposes, until the expiry of statutory retention periods under tax and commercial law. If your data is used for advertising purposes, we will store it until you object to its use for advertising purposes or revoke your consent to receive our newsletter.
4. Contacting us / sending emails
If you contact us (e.g. by e-mail or telephone), we may store this communication and the personal data you provide to process your request. To contact you during our business hours, we use the live chat tool of the provider Tidio Ltd ("Tidio") and our e-mail software from Klaviyo Inc ("Klaviyo") and Zendesk, Inc ("Zendesk").
We will only use personal data for the purpose specified by you when you submit the data. If it is necessary to transfer information or documents to third parties, we will remove all personal data not required for the stated purpose. If an exchange with third parties outside the EU is necessary to process your request, we will use appropriate organizational and technical measures to protect your data in accordance with European standards. Klaviyo and Zendesk are certified in the EU-US Data Privacy Framework, so that there is an adequacy decision by the EU Commission for this data transfer.
The legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR for general inquiries. If an inquiry concerns the performance of a contract to which you are a party or the implementation of pre-contractual measures taken in response to your inquiry, Art. 6 para. 1 sentence 1 lit. b) GDPR is the correct legal basis.
If the information from a contact request is no longer required, we will delete it.
5. User Account and Loyalty Rewards Program
You can create a user account, which you can use to process orders quickly and easily. For this purpose, your name, your email address and a password chosen by you will be processed as part of the registration process. The legal basis for this is Art. 6 para. 1 lit. b) GDPR, as a user relationship and a benefit contract is established between you and us. Optionally, you can add further data to your user account, in particular your address and telephone number. This data processing is based on your consent in accordance with Art. 6 para. 1 lit. a) GDPR, which you can revoke at any time, e.g. by deleting the corresponding information.
When you create a user account, you automatically participate in our Loyalty Rewards Program. This means that you can collect points for certain activities, e.g. newsletter registration or orders, and, depending on your individual "member level", receive benefits from us, in particular discounts, for future orders.
We will inform you at regular intervals by email about your points balance and send you the corresponding discount codes. We send these emails based on the existing user relationship with you in accordance with Art. 6 para. 1 lit. b) GDPR. If you would also like to receive our regular newsletter, you must subscribe to it separately by registering for the newsletter.
Your email address is also used as part of the registration process to validate and ensure the accuracy of the data via the double opt-in procedure. This means that after submitting your registration, you will receive an email with a code to the email address you provided. Your user account will only be activated once you have entered the code. This data processing is also based on Art. 6 para. 1 lit. b) GDPR.
In addition to the data required for registration, we also process transaction data (including loyalty points earned and redeemed, discounts, items purchased, order history and value of goods) to calculate your loyalty point value and member level and to grant you the benefits of the Loyalty Rewards program. Based on your individual transaction data and your user profile, we create customer information and exclusive discounts that correspond to your presumed interests and purchasing behavior. This is the main purpose of the user relationship, so that the data processing is based on Art. 6 para. 1 lit. b) GDPR. This is not an automated decision-making process within the meaning of Art. 22 GDPR.
If you have given us your consent to the use of cookies and other tracking technologies in the cookie banner, we will also use this data to create and enrich your user profile. In this case, the data processing is based on your consent in accordance with Art. 6 para. 1 lit. a) GDPR.
In addition, in the event of violations of the terms of use of the Loyalty Rewards program, we may process your data to prevent fraud or to assert, enforce or defend legal claims based on Art. 6 para. 1 lit. f) GDPR. Our legitimate interest is the effective enforcement of or defense against legal claims.
For the implementation of the Loyalty Rewards Program, we use the external service provider Yotpo Ltd. with headquarters in Israel and the UK, which may access your data for maintenance and support purposes and as part of data hosting. The EU Commission has issued adequacy decisions for Israel and the UK to ensure an adequate level of data protection. If the data is also accessed by other Yotpo companies from third countries (outside the EEA) for which there are no adequacy decisions by the EU Commission, EU standard contractual clauses have been agreed with Yotpo to ensure an adequate level of data protection. Yotpo also assures that sufficient guarantees to ensure an adequate level of data protection, in particular standard contractual clauses, have also been concluded with the subcontractors used by Yotpo (available here). We have contractually obligated Yotpo to comply with European data protection regulations. Further data recipients can be found in the respective sections of this Privacy Notice for the relevant data processing, e.g. order processing, making contact or sending newsletters.
You are not obliged to create a user account and thus to provide your data. You can also shop in our store without creating a user account. If you would like to participate in our Loyalty Rewards Program, the data processing that is not based on your consent is, however, necessary for the conclusion and execution of the user contract; if you do not provide your data, you will unfortunately not be able to participate in the loyalty program.
Your data will generally be stored for the duration of your membership of the Loyalty Rewards program. Data for which there is a statutory retention period will only be deleted after the retention period has expired. If data processing is based on your consent, the data will also be deleted if you withdraw your consent. In the event of legal disputes, we will also retain your data until the legal proceedings have been concluded.
6. Newsletter
If you subscribe to our newsletter, you must give your consent to the processing of personal data required for this. To subscribe to the newsletter, you must provide an email address. This email address is used exclusively for sending the newsletter. The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the right to withdraw your consent at any time, e.g. via the link provided in the newsletter, without affecting the lawfulness of processing based on consent before its withdrawal. In this case, you will no longer receive the newsletter.
If you register for the newsletter, the IP address of the accessing system and the date and time of registration and email verification are also collected during registration. This data is processed exclusively for the purpose of being able to trace possible misuse of an email address and the consent given. The legal basis for the processing of the data described above is Art. 6 para. 1 sentence 1 lit. f) GDPR.
We use Klaviyo and Zendesk to send and analyze newsletters. This enables us to analyze the use of the newsletter by recipients. Among other things, it is possible to analyze how many recipients have opened a newsletter message, in which country, with which type of end device (desktop or mobile device) and with which email client the newsletter message was opened and how often links in the newsletter were clicked on. The use of Klaviyo and Zendesk also involves the transfer of data to the USA as a third country. Klaviyo and Zendesk are certified under the EU-US Data Privacy Framework, meaning that the EU Commission has issued an adequacy decision for this data transfer.
The data processing is carried out in accordance with Art. 6 para. 1 lit. a) GDPR based on your consent by subscribing to the newsletter. You can withdraw this consent at any time by unsubscribing from the newsletter. This does not affect the lawfulness of the processing carried out based on your consent until you withdraw it.
In addition to the above, we send our newsletter to customers who have already purchased a product from us (existing customers) based on Art. 6 para. 1 lit. f) GDPR. The content of this newsletter is information about our own similar products and services for the goods already ordered (direct advertising for our own similar goods). Our legitimate interest is to inform our existing customers about news and new products of interest to them.
You can object to this data processing at any time, in particular by using the unsubscribe link in the footer of each newsletter. This will not incur any costs other than the transmission costs according to the basic rates.
7. Cookies and Tracking
Technically necessary cookies are used on our website, which are essential for the proper operation of the website. Insofar as personal data is processed in this context, this is done based on Art. 6 para. 1 lit. f) GDPR in our legitimate interest in the functionality of our website.
We use cookies in particular to manage the consents that you can give via our cookie banner. This ensures that cookies requiring consent are only set after consent has been given and the cookie banner is not displayed again. These cookies are necessary for this purpose. Any data processing is carried out based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR in proper consent management.
In addition, with your consent pursuant to Art. 6 para. 1 lit. a) GDPR, we may set and use cookies to collect information on a pseudonymous basis about how visitors use our website, how they navigate through the website and which areas of the website and which products our visitors are interested in. This allows us to improve our website and the online experience of our visitors. This enables personalization, usage analysis and functional features. We can also measure the success of advertisements and display interest-based advertising. This consent may also include the transfer of data to service providers in third countries (e.g. USA), with the risk that local authorities may process your data for control and monitoring purposes, including without the possibility of legal recourse, Art. 49 para. 1 lit. a) GDPR. A more detailed description of the individual cookies can be found in our cookie consent management, which you can access at any time via the cookie banner or via Privacy Settings.
You can revoke your cookie consent at any time, e.g. via Privacy Settings in the footer area of this website. Data processing based on this consent is permitted until you withdraw your consent.
You can also deactivate the use of cookies for reach measurement and advertising purposes via the deactivation page of the Network Advertising Initiative and also via the US website or the European website. If you exclude the use of cookies, you may be unable to use some areas of the website, or able to use them only to a limited extent.
A detailed list of the cookies we use, the recipients and the storage period can be found in our cookie and data protection settings and in the following sections of this Privacy Notice.
8. Google applications
This website uses various applications from Google Ireland, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"):
Google Tag Manager
Google Tag Manager is a solution with which so-called website tags can be managed via an interface and thus, for example, Google Analytics and Google marketing services can be integrated into our online offering. The Tag Manager itself does not process any personal user data.
Google Analytics
Google Analytics uses cookies, which are stored on your computer and enable your use of the website to be analyzed. The information generated by these cookies (e.g. about the time, place and frequency of your use of this website) is usually transferred to a Google server in the USA and stored there. Online identifiers (including cookie identifiers), internet protocol addresses and device identifiers as well as identifiers assigned by the customer are passed on to Google. The code "anonymizeIp" has been added to Google Analytics on this website. This code causes the last 8 bits of the IP addresses to be deleted, and your IP address is therefore recorded in a shortened form (so-called IP masking). Your IP address will be shortened by Google before transmission within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
Google Advertising Network (Google Ads, Campaign Manager, conversion measurement)
These applications allow us to display ads for and within our online offering in a more targeted manner or to present users only with ads that potentially match their interests. If, for example, a user is shown ads for products that they have shown an interest in on other online offers, this is referred to as remarketing. For these purposes, when our and other websites on which the Google advertising network is active are accessed, a code from Google is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). This file records which websites the user has visited, which content they are interested in and which offers the user has clicked on, as well as technical information about the browser and operating system, referring websites, time of visit and other information about the use of the online offer. The information collected with the help of the conversion cookie is used by Google to create conversion statistics for us. We may find out the total number of users who clicked on our ad and were redirected to a page with a conversion tracking tag. As far as we are aware, user data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the user's name or email address, for example, but processes the relevant data in relation to cookies within pseudonymous user profiles. This means that, from Google's point of view, the ads are not managed and displayed for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymization. 
The information collected about users is transmitted to Google and we cannot rule out the possibility that it will be stored on Google servers in the USA.
Data transfer to third countries
The use of Google results in the transfer of data to the USA. Among other things, this can lead to unauthorized access to your personal data or to the restriction of your rights as a data subject. However, Google LLC is listed in the EU-US Data Privacy Framework, so that there is currently an adequacy decision by the EU Commission for the transfer of data.
Legal basis and right of withdrawal
The legal basis for the processing of personal data using the cookies and tracking technologies from Google is your declaration of consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR, which you can give in the cookie banner or the data protection settings. Consent to data processing can be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal, e.g. via the privacy settings in the footer area of this website.
You can also prevent data processing by making the appropriate settings in your browser ("Do not track"). In addition, you can prevent Google from collecting the data generated by the cookies about your use of the websites and the processing of this data by Google by downloading and installing the browser plug-in available here under "Display settings", "Extension for Campaign Manager deactivation".
Further data processing by Google
When using Google tools, it cannot be ruled out that the cookies set by Google may also collect other personal data in addition to the truncated IP address. We would like to point out that Google may transfer this information to other recipients and that it may be processed on behalf of Google. We have no influence on the scope and further use of the data and therefore inform you according to our level of knowledge: By integrating Campaign Manager, Google receives the information that you have accessed the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out your IP address and store it.
For more information on the use of data by Google, setting, storage and deactivation options, please refer to Google's privacy policy and the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).
9. Meta applications
We use the "Facebook pixel" of the social network Facebook, which is operated by Meta Platforms, Inc. ("Meta"), for the analysis, optimization and economic operation of our website services.
The information generated by the pixel about your use of this website is transmitted to a Facebook server in the USA and stored there. With the help of the Facebook pixel, it is possible for Facebook to determine the visitors of our online offer as a target group for the display of ads (so-called "Facebook ads"). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined based on the websites visited) that we transmit to Facebook. With the help of the Facebook pixel, we also want to ensure that our Facebook ads correspond to the potential interest of users and are not annoying. With the help of the Facebook pixel, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website by clicking on a Facebook ad (so-called "conversion").
The processing of data by Facebook takes place within the framework of Facebook's Data Usage Policy. Accordingly, general information on Facebook ads can be found in Facebook's Data Usage Policy. Specific information and details about the Facebook pixel and how it works can be found in Facebook's help section. To set which types of ads are displayed to you within Facebook, you can go to the page set up by Facebook and follow the instructions on the settings for usage-based advertising. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
Data transfer to third countries
The use of the Facebook pixel results in data being transferred to the USA. Among other things, this can lead to unauthorized access to your personal data or to the restriction of your rights as a data subject. However, Meta is listed in the EU-US Data Privacy Framework, so that there is currently an adequacy decision by the EU Commission for the transfer of data.
Legal basis and right of withdrawal
The legal basis is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR, if you have given your consent via our banner.
Your consent is voluntary and can be revoked at any time. If you wish to withdraw your consent or change your preferences, please click on Privacy Settings in the footer area of this website.
10. TikTok applications
As part of our website, we use advertising applications from TikTok Information Technologies UK Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”). We have integrated the TikTok pixel into our website and use TikTok Event APIs. The information generated about your use of this website is transmitted to a TikTok server. With the help of the data, TikTok is able, on the one hand, to determine the visitors to our online offering as a target group for the presentation of ads (so-called “TikTok ads”). Accordingly, we use the pixel to display the ads we place on TikTok only to users who have also shown an interest in our online offering or who exhibit certain characteristics (e.g., interests in certain topics or products determined based on the websites visited) that we submit to TikTok. With the help of the data, we also want to ensure that our TikTok ads match the potential interest of users and are not annoying. With the help of the data, we can also understand the effectiveness of the ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on an ad on TikTok (so-called “conversions”).
TikTok processes the data in accordance with TikTok's Privacy Policy, which contains further information about data processing by TikTok.
Data transfer to third countries
The use of TikTok applications may result in further data transfers by the Irish TikTok company, including to third countries outside the EU / EEA. This may, among other things, lead to unauthorized access to your personal data or to a restriction of your rights as a data subject. For more information, please refer to the above-mentioned linked TikTok privacy policy.
Legal basis and right of withdrawal
The legal basis for the use of cookies is your consent in accordance with Article 6 (1) (a) of the GDPR if you have given your consent via our banner. Your consent is voluntary and can be withdrawn at any time. If you wish to revoke your consent or change your preferences, please click on “Privacy Settings” in the footer of this website.
11. Other tracking applications
Furthermore, we use cookies and tracking technologies for analysis and advertising purposes with your consent, in particular from Hotjar Ltd, Netlify Inc, Tidio Ltd, Klaviyo Inc. and Pinterest Inc. This leads in particular to data transfers to the USA and China. These countries have lower data protection standards than the EU, meaning that we cannot rule out the possibility of unauthorized access to your data or a restriction of your data protection rights. Please take this into account when giving your consent in the cookie banner.
12. Embedded Videos
On our website, you can watch videos that are integrated by YouTube (a product of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). For this purpose, we have activated YouTube's extended data protection application so that YouTube only collects data from you if you click on the respective clip.
We also use Vimeo LLC, New York, USA (Vimeo). Data is only transferred to Vimeo if you have given your consent to the setting of cookies in the cookie banner.
By clicking on the clips or giving your consent in the cookie banner, you consent, pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR, to the processing of the data collected about you by YouTube, including by Google LLC in the USA, and, pursuant to Art. 49 para. 1 sentence 1 lit. a) GDPR, to the transfer of data to a third country under data protection law. You can withdraw your consent at any time. Until revocation, data processing based on this consent is permitted. The terms of use and information on the storage period can be found here.
13. Map Services
We embed map services on our websites that are not stored on our servers. This includes Google Maps, the map service of Google LLC.
To ensure that accessing our websites with embedded map services does not automatically result in the third-party provider's content being reloaded, we only display locally stored maps in a first step. This means that the third-party provider does not receive any information. Only after clicking on the map is content from the third-party provider loaded. As a result, the third-party provider receives the information that you have accessed our site, and the usage data technically required in this context. We have no influence on further data processing by the third-party provider.
By clicking on the preview image, you give us your consent in accordance with Art. 6 para. 1 lit. a) GDPR to reload content from the third-party provider and thereby transmit the usage data to the third-party provider. If you do not wish such reloading on other pages, please do not click on the preview images.
Please note that the embedding of some map services results in your data being processed outside the EU or the EEA. In the case of Google Maps, this may result in data being transferred to the USA. In some countries, including the USA, there is a risk that authorities may access the data for security and surveillance purposes without you being informed or having the right to appeal. If we use providers in insecure third countries, the transfer to an insecure third country is based on your consent in accordance with Art. 49 para. 1 lit. a) GDPR. Google LLC is also subject to an adequacy decision by the EU Commission (EU-US Data Privacy Framework).
14. Product Reviews and Surveys
Users can rate our products on the website. For this purpose, it is necessary for the user to enter a name or nickname for reasons of assignability. We process this data solely to display the rating on the website.
In addition, users can participate in surveys on a voluntary basis. Typeform is used for this purpose.
If personal data is processed in this context, the legal basis is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR. You can withdraw your consent at any time. Data processing based on this consent is permitted until you withdraw your consent.
15. Trusted Shops
Services and products of Trusted Shops SE ("Trusted Shops"), including the so-called Trustbadge, are integrated on our website to display product reviews and offer buyer protection. For this purpose, the processing of your IP address is technically necessary and is based on Art. 6 para. 1 lit. f) GDPR. The legitimate interest is to be able to advertise with reviews on our website.
Trusted Shops gains access to your IP address through the integration. The Trustbadge is also provided by a US CDN provider (Content Delivery Network) commissioned by Trusted Shops. Further information on data protection at Trusted Shops can be found in their privacy policy.
We are jointly responsible for data processing with Trusted Shops in accordance with Art. 26 GDPR. Please contact Trusted Shops primarily if you have any questions about Trusted Shops and to assert your data protection rights. However, you can of course also contact us and we will forward your request to Trusted Shops if necessary to answer it.
16. Competitions and Promotions
From time to time, we offer participation in competitions or other promotions. Unless otherwise specified in the special data protection information for the respective competition or promotion, the personal data you provide to us as part of your participation in the competition or promotion will be used exclusively for the purpose of running the competition or promotion (e.g. determining the winner, notifying the winner, sending the prize). The legal basis for data processing in the context of competitions and promotions is Art. 6 para. 1 sentence 1 lit. b) GDPR.
If you submit a declaration of consent as part of the competition or other campaign, your data will also be processed for the purposes stated in the respective declaration of consent. The legal basis for the processing in this case is Art. 6 para. 1 sentence 1 lit. a) GDPR. You have the option of withdrawing your consent at any time with effect for the future without this being associated with any disadvantages for you. All you need to do is notify the office specified in the declaration of consent. Data processing based on this consent is permitted until you withdraw your consent.
After the end of the competition or promotion, the participants' data will be deleted. The data of any winners of non-cash prizes will be stored for the duration of the statutory warranty claims to be able to arrange for a repair or replacement in the event of a defect in the prize. The legal basis for processing in this respect is Art. 6 para. 1 sentence 1 lit. f) GDPR. Furthermore, data of winners will be stored for the duration of statutory retention periods.
Further details can be found in any more specific data protection notices for the relevant competition or promotion, which take precedence over the above notices.
17. Applicant Portal
We use the JOIN Solutions GmbH ("join") application portal to process applications.
We process your personal data for the purpose of deciding whether to establish an employment relationship with us. As part of the application process, we process the personal data collected via join, particularly your contact details, such as your name and address, and all data related to the application, e.g. CV, certificates, qualifications. If you apply for reimbursement of travel expenses, we also require your bank details. The legal basis for the processing of your data results from Art. 88 GDPR or Art. 6 para. 1 sentence 1 lit. b) GDPR.
We also collect and process personal data that you provide to us voluntarily. These fields marked as voluntary or optional do not have to be filled in. This data is processed based on your revocable consent in accordance with Art. 6 para. 1 lit. a) GDPR.
If you are not hired but your application is still of interest to us, we may ask you whether we may keep your application on file for future vacancies. This longer retention period is based on your revocable consent in accordance with Art. 6 para. 1 lit. a) GDPR. This consent is voluntary and not granting the corresponding consent has no effect on other ongoing application procedures.
Data recipient
It goes without saying that we treat your data confidentially and do not pass it on to third parties. If necessary, we use service providers who are strictly bound by our instructions, who support us, for example, in the areas of IT or the archiving and destruction of documents, and with whom we have concluded separate contracts for order processing. This includes join as the provider of the applicant portal.
Storage duration
If there is no statutory retention period, the data will be deleted as soon as storage is no longer necessary or the legitimate interest in storage has expired. If you are not hired, this is usually the case no later than six months after completion of the application process or after receipt of the rejection. We also delete data if you withdraw your consent to the processing of your data.
We will retain your declaration of consent to the longer storage of your applicant data for a further three years to comply with our accountability obligations within the meaning of Art. 5 para. 2 GDPR.
In individual cases, individual data may be stored for longer (e.g. travel expense reports). The duration of storage then depends on the statutory retention obligations. Further storage of your data is also permitted if further processing is necessary for the assertion, exercise or defense of legal claims after we have weighed up your interests.
18. Links to other Websites or Apps
Insofar as our website contains links to other websites or offers apps for downloading, this Privacy Notice does not apply. Please inform yourself on the respective other websites or apps about the data protection provisions applicable there.
19. Privacy Notice for our Social Media Pages
When you visit our social media pages, it may be necessary for data relating to you to be processed. We would therefore like to inform you below about the handling of your data and your resulting rights.
Controllership
In addition to us, the respective operator of the social media platform is also responsible for the processing of your personal data. Insofar as we can influence this and parameterize the data processing, we work towards data protection-compliant handling by the operator of the social media platform within the scope of the possibilities available to us. In this context, please also note the data protection declarations of the respective social media platform.
Data processing by us
The data you enter on our social media pages, such as user names, comments, videos, images, likes, public messages, etc., are published by the social media platform and are not processed by us at any time for purposes other than publication and communication. We only reserve the right to delete content if this should be necessary. We may share your content on our site if this is a function of the social media platform and communicate with you via the social media platform. The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f) GDPR. The data processing is carried out in the legitimate interest of conducting public relations work for our company and being able to communicate with you. The operator of the social media platform can view your data, but we do not pass your data on to other parties unless this is permitted by law or with your consent. The use of our social media presence is voluntary (provision of personal data through voluntary interaction).
If you send us an inquiry on the social media platform, we may also refer you to other, secure communication channels that guarantee confidentiality, depending on the content. For example, you have the option of sending us your inquiries at any time to the address or email address stated in the legal notice. The choice of the appropriate communication channel is your own responsibility.
We delete your personal data when it is no longer required, unless there are statutory retention obligations. The data will be deleted after any statutory retention obligations have expired.
Some social media platforms create statistics that are based on usage data and contain information about your interaction with our social media site. We cannot influence or prevent the performance and provision of these statistics. We process this information in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR in the legitimate interest of validating the use of our social media pages and improving our content in a target group-oriented manner.
We use Facebook Ads (also regarding Instagram) to provide and personalize advertising. This is done on the basis of:
- Demographic data
- User behavior (based on behavior and interests via consumed content, communications, other information provided by the user)
- Networks and connections
- Device information (operating system, device type)
- Location-specific targeting
For this purpose, we use target group definitions provided to us by the social media provider. We only use anonymous target group definitions - i.e. we define characteristics based on general demographic information, behavior, interests and connections, for example. The operator of the social media platform uses these to display advertisements to its users accordingly. The legal basis for this is the consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR, which the operator of the social media platform has obtained from its users. If you wish to revoke this consent, please use the revocation options provided by the provider of the social media platform, as the social media platform operator is responsible for this processing.
We do not use target group definition based on location data. We do not pass on any personal data to the operator of the social media platform as part of the target group definition.
Occasionally, we also use information about visits to or interactions with other sites (so-called remarketing) to define target groups. We also use cookies for this purpose. In these cases, however, we obtain the user's consent in advance via a consent banner on the respective other pages and provide information about the data processing at this point. You can revoke this consent at any time by calling up the consent banner on the relevant website again. Data processing based on this consent is permitted until revocation.
You consent to personalized advertising in the terms of use of the social networks (consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR). This data processing can be prevented in the settings of the social networks (withdrawal of consent; this withdrawal is possible at any time. The data processing that takes place until consent is withdrawn is justified based on the consent). If you have indicated in the settings that no personalized advertising should take place, your data will not be used for personalized advertising. We ourselves cannot assign this data to an individual person or profile at any time.
We use an application from Swat.io GmbH (“swat.io”) to manage our social media pages, generate statistical evaluations and communicate with our users. In this context, swat.io may have access to your data if you interact with our social media pages or send us messages via social media. swat.io is contractually obliged to comply with data protection regulations and to maintain confidentiality as a processor.
Data processing by the operator of the social media platform
The operator of the social media platform uses web tracking methods. Web tracking can also take place regardless of whether you are logged in or registered with the social media platform. We would therefore like to point out that it cannot be ruled out that the provider of the social media platform may use your profile and behavioral data to evaluate your habits, personal relationships, preferences, etc., for example. In this respect, we have no influence on the processing of your data by the provider of the social media platform, so that the use of the social media platform is at your own risk.
It is possible that the operator of the social media platform processes your personal data outside the EU or the EEA, as the parent companies are based in the USA and data transfer from the European to the US companies cannot be omitted. There is therefore a risk that authorities may access the data for security and monitoring purposes without you being informed or being able to take legal action. The legal basis for setting a cookie on your end device is your consent, which you can give on the social media platform. When using the social media platform via our websites, personal data is transmitted by using the social media platform in accordance with your consent pursuant to Art. 6 para. 1 sentence 1 lit. a) GDPR and for data transfer to a third country under data protection law pursuant to Art. 49 para. 1 sentence 1 lit. a) GDPR. If you no longer visit our website, data will no longer be transferred. This revocation is possible at any time. The data processing carried out until the withdrawal of consent is justified based on the consent.
Further information on data processing by the provider of the social media platform, configuration options to protect your privacy as well as further objection options and, if available and concluded, the agreement in accordance with Art. 26 GDPR can be found in the privacy policy and other pages of the provider as well as in your profile settings:
- Facebook: https:
- Instagram: https://help.instagram.com/519522125107875
- YouTube: https://policies.google.com/privacy?hl=de&gl=de
- TikTok: https://www.tiktok.com/legal/page/eea/new-privacy-policy/de-DE
- Pinterest: https://policy.pinterest.com/de/privacy-policy
Your rights as a user
As a website user, you have the option of asserting the following rights both against us and against the provider of the social media platform if the requirements are met, see the "Your rights" section.
If you wish to object to certain data processing over which we have an influence, please use the contact details provided in the legal notice.
20. Data Recipients and Data Transfers to Third Countries
In addition to the above, we use various third-party providers to provide various services, in particular in the areas of IT and hosting / support, who may receive access to your personal data as part of the provision of services. This access may also take place from third countries (countries outside the EU/EEA) where the level of data protection may be lower than in the EU. This may result in unauthorized access to your data or the restriction of your data protection rights. If there is no adequacy decision by the EU Commission for the third country in question, we conclude the so-called Standard Contractual Clauses provided by the EU Commission with the providers and carry out transfer impact assessments. These contractually oblige the providers to comply with European data protection regulations. Further information on this is available on request from our support team. The standard contractual clauses can be viewed at the following link.
21. Deletion Periods
Personal data of visitors to our website will be deleted when knowledge of it is no longer required for the purposes described above, unless legal provisions require longer storage or unless otherwise stated in the previous sections.
After revocation of consent, the personal data on which the consent is based will be stored for three years from the time of revocation in accordance with Art. 5 para. 2, Art. 83 para. 8 GDPR based on our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR as proof of lawfully obtained consent. However, this does not apply to cookies if they have been deleted.
22. Your Rights
If you have any questions or comments about the data protection settings, please contact us using the contact details given above.
When processing your personal data, the GDPR grants you certain rights as a data subject:
Right of access (Art. 15 GDPR)
You have the right to request confirmation as to whether personal data concerning you is being processed; if this is the case, you have the right to access this personal data and to the information listed in detail in Art. 15 GDPR.
Right to rectification (Art. 16 GDPR)
You have the right to demand the immediate correction of incorrect personal data concerning you and, if necessary, the completion of incomplete data.
Right to erasure (Art. 17 GDPR)
You have the right to demand that personal data concerning you be deleted immediately if one of the reasons listed in Art. 17 GDPR applies.
Right to restriction of processing (Art. 18 GDPR)
You have the right to request the restriction of processing if one of the conditions listed in Art. 18 GDPR is met.
Right to data portability (Art. 20 GDPR)
In certain cases, which are listed in detail in Art. 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to request the transmission of this data to a third party.
Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)
In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you are of the opinion that the processing of data concerning you violates data protection regulations. The right to lodge a complaint can be exercised in particular with supervisory authorities in the Member State of your habitual residence, place of work or place of the alleged infringement.
Your right of objection
You have the right to object to the processing of your data at any time for personal reasons. If you file an objection, we will no longer process your personal data. This only applies if we can demonstrate compelling legitimate grounds (e.g. legal requirements) for the processing. The objection can be made informally with the subject "Objection" and should be sent to the address given in the introduction or in the legal notice.