Privacy Statement

We are pleased about your use of our website. The protection of your personal data is important to us and we want you to feel safe when using this website. This privacy statement is issued in compliance with the Philippines’ Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, its corresponding implementing rules and procedures (“IRR), and other issuances of the National Privacy Commission (“NPC”) (hereinafter, collectively referred to as the “DPA”). Please read this privacy statement carefully.

1. Information concerning the collection of personal data

a. This privacy statement applies to our collection, processing and utilization of your personal data through this website. “Personal data” means all information relating to an identified or identifiable natural person whether recorded in a material form or not, which, by itself or when put together with other information, would reasonably and directly reveal the identity of a natural person. Our website does not knowingly collect nor process “sensitive personal data” as defined under the DPA.

b. Personal information controller (the “Controller”) as per the DPA is: 

Emma Sleep GmbH
Wilhelm-Leuschner-Street 78
60329 Frankfurt am Main
Germany

You can reach our Data Protection Officer (“DPO”) through the following details:
Emma Sleep GmbH
Datenschutzbeauftragter
Wilhelm-Leuschner-Street 78
60329 Frankfurt am Main
Germany
privacy@emma-sleep.com

c. If we use contracted service providers for individual functions to present our services to you or to your data for advertising purposes, we will inform you in detail about the respective processes below.

2. Your rights as a data subject

a.

You have the following rights against us with respect to the personal data concerning you: • Right to be informed (Section 16(a) & 16(b), DPA)

You have the right to request for information regarding the existence of past, present, or planned future processing of your personal data. This privacy statement further provides the information required by the DPA to be furnished to you prior to the processing of your personal data or at the next practical opportunity.

 

• Right of access (Section 16(c), DPA):

You have the right to request from us the following information about the personal data we hold about you: contents of your personal data that were processed, sources of your personal data, names and addresses of recipients of your personal data, manner by which your personal data were processed, reasons for the disclosure of your personal data, information on automated processes which use your personal data as sole basis for decisions significantly affecting you, date when your personal data were last accessed and modified, and the identity and contact details of the Controller.

• Right to rectification (Section 16(d), DPA):

You have the right to dispute your personal data that we process which are inaccurate, incomplete, obsolete, or contains any error (hereinafter referred to as “Erroneous Personal Data”). Upon substantial proof, you may request that we correct the Erroneous Personal Data immediately and to inform third parties to whom we previously transferred your Erroneous Personal Data of the rectification once made. We will take appropriate steps to keep your personal data that we process on an ongoing basis as accurate, complete, and current as possible based on the most up-to-date information available to us.

• Right to erasure or blocking (Section 16(e), DPA):

You have the right to demand the suspension, withdrawal, blocking, removal, anonymization, deletion, or destruction your personal data that we process upon discovery and substantial proof of any of the grounds enumerated in the DPA.

• Right to damages (Section 16(f), DPA):

You have the right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal data.

• Right to data portability (Section 18, DPA):

You have the right to request for a copy of your personal data in an electronic or structured format which is commonly used and allows for your further use in accordance with the standards set out by the NPC, if any, and subject to commercial and industrial secrets. Note, that we may charge you for the reproduction costs.

• Right to object (Section 34(b), IRR):

You have the rights to object to the processing of your personal data, including

processing for direct marketing, automated processing, or profiling.

 b. Inquiries and requests regarding your rights as a data subject, including any objections to or complaints regarding our processing of your personal data, can be sent to us at privacy@emma-sleep.com.

c. If you feel that we have not responded in an appropriate manner to your requests or complaints regarding our processing of your personal data, you have the right to complain to the NPC through their website (https://privacy.gov.ph).

3. Collection of personal data when visiting our website

If you use the website simply for informational purposes (i.e. if you do not register yourself or send us any personal data) we collect only the personal data which your browser sends to our server. If you wish to view our website, we collect the following technical personal data on the legal basis of legitimate interests (Section 12(f), DPA) to enable us to show you our website and ensure stability and security:

a. IP address

b. date and time of the query

c. time zone difference relative to Greenwich Mean Time (GMT)

d. content of the query (specific site)

e. access status/HTTP status code

f. data volume transmitted in each case

g. website from which the request emanates

h. browser

i. operating system and its user interface

j. language and version of the browser software

The personal data mentioned above gets processed for the following purposes:

a. To ensure a smooth connection of the website;

b. Guarantee a comfortable use of the website;

c. Evaluation of system security and stability as well as for other administrative purposes.

These personal data are temporarily stored in so-called log files, recorded without your intervention, and stored until the same are automatically deleted.

4. Recipients or categories of recipients of personal data

a. Within the scope of our activities and services, it may become necessary for us to disclose the personal data stored about you to natural persons, legal entities or public authorities. We conclude contracts with our service providers, which ensure that they may only process your personal data in a way that we have explicitly instructed them to do so. Furthermore, we ensure that they take the necessary technical and organizational measures to process your data securely and store your personal data only as long as necessary. External service providers who may receive personal data generally fall into the following categories of recipients:

• Subsidiaries and affiliates

 

 

  

5.

• Credit institutions and providers of payment services for billing and payment processing (online payment providers)

• Parcel Shipper

• Non-Governmental/Charitable Organization that collects product returns

• IT service provider to maintain our IT infrastructure

• Cloud provider

• Service provider for the optimization of the online offer

• Collection service providers or lawyers to collect receivables and enforce claims in court.

If, in the event of a collection case, personal data (customer and contact data, payment and consumption data and data on the claim) is transferred to a collection service provider, we will inform you in advance about the intended transfer.

b. If personal data is processed in countries outside the Philippines, we will ensure that your personal data is transferred to countries that provide a level of protection of personal data that is adequate to the provisions of the DPA or that there are acceptable contractual guarantees in place to ensure the processing of your personal data in accordance with the DPA’s data protection level. In the absence of these, we will request your explicit consent for the international transfer of your personal data.

Contact form

a. When you contact us, the personal data you provide will be processed for the purpose of processing your request and for the event that follow-up questions arise based on legal obligations (Section 12(c), DPA).

b. The personal data collected by us in this context will be deleted when the data subject request associated with the contact has been completely clarified and it is also not to be expected that the specific contact will become relevant again in the future, unless legal storage obligations stand against this. We will retain a copy of the final communication regarding your data subject request in order to evidence our compliance with our legal obligations as controller (Section 12(c), DPA) and in our legitimate interest to protect and defend against future litigation (Section 12(f), DPA).

Use of our webshop, Orders

7.

If you would like to order from our webshop, it is necessary for the conclusion of the contract (Section 12(b), DPA) that you provide your personal data, which we need to process your order. Mandatory personal data necessary for the processing of the contracts are marked in our forms. Further data are voluntary. We use the personal data you provide to process your order. For this purpose, we can pass on your payment data to our house bank or to the selected payment service provider. If we deliver goods to you, we will pass on your data to the assigned shipping company for delivery. Failure to provide this personal data may mean that the order cannot be carried out.

 

 

8.

Newsletter

a. We send newsletters, e-mails and other electronic notifications containing promotional information. Our newsletters contain information about our products, offers, promotions and our company. With the following notes we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your right of objection.

b. For the subscription to our newsletter we use a logged double-opt-in procedure. This means that after subscription you will receive an e-mail asking you to confirm your registration. This confirmation is necessary so that nobody can register with e-mail addresses they do not own. Newsletter subscriptions are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your personal data stored by the service provider are also logged. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.

c. To subscribe to the newsletter, it is sufficient to enter your e-mail address. The provision of further data is voluntary and is used to address you personally. After your confirmation we will save your e-mail address for the purpose of sending the newsletter. The newsletter dispatch and the measurement of performance are based on your consent (Section 12(b), DPA).

d. You may withdraw your consent to receive our newsletter at any time and stop receiving the newsletter. You can declare your revocation by clicking on the link provided in every newsletter e-mail, or by sending an e-mail to privacy@emma-sleep.com.

Cookies

a. In addition to the beforementioned data categories we use cookies to make the experience of visiting our website as user-friendly as possible and to allow you to make use of certain functions. Cookies are little text files that are saved on your browser’s delegated hard drive, through which certain information flows back to the person who sets the cookie (in this case us). Cookies are used to improve the user experience and effectiveness of our website.

b. Kinds of Cookies

This website uses the following types of cookies:

• Transient Cookies

Transient cookies are automatically deleted when you close your browser. These are mostly session cookies, which save a so-called “session-ID”, which allows for the assigning of different queries within your browser during a particular session. This can

 6.

 

 

be used to identify your device when one repeatedly visits a website during a session.

These cookies are deleted once you log out or the browser window is closed. • Persistent Cookies

Persistent cookies enable the website to remember your information and settings on your next visit. This gives you faster and more convenient access to the website, as you do not have to change your language settings again, for example. How long the cookie remains on your device depends on the duration or expiration date of the respective cookie and your browser settings. These cookies are automatically deleted after a set period of time which can differ from cookie to cookie. Persistent cookies can be deleted via the security settings in your browser at any time.

c. Depending on the kind of cookie, we use cookies either on the basis of our legitimate interests (technically necessary cookies) or on the basis of your consent (optional cookies), according to your selection of the cookie banner displayed when you access the website. You can also configure your browser settings according to your preferences and, for example, refuse to accept third-party cookies or all cookies. This may result in a functional limitation of our offers.

10. Social-Media, portals

a. We are represented in the social networks and employer evaluation portals mentioned below. These presences are operated exclusively by the respective provider. They serve to communicate directly with customers, interested parties and users. If you contact us via our social media channels, we process the personal data that you provide us with on the basis of consent (Section 12(b), DPA) while we process your personal data that is necessary to process your request on the basis of our legal obligation (Section 12(c), DPA) or legitimate interests (Section 12(f), DPA) depending on the type of request.

b. When you visit our social media pages, your user data is recorded and provided to us by the operator. The exact types of data differ from provider to provider, but generally include the following information:

• Follower: number and stored profiles; information about growth and development over a defined time frame.

• Reach: number of people who see a specific contribution; number of interactions with a contribution. From this, it can be deduced, for example, which content is better received by the community than others.

• Ad performance: How many people were reached by a contribution or a paid ad and have interacted with it.

• Demographics: Average age of visitors, gender, location, language.

c. Since our social media channels are operated by the providers of the respective social networks, there may be a supplementary use of your personal data by the respective

 

 

operator, over which we have no influence. This often involves the recording of your IP address, the creation of static evaluations and the processing of further information stored in the form of cookies. We have no influence on the generation and presentation of this personal data and can neither turn off this function nor prevent the processing of the personal data.

d. The assertion of data subject rights and requests can most effectively be addressed directly to the platform providers, since only they have access to your data and can take immediate action and provide information. Should our cooperation be necessary for this, we will support you in enforcing your rights as a data subject.

e. More detailed information about the terms of use of the respective platform as well as a detailed description of further data processing and the respective possibilities of objection can be found on the pages of the providers under:

• Facebook (Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA): http://www.facebook.com/policy.php; weitere Informationen zur Datenerhebung: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications sowie http://www.facebook.com/about/privacy/your-info#everyoneinfo.

• Instagram (Instagram LLC., 1601 Willow Road, Menlo Park, CA 94025, USA): http://instagram.com/legal/privacy/

11. Social-Media Plug-Ins

a. We have integrated Plug-ins on our web services. These plug-ins are indicated by the respective button belonging to the service. With the help of the plug-ins, users can share or post links to the corresponding websites in social networks such as Facebook or Twitter or recommend the contents there. Through your active interaction with these plugins (e.g. by clicking the respective button or leaving a comment) the information is transmitted directly to the respective service and stored there.

b. When you visit one of our web services that contain an activated plugin, your browser establishes a connection with the servers of the respective service, which in turn transmits the content of the plugin to your browser, which then integrates it into the displayed page. Thus, the information about the visit of our web services is forwarded to the respective service. We do not collect personal data ourselves by means of the social plugins or about their use and have no influence on which data an activated plugin collects and how these are used by the provider. It must be assumed that at least the IP address and device-related information is collected and used. It is also possible that the service provider will attempt to store cookies on the computer used. If you are logged in to the respective service at the same time as visiting our web services via your personal user account (e.g., via another browser session), the service provider can assign the visit to our web services to your account.

 

 

     

c. Usual social media plug-ins transfer the above-mentioned user personal data to the operator of the social network each time the website is accessed. This also applies when you the website user is not logged in or a member of the network. In order to prevent the unconscious and unintentional collection and transmission of personal data to the service provider, we use the so-called "2-click solution" on our web services: In order to activate a desired plugin, it must first be activated by clicking on the corresponding button. Only when the plugin is activated, the collection of personal data and its transfer to the service provider is triggered. Without activating the plugin, which is only done at your own request, you can therefore surf our web services without transmitting personal data to the operators of social networks in a data protection compliant manner. In this case, data processing is carried out on the basis of legitimate interests (Section 12(f), DPA) of preserving your freedom of opinion and making contributions more easily (co-)shareable.

For data protection reasons, we use the so-called “Shariff solution” developed by c't magazine. The Shariff solution functions in a way that as a first step, all personal data and functions required to display the buttons are provided by our web server. Only when you decide to share an article via the corresponding button and click on it, personal data will be transferred to the operator of the respective social media service. In this case, data processing is carried out on the basis of legitimate interests of preserving your freedom of opinion and making contributions more easily (co-)shareable (Section 12(f), DPA).

d. The plug-ins used are limited to applications of the companies listed under "Social media, portals". We have no influence on the collected personal data and personal data processing procedures, nor are we aware of the full scope of personal data collection, the purposes of processing, the storage periods. We also have no information about the deletion of the collected personal data by the plug-in provider. We make every effort to comply with our duty to inform and to offer those affected maximum transparency of information. Should you require more detailed information about personal data processing by these companies, we recommend that you contact the controller of the respective service. Should our cooperation be necessary, we will of course support you in enforcing your rights as a data subject.

12. Facebook Insights - "Facebook Fanpages"

a. Upon a visit of our Facebook page collects Facebook among others your IP address as well as other information, which is saved on your device in form of cookies. This information will be used to provide us as the operator of the Facebook page with statistical information on Facebook usage. We can access these statistics through so-called Facebook “insights”. These statistics are collected and provided solely by Facebook. We as the operator of the page have no influence over their generation and presentation. We cannot either stop or prevent their generation and data processing. You can find further information about “Insights” provided by Facebook here: https://www.facebook.com/help/pages/insights.

 

 

 

b. Following information will be provided to us by Facebook through “Insights”: Number of page views, “likes”, page activities, reach, impressions, video views, post clicks and reactions, post reach, comments, shared content, answers, gender ratio, regional distribution of the users (origin based on country and city), language, opens and clicks in the shop, clicks on the address and on the telephone number.

c. The operation of this Facebook page and processing of personal data of the users arising out of it is based on legitimate interests (Section 12(f), DPA) to inform and interact with users and visitors of our Facebook page.

d. We as the operator of this fan page are responsible for personal data processing together with Facebook. For this reason, we have agreed with Facebook under the framework of so-called “Page Insights” add-on, which party bears which obligations. The main responsibility for processing of the insight data stays with Facebook. Facebook is bound to duly fulfill all obligations connected to processing of insight data. You can claim your data subject rights either with us or with Facebook Ireland Limited (“Facebook Ireland”). Should you as a data subject contact us with regard to processing of the insight data and obligations of Facebook Ireland connected to “Page Insights” add-on, we are obliged to forward all relevant information in this regard to Facebook Ireland. You can find comprehensive information about page insights add-on and the obligations of the data controller here: https://www.facebook.com/legal/terms/page_controller_addendum

e. Please find Facebook address and Facebook’s Privacy Policy below:

Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; for more information about Facebook’s data collection and processing: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications and http://www.facebook.com/about/privacy/your-info#everyoneinfo.

13. Google Analytics

a. This website uses Google Analytics, a web analysis service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

b. We use Google Analytics to analyze the use of our website in order to improve it regularly. With the statistics obtained, we can improve our offer, make it more interesting for you as a user and increase the success of our marketing campaigns. For this purpose, your usage data is recorded, e.g. your IP address, the pages you have called up (click path), conversions such as newsletter registrations or downloads, clicks, length of stay, region or the technical information on your browser. For this Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The

 

 

     

information generated by the cookie about your use of this website is usually transferred and stored in a Google server in the US.

c. The legal basis for this data processing is according to legitimate interests (Section 12(f), DPA). Processing is performed to analyze and optimize our website. You can also prevent the storage of cookies by changing the settings of your browser software. However, we would like to point out that in this case you may not be able to use all functions of our website to their full extent. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

This website uses Google Analytics with the extension "anonymizeIp". This means that IP addresses are processed in abbreviated form, which means that it is not possible for us to identify a person. Only in exceptional cases the full IP address is transferred to a Google server in the USA and shortened there. The IP address transmitted by your browser within the framework of Google Analytics is not merged with other data from Google.

This website also uses Google Analytics for a cross-device analysis of visitor flows, which is carried out via a user ID. You can deactivate the cross-device analysis of your usage in your customer account under "My data", "Personal data".

d. Recipient of the data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as a processor. For this purpose, we have concluded a data processing agreement with Google and concluded the EU standard data protection clauses. Google LLC, based in California, USA, and, where applicable, U.S. authorities may have access to the data stored by Google. Please see Google’s Privacy Policy for more information about the purpose and scope of the data collected and processed by Google and for further information about your privacy rights and setting options: www.google.com/policies/privacy, http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, privacy policy: http://www.google.de/intl/de/policies/privacy.

14. Google Remarketing

a. Our website uses the Google Analytics Remarketing function in connection to the across functions from Google AdWords and Google DoubleClick providers. The responsible service provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

b. This function enables the advertising target groups, created with the Google Analytics Remarketing-Tool, to be connected with the cross-device function of Google AdWords and Google DoubleClick. In this way, interested-based, personalized advertising messages, that have been adapted to you, depending on your previous usage and surfing behavior on one device (e.g. mobile phone), can also be displayed on another of your devices (e.g. Tablet or

 

 

     

Laptop). Supporting this function, Google Analytics collects Google-authenticated user IDs in order to define and create target groups for cross-device advertising.

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA). You can also prevent the storage of cookies by setting your browser-software. Accordingly, we would like to inform you, that in this case, you may not be able to use all the functions of our website. You can also prevent Google from collecting the personal data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by permanently contradicting the cross-device remarketing tool by deactivating personalized advertising in your Google-Account, following this link: https://www.google.com/settings/ads/onweb/.

d. The recipient of personal data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as the processor. We have concluded with Google an order processing contract for this purpose and the EU Standard Data Protection Clauses (SCC). Google LLC, based in California, and possibly U.S. American authorities, can access the data stored by Google. Further information and the data protection regulations can be found in the Google data protection declaration: https://www.google.com/policies/technologies/ads/.

15. Facebook Custom Audiences

a. The Website also uses the remarketing-function “Custom Audiences” of the Facebook Inc. (“Facebook”). This allows users of the website to be shown interest-related advertisements (“Facebook-Ads”), when visiting the social network Facebook or other websites that also use the process. We are pursuing the interest of showing you advertisements, that are of interest to you in order to make our website more interesting for you.

b. Due to the marketing-tools used, your browser automatically establishes a direct connection with the Facebook server. We have no influence on the scope and further use of the data, that is collected through the use of this tool by Facebook and therefore we inform you according to our level of knowledge. By integrating Facebook Custom Audiences, Facebook receives information, that you have accessed our website or that you have clicked on an ad from us. If you are registered with a Facebook service, Facebook can assign the visit of our website to your account. Even if you are not registered or logged in to Facebook, there is a possibility, that Facebook will find out and save your IP address and other identification features.

c. The function “Facebook Custom Audiences” can be deactivated (here and) for logged-in users under the following link:

https://www.facebook.com/settings/?tab=ads#._

d. The legal basis for the processing of your personal data is legitimate interest (Section 12(f), DPA). Further information about the data processing is available at the following: https://www.facebook.com/about/privacy.

 

 

    

16. Google AdWords

a. This website uses Google Adwords, a web service of Google LLC. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

b. We use Google Adwords to draw attention to our offers by means of advertising material (so-called Google Adwords) on external websites. We can determine in relation to the data of the advertising campaigns, how successful the individual advertising measures are. With this, we pursue the interest to show you advertising that is of interest to you, to make our website more interesting and to achieve a fair calculation of advertising costs. These advertising media are delivered by Google via so-called "Ad Servers". For this purpose, we use ad server cookies, which allow us to measure certain parameters to measure success, such as the display of ads or clicks by users. If you reach our website via a Google ad, Google Adwords will store a cookie on your device. The unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (marking that the user no longer wishes to be contacted) are usually stored as analysis values for this cookie. These cookies enable Google to recognize your internet browser. If a user visits certain pages of an AdWords client's website and the cookie stored on their computer has not expired, Google and the client can recognize that the user clicked on the ad and was redirected to that page. A different cookie is assigned to each Adwords client. Cookies cannot be tracked through the websites of Adwords clients.

c. We receive statistical evaluations from Google. By means of these evaluations we can recognize which of the advertising measures used are particularly effective. We do not receive any further personal data from the use of the advertising material, in particular we cannot identify the users on the basis of this information. Due to the marketing tools used, your browser automatically establishes a direct connection with the Google server. We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: Through the integration of AdWords Conversion, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider will find out and save your IP address.

d. The legal basis for this personal data processing is according to legitimate interests (Section 12(f), DPA). You can also prevent the storage of cookies by adjusting your browser software settings accordingly. However, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent. Furthermore, you can prevent the collection of the personal data generated by the cookie and related to your use of the website (including your IP address) to Google as well as the processing of this personal data by Google by permanently contradicting the cross-device remarketing/targeting by

 

 

deactivating personalized advertising in your Google account; follow this link to do so: https://www.google.com/settings/ads/onweb/.

e. Recipient of the personal data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as a processor. For this purpose, we have concluded a data processing agreement with Google and concluded the EU standard data protection clauses. Google LLC, based in California, USA, and, where applicable, U.S. authorities may have access to the data stored by Google. Further privacy information on Google AdWords, Google Conversion Tracking and the privacy policy can be found at: https://www.google.de/policies/privacy/.

18. DoubleClick by Google

a. This website continues to use the online marketing tool DoubleClick online marketing tool DoubleClick by Google. DoubleClick uses cookies to display ads relevant to users, to improve campaign performance and reports, or to prevent a user from seeing the same ads multiple times. Using a cookie ID, Google records which browser and can this prevent them from being displayed multiple times. In addition, DoubleClick can use cookie IDs to collect so- called conversions related to ad requests. This is the case, for example, when a user sees a DoubleClick ad and later uses the same browser to access the advertiser’s website and buy something there. According to Google, DoubleClick cookies do not contain any personal information.

b. Due the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have to influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge: by integrating DoubleClick, Google receives the information, that you have accessed the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit not registered with Google or have not logged in, there is a possibility, that the provider will find out and store your IP-address.

c. You may prevent participation in this tracking process in several ways: i) by setting your browser software accordingly, in particular, suppressing third-party advertisements; ii) by disabling the cookies for conversion tracking by setting your browser to the block cookies from the www.googleadservices.com domain, http://www.google.de/settings/ads, deleting this setting, when you delete cookies; iii) by disabling the interest-based ads of the providers that are part of the self-regulatory campaign ”About Ads”, http://www.aboutads.info/choices via the link, deleting this setting, when you delete your cookies; iv) by permanently disabling Firefox, Internet Explorer or Google Chrome in your browsers, you can http://www.google.com/settings/ads/plugin. We would like to point out, that in this case, you may not be able to use all functions of this offer to the full extent

 

 

    

    19.

d. The legal basis for the processing of your data is Art. 6 para. 1 lit. f GDPR. For more information about DoubleClick by Google, please visit http://www.google.de/double/doubleclick and http://support.google.com/adsense/answer/2839090, as well as Google’s privacy policy in general: http://www.google.en/intl./en/policies/privacy. Alternatively, you can visit the Network Advertising Initiative (NAI) website at http://www.networkadvertising.org.

Google Maps

a. This website uses Google Maps. This allows us to display interactive maps directly on our website and provides you with comfortable use of a map function.

b. By visiting our website, Google will be notified about what page you opened on our website. In addition, the personal data will be transmitted. This will be done irrespective of whether you are logged in to a user account provided by Google or not. If you are logged in to Google, your personal data will be assigned directly to your account. If you do not wish assignments to be made to your account, you must log out before activating the button. Google will save your personal data as a user profile and use your personal data for market advertisement, market research and/or need-based website design purposes. Such assessments are specifically used (even for users not logged in) to offer need-based advertisements and to inform other users about your activities on our website. You have the right to object to the creation of such user profiles which you may exercise by contacting Google.

c. The legal basis for this personal data processing is according to legitimate interests (Section 12(f), DPA). Processing is performed to analyze and optimize our website.

d. Recipient of the personal data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as processor. For this purpose, we have concluded a contract processing agreement with Google and concluded the EU standard data protection clauses. Google LLC, based in California, USA, and, where applicable, U.S. authorities may have access to the data stored by Google.

    20.

e. Please see Google’s Privacy Policy for more information about the purpose and scope of the data collected and processed by Google and for further information about your privacy rights and setting options: www.google.com/policies/privacy, http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, privacy policy: http://www.google.de/intl/de/policies/privacy.

Google Optimize

Our website uses Google Optimize, a web service of Google LLC integrated within Google Analytics. The responsible service provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

a.

 

 

b. We use Google Optimize to analyze the use of our website in order to improve it regularly with the statistics we obtain. Google Optimize analyses the use of different variations of our website and helps us to improve the usability according to the behavior of our users on the Website. Google Optimize monitors the results of your experiment and tells us which variant is the leader. For this purpose, your usage personal data is recorded, e.g. your IP address, the pages you have called up (click path), conversions such as newsletter registrations or downloads, clicks, length of stay, region or the technical information on your browser. For this Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of our website is usually transferred and stored in a Google server in the US.

c.

The legal basis for this personal data processing is according to legitimate interests (Section 12(f), DPA). Processing is performed to analyze and optimize our website. You can also prevent the storage of cookies by changing the settings of your browser software. However, we would like to point out that in this case you may not be able to use all functions of our website to their full extent. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

d. Recipient of the personal data is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland as a processor. For this purpose, we have concluded a data processing agreement with Google and concluded the EU standard data protection clauses. Google LLC, based in California, USA, and, where applicable, U.S. authorities may have access to the data stored by Google. Please see Google’s Privacy Policy for more information about the purpose and scope of the data collected and processed by Google and for further information about your privacy rights and setting options: www.google.com/policies/privacy, http://www.google.com/analytics/terms/de.html, overview of data protection: http://www.google.com/intl/de/analytics/learn/privacy.html, privacy policy: http://www.google.de/intl/de/policies/privacy.

AdTriba

Our website uses the services of AdTriba. The responsible service provider is AdTriba GmbH, Große Theatherstraße 39, 20354 Hamburg, Germany.

     21.

a.

b. Our websites uses AdTriba to collect information about your use of our website, application or service in order to track the marketing touchpoints of users with our digital marketing campaigns. These include views or clicks of display banner ads and clicks on other digital marketing campaigns. For this purpose, your personal data is recorded, which may include information about the pages that you visit and the actions that you take while using our website, service or application, cookie ID, IP address (pseudonymized, without last octet), user agent data (browser, operating system, device data), marketing touchpoint (channel,

 

 

22.

d. The recipient of personal data is AdTriba GmbH, Große Theatherstraße 39, 20354 Hamburg, Germany. Further information about the personal data processing is available at the following: https://privacy.adtriba.com/.

Mouseflow

Our website uses the services of Mouseflow. The responsible service provider is Mouseflow Inc. from Flaesketorvet 68, 1711 Copenhagen, Denmark / Mouseflow Germany: Neuer Wall 63, 20354 Hamburg, Germany.

source, campaign, timestamp), onsite touchpoint (location URL, referrer URL, action, timestamp)

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) for user analysis and to get a more detailed evaluation of our marketing activities. You can prevent the storage of cookies by setting your browser-software or clicking the opt-out button located at https://privacy.adtriba.com/.

  a.

b. Our websites uses Mouseflow to randomly record the movement of your computer mouse and create heat maps on product and category pages. For this purpose, your personal data is recorded, which may include browser information, click path, viewed content, geographical location, location information, IP address, mouse movements, information about the operating system, pages visited, usage data, time spent on one side, and scrolling activity. The records are anonymous and every site that contains any kind of personal data is not tracked (e.g. checkout page).

c.

The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to make our pages more user-friendly. You can click on the opt-out button in the following link to disable Mouseflow for your browser: https://mouseflow.com/opt-out/.

d. The recipient of personal data is Mouseflow Inc. from Flaesketorvet 68, 1711 Copenhagen, Denmark / Mouseflow Germany: Neuer Wall 63, 20354 Hamburg, Germany. Further information about the personal data processing is available at the following: https://mouseflow.com/privacy/ and https://support.mouseflow.com/support/solutions/articles/44001550895-what-is-your- cookie-policy-.

NewRelic

Our website uses the services of New Relic. The responsible service provider is New Relic Inc. 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA.

    23.

a.

 

 

 24.

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to improve our server performance.

d. The recipient of personal data is New Relic Inc. 188 Spear Street, Suite 1200, San Francisco, CA 94105, USA. More details and information about New Relic's specific privacy policy can be found at https://newrelic.com/privacy.

Criteo

Our website uses the services of Criteo. The responsible service provider is Criteo SA 32 Rue Blanche, 75009 Paris, France.

25.

b. Our website uses New Relic web analytics to monitor the accessibility and performance of our servers by measuring the technical performance data (such as response and loading times) using pseudonymized usage profiles. For this purpose, the following personal data is recorded, which may include browser information, the date and time of the visit, device information, device operating system, domain name, geographical location, IP address, performance data, unique device identifier, usage data, user ID, and database query.

a.

b. Our website uses Criteo to collect a limited amount of data relating to your browsing for advertising, marketing personalization, and retargeting purposes. This navigation data is linked to a unique identifier, namely an identification cookie or any other similar technology (such as mobile advertising identifiers and non-cookie technologies) depending on your navigation environment. For this purpose, the following personal data is recorded, which may include browser information, click path, the date and time of the visit, device information, files viewed, location information, IP address, mobile advertising IDs, number of page views, viewed products, referrer URL, search terms, technical IDs, usage data, and number of advertisements placed.

c.

The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to make personalized advertising banners with targeted product recommendations on our website. You can click the opt-out button in this link to disable Criteo for your browser: https://www.criteo.com/privacy/disable-criteo-services-on-internet-browsers/.

d. The recipient of personal data is Criteo SA 32 Rue Blanche, 75009 Paris, France. More details and information about Criteo's specific privacy policy can be found at https://www.criteo.com/privacy/.

Bing Ads retargeting

Our website uses the services of Bing Ads. The responsible service provider is Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.

  a.

 

26.

b. Our website uses Bing for its retargeting service that allows websites to be reconnected with previous visitors and provides us with statistics regarding how many individuals clicked on a particular ad to access our website. For this purpose the following personal data is recorded, which may include IP address, version of UET, page title, screen height, page load time, digital signature, browser language setting, cookie information, event category, Microsoft click ID, screen resolution, referrer URL, URLs.

c.

The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to make personalized advertising banners with targeted product recommendations on our website. You can click the opt-out button in this link to disable Bing Ads for your browser: https://about.ads.microsoft.com/en-us/resources/policies/opt-out-of-the- microsoft-advertising-optimization-program.

d. The recipient of personal data is Criteo SA 32 Rue Blanche, 75009 Paris, France. More details and information about Microsoft's specific privacy policy can be found at https://privacy.microsoft.com/en-us/PrivacyStatement

Facebook Pixel/Facebook Retargeting

Our website uses the Facebook Pixel/Facebook Retargeting services of Facebook. The responsible service provider is Facebook Ireland Limited 4 Grand Canal Square, Grand Canal Harbor, Dublin, D02, Ireland.

   a.

b. Our website uses the tracking technology and retargeting service of Facebook for analysis, marketing, advertising, and retargeting purposes. Facebook Pixel/Facebook Retargeting services help us analyze our online offering through insights obtained from users' actions after they've seen or clicked on a Facebook ad. This in turn allows us to measure the effectiveness of Facebook advertising for optimization, statistical, and market research purposes. For these purposes the following personal data are recorded, which may include Facebook user ID, browser information, usage data, non-sensitive custom date, referrer URL, pixel ID, user behavior, ads viewed, interactions with advertising, services and products, marketing information, viewed content, IP address, device information, success of marketing campaigns, geographical location, and hashed email.

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to make personalized advertising banners with targeted product recommendations on our website. You can click the opt-out button in this link to disable Facebook Pixel/Facebook Retargeting: https://www.facebook.com/ads/preferences/.

d. The recipient of personal data is Facebook Ireland Limited 4 Grand Canal Square, Grand Canal Harbor, Dublin, D02, Ireland. More details and information about Facebook's specific privacy policy can be found at https://www.facebook.com/privacy/explanation.

   

 

27.

Spoteffects

a. Our website uses the services of Spoteffects. The responsible service provider is XAD spoteffects GmbH Saarstr. 7 80797 Munich Germany.

b. Our website uses the tracking technology and retargeting service of Spoteffects to gain a better understanding of the effect of our TV advertising. For this purpose the following personal data are recorded, which may include your login information, your IP address (which allows to uniquely identify your computer), the remote host (name and IP address of the computer requesting the site), the time, status, query, quantity of transferred data, website that has led you to the requested site (referrer), as well as product and version details of the used browser (user agent).

c.

The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to make personalized advertising banners with targeted product recommendations on our website.

d. The recipient of personal data is XAD spoteffects GmbH Saarstr. 7 80797 Munich Germany. More details and information about Spoteffect's specific privacy policy can be found at https://xadspoteffects.com/en/privacy-policy/#page-content.

Realytics

Our website uses the services of Realytics. The responsible service provider is Realytics, 14 rue d’Uzès 75002 Paris France.

 28.

 

b. Our website uses Realytics to gain a better understanding of the impact of our TV advertising by measuring whether a user has visited the site while a TV advertisement was being broadcasted. For this purpose the following personal data are recorded in a pseudonymized form, which may include audience and statistic measurement cookies, marketing cookies, cookies on advertisers’ websites that keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customization functions.

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to analyze and optimize TV advertisements. You can click the opt-out button in this link to disable https://www.realytics.io/optout/.

d. The recipient of personal data is XAD spoteffects GmbH Saarstr. 7 80797 Munich Germany. More details and information about Spoteffect's specific privacy policy can be found at https://www.realytics.io/platform-privacy-policy/.

  

 

29.

Outbrain

a. (1) Our website uses the services of Outbrain. The responsible service provider is Outbrain Inc., 39 West 13th Street, 3rd floor, New York, NY 10011.

b. Our website uses Outbrain to show you, through the use of cookies stored on your computer/device, of any other content that may be of interest to you within our website or on third-party sites. Outbrain provides built-in recommendations of content based on your previously read content. For this purpose the following personal data are recorded which includes the device source, browser type, IP address, identifiers, online identifiers, geolocation data, time of visit, pages visited, referring URLs and other information normally transmitted in HTTP requests, and inferences.

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) to offer you interesting content on our website. You may opt-out of Outbrain's interest- based referral tracking by following the steps in the https://www.outbrain.com/legal/privacy.

d. The recipient of personal data is Outbrain Inc., 39 West 13th Street, 3rd floor, New York, NY 10011. More details and information about Outbrain’s specific privacy policy can be found at https://www.outbrain.com/legal/privacy.

  30.

Taboola

Our website uses the services of Taboola. The responsible service provider is Taboola Inc. 1115 Broadway, 7th Floor, New York, NY 10010, USA.

a.

b. Our website uses Taboola to determine what content you use and which of the pages on the website you visit so that so we can tailor our recommendations to your personal preferences and interests. For this purpose the following personal data are recorded which includes the cookie ID, crash data, geographical location, hash version of the email address, IP address, log file data, mobile advertising IDs, settings, referrer URL, and websites visited.

c. The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) for advertising, personalization, and targeting. You may opt-out of Taboola's by clicking the opt-out buttons in this link https://www.taboola.com/policies/privacy-policy#user- choices-and-opting-out.

d. The recipient of personal data is Taboola Inc. 1115 Broadway, 7th Floor, New York, NY 10010, USA More details and information about Taboola’s specific privacy policy can be found at https://www.taboola.com/policies/privacy-policy#.

    

31.

Freshdesk and Freshchat

a. Our website uses the Freshdesk customer service platform and ticketing system. The responsible service provider is Freshworks Inc. 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403.

b. Our website uses Freshdesk to handle customer complaints and requests and Freshchat to allow us to communicate with our customers in real time. The main function is to assist users directly on the website and solve problems as quickly as possible. For these purposes, necessary data such as your last name, first name, postal address, telephone number, e-mail address are collected via the website, in order to be able to answer your inquiries and requests.

 32.

 

The legal basis for the processing of your personal data is legitimate interests (Section 12(f), DPA) for purposes of handling customer complaints and requests.

d. The recipient of personal data is Freshworks Inc. 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403. More details and information about Freshwork’s specific privacy policy can be found https://www.freshworks.com/privacy.

Personal data collected from minors, legally-incompetent persons, and other individuals

Our Website is intended only for persons who are of legal age and are deemed legally competent to provide their valid and binding consent under Brazilian law. If you are an individual below legal age or an individual deemed legally competent to give valid and binding consent (hereinafter, collectively referred to as a “Minor” or “Minors”), If you are a Minor, please do not provide any personal data to us including, but not limited to, your name, age, gender, email address, contact information and the like. Kindly consult your parent(s) or legal guardian(s) first before visiting this website.

33.

b. We neither offer products or services to, nor knowingly collect personal data of Minors without any legal basis. Should we learn that we were provided with personal data of Minors without any legal basis, we will delete the same.

c. To the extent that you have provided (or will provide) personal data about your family members, spouse, other dependents, and/or other natural persons, you represent and warrant that, prior to sharing their personal data, you have explained to them that you will provide their personal data to us and that they consented to the same being processed (including disclosure and transfer) in accordance with this privacy statement.

Data retention and deletion

Your personal data shall not be kept for longer than is necessary. Subject to exceptions under the DPA or other applicable laws, your personal data shall be deleted or anonymized in a secure manner after the accomplishment of the relevant purpose/s or when no longer needed.

 

34. Changes and updates to the privacy statement

We may modify or amend this privacy statement from time to time to keep up with any changes in relevant laws and regulations applicable to us or how we collect, use, protect, store, share or dispose of your personal data. Any changes or updates will be posted on our website and the same shall be effective immediately upon such posting.