Privacy Policy
1. Introduction and Data Controller
1.1 Welcome to SuperBuy.store
We are pleased about your interest in our international marketplace for vehicle parts. Protecting your privacy is of the highest priority for us. Below, we provide comprehensive information on how we handle your personal data when you visit our website or use our services. Personal data refers to all information relating to an identified or identifiable natural person.
1.2 Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Ecolution GmbH
Bellevue 35
22301 Hamburg
Germany
Phone: +49 40 28 00 25 55
Email: [email protected]
Ecolution GmbH determines, alone or jointly with others, the purposes and means of the processing of personal data.
A data protection officer has not been appointed, as there is no legal obligation for our company to appoint one.
2. Visiting Our Website and Data Security
2.1 Server Log Data for Informational Use Only
If you use our website purely for informational purposes – meaning without registering or otherwise actively providing us with information – we only process data that your browser automatically transmits to our server. These so-called server log files include:
- The page or file accessed
- Date and time of access
- Amount of data transferred in bytes
- Referrer URL (source/reference from which you accessed our website)
- Browser type and version used
- Operating system used
- IP address in anonymized form
The processing of this data is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in ensuring a technically error-free presentation as well as the stability and security of our website. This data is not passed on to third parties nor evaluated for other purposes. However, in the event of concrete indications of unlawful use, we reserve the right to retrospectively review the server log data.
2.2 SSL/TLS Encryption
To protect the transmission of confidential content – such as inquiries submitted via our contact form, user data, or order information – we use SSL or TLS encryption on our website. You can recognize an encrypted connection by the “https://” prefix and the lock symbol in your browser’s address bar.
3. Hosting & Content Delivery Network
3.1 Maxcluster GmbH
For hosting our website and delivering its content, we use the services of maxcluster GmbH, Technologiepark 8, 33100 Paderborn, Germany.
All data collected on our website is processed on maxcluster’s servers.
We have concluded a data processing agreement (DPA) with the provider in accordance with Art. 28 GDPR, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties. Processing is carried out exclusively on servers located in Germany or within the European Union.
3.2 AWS CloudFront
We use a content delivery network provided by: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109, USA.
This service enables us to deliver large media files such as images, page content, or scripts more quickly via a network of regionally distributed servers. Processing is carried out on the basis of our legitimate interest in improving the stability and functionality of our website in accordance with Art. 6(1)(f) GDPR. We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
3.3 Bunny
We use a content delivery network provided by: BUNNYWAY d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia.
This service enables us to deliver large media files such as images, page content, or scripts more quickly via a network of regionally distributed servers. Processing is carried out on the basis of our legitimate interest in improving the stability and functionality of our website in accordance with Art. 6(1)(f) GDPR.
We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
3.4 Cloudflare
We use a content delivery network provided by: Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA.
This service enables us to deliver large media files such as images, page content, or scripts more quickly via a network of regionally distributed servers. Processing is carried out on the basis of our legitimate interest in improving the stability and functionality of our website in accordance with Art. 6(1)(f) GDPR. We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
4. Cookies
To make visiting our website more attractive and to enable the use of certain functions, we use cookies, which are small text files stored on your device. Some of these cookies are automatically deleted after you close your browser (so-called “session cookies”), while others remain on your device for a longer period and allow the storage of page settings (so-called “persistent cookies”). In the latter case, you can find the storage duration in the overview of the cookie settings of your web browser.
If personal data is processed through individual cookies used by us, the processing is carried out in accordance with Art. 6(1)(b) GDPR for the performance of a contract, in accordance with Art. 6(1)(a) GDPR on the basis of consent given, or in accordance with Art. 6(1)(f) GDPR to safeguard our legitimate interests in the best possible functionality of the website as well as a user-friendly and effective design of the website visit.
You can configure your browser settings to inform you about the use of cookies and decide individually on their acceptance, or to exclude the acceptance of cookies for certain cases or in general.
Please note that if cookies are not accepted, the functionality of our website may be limited.
5. Contact
5.1 Facebook Chat
This website uses a live chat system provided by: Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.
The processing of personal data transmitted via the chat is carried out either in accordance with Art. 6(1)(b) GDPR, insofar as it is necessary for the initiation or performance of a contract, or in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in the effective support of our website visitors.
The data transmitted by you in this way will be deleted, subject to any statutory retention obligations to the contrary, once the relevant matter has been conclusively clarified.
In addition, further information may be collected and evaluated by means of cookies for the purpose of creating pseudonymized user profiles; however, this information does not serve to personally identify you and is not merged with other datasets. If this information has a personal reference, processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in the statistical analysis of user behavior for optimization purposes.
The setting of cookies can be prevented by appropriate browser settings. In this case, however, the functionality of our website may be restricted. You may object to the collection and storage of data for the purpose of creating a pseudonymized user profile at any time with effect for the future.
We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
5.2 Live Chat System and Email Ticketing System
This website uses the following provider’s live chat and email ticketing system to communicate with users and to process customer inquiries:
Zendesk, Inc., 989 Market Street, San Francisco, CA 94103, USA
The processing of personal data transmitted via chat or email is carried out either in accordance with Art. 6(1)(b) GDPR, if it is necessary for the initiation or performance of a contract, or in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in efficient and user-friendly communication with our website visitors.
Your transmitted data will be deleted – subject to statutory retention obligations – as soon as the inquiry has been conclusively processed.
For statistical evaluation and to optimize our service offering, Zendesk may use cookies to create pseudonymized user profiles. These profiles do not serve personal identification and are not merged with other data sources. If a personal reference arises, processing is carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in analyzing user behavior. You can prevent the storage of cookies by adjusting your browser settings; however, this may lead to functional restrictions. You may object to the processing of pseudonymized data for the purpose of user analysis at any time with effect for the future.
If you submit contact inquiries via our website, these are stored and organized in the Zendesk ticketing system to enable structured processing and to improve the quality of our customer service. Communication takes place via a unique ticket number, which allows the processing status to be tracked at any time.
As part of processing inquiries, personal data such as first name, last name, email address, and the content of the communication is transmitted to, stored by, and processed by Zendesk. The legal basis for this is our legitimate interest in efficient customer support in accordance with Art. 6(1)(f) GDPR.
To ensure an adequate level of data protection, we have concluded a data processing agreement with Zendesk in accordance with Art. 28 GDPR. For the transfer of personal data to the USA, Zendesk relies on the EU-US Data Privacy Framework, which is based on an adequacy decision by the European Commission and thus ensures a comparable level of protection for personal data.
5.3 WhatsApp Business
You have the option to contact us via the WhatsApp messaging service provided by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. For this purpose, we use the so-called WhatsApp Business version.
If you contact us via WhatsApp, we process the personal data you provide (e.g. mobile phone number, name, and the content of the communication) exclusively for the purpose of handling and responding to your inquiry. Processing is carried out in accordance with Art. 6(1)(b) GDPR if the contact is related to a contractual relationship, or in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in efficient and timely communication.
For the operation of our WhatsApp Business account, we use a mobile device in whose address book only the WhatsApp contact data of users who have actively contacted us via WhatsApp is stored. No storage or transmission of contact data of uninvolved third parties takes place.
The purpose and scope of data collection and the further processing and use of data by WhatsApp, as well as your related rights and setting options for protecting your privacy, can be found in WhatsApp’s privacy policy: https://www.whatsapp.com/legal/?eea=1#privacy-policy
We have concluded a data processing agreement with the provider. In the context of the processing activities described above, personal data may be transferred to servers of Meta Platforms Inc. in the USA. For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures an adequate level of data protection on the basis of an adequacy decision by the European Commission.
5.4 Contact Requests
When you contact us (e.g. via contact form or email), personal data is processed exclusively for the purpose of handling and responding to your inquiry and only to the extent necessary for this purpose.
The legal basis for this is our legitimate interest pursuant to Art. 6(1)(f) GDPR. If your contact request aims at the conclusion of a contract, the additional legal basis is Art. 6(1)(b) GDPR. Your data will be deleted once the matter has been conclusively clarified, provided that no statutory retention obligations apply.
6. Comment Function
When using the comment function on this website, in addition to your comment, the time the comment was created and the commentator name you chose are stored and published on this website. Furthermore, your IP address is logged and stored. The IP address is stored for security reasons and in the event that a comment infringes the rights of third parties or contains unlawful content. We require your email address in order to contact you if a third party objects to your published content as being unlawful.
The legal basis for storing your data is Art. 6(1)(b) and (f) GDPR. We reserve the right to delete comments if they are objected to by third parties as being unlawful.
7. Data Processing When Creating a Customer Account
In accordance with Art. 6(1)(b) GDPR, we collect and process personal data to the extent necessary for the creation and use of a customer account. The specific data required for this purpose can be seen from the respective input fields in the relevant form on our website.
You may delete your customer account at any time by sending a corresponding request to the data controller at the address stated above.
After deletion of the customer account, the associated personal data will be erased provided that:
- all contracts concluded via the account have been fully performed,
- no statutory retention obligations (e.g. under commercial or tax law) prevent deletion, and
- we have no legitimate interest in further storage (e.g. for the defense or assertion of legal claims).
8. Use of Customer Data for Direct Marketing
8.1 Subscription to Our Email Newsletter
If you subscribe to our email newsletter, we will regularly send you information about our offers. The only mandatory information required to receive the newsletter is your email address. Providing additional data is voluntary and is used to address you personally. We use the so-called double opt-in procedure for sending the newsletter, which ensures that you will only receive the newsletter after you have expressly confirmed your consent to receive it by clicking on a verification link sent to the specified email address.
By activating the confirmation link, you grant your consent to the use of your personal data in accordance with Art. 6(1)(a) GDPR. In this context, we store the IP address transmitted by your internet service provider (ISP) as well as the date and time of registration in order to be able to trace any potential misuse of your email address at a later point in time. The data collected by us when you subscribe to the newsletter is used strictly for its intended purpose.
You may unsubscribe from the newsletter at any time using the link provided in the newsletter or by sending a corresponding message to the data controller named above. After unsubscribing, your email address will be immediately removed from our newsletter distribution list, unless you have expressly consented to further use of your data or we reserve the right to use the data beyond this scope as permitted by law and as explained in this privacy policy.
8.2 Mailchimp
Our email newsletters are sent via the following provider: The Rocket Science Group, LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
Based on our legitimate interest in effective and user-friendly newsletter marketing, we transfer the data you provided when subscribing to the newsletter to this provider in accordance with Art. 6(1)(f) GDPR, so that the provider can send the newsletter on our behalf.
Subject to your explicit consent in accordance with Art. 6(1)(a) GDPR, the provider also carries out a statistical analysis of the success of newsletter campaigns using web beacons or tracking pixels embedded in the emails sent. These are used to measure open rates and specific interactions with the newsletter content. In this process, device-related information (e.g. time of access, IP address, browser type, and operating system) is also collected and evaluated, but not merged with other data sets.
You may withdraw your consent to newsletter tracking at any time with effect for the future.
We have concluded a data processing agreement with the provider, which protects the data of our website visitors and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
8.3 WhatsApp Newsletter
If you subscribe to our WhatsApp newsletter, we will regularly send you information about our offers via WhatsApp. The only mandatory information required to receive the newsletter is your mobile phone number.
To send our WhatsApp newsletter, we use a mobile device whose address book contains only the WhatsApp contact details of users who have expressly and voluntarily subscribed to receive the WhatsApp newsletter. The processing of your mobile phone number is carried out exclusively for the purpose of sending the newsletter on the basis of your explicit consent in accordance with Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future. No contact data of individuals who do not use WhatsApp or who have not actively registered for the WhatsApp newsletter is stored or transmitted.
Please refer to WhatsApp’s privacy policy for information on the purpose and scope of data collection and the further processing and use of data by WhatsApp, as well as your rights and options for protecting your privacy:
https://www.whatsapp.com/legal/?eea=1#privacy-policy
We have concluded a data processing agreement with WhatsApp. In the course of the processing activities described above, personal data may be transferred to servers of Meta Platforms Inc. in the USA. For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures an adequate level of data protection on the basis of an adequacy decision by the European Commission.
8.5 Email Notifications for Product Availability
For products that are temporarily unavailable, you may subscribe to receive email notifications about product availability. In this case, we will send you a one-time email notification informing you about the availability of the product you selected. The only mandatory information required for this notification is your email address. Providing additional data is voluntary and may be used to address you personally. We use the double opt-in procedure for sending these emails.
By activating the confirmation link, you grant us your consent to use your personal data in accordance with Art. 6(1)(a) GDPR. In this context, we store the IP address transmitted by your internet service provider (ISP) as well as the date and time of registration in order to be able to trace any potential misuse of your email address at a later stage.
You may unsubscribe from product availability notifications at any time by sending a corresponding message to the data controller named above. After unsubscribing, your email address will be immediately removed from the distribution list created for this purpose, unless you have expressly consented to further use of your data or we reserve the right to use the data beyond this scope as permitted by law and as explained in this privacy policy.
9. Data Processing for Order Fulfilment
9.1 Submission of Image Files for Order Processing via Upload Function
Our website allows customers to commission the personalization of products by submitting image files via an upload function. The submitted image is used as a template for customizing the selected product.
Using the upload form on the website, customers can transmit one or more image files directly from the storage of their device to us via automated, encrypted data transmission. We then collect, store, and use the submitted files exclusively for the production of the personalized product in accordance with the respective service description on our website.
If the submitted image files are passed on to specialized service providers for the production and fulfilment of the order, you will be explicitly informed of this in the following sections. No further disclosure takes place.
If the submitted files or digital images contain personal data (in particular images of identifiable individuals), all processing activities described above are carried out exclusively for the purpose of fulfilling your online order in accordance with Art. 6(1)(b) GDPR.
After the order has been fully completed, the submitted image files are automatically and permanently deleted.
9.2 Contract Processing
To the extent necessary for contract performance for delivery and payment purposes, the personal data collected by us is transferred to the commissioned transport company and the commissioned financial institution in accordance with Art. 6(1)(b) GDPR.
If, based on a corresponding contract, we owe you updates for goods with digital elements or for digital products, we process the contact details you provided when placing the order (name, address, email address) in order to inform you personally about upcoming updates within the legally prescribed period, in accordance with our statutory information obligations pursuant to Art. 6(1)(c) GDPR, using an appropriate communication channel (e.g. by post or email).
To process your order, we also work with the service providers listed below, who support us in whole or in part in the performance of concluded contracts. Certain personal data is transferred to these service providers in accordance with the information set out below.
9.3 Contract Fulfilment
To fulfil our contractual obligations towards our customers, we work with external shipping partners. We pass on your name, delivery address, and—where required for delivery—your telephone number exclusively for the purpose of delivering goods in accordance with Art. 6(1)(b) GDPR to a shipping partner selected by us.
9.4 Transfer of Data to Sellers and Tax Obligations
For the fulfilment of purchase contracts concluded via our marketplace, we transfer the personal data required for contract performance to the respective seller. This data generally includes:
- Name
- Billing and delivery address
- Email address
- Telephone number (if required for delivery)
The data transfer is based on Art. 6(1)(b) GDPR and serves the performance of contractual relationships brokered via our marketplace. Sellers are independently responsible for the further processing of this data.
Our sellers are obliged to comply with applicable data protection regulations, in particular the GDPR, and to use your personal data exclusively for the purpose of contract fulfilment. Any further use—such as for advertising purposes—takes place only if you have expressly given your consent.
After the data has been transferred, responsibility under data protection law lies entirely with the seller. Buyers may exercise their rights to access, rectification, or deletion of personal data directly vis-à-vis the respective seller.
In order to comply with tax regulations (e.g. EU DAC7, OSS scheme, 1099-K), tax-relevant seller data—including turnover information, tax identifiers, and transaction details—is additionally processed automatically by the external tax service provider Avalara. This processing serves the correct determination and documentation of tax data for legally required reporting. Further information can be found in Section 12.3 of this privacy policy.
Data is always transmitted to sellers via a secure, encrypted connection. We store the data only for as long as is necessary for contract fulfilment and delete it after the expiry of statutory retention periods. In the event of a cancellation or withdrawal, sellers are also obliged to delete the data received, provided no statutory retention obligations apply.
If the respective seller is located outside the European Union, data transfers may be subject to additional safeguards, such as the application of EU Standard Contractual Clauses, in order to ensure an adequate level of data protection.
9.5 Use of Payment Service Providers
9.5.1 Payment Processing via PayPal
One or more online payment methods from the following payment service provider are available on our marketplace:
PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg (“PayPal”).
a) Direct Payment Processing (PayPal Payment by the Buyer)
If you select a PayPal payment method during the ordering process that requires you to make an advance payment, the personal data collected during the order process will be transmitted to PayPal. This includes in particular:
- Name
- Billing and delivery address
- Email address
- Payment data (e.g. bank details, credit card information, currency)
- Transaction number
- Information about the content and amount of the order
The transfer takes place in accordance with Art. 6(1)(b) GDPR for the purpose of payment processing and only to the extent necessary for this purpose.
b) Payments with Credit Assessment (PayPal Instalments, Invoice, etc.)
When selecting certain payment methods, PayPal may carry out a credit assessment and may request additional personal information from you:
- First and last name
- Address
- Date of birth
- Telephone number
- Email address
- Possibly an alternative payment method
The credit assessment may include so-called score values based on mathematical and statistical procedures. You may object to this data processing at any time.
Further information on data protection at PayPal can be found at:
PayPal
9.5.2 Payment Processing via Stripe
Payment processing on our marketplace is carried out via the external payment service provider Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (“Stripe”). We use the Stripe Connect function to enable direct payment processing between buyers and sellers.
To process payments, Stripe transmits personal data such as:
- First and last name
- Email address
- Billing and delivery address
- Payment information (e.g. credit card number, bank details)
- IP address
- Information about the transaction and the device used
Data processing is carried out in accordance with Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR. Stripe acts as an independent controller. Further information can be found at:
https://stripe.com/privacy
10. Data Processing When Using the Platform as a Seller
If you register as a seller on our marketplace, we collect and process various categories of personal data in order to enable your use of our platform, meet legal obligations, and ensure secure transaction processing.
a) Seller Registration
During registration, we collect personal data such as:
- Name, email address, telephone number
- Business information (e.g. company name, VAT ID, tax number, address, contact person)
- Payment details (e.g. bank details or PayPal address)
Processing is carried out in accordance with Art. 6(1)(b) GDPR, as it is necessary for the performance of the contractual relationship, and in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in operating a functional marketplace.
b) Creating a Seller Account with Stripe and/or PayPal
For payment processing, we create a linked Stripe Connect account as part of registration or initiate the creation of a PayPal seller account. In doing so, we transmit the required data to the respective payment service provider (see Section 9.5). Payment processing is not handled by SuperBuy.store itself, but takes place directly between the buyer, the payment service provider, and the seller.
c) Tax Processing and Statutory Reporting Obligations
To calculate the applicable value-added tax (e.g. VAT, OSS, GST, sales tax) and to meet tax obligations (e.g. under the EU DAC7 Directive, Sec. 22f German VAT Act (UStG), 1099-K), we process tax-relevant seller data automatically with the help of our service provider Avalara (see Section 13.2). This includes, among other things:
- Transaction data
- Turnover/revenue amounts
- Destination and country of origin
- Tax information (e.g. VAT ID, GST number, OSS status)
- Where applicable, accounting information for invoice creation
Processing is carried out in accordance with Art. 6(1)(c) GDPR on the basis of legal obligations to which we are subject as a platform operator.
d) Identity Verification (KYC)
Depending on country-specific legal requirements and risk assessments, we or the payment service provider may be required to carry out identity verification (KYC). In this context, additional data such as copies of identification documents, extracts from commercial registers, or tax certificates may be requested. This processing is carried out in accordance with Art. 6(1)(c) GDPR to comply with legal requirements, in particular for anti-money laundering measures and tax reporting obligations.
e) Retention Period
Your data is stored only for as long as necessary for contract performance or to comply with statutory retention periods. Once storage is no longer required, the data will be deleted unless further statutory obligations apply.
10.1 Sellers’ Information Obligations under Art. 14 GDPR
Sellers operating on our platform receive personal data of buyers (e.g. name, address, email address) for the purpose of fulfilling purchase contracts. In doing so, you act as an independent controller within the meaning of Art. 4(7) GDPR for the further processing of this data and are required to comply with applicable data protection laws.
In particular, sellers are responsible for meeting their own information obligations under Art. 14 GDPR towards the affected buyers, insofar as they do not obtain personal data directly from the data subject but via our platform.
Please note that, as the platform operator, we have no influence over the sellers’ specific data processing activities and do not assume any responsibility for them. For data protection inquiries relating to the processing of personal data by sellers, please contact the respective seller directly.
11. International Data Transfers
In the course of using our platform, it may be necessary to transfer personal data to recipients in so-called third countries outside the European Union (EU) or the European Economic Area (EEA).
This applies in particular to:
- sellers based outside the EU/EEA to whom order data is transmitted for the purpose of contract fulfilment (see Section 9.4),
- payment service providers such as Stripe and PayPal, which operate servers partly outside the EU/EEA,
- service providers such as Zendesk (support system) or Avalara (tax processing), which are based in the United States.
Where no adequacy decision by the European Commission exists for such transfers, we ensure that appropriate safeguards pursuant to Art. 46 GDPR (e.g. EU Standard Contractual Clauses or Binding Corporate Rules) are in place, or that the transfer is based on legally permitted derogations pursuant to Art. 49 GDPR (e.g. where necessary for the performance of a contract).
For providers based in the United States, certification under the EU-US Data Privacy Framework (DPF) may additionally apply.
12. Tax Processing & Reporting Obligations (Avalara, DAC7, OSS)
In order to fulfil our tax obligations as a marketplace operator and to ensure legally compliant taxation of sales conducted via our platform, we automatically transmit certain transaction data to the specialized service provider Avalara, Inc., 255 S King Street, Suite 1800, Seattle, WA 98104, USA.
In this context, personal and transaction-related data is processed, in particular:
- Seller name and address
- Tax information (e.g. VAT ID, OSS status, tax jurisdiction, tax number)
- Sales and shipping data (e.g. amount, item, country of origin and destination)
- Customer data (where legally required for correct tax treatment)
This processing is carried out on the basis of:
- Art. 6(1)(c) GDPR for the fulfilment of statutory obligations under value-added tax regulations (e.g. One-Stop Shop (OSS) pursuant to Sec. 18j German VAT Act (UStG)),
- Art. 6(1)(b) GDPR insofar as the data is required for the processing of taxable transactions under the seller agreement,
- and Art. 6(1)(f) GDPR based on our legitimate interest in legally compliant tax treatment and platform operation.
Reporting Obligations under DAC7 / 1099-K
Under the EU DAC7 Directive and comparable regulations outside the EU (e.g. 1099-K in the United States), we are required to report certain seller data to the competent tax authorities if legally defined thresholds (e.g. turnover or number of transactions) are exceeded.
Such reporting may include the following data:
- Seller identification (name, address, date of birth/company name, tax ID)
- Number and total value of transactions
- Bank details or payment method
- Timing and volume of sales
- Where applicable, the location of the sold goods
Data is transmitted exclusively for the purpose of fulfilling statutory reporting obligations and is based on Art. 6(1)(c) GDPR.
Data Security & Third-Country Transfers
Avalara is based in the United States. Data transfers are carried out on the basis of EU Standard Contractual Clauses in conjunction with additional safeguards pursuant to Art. 46 GDPR. Avalara is also certified under the EU-US Data Privacy Framework.
Further information on data protection at Avalara can be found at:
Avalara.com
13. KYC / Identity Verification
In order to comply with legal requirements for the prevention of money laundering and tax evasion (in particular pursuant to DAC7 and Sec. 22f German VAT Act (UStG)) and to enhance transaction security, we carry out an identity verification process (“Know Your Customer”, or KYC) as part of seller registration.
The KYC verification is performed by specialized payment service providers—such as Stripe Payments Europe, Ltd. or PayPal (Europe) S.à r.l. et Cie, S.C.A.—to whom we transmit certain personal data for this purpose. This includes in particular:
- Name and address
- Email address
- Date of birth
- Bank details or payment information
- Where applicable, identification data and/or business verification documents
The processing of this data is carried out on the basis of Art. 6(1)(c) GDPR in order to comply with legal obligations and, where applicable, on the basis of Art. 6(1)(f) GDPR due to our legitimate interest in fraud prevention and securing platform transactions.
We have concluded data processing agreements with the service providers used, which ensure the protection of the transmitted data.
14. Usage Analysis
For the purpose of statistically analyzing user behavior and optimizing our services, we use various web analytics tools on this website. Any data processing in this context is carried out exclusively on the basis of your voluntary consent pursuant to Art. 6(1)(a) GDPR via the cookie consent tool integrated into the website.
Without your explicit consent, no tracking or analytics cookies will be set. You may withdraw your consent at any time with effect for the future.
Data processing agreements pursuant to Art. 28 GDPR have been concluded with the respective providers for the use of these services. Where data is transferred to third countries (e.g. the United States), this takes place either on the basis of an adequacy decision by the European Commission or by implementing appropriate safeguards (e.g. Standard Contractual Clauses).
14.1 Google Analytics 4
This website uses Google Analytics 4, a web analytics service provided by Google Ireland Limited, Gordon House, 4 Barrow Street, Dublin, D04 E5W5, Ireland (“Google”), which enables an analysis of your use of our website.
Cookies are used for this purpose, which among other things collect your IP address. However, this IP address is anonymized before being transmitted to Google. The data is not merged with other Google data. The data is stored for two months and then deleted.
Google Analytics is used exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR. This consent can be withdrawn at any time via the cookie consent tool.
We have concluded a data processing agreement with Google. Further information can be found at:
Google Safety
Google Privacy Policy
Google Technologies
Demographic Data
Google Analytics 4 may collect demographic data such as age, gender, and interests to enable audience analysis. No personal identification takes place.
Google Signals
Google Signals enables cross-device analysis where personalized advertising is enabled. This data is processed in anonymized form. Further information can be found at:
support.google.com
User IDs
The “User IDs” feature enables analysis of your user behavior across multiple devices, provided that you are logged in to your user account and have expressly given your consent (Art. 6(1)(a) GDPR).
14.2 Google Optimize
This website uses Google Optimize to conduct and evaluate A/B tests aimed at improving the user experience. The provider is Google Ireland Limited.
Cookies are used to collect usage data for statistical testing purposes. This may also involve the transfer of data to servers operated by Google LLC in the United States.
Google Optimize is used exclusively on the basis of your consent pursuant to Art. 6(1)(a) GDPR. This consent can be withdrawn at any time via the cookie consent tool.
Further information can be found at:
Google Safety
Google Privacy Policy
14.3 Google Tag Manager
Google Tag Manager is a tag management system. Google Tag Manager itself does not store personal data, but it may transmit technical access data (e.g. IP address).
Google Tag Manager is used exclusively on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR. This consent can be withdrawn at any time via the cookie consent tool.
Further information can be found at:
Google Safety
Google Privacy Policy
14.4 New Relic
This website uses New Relic (New Relic, Inc., USA) to analyze user behavior by means of pseudonymized evaluation of page interactions (e.g. clicks, scrolling behavior, text input, and time spent on pages).
Data processing is carried out by means of cookies and comparable technologies exclusively on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR.
The stored data is pseudonymized and does not allow for direct identification of your person. No merging with other data sets takes place.
Further information on data protection at New Relic can be found at:
newrelic.com/privacy
15. Data Processing When Using Our Mobile App
In addition to our website, our services may also be accessed via a mobile app, provided that it has been installed by the user. The processing of personal data when using the app is likewise carried out in accordance with the GDPR and all other applicable data protection regulations.
Depending on the app’s functionality, the following categories of data may be processed:
- Device information (e.g. operating system, version, device type)
- Usage data (e.g. logins, search queries, navigation behavior)
- Location data (only with explicit consent)
- Access permissions (e.g. camera, microphone, push notifications – each only with consent)
- Account data (when logging in via the app)
- Order and payment data (for in-app purchases or when using the marketplace)
Processing is carried out on the basis of:
- Art. 6(1)(b) GDPR (performance of a contract),
- Art. 6(1)(a) GDPR (where processing is based on voluntary consent, e.g. for location data or push services),
- and Art. 6(1)(f) GDPR, insofar as there is a legitimate interest in optimizing the use of the app.
Where web analytics services or external content (e.g. maps, payment services, or customer support tools) are integrated within the app, the information provided in Sections 9.5 (Payment Services), 10 (Sellers), 11 (International Data Transfers), and 14 (Usage Analysis) shall apply accordingly.
The mobile app is distributed via platforms such as the Apple App Store or Google Play Store. Any data processing carried out by these app platforms is subject to their respective privacy policies. We have no influence over such processing.
16. Website Features
16.1 Facebook Connect
We provide a single sign-on feature from the following provider on our website: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
In addition to transferring data to the provider location named above, data may also be transferred to: Meta Platforms Inc., USA
If you have an account with the provider, you can use those account details to create a user account or register on our website.
When you visit this page, this login function may establish a direct connection between your browser and the provider’s servers, even if you do not have an account with the provider or are not logged in. The provider thereby receives the information that you have visited our website. The information collected in this context (which may include your IP address) is transmitted directly by your browser to a server of the provider and stored there. However, this information is not used to personally identify you and is not shared with third parties.
These processing operations are carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in providing a user-friendly and interactive online presence.
If you click the login button to register on our website using your account details with the provider, the provider will transmit to us—solely on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR—the general and publicly available information stored in your account (user ID, name, address, email address, age, and gender).
We store and use the data transmitted by the provider to set up a user account with the necessary details (salutation, first name, last name, address details, country, email address, date of birth), provided you have made this information available to the provider. Conversely, based on your consent, we may transmit data (e.g. information about your browsing or purchasing behavior) to your account with the provider.
You may withdraw your consent at any time with effect for the future by notifying us.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
16.2 Google Sign-In
We provide a single sign-on feature from the following provider on our website: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
In addition to transferring data to the provider location named above, data may also be transferred to: Google LLC, USA
If you have an account with the provider, you can use those account details to create a user account or register on our website.
When you visit this page, this login function may establish a direct connection between your browser and the provider’s servers, even if you do not have an account with the provider or are not logged in. The provider thereby receives the information that you have visited our website. The information collected in this context (which may include your IP address) is transmitted directly by your browser to a server of the provider and stored there. However, this information is not used to personally identify you and is not shared with third parties.
These processing operations are carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in providing a user-friendly and interactive online presence.
If you click the login button to register on our website using your account details with the provider, the provider will transmit to us—solely on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR—the general and publicly available information stored in your account (user ID, name, address, email address, age, and gender).
We store and use the data transmitted by the provider to set up a user account with the necessary details (salutation, first name, last name, address details, country, email address, date of birth), provided you have made this information available to the provider. Conversely, based on your consent, we may transmit data (e.g. information about your browsing or purchasing behavior) to your account with the provider.
You may withdraw your consent at any time with effect for the future by notifying us.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
Further information on Google’s privacy practices can be found here: Google Privacy
16.3 Login with Amazon
We provide a single sign-on feature from the following provider on our website: Amazon EU S.à r.l., 38 avenue John F. Kennedy, L-1855 Luxembourg
In addition to transferring data to the provider location named above, data may also be transferred to: Amazon.com Inc., USA
If you have an account with the provider, you can use those account details to create a user account or register on our website.
When you visit this page, this login function may establish a direct connection between your browser and the provider’s servers, even if you do not have an account with the provider or are not logged in. The provider thereby receives the information that you have visited our website. The information collected in this context (which may include your IP address) is transmitted directly by your browser to a server of the provider and stored there. However, this information is not used to personally identify you and is not shared with third parties.
These processing operations are carried out in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in providing a user-friendly and interactive online presence.
If you click the login button to register on our website using your account details with the provider, the provider will transmit to us—solely on the basis of your explicit consent pursuant to Art. 6(1)(a) GDPR—the general and publicly available information stored in your account (user ID, name, address, email address, age, and gender).
We store and use the data transmitted by the provider to set up a user account with the necessary details (salutation, first name, last name, address details, country, email address, date of birth), provided you have made this information available to the provider. Conversely, based on your consent, we may transmit data (e.g. information about your browsing or purchasing behavior) to your account with the provider.
You may withdraw your consent at any time with effect for the future by notifying us.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
16.4 Google Maps
This website uses an online mapping service from the following provider: Google Maps (API) by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).
Google Maps is a web service for displaying interactive maps in order to visually present geographical information. This service displays our location to you and makes it easier to get directions.
As soon as you access the subpages into which the Google Maps map is embedded, information about your use of our website (such as your IP address) is transferred to Google’s servers and stored there. This may also involve a transfer to servers operated by Google LLC in the USA. This occurs regardless of whether Google provides a user account you are logged into or whether such a user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not want your data to be linked to your Google profile, you must log out before activating the button. Google stores your data (including for users who are not logged in) as usage profiles and evaluates them.
The collection, storage, and analysis are carried out in accordance with Art. 6(1)(f) GDPR on the basis of Google’s legitimate interest in displaying personalized advertising, conducting market research, and/or tailoring Google websites to user needs. You have the right to object to the creation of these user profiles; to exercise this right, you must contact Google. If you do not agree to the future transmission of your data to Google in connection with the use of Google Maps, you also have the option of completely disabling the Google Maps web service by switching off JavaScript in your browser. Google Maps, and thus the map display on this website, can then no longer be used.
Where legally required, we have obtained your consent for the processing of your data described above pursuant to Art. 6(1)(a) GDPR. You may withdraw the consent you have given at any time with effect for the future. To exercise your withdrawal, please follow the objection option described above.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
Further information on Google’s privacy practices can be found here: Google Privacy
16.5 OpenStreetMap
This website uses an online mapping service from the following provider: OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, UK
The online mapping service is a tool for displaying interactive maps in order to visually present geographical information. This service displays our location to you and makes geolocation easier.
As soon as you access the subpages into which the provider’s map is embedded, information about your use of our website (such as your IP address) is transferred to the provider’s servers and stored there.
Your personal data is processed in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in designing our website to meet demand. If you do not agree to the future transmission of your data to the provider, you have the option of completely disabling the provider’s online mapping service by switching off JavaScript in your browser. The online mapping service on this website can then no longer be used.
Where legally required, we have obtained your consent for the processing of your data described above pursuant to Art. 6(1)(a) GDPR. You may withdraw the consent you have given at any time with effect for the future. To exercise your withdrawal, please follow the objection option described above.
For transfers to the provider location, an adequate level of data protection is ensured by an adequacy decision of the European Commission.
16.6 Google Web Fonts
This website uses so-called web fonts from the following provider to ensure consistent font display: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
When you access a page, your browser loads the required web fonts into its cache in order to display text and fonts correctly, and establishes a direct connection to the provider’s servers. In doing so, certain browser information, including your IP address, is transmitted to the provider.
Data may also be transferred to: Google LLC, USA
Personal data is processed when connecting to the font provider only if you have given us your explicit consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future by disabling this service via the “cookie consent tool” provided on the website. If your browser does not support web fonts, a default font on your computer will be used.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
Further information on Google’s privacy practices can be found here: Google Privacy
16.7 Google reCAPTCHA
On this website we use the CAPTCHA service from the following provider: Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland
Data may also be transferred to: Google LLC, USA. For the visual design of the CAPTCHA window, the provider uses “Google Fonts”, i.e. fonts loaded from Google via the internet. No additional information beyond what is already transmitted to Google through the functionality of reCAPTCHA is processed in this context.
The service checks whether an input is made by a natural person or abusively by automated, machine-based processing, and blocks spam, DDoS attacks, and similar automated malicious access. To ensure that an action is performed by a human and not an automated bot, the provider collects the IP address of the device used, identification data about the browser and operating system type used, as well as the date and duration of the visit, and transmits this data to the provider’s servers for analysis. Cookies may be used in this process, i.e. small text files stored in the browser of the end device.
Where the processing described above is based on cookies, these cookies are set only if you have given us your explicit consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future by disabling this service in the “cookie consent tool” provided on the website.
If the processing described above is carried out without the use of cookies, the legal basis is our legitimate interest in establishing individual responsibility on the internet and preventing abuse and spam pursuant to Art. 6(1)(f) GDPR.
We have concluded a data processing agreement with the provider, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
Further information on Google’s privacy practices can be found here: Google Privacy
16.8 Google Translate
This website uses the translation service “Google Translate” provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”) via an API integration. In order to display the translation into the national language of your choice automatically, the browser you use connects to Google’s servers. In doing so, Google uses so-called cookies, i.e. text files stored on your computer that enable analysis of your use of the website. The information generated by the cookie about your use of this website (including the truncated IP address) is generally transmitted to a Google server and stored there. This may also involve a transfer to servers operated by Google LLC in the USA.
All processing described above, in particular the setting of cookies for reading information on the device used, is carried out only if you have given us your explicit consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future by disabling this service in the “cookie consent tool” provided on the website.
For data transfers to the USA, the provider has joined the EU-US Data Privacy Framework, which ensures compliance with the European level of data protection on the basis of an adequacy decision by the European Commission.
Further information on Google’s privacy practices can be found here: Google Privacy
16.9 Online Applications via a Form
On our website, we publish current job openings in a separate section, for which interested parties can apply via a corresponding form.
Applicants must provide all personal data required for a well-founded assessment, including general information such as name, address, and contact details, as well as performance-related evidence and, where applicable, health-related information. Details of the application can be found in the respective job posting.
When the form is submitted, the applicant data is transmitted to us in encrypted form in accordance with the state of the art, stored by us, and evaluated exclusively for the purpose of processing the application. Processing is carried out on the basis of Art. 6(1)(b) GDPR (or Sec. 26(1) BDSG), under which participating in the application process is regarded as the initiation of an employment contract.
Where, during the application process, special categories of personal data within the meaning of Art. 9(1) GDPR (e.g. health data such as information on severe disability status) are requested from applicants, processing is carried out in accordance with Art. 9(2)(b) GDPR so that we may exercise the rights arising from employment law and the law of social security and social protection and fulfil our related obligations.
Cumulatively or alternatively, processing of special categories of data may also be based on Art. 9(2)(h) GDPR where it is carried out for the purposes of preventive or occupational medicine, assessment of the employee’s working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
If an applicant is not selected or withdraws their application prematurely, the data submitted via the form as well as all electronic correspondence, including the application email, will be deleted no later than 6 months after a corresponding notification. This period is based on our legitimate interest in responding to any follow-up questions regarding the application and, where applicable, meeting our evidentiary obligations under rules on equal treatment of applicants.
In the event of a successful application, the data provided will be processed for the purpose of carrying out the employment relationship on the basis of Art. 6(1)(b) GDPR (in Germany in conjunction with Sec. 26(1) BDSG).
17. Tools and Other Services
17.1 easybill
For accounting purposes, we use the cloud-based accounting software provided by easybill GmbH, Düsselstr. 21, 41564 Kaarst, Germany.
The provider processes incoming and outgoing invoices and, where applicable, our company’s bank transactions in order to automatically capture invoices, assign them to transactions, and generate financial accounting records in a partially automated process.
Where personal data is processed in this context, processing is carried out on the basis of our legitimate interest in the efficient organization and documentation of our business operations pursuant to Art. 6(1)(f) GDPR.
17.2 Avalara
For the automated calculation of taxes (e.g. VAT, GST, sales tax) and to meet statutory reporting obligations under international tax regulations (e.g. the EU DAC7 Directive, U.S. Form 1099-K, or national OSS schemes), we use the tax service provided by Avalara, Inc., 255 S King Street, Suite 1800, Seattle, WA 98104, USA.
In this context, personal data—especially information relating to seller profiles, location data, turnover/revenue data, tax IDs, and transaction details—is transmitted to Avalara and processed there for the purpose of:
- determining the correct tax amount based on the supply chain,
- issuing tax-compliant invoices,
- fulfilling statutory reporting obligations vis-à-vis domestic and foreign tax authorities.
Processing is carried out pursuant to Art. 6(1)(c) GDPR insofar as it is necessary to comply with legal obligations and, additionally, pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in legally compliant and efficient tax processing for our international marketplace.
We have concluded a data processing agreement with Avalara pursuant to Art. 28 GDPR, which ensures the protection of personal data and excludes unauthorized disclosure to third parties. For data transfers to the USA, Avalara relies on the EU-US Data Privacy Framework, which provides an adequate level of data protection.
17.3 Cookie Consent Tool
This website uses a so-called “cookie consent tool” to obtain, manage, and document valid user consent for cookies and cookie-based applications requiring consent. This is a service provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany.
The “cookie consent tool” is displayed to users when they access the site in the form of an interactive user interface, which allows consent for certain cookies and/or cookie-based applications to be granted by selecting the relevant checkboxes. Non-essential cookies and services are loaded only if the user has given the corresponding consent. This ensures that such cookies are placed on the user’s device only where consent has been granted.
The tool sets technically necessary cookies in order to store your cookie preferences and to document the consent options you have selected. When using the cookie consent tool, personal data may be processed, in particular the truncated IP address, device and browser information, and the consent status, including the time the consent was given.
Processing is carried out pursuant to Art. 6(1)(c) GDPR to comply with our legal obligation to obtain valid user consent and, additionally, pursuant to Art. 6(1)(f) GDPR on the basis of our legitimate interest in legally compliant, user-friendly, and traceable consent management.
Where required, we have concluded a data processing agreement with the provider pursuant to Art. 28 GDPR, which ensures the protection of our website visitors’ data and prohibits unauthorized disclosure to third parties.
You can withdraw or adjust your consents at any time with effect for the future via the “Cookie Settings” button provided on our website. Further information about the provider and the configuration options of the cookie consent tool can be found directly in the relevant user interface on our website.
18. Rights of the Data Subject
18.1 Data Protection Rights
As a data subject, you are entitled to the following rights under the General Data Protection Regulation (GDPR):
- Right of access pursuant to Art. 15 GDPR: You have the right to obtain confirmation from us as to whether personal data concerning you is being processed. Where this is the case, you have the right to access such personal data and to receive further information in accordance with Art. 15 GDPR.
- Right to rectification pursuant to Art. 16 GDPR: You have the right to request the rectification of inaccurate personal data and the completion of incomplete personal data.
- Right to erasure pursuant to Art. 17 GDPR (“right to be forgotten”): You have the right to request the erasure of your personal data, provided that no statutory grounds for continued storage apply.
- Right to restriction of processing pursuant to Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data, provided that one of the conditions set out in Art. 18 GDPR is met.
- Right to data portability pursuant to Art. 20 GDPR: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller, insofar as this is technically feasible.
- Right to object pursuant to Art. 21 GDPR: Where we process your data on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object at any time, on grounds relating to your particular situation, to such processing.
- Right to withdraw consent pursuant to Art. 7(3) GDPR: Where we process your data on the basis of consent pursuant to Art. 6(1)(a) GDPR, you may withdraw this consent at any time with effect for the future.
- Right to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR: You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data by us.
The supervisory authority responsible for us is:
The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 20459 Hamburg, Germany
Phone: +49 40 428 54 4040
Email: [email protected]
Website: https://datenschutz-hamburg.de
18.2 RIGHT TO OBJECT
IF WE PROCESS YOUR PERSONAL DATA ON THE BASIS OF A BALANCING OF INTERESTS DUE TO OUR OVERRIDING LEGITIMATE INTEREST, YOU HAVE THE RIGHT AT ANY TIME, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, TO OBJECT TO THIS PROCESSING WITH EFFECT FOR THE FUTURE.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE DATA CONCERNED. FURTHER PROCESSING MAY REMAIN RESERVED WHERE WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, FUNDAMENTAL RIGHTS AND FREEDOMS, OR WHERE THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.
WHERE YOUR PERSONAL DATA IS PROCESSED BY US FOR THE PURPOSE OF DIRECT MARKETING, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING PURPOSES.
IF YOU EXERCISE YOUR RIGHT TO OBJECT, WE WILL CEASE PROCESSING THE PERSONAL DATA CONCERNED FOR DIRECT MARKETING PURPOSES.
19. Duration of Storage of Personal Data
The duration for which personal data is stored is determined by the respective legal basis, the purpose of the processing, and—where applicable—by the relevant statutory retention periods (e.g. retention obligations under commercial and tax law).
Where personal data is processed on the basis of explicit consent pursuant to Art. 6(1)(a) GDPR, the data concerned will be stored until you withdraw your consent.
Where statutory retention periods apply to data processed in the context of contractual or quasi-contractual obligations pursuant to Art. 6(1)(b) GDPR, such data will be routinely deleted after the expiry of the respective retention periods, provided that it is no longer required for the performance or initiation of a contract and/or that no legitimate interest in continued storage exists on our part.
Where personal data is processed on the basis of Art. 6(1)(f) GDPR, such data will be stored until you exercise your right to object pursuant to Art. 21(1) GDPR, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.
Where personal data is processed for the purposes of direct marketing on the basis of Art. 6(1)(f) GDPR, such data will be stored until you exercise your right to object pursuant to Art. 21(2) GDPR.
Unless otherwise stated in the remaining provisions of this Privacy Policy regarding specific processing situations, stored personal data will be deleted once it is no longer necessary for the purposes for which it was collected or otherwise processed.
20. Amendments to This Privacy Policy
We reserve the right to amend this Privacy Policy at any time in order to adapt it to changes in the legal framework, technological developments, or new services offered on our website or within our app.
The version of the Privacy Policy in force at the time of your subsequent visit shall apply. The current version can be accessed at any time on our website under the menu item “Privacy Policy”.
Where your participation is required (e.g. for new consents), we will inform you separately and, where applicable, request your consent.