Privacy Policy

We, the Hemro International AG, Thurgauerstrasse 80, 8050 Zürich, Switzerland (Hemro/we), thank you for visiting our website and for your interest in Mahlkönig. In the following, we provide information about the type, scope, and purpose of the collection and use of your personal data on this website. Personal data is any information relating to an identified or identifiable natural person. This includes in particular your name, address, and email address. If provisions of the General Data Protection Regulation (GDPR) are named in this Privacy Policy, these shall apply in accordance with Art. 3 GDPR. In all other respects, the applicable statutory provisions on data protection shall apply.

1. Data processing to enable the use of the website

Every time you access content on our website, connection data is transferred to our web server. This data includes:

  • the IP address (Internet Protocol address) of the respective users
  • the date and time of the query 
  • the referrer URL
  • device numbers such as your unique device identifier (UDID) and comparable device numbers, device information (e.g., device type)
  • the browser type/version

    This connection data is neither used to determine a user’s identity nor is it combined with data from other sources. Rather, it serves to make the website available. The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR. After no more than seven days, the connection data is anonymized by truncating the IP address at the domain level.

    2. Data processing on request

    The use of our website is generally possible without providing personal data. You are neither obliged to visit this website nor to provide any personal data. Personal data, except for orders, also does not have to be provided in order for a contract to be concluded. If you do not provide us with the personal data listed below, you may not be able to use certain functions or services of this website. Other than that, there will be no consequences for you.

    We process your personal data when you use our following services:

    2.1. Order in the shop

    When you place an order with us, we process the following data from you:
    • registration data from the customer account (see Section 2.2 or Section 2.3) or your guest data
    • purchase data (order/shopping cart)
    • payment data (payment method, account data, and credit card data, billing addresses)

    Your personal data is processed based on Art. 6 para. 1 sentence 1 lit. b GDPR.

    2.2. Dealer area

    If you register with us as a dealer and use the dealer area on our website, we will process your data for this purpose.

    When using a password, please take appropriate security measures. For example, a password should contain a minimum of 8 characters and should always consist of a combination of upper- and lowercase letters, numbers, and special characters. Trivial words such as “ABC” or keyboard sequences (e.g., “qwert” or “asdfgh”), all kinds of names (e.g., of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are thus problematic.

    Your personal data is processed based on Art. 6 para. 1 sentence 1 lit. b GDPR.

    2.3. Registration as customer

    If you wish to register as our customer, we collect the mandatory information required from you (first name, last name, email address, password).

    Registration is not necessary, but it will make the ordering process easier for you for future orders, as you can reuse the data you have already saved. Alternatively, you can place an order as a guest. In this case, we collect the same data from you as during the registration, except for a password. This data, however, is not stored in a customer account for you, meaning you do not have access to a customer account.

    After registration has been completed, you can log in by providing your email address and password. Please always make sure to log out before leaving the website.

    When using a password, please take appropriate security measures. For example, a password should contain a minimum of 8 characters and should always consist of a combination of upper- and lowercase letters, numbers, and special characters. Trivial words such as “ABC” or keyboard sequences (e.g., “qwert” or “asdfgh”), all kinds of names (e.g., of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are thus problematic.

    The processing of your personal data is based on your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR.

    We also store your IP address and the time of registration during the registration process. This is necessary to ensure the security of our information technology systems. The legal basis for processing your data in this case is Art. 6 para. 1 sentence 1 lit. f GDPR.

    2.4. Login

    If you are a Hemro customer, you may be able to access separate information or updates about the product you are using through this website’s login feature.

    Login data must be kept strictly confidential. If a password has nevertheless been shared, for example, to enable third parties to access certain databases in an emergency, the password must be changed immediately. For your own protection, passwords that have already been used before may not be used again.

    We also store your IP address and the time of access during the login process. This is necessary to ensure the security of our information technology systems.

    We also set a session cookie each time you log in. This session cookie prevents automatic logout during active use of the account or related services. After the respective logout, the session cookie is automatically deleted within a few minutes.

    The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR and, if your contractual relationship is affected, Art. 6 para. 1 sentence 1 lit. b and/or f GDPR.

    2.5. Contact form

    If you use the contact form we provide to contact us, your details will be stored so that they can be used to process your query. Provision of your email address is sufficient for us to contact you. The additional voluntary information about your person serves only to personalize the address for you.

    The legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest then lies in responding to your query.

    In the event that (pre)contractual measures are implemented, the legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR.

    2.6. Newsletter

    If you expressly consented to receiving our newsletter, information about company news, current events, and the latest coffee grinding product highlights will be sent regularly to the email address you provided. Provision of your email address is sufficient for us to send you the newsletter. The additional voluntary information about you is only used to personalize the newsletter for you.

    In order to subscribe to our newsletter, we use the so-called double-opt-in procedure. This means that once you have subscribed, we will send you an email to the email address you provided, asking you to confirm that you want us to send you the newsletter. If you do not confirm your subscription within three months, your information will be automatically deleted.

    In connection with our newsletter, we use the online marketing platform Mailchimp (“Mailchimp”), which is operated by Intuit Inc, 2700 Coast Ave, Mountain View, CA 94043, 650-944-6000, USA. Mailchimp is a service that can be used to organize the sending of newsletters, among other things. Our newsletters sent via Mailchimp allow us to analyze the behavior of newsletter recipients using a tracking pixel (so-called web beacons). It may be analyzed, for example, how many recipients have opened the newsletter message and how often links in the newsletter have been clicked. Further information about Mailchimp’s Privacy Policy is available at: https://mailchimp.com/legal/cookies/#Cookies_served_through_the_Service and https://www.intuit.com/privacy/statement/

    The legal basis for the processing of data is based on your consent, based on § 25 para. 1 sentence 1 Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You may withdraw your consent at any time with effect for the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. A link is provided at the end of each newsletter for you to exercise your right to withdraw from the newsletter and tracking. Alternatively, you can also withdraw your consent at any time, for example, by sending an email to marketing@hemrogroup.com. 

    Please note that Intuit Inc. is a company from the USA. However, Intuit Inc. is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the U.S. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TXVKAA4&status=Active.

    2.7. Customer rating

    On our website we display customer reviews received about our products. To provide this function, we use the tool REVIEWS.io of the provider REVIEWS.io Ltd, 29 - 35 Forresters Building, St Nicholas Place, Leicester, LE1 4LD, United Kingdom ("REVIEWS.io"). This tool allows us to send you invitations to submit a customer review and to display the customer reviews we receive on our website. In addition, REVIEWS.io provides us with statistical and analytical data about the reviews we receive.

    If you have placed an order with us in the store and have given your corresponding consent (see below), you will receive an invitation e-mail to submit a customer review. If you click on the link from the corresponding invitation e-mail, this will take you to the REVIEWS.io website, where you can write a review. Your review will then be published on the REVIEWS.io website. The provider alone is responsible for data processing in connection with the writing of the review, automatic creation of a personal account by REVIEWS.io and publication on the REVIEWS.io website. Regarding the data processing by REVIEWS.io, we therefore refer to the privacy policy of REVIEWS.io: https://www.reviews.io/front/user-privacy-policy.

    Once you have submitted a review, it will also be published on our website via a widget. To this extent, we use REVIEWS.io as an order processor for the provision of customer reviews.

    As part of your order, we ask for your consent to send you an invitation to submit a customer review as well as to publish your respective review on our website. In this respect, the legal basis for our data processing is your consent pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR. You can revoke your consent at any time with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. You can revoke your consent at any time, e.g., by sending an e-mail to marketing@hemrogroup.com. For the transfer of data to REVIEWS.io in the United Kingdom, the adequate level of data protection is guaranteed by an adequacy decision of the European Commission.

    3. Data processing for the demand-oriented design of the website

    In order to make your user experience of our website as pleasant as possible, we use so-called “web tracking systems.” Cookies are generally used for this purpose. These are small text files, which are sent from a web server to your browser and stored on your computer’s hard drive. This enables us to recognize the end device you are using when you access our website. We are thus able to determine, for example, whether you are logged in, have an active shopping cart, and what the contents of your shopping cart are. The session cookies deployed for using the shop are deleted at the end of the browser session. Other cookies remain on your end device and allow us to recognize your device on your next visit.

    A list of the tracking tools and other services that we use and that use cookies is provided in Section 3.1 et seq.

    Most browsers are set to accept cookies by default. You can deactivate the storage of cookies in your browser and delete them from your hard drive at any time. However, you can also use your browser to prevent certain cookies (e.g., from third parties) from being set – to prevent web tracking, for example. Further information about your browser’s help function is available here.  

    We would like to point out that you can also install a plug-in in your browser to protect your privacy. Plug-ins such as AdBlock, Ghostery, or NoScript can prevent tracking (please refer to the privacy policy of the respective plug-in provider).  

    Finally, we would like to point out that if cookies are deactivated, it may not be possible to use all functions of this website to their full extent. Please also note that deactivation may have to be carried out for each browser and each end device.

    Details of the cookies used on the website can be found in the cookie banner and in the following terms and conditions. Unless otherwise stated in the following provisions in Section 3.1 ff., the legal basis for processing your data is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the needs-oriented design of the website.

    3.1. Cookie consent with the cookie consent tool

    In order to be able to manage your consent to the use of tracking tools, we use the cookie consent tool "GDPR Legal Cookie" from the provider beeclever GmbH, Friedrich-Mohr-Straße 1, 56070 Koblenz. In addition to the connection data, the granting or refusal of your consent or the withdrawal of consent is processed in this context. In order to be able to make the corresponding assignment, the cookie consent tool also sets a cookie in your browser. If you wish to undo these settings, simply delete the cookies in your browser (also see Section 3) or configure your individual cookie settings via the cookie banner. For more information on data protection, please visit: https://gdpr-legal-cookie.com/pages/terms-conditions.

    We use the cookie consent tool to obtain the declarations of consent mandated by law for the use of cookies. The legal basis in this case is Art. 6 para. 1 sentence 1 lit. c GDPR.

    In addition to the information in the cookie banner, please also note the following information in sections 3.2 ff.

    3.2. Google Analytics

    Our website uses the “Google Analytics 4” (GA4) tracking tool. This is a service provided by Google Ireland Limited, a company registered and operated in accordance with Irish law, headquartered at Gordon House, 4 Barrow Street, Dublin, Ireland (“Google”). This tracking tool helps us to make our online offers more interesting for you and to improve the user experience. Data on the use of our website is stored in pseudonymized user profiles. In addition to JavaScript and pixels, cookies can also be used for this purpose. Further information on the use of cookies can be found at: https://support.google.com/analytics/answer/11397207. The types of personal data processed include online identifiers (including cookie identifiers), internet protocol addresses and device identifiers, and identifiers assigned by the customer.

    Data from different devices, sessions, and interactions can additionally be linked to a user ID. This information is generally transferred to a Google server in the USA and stored there. 

    As part of the evaluation, Google also uses artificial intelligence (AI) to automatically analyze, classify, and enrich data. This is done in particular for predictive metrics on future user behavior based on structured event data, such as purchase probability, churn probability and predicted revenue. The forecast measurement values can also be used for forecast target groups. You can find out more about this at: https://support.google.com/analytics/answer/9846734.

    Google uses modeling techniques to estimate online conversions that cannot be captured directly. This enables more realistic statements to be made in reports, advertising campaigns to be optimized and automatic bidding to be improved. You can find more information on this at: https://support.google.com/analytics/answer/10710245.

    Finally, the data is analyzed using Analytics statistics. Google provides automatic and user-defined statistics. You can find out more about this at: https://support.google.com/analytics/answer/9443595.

    By default, Google already automatically anonymizes user IP addresses when collecting user data. Google also does not log or store the IP addresses. The truncating of IP addresses does not mean that data is processed entirely in anonymized form. Thus, when Google Analytics is used, usage data is collected that is to be evaluated as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example. 

    On our behalf, Google will use this information to evaluate your usage of our website, to compile reports on website activity, and to provide other services related to website and Internet usage to us. The pseudonymized user profiles are not combined with personal data about the bearer of the pseudonym unless separate consent has been obtained for this. 

    For more information on Google Analytics, see: https://support.google.com/analytics/answer/12017362

    Please note that Google also has independent access to your data collected via Google Analytics and may also use this data for its own purposes. Google may, for example, link this data to other information about you, such as search history, personal account, usage data from other devices, and all other data that Google has about you.

    The legal basis for the use of Google Analytics is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent to this via our cookie banner. Please note that Google is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the USA. You can find further information here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active

    3.3. Google Ads Conversion

    We use the "Google Ads Conversion" service to advertise our products on external websites with the help of advertising material and to determine the success of our advertising measures. These advertising materials are delivered by Google via so-called "ad servers". If you access our website via a Google ad, Google Ads will store a cookie on your end device. These cookies generally lose their validity after 30 days and are not used to identify you personally. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be addressed) are usually stored as analysis values for this cookie.

    The aforementioned cookies enable Google to recognize your internet browser. Therefore, if you have visited certain websites of an Ads customer and the cookie stored on your computer has not yet expired, Google and the Ads customer can recognize that you clicked on the ad and were redirected to this page. Cookies cannot be tracked via the websites of Ads customers. We ourselves do not collect and process any personal data in the aforementioned advertising measures. We only receive statistical evaluations from Google. Based on these evaluations, we can recognize which of the advertising measures used are particularly effective. We do not receive any further data from the use of the advertising material; in particular, we cannot identify you based on this information.

    The legal basis for the use of Google Ads Conversion is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent to this via our cookie banner. Please note that the provider is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses have been agreed as suitable guarantees to ensure an appropriate level of protection when transferring data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which guarantees the secure transfer of personal data to the USA. You can find more information here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

    Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our level of knowledge as follows: By integrating Ads Conversion, Google receives information that you have accessed the relevant part of our website or clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will find out your IP address and store it.

    You can find more information on data protection at Google here:
    https://support.google.com/google-ads/answer/93148
    https://ads.google.com/intl/en_uk/home/resources/gdpr/

    3.4. Google Maps

    We use Google Maps via an API on our website. This is a service provided by Google. Your IP address must be stored to use the Google Maps functions. This information is generally transferred to a Google server in the USA and stored there. We have no control over this data transfer. We have also concluded an agreement with Google on mutual responsibility for the processing of personal data. You can view our agreement with Google by clicking the following link. The legal basis for the use of Google Maps is your consent pursuant to § 25 para. 1 sentence 1 TTDSG for the storage and access to information in end devices, as well as pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the USA. You can find further information here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active

    Further information on how user data is handled is available in Google’s Privacy Policy at: https://www.google.de/intl/de/policies/privacy/.

    3.5. Google Tag Manager

    We use Google Tag Manager ("GTM"). This Google service allows website tags to be managed via an interface. However, GTM only implements tags. In this respect, no cookies are used. GTM only triggers other tags, which in turn may collect data, but GTM does not access this data. Data is only analyzed in the respective tool (see the tools listed in section 3 for details). However, GTM records your IP address and online identifiers (including cookie identifiers), which may also be transmitted to Google in the USA. You can find additional information on GTM at https://support.google.com/tagmanager/answer/6102821

    The legal basis for the use of GTM is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent to this via our cookie banner.

    Please note that the provider is a company from the USA. Information about Google's data center locations can be found at www.google.com/about/datacenters/locations/. The new EU standard data protection clauses have been agreed as suitable guarantees to ensure an appropriate level of protection when transferring data. In addition, Google LLC is an active participant in the EU-U.S. Data Privacy Framework, which guarantees the secure transfer of personal data to the USA. Further information can be found here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active.

    3.6. YouTube

    Our website uses plug-ins from YouTube, which is operated by Google. If you visit one of our websites featuring a YouTube plug-in and actively click on the corresponding field, a connection to YouTube servers is established. Here the YouTube server is informed about which of our pages you have visited. If you are logged in to your YouTube account, you allow YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. 

    The legal basis for the use of YouTube is based on your consent pursuant to § 25 para. 1 sentence 1 TTDSG for the storage and access to information in end devices, as well as pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Google is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. If you nevertheless wish to consent to the use of this tool, you can select this via the cookie banner. After EU standard data protection clauses have been implemented, this shall provide the legal basis for the transfer of data to third countries.

    Further information on how user data is handled is available in YouTube’s Privacy Policy at: https://policies.google.com/privacy

    3.7. Privy

    For our online marketing activities, we use the Privy service provided by Privy, LLC, 201 South St, 2nd Floor, Boston, MA 02111, USA (“Privy”). This service allows us to set up marketing campaigns in the form of pop-ups on our website and analyze the success of these campaigns. Privy collects the data you enter in the pop-up window, as well as your IP address and device and browser information. Cookies are used for this purpose.

    The legal basis for the use of Privy is based on your consent pursuant to § 25 para. 1 sentence 1 TTDSG for the storage and access to information in end devices, as well as pursuant to Art. 6 para. 1 sentence 1 lit. a GDPR for the further processing of your data. You give your corresponding consent via our cookie banner. Please note that Privy is a company from the USA. The new EU standard data protection clauses were agreed as appropriate safeguards to ensure an adequate level of protection for the transfer of data. Further information on how user data is handled is available at: https://www.privy.com/privacy-policy and https://www.privy.com/data-processing-addendum

    3.8. Meta Pixel

    With the so-called "Meta pixel", an invisible pixel is integrated on our website, via which the online behavior of each website visitor is analyzed by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta"). The Meta pixel makes it possible to transmit customer data such as first name, surname, email address, etc. to Meta and to enrich it with existing tracking data. This makes it possible to collect data from non-users of the Facebook social network or to record users who are not logged in to Facebook when they visit a website. As a result, website visitors are tracked via Meta, which deliberately prevents the storage of third-party cookies. This gives us the opportunity to target you on Facebook with an advertisement. However, the Meta pixel also makes it possible to acquire new customers and target new people who are similar to website visitors.

    In addition to us, Meta itself is also responsible for data processing. Meta processes the data in accordance with Meta's Data Usage Policy. Details can be found in Meta's privacy policy. Specific information and details about the Meta pixel and how it works can be found in Meta's help section.

    In this respect, we are jointly responsible with Meta within the meaning of Art. 26 GDPR for the processing of your personal data. In this case, you can assert your rights (see Section 9) against both us and Meta. However, Meta serves as the first point of contact. We have concluded an agreement with Meta on joint responsibility for the processing of personal data. You can view this at the following link: https://www.facebook.com/legal/controller_addendum.   

    The legal basis for the use of the Meta pixel is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment and Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner.

    Please note that Meta is a company from the USA. In the event that data is transferred to Meta Platforms Inc. in the USA, the new standard data protection clauses have been agreed between Meta Platforms Ireland Limited and Meta Platforms Inc. In addition, Meta Platforms Inc. is an active participant in the EU-U.S. Data Privacy Framework, which ensures the secure transfer of personal data to the USA. You can find further information here: https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnywAAC&status=Active

    4. Social media presence

    4.1. Links to social networks

    Our website contains links to social networks (Facebook/Meta, X (Twitter), LinkedIn, Pinterest, Instagram, and YouTube). These websites are operated exclusively by third parties. If you click the links, the respective provider may process your personal data. Please refer to the providers’ privacy policies for further information in this regard.

    4.2. Data processing by Hemro and legal basis

    Our social media presences (Facebook/Meta, X (Twitter), LinkedIn, Pinterest, Instagram, and YouTube) are intended to provide you with information about Hemro as well as about our new developments, services, and products. Depending on the respective provider’s offer, you have the option to interact in different ways (comments, recommendations, etc.), for example, in connection with our social media presence. The interaction of users is an important criterion for us in order to carry out targeted marketing. For example, we can determine which posts users prefer to read. We therefore also use the statistics determined by the providers in this regard for our own purposes. If we process the users’ personal data, the legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest thus lies in particular in targeted information/advertising. The providers will inform you separately about the legal basis on which they process your data for their own purposes.

    4.3. Joint responsibility

    In some cases, we may share responsibility for the processing of your personal data with social media providers. In this case, you may assert your rights both against us and against the social media provider (see Section 9). However, the first point of contact is always the social media provider.

    We have concluded an agreement with Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Facebook or Meta) on joint responsibility for the processing of personal data. This applies to the processing of so-called “insights data” – page statistics, in particular on the interactions of Facebook users. Further information on page insights is available here: https://www.facebook.com/business/pages/manage#page_insights. Our agreement with Facebook can be viewed by clicking the following link: https://www.facebook.com/legal/controller_addendum 

    In relation to “page insights,” we have also concluded an agreement with LinkedIn Ireland on joint responsibility. With Page Insights, LinkedIn does not provide us with any personal data about you. We only have access to your aggregated data. It is not possible for us to draw conclusions about individual users by means of page insights information. Detailed information about page insights and our agreement with LinkedIn Ireland can be viewed by clicking the following link:
    https://legal.linkedin.com/pages-joint-controller-addendum.

    Please note that social media providers also process your data outside the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes.

    With regard to the storage period for your data processed by us for our own purposes, please refer to our explanations provided under Section 7. Otherwise, please observe the respective social media provider’s privacy policy.

    5. Data transfer

    We will only transfer personal data to third parties or other recipients if this is necessary for the provision of services, if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. For example, data is transferred to the Hemro Group’s technical service providers (e.g., in connection with orders) – or in the case of a company transaction – to interested parties/buyers, etc. We also use the services of the service provider Shopify International Limited, Victoria Buildings, 2. Floor, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland (Shopify), for the purposes of hosting our website and in connection with the cookie consent tool. Where necessary, we have concluded data processing agreements with the recipients of your data in accordance with Art. 28 GDPR.

    We process your payment information for the purpose of payment processing. Depending on the payment method, we may forward your payment information to third parties (e.g., to your credit card provider in the case of credit card payments).

    The legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. a, Art. 6 para. 1 sentence 1 lit. b, Art. 6 para. 1 sentence 1 lit. f GDPR.

    Please also note the separate data protection provisions of the payment methods you have selected.

    VISA: https://www.visa.co.uk/legal/privacy-policy.html

    MasterCard: https://www.mastercard.de/de-de/datenschutz.html  

    Shopify Payments: We use the payment service provider Shopify. If you choose a payment method offered by the payment service provider Shopify Payments, the payment will be processed by the technical service provider Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland, to whom we send the information you provided during the ordering process together with the information about your order (name, address, account number, bank code, credit card number if applicable, invoice amount, currency and transaction number) in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR. Your data will only be passed on for the purpose of payment processing with Stripe Payments Europe Ltd. and only insofar as it is necessary for this. For more information about Shopify Payments' privacy policy, visit the following web address: https://www.shopify.com/legal/privacy.

    You can find data protection information on Stripe Payments Europe Ltd. here: https://stripe.com/de/privacy

    PayPal: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

    When paying via PayPal, credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment by installments" via PayPal, we pass on your payment data to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"). The transfer takes place in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR and only to the extent that this is necessary for payment processing.

    PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal or - if offered - "purchase on account" or "payment in installments" via PayPal. For this purpose, your payment data may be passed on to credit agencies in accordance with Art. 6 para. 1 sentence 1 lit. f GDPR on the basis of PayPal's legitimate interest in determining your solvency. PayPal uses the result of the credit check in relation to the statistical probability of non-payment for the purpose of deciding whether to provide the respective payment method. The credit report can contain probability values (so-called score values). As far as score values are included in the result of the credit report, they are based on a scientifically recognized mathematical-statistical process. Among other things, but not exclusively, address data is included in the calculation of the score values. Further data protection information, including information on the credit agencies used, can be found in PayPal's data protection declaration: https://www.paypal.com/de/webapps/mpp/ua/privacy-full

    You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may still be entitled to process your personal data if this is necessary for contractual payment processing.

    Google Pay: If you decide to use the “Google Pay” payment method from Google, please note the Terms of Use:

    https://payments.google.com/payments/apis-secure/u/0/get_legal_document?ldo=0&ldt=googlepaytos&ldl=de

    and the further information on data protection:

    https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice&ldl=de

    Apple Pay: If you decide to use the "Apple Pay" payment method from Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, the payment will be processed using the "Apple Pay" function of your device running iOS, watchOS or macOS by debiting a payment card stored with "Apple Pay". Apple Pay uses security features built into your device's hardware and software to protect your transactions. In order to release a payment, it is therefore necessary to enter a code previously defined by you and to verify it using the "Face ID" or "Touch ID" function of your terminal device.

    For the purpose of payment processing, the information you provide during the ordering process, along with the information about your order, will be sent to Apple in encrypted form. Apple then encrypts this data again with a developer-specific key before the data is sent to the payment service provider of the payment card stored in Apple Pay to carry out the payment. The encryption ensures that only the website through which the purchase was made can access the payment details. After payment is made, Apple will send your device account number and a transaction-specific dynamic security code to the originating website to confirm payment success.

    If personal data is processed in the transmissions described, the processing takes place exclusively for the purpose of payment processing in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

    Apple retains anonymized transaction information, including approximate purchase amount, date and time, and whether the transaction was successfully completed. The anonymization completely excludes any personal reference. Apple uses the anonymized data to improve Apple Pay and other Apple products and services.

    When you use Apple Pay on iPhone or Apple Watch to complete a purchase made through Safari on Mac, the Mac and the authorization device communicate over an encrypted channel via Apple's servers. Apple does not process or store any of this information in a format that personally identifies you. You can disable the ability to use Apple Pay on your Mac in your iPhone's settings. Go to Wallet & Apple Pay and turn off Allow Payments on Mac.

    Further information on data protection with Apple Pay can be found at: https://support.apple.com/de-de/HT203027

    6. Data transfer to countries outside the EU

    Insofar as necessary for our purposes, we will only transfer personal data to recipients outside the EU if you have given your consent, if there is a legal obligation to do so, or if the transfer of data is permitted on another legal basis. Your data will also be transferred to recipients based in the USA within the scope of processing data. Please note: According to a ruling by the European Court of Justice (ECJ), no adequate level of data protection exists in the USA, meaning that there is a risk to the protection of your data. For example, under certain conditions, US authorities may therefore process your data for control and monitoring purposes. For further information regarding the legal basis for the transfer of data, please refer to Art. 49 GDPR for now. An appropriate level of data protection is ensured by the conclusion of the new so-called EU standard contractual clauses and/or the participation of the service provider in the USA in the EU-U.S. Data Privacy Framework. An overview of the participants in the EU-U.S. Data Privacy Framework can be found here: https://www.dataprivacyframework.gov/s/participant-search  

    By using Shopify (see Section 5), personal data may be transmitted to Shopify Inc. in Canada or the USA. If data is transferred to Shopify Inc. in Canada, the adequacy decision of the European Commission guarantees the appropriate level of data protection. For more information about Shopify’s Privacy Policy, please visit the website below: https://www.shopify.com/de/legal/datenschutz

    7. Storage period for personal data / criteria for determining the duration

    We will store your personal data for as long as this is necessary for the aforementioned processing purposes or, in the case of an objection, for as long as compelling reasons worthy of protection exist for Hemro or, in the case of a withdrawal of consent, for as long as another legal basis for data processing exists. In certain cases (e.g., if there is a legal obligation to store data), your personal data will not be deleted immediately, but rather blocked initially. For example, the storage period for messages sent via the contact form with business-related content can be ten years.

    8. Security measures to protect your personal data

    We use technical and organizational measures to protect your data from unauthorized access, loss, or destruction. Our security measures are continuously adapted in line with technical developments. Our employees and all persons involved in data processing are obliged to comply with data protection laws and to treat personal data confidentially. Our employees are trained accordingly.

    To protect your personal data on this website, we use a secure online transmission procedure known as “Secure Sockets Layer” (SSL) transmission. This can be recognized by the closed lock symbol displayed on the https:// address. Click on this symbol for details of the SSL certificate used. Display of this symbol depends on the browser version used. SSL encryption guarantees the encrypted and complete transmission of your data.

    9. Your rights

    Within the framework of the legal requirements, you are in principle entitled to request from Hemro:

    • confirmation of whether Hemro is processing your personal data
    • information about this data and the circumstances of processing
    • correction if this data is incorrect
    • deletion if there is no justification for processing and no obligation to store your personal data (any longer)
    • restriction of processing in certain cases specified by law
    • objection in case of data processing based on Art. 6 para. 1 sentence 1 lit. f GDPR
    • transfer of your personal data – insofar as you have provided it – to you or a third party in a structured, common and machine-readable format

    If you have given your consent to the processing of your personal data, you have the right to withdraw your consent again at any time. Processing of your personal data will then not be allowed in the future. However, this will not affect the lawfulness of the processing carried out with your consent before you withdrew your consent. 

    Please address your specific request to our data protection officer in writing or via email, clearly identifying yourself:

    krupna LEGAL
    Data Protection Officer
    Drehbahn 7
    20354 Hamburg

    Email: office@krupna.legal

    Insofar as we use your data in joint responsibility with third parties in the sense of Art. 26 GDPR, the third party is primarily responsible for the exercise of all data subject rights. However, you are also free to assert your rights against us.

    Finally, we would like to draw your attention to your right to lodge a complaint with a supervisory authority.

    10. No automated individual decision

    We do not use your personal data for automated individual decisions.

    11. Amendment of the privacy policy

    New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be adjusted accordingly. The latest version can always be found on our website.