PRIVACY POLICY

1. Name and contact details of the controller and company data protection officer

This Privacy Policy applies to the processing of data by:

Controller: Calida Group Digital GmbH (hereinafter Calida Group Digital)

Gewerbepark BWB 2, 83052 Bruckmühl, Germany

Phone: +49 8062 72133-10

Fax: +49 8062 72133-499

The company data protection officer of Calida Group Digital can be contacted under the above address, marked for the attention of the Data Protection department, or at [email protected].

2. Collection, storage, nature, purpose and use of personal data

a) When you visit the website

When you call up our website www.calida.com, the browser used on your device automatically sends information to our website’s server. This information is stored temporarily in a log file. The following information is recorded without any action on your part and is stored until it is automatically erased:

• The IP address of the computer system accessing the site

• The date and time of access

• The name and URL of the file accessed

• The website from which you accessed our site (referrer URL)

• The browser type and version and other information sent by the browser (such as your computer’s operating system, the name of your access provider, geographic origin, language setting, etc.).

These data are processed by us for the following purposes:

• to ensure a connection to the website is established smoothly,

• to ensure our website is convenient to use,

• to analyse system security and stability, and

• for other administrative purposes.

The legal basis for processing the data is Article 6 (1) sentence 1 point (f) GDPR (for data processing) and Section 25 (2) no. 2 TTDSG (for technical provision). Our legitimate interests are founded on the above-listed purposes for collection of the data. We never use the data we collect for the purpose of identifying you. Data have to be processed for the website to be used.

We also use cookies and analytics services when you visit our website. You can find more details in sections 5 and 6 of this Privacy Policy.

The retention period depends on the purpose. The data are usually deleted when the browser is closed or the cookies are removed.

b) When ordering as a guest

If you wish to order products from our website as a guest, we collect the following information:

• Your form of address, first name and surname

• A valid email address

• Your address

• Payment data, depending on the method of payment you select (such as credit card data, bank details or PayPal account data)

• For purchases on account: date of birth, telephone number

These data are collected so we can

• identify you as our contractual partner,

• check the plausibility of the data you have entered,

• handle payment for your order,

• handle any warranty claims and assert any claims against you.

The data processing is carried out at your request and is necessary in accordance with Article 6 (1) sentence 1 (b) GDPR for the purposes stated for the fulfilment of the contract and for pre-contractual measures.

You can also provide the following data to ensure smooth and easy handling of your order and so that any queries can be dealt with faster:

• your telephone number and

• an alternative delivery address.

You disclose these data voluntarily. The legal basis for this processing is Article 6 (1) sentence 1 (f) GDPR. Our legitimate interest is to provide additional communication channels and delivery addresses.

If you select the ordering option Click & Collect

If you select the ordering option Click & Collect and so wish your order to be delivered to one of our stores, we send your email address to the store so that you are notified as soon as the goods arrive there and are ready for you to collect. The data processing is carried out at your request and is necessary in accordance with Article 6 (1) sentence 1 (b) GDPR for the purposes stated for the fulfilment of the contract and pre-contractual measures.

The personal data we collect for the order will be stored until the statutory warranty period expires and then erased automatically and not used further, unless we are required to store them for longer in accordance with Article 6 (1) sentence 1 (c) GDPR pursuant to retention and documentation obligations under fiscal and commercial law (such as the German Commercial Code (HGB), the German Penal Code (StGB) or the German Fiscal Code (AO)) or if you have consented to further storage of them in accordance with Article 6 (1) sentence 1 point (a) GDPR. You may revoke your consent at any time with future effect.

c) When setting up a user account

You have the option of setting up a password-protected user account, in which we store your personal data. The purpose of this is to enable easier, faster and more personal handling of your purchases and thus ensure maximum convenience for you when you place orders.

If you wish to set up a password-protected user account, we need the following information from you:

• your form of address, first name and surname,

• your address, and

• a valid email address.

You must also select a password when setting up a user account. In conjunction with your email address, this allows you to access your user account. You can view and change the data stored in your user account at any time.

You can also provide your telephone number so that queries can be clarified more quickly. This is voluntary and not required for setting up the user account.

In addition, you can state your date of birth so that we can surprise you with a present (such as a discount or a special offer) if you subscribe to the newsletter.

We only store your personal data in a user account subject to your voluntary consent in accordance with Article 6 (1) sentence 1 point (a) GDPR. You may revoke your consent at any time with future effect.

It is not necessary to create a user account in order to be able to use our site and to order goods from us. We offer you the option of placing orders as a guest (see section 2 b) below). If you do that, however, you need to enter your data in full again each time you place an order.

After your user account has been deleted, your data are then erased automatically and not used further, unless we are required to store them for longer in accordance with Article 6 (1) sentence 1 (c) GDPR pursuant to retention and documentation obligations under fiscal and commercial law (such as the German Commercial Code (HGB), the German Penal Code (StGB) or the German Fiscal Code (AO)) or you have consented to the further storage of them in accordance with Article 6 (1) sentence 1 point (a) GDPR. You may revoke your consent at any time with future effect.

d) When subscribing to our newsletter

We distribute newsletters that contain personalised product recommendations from our own range and information about special benefit programmes for customers (including contests, discounts and sales). As part of the compilation and distribution of newsletters, we process personal data, including behaviour-related information, about you and work with the company Emarsys eMarketing Systems GmbH, Willi-Schwabe-Strasse 1, 12489 Berlin, Germany (hereinafter ‘Emarsys’).

Provided that you have given your explicit consent in accordance with Article 6 (1) sentence 1 point (a) GDPR, we will use your email address for the purpose of sending you our newsletter regularly. The provision of an email address is the only requirement for subscribing to the newsletter.

You will subsequently receive a registration confirmation via email that you must confirm in order to receive our newsletter (double opt-in). This serves as proof to us that you actually initiated the registration process.

If you have not registered for our newsletter, we regularly use your email address following an order to send you our newsletter with information about products similar to the ones that you just ordered, provided that you do not object to this practice. The processing of personal data is authorised in this regard under Article 6 (1) sentence 1 point (f) GDPR as a result of our legitimate interest in conducting direct marketing activities.

You may cancel the newsletter at any time without stating your reasons by using the unsubscribe link in the email, by making the request directly in your user account or by notifying [email protected] directly. You will then no longer receive the newsletter.

Our newsletter is offered exclusively as personalised information in order to draw your attention to special offers that may be of interest to you and fulfil your needs. For this reason, other available information about you, including customer data from your user account, purchasing history and usage behaviour (e.g. wish lists, basket contents, finding favourite products, CALIDA friends+forever and product pages accessed), is used in addition to your email address to offer personalised content. Your purchasing and usage behaviour in the online shop is tracked and analysed on the basis of your consent or our legitimate interest in conducting optimised direct marketing for the purpose of selecting content, and is linked to your user account. We do not make additional use of the profile information or transmit it to third parties.

You can find more information about data processing related to newsletter registration in the section on the Emarsys service in this data protection information.

The data processed here are deleted when the purpose no longer applies, usually when you unsubscribe from the newsletter.

e) When using our contact form

We offer you the possibility of contacting us using a form provided on the website if you have any questions, of whatever nature. You must specify a valid email address and your first name and surname so that we know by whom the request was made and can respond to it. You can provide your telephone number voluntarily.

Data are processed for the purpose of contacting us on the basis of your voluntary consent in accordance with Article 6 (1) sentence 1 point (a) GDPR. You may revoke your consent at any time with future effect.

Generally speaking, the personal data we collect when you use the contact form are automatically erased when your request has been dealt with.

f) Advertising by post

We will use the address provided by you within the framework of your order to regularly send you information on our products and offers by post, as long as you have not indicated your objection to us. In this context, we process your name and address in accordance with Article 6 (1) sentence 1 (f) GDPR and our legitimate interest in informing our customers about our product range.

g) Participation in a contest

If you participate in one of the contests on our website, we will use your data (name, address, email address, possibly gender and birthday) that you enter into the input box. We will use the data to conduct the contest and determine whether you are eligible to participate, to inform you about any prize that you may have won and to improve our future contests. For this purpose, we work with Emarsys eMarketing Systems GmbH, Willi-Schwabe-Strasse 1, 12489 Berlin, Germany (hereinafter referred to as ‘Emarsys’). Upon presentation of your voluntary authorisation, the legal basis for processing data in connection with the contest will be Article 6 (1) point (a) GDPR. The processing of data required to conduct each contest is based on Article 6 (1) point b GDPR.

Data will be stored and processed for as long as these data are required to conduct the contest. We will generally erase all of your personal data collected in connection with the contest no later than two weeks after the contest has ended, provided that you have not authorised their continued use beyond this date.

The winners’ personal data will usually be erased no later than three years after the end of the contest. The data may not be erased at an earlier point in time due to the potential need to reconstruct the contest as part of a legal recourse process initiated against it.

Emarsys sends confirmation of participation to contestants on our behalf and notifies winners using their email addresses and names. You will find more information regarding the sharing of data with Emarsys in section 3 g) of this data protection document .

3. Transmission of data to third parties

Your personal data are not transferred to third parties for purposes other than those specified in the following.

a) Transmission of data to CALIDA AG

Your personal data are also forwarded to CALIDA AG, Industrie Münigen, Bahnhofstrasse, 6208 Oberkirch, Switzerland. Switzerland is a third country within the meaning of the General Data Protection Regulation (see section 4). There is an adequacy decision by the European Commission for Switzerland. In this adequacy decision, the European Commission has confirmed that Switzerland has a level of data protection comparable to that to be found within the European Union.

Data are forwarded as part of the shared responsibility for data backup purposes, internal administration purposes and to ensure central customer management.

The data are forwarded on the basis of Article 6 (1) sentence 1 point (f) GDPR; these interests are deemed to be legitimate interests within the meaning of the above provision.

b) For the performance of contracts

Your personal data will be forwarded to third parties if this is legally permissible and necessary according to Article 6 (1) sentence 1 point (b) GDPR for performing contracts with you. This includes in particular the forwarding of information to shipping companies for the purpose of delivering goods you have ordered. The third party may use the data given to it solely for the above purposes.

c) For handling payments

When fulfilling the contract, we sometimes work with payment service providers for handling payments. So that payments can be handled, it may be necessary to disclose the purchase amount and, if applicable, other data about you to the provider. The categories of data forwarded for this purpose differ according to the provider and the option selected. Where we forward personal data to providers, that is done to perform the contract and pursuant to our legitimate interests on the basis of Article 6 (1) sentence 1 points (b) and (f) GDPR. We have a legitimate interest within the meaning of the above regulation, namely that of being able to offer you the respective payment option. Details of the providers are as follows:

Adyen: if a payment is made with a credit card or a SEPA direct debit mandate, the payment will be processed by our payment service provider Adyen (Adyen N.V., Simon Carmiggeltstraat 6 – 50, 1011 DJ Amsterdam, Netherlands). In such instances, your IP address; such order information as your invoice total, customer number, email address and payment ID; and the credit card or bank account data that you input will be provided to Adyen for the purpose of further payment processing. Adyen will provide this information to other third parties when it is necessary to process the payment (e.g. banks and credit card companies).

Adyen will be solely responsible for the processing of payment data that subsequently occurs as part of payment processing. Data will be collected and transmitted in encrypted form. We do not have access to this information. You can find more information on data protection regarding Adyen here.

Adyen also provides us with other payment-related services. In this case, your IP address, customer data, order and invoice data as well as payment data related to the payment service being used will be provided to Adyen if this information is required in order to include the payment services on our website for you. You will find information about the individual payment services and possible integration via Adyen below.

Your individual payment data will be stored in encrypted form by Adyen if you have consented to this step. We do not have access to these payment data. If necessary, we will store only a portion of the payment information (e.g. the last four digits of a credit card number) to provide you with an overview of means of payment on your user account on our website. You may revoke your consent for this payment data to be stored at any time with future effect. The data will then be promptly erased, provided that this information is not needed to process selected payments.

PayPal: we offer handling of payments by means of the payment service provider PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg (‘PayPal’). If you decide to pay using PayPal, you are taken to the PayPal website. You can log on there using your account data and instruct payment. We have no access to the data collected by PayPal after you are taken to the PayPal website. You can find more information on data protection in relation to PayPal here .

Amazon Pay: we offer handling of payments by means of the payment service provider Amazon Payments Europe s.c.a., 38 avenue J.F. Kennedy, 1855 Luxembourg (‘Amazon Pay’). If you decide to pay using Amazon Pay, you are taken to the Amazon Pay website. You can log on there using your account data and instruct payment. We have no access to the data collected by Amazon Pay after you are taken to the Amazon Pay website. You can find more information on data protection in relation to Amazon Pay here .

Klarna: if you select the payment options provided by Klarna (‘purchase on account’, ‘direct payment with Sofort’ and ‘direct debit mandate’), personal data such as contact and order data will be transmitted to Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (‘Klarna’). Klarna can thereby assess whether you can make use of the payment options it offers and tailor the payment options to your needs. The integration of Klarna direct payment with Sofort and direct debit mandate of Klarna is conducted via Adyen (see above). Information about data protection at Klarna can be found in their data protection regulations and here .

d) For checking identity and creditworthiness

If we deliver your purchase before receiving payment, for example if you purchase products on account, we may conduct a check on your creditworthiness on the basis of mathematical-statistical methods.

We send the personal data required to check your creditworthiness (your first name and surname, street and house number, postcode, city, date of birth, telephone number and, in the case of purchases by direct debit, the account details you provide) to an external service provider. We work with creditpass GmbH (Mehlbeerenstrasse 2, 82024 Taufkirchen bei München, Germany) to check your identity and creditworthiness.

On the basis of your personal data, creditpass GmbH provides us with information about the statistical probability of your defaulting. The data are therefore collected, stored and forwarded for the purpose of checking your creditworthiness and pursuant to our interest in avoiding defaults and to prevent fraud on the basis of Article 6 (1) sentence 1 points (b) and (f) GDPR. This information is used to calculate the statistical probability of default and so your solvency (creditworthiness). If the creditworthiness check returns a positive result, you can order goods on account. If the creditworthiness check returns a negative result, our shop system will not allow you to pay on account. The creditworthiness check may contain probabilities (score values), which are calculated on the basis of scientifically recognised mathematical-statistical methods and also using your address data and date of birth, among other pieces of information.

If we make automated decisions with legal effect, you have the right to obtain information on the logic involved, as well as the significance and the envisaged consequences of such data processing. You can request that we review the automated decision, expressing your point of view, and have the right to obtain human intervention on our part.

For more information, please refer to the privacy statement of creditpass GmbH https://creditpass.de/service/datenschutz/. You can also contact creditpass directly: [email protected].

The data processed here are deleted when the purpose no longer applies, usually when the contractual relationship ends.

e) To protect our systems against misuse

Our website uses Google reCAPTCHA, a service provided by Google Cloud Platform LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as ‘Google’). It is intended to ensure that certain offerings are actually requested by a human being and to prevent misuse resulting from data entered by bots, as far as possible.

To enable that, Google processes various items of information, including the IP address of the device from which the request has been received, but also other information that can be used to deduce a human act.

These data are processed on the basis of a general weighing-up of interests within the meaning of Article 6 (1) point (f) GDPR (for data processing) and Section 25 (2) no. 2 TTDSG (for technical provision). Protecting our IT systems and, specifically, ensuring that our website functions properly are deemed to be legitimate interests within the meaning of the law. This also constitutes a technical necessity.

Google states that it does not combine the IP address transmitted as part of the reCAPTCHA system with data from other Google services. The data processed may be transferred to servers in the USA and other unsafe third countries and processed there.

The EU Commission has certified a level of data protection comparable to that of the GDPR for some third countries through an adequacy decision. An overview of third countries with an adequacy decision can be found here.

For service providers headquartered in the USA, this only applies if they base such data transmission on the EU-US Data Privacy Framework (DPF) of 10 July 2023. This is the case for the recipient in question.

You can find more information on data protection in relation to reCaptcha in Google’s Privacy Policy .

We do not store your IP address in connection with the reCaptcha service.

f) For the mobile POS solution

In the context of our mobile POS solution (tablets) at our retail stores, we offer you the option of purchasing our products using the tablets and viewing your customer data.

In the context of our mobile POS solution (‘omni-channel’), we transmit your customer master data and order history data (see section 2 b) and c)) to CaperWhite GmbH, Ludwigstrasse 73A, 70176 Stuttgart, Germany.

As part of our group of companies, CALIDA AG has concluded a data processing agreement with CaperWhite GmbH in accordance with Article 28 GDPR. Under this agreement, CaperWhite GmbH affirms that it will process data in compliance with the General Data Protection Regulation and guarantees that the rights of data subjects will be protected.

The data are transmitted pursuant to our legitimate interests and those of CALIDA AG in accordance with Article 6 (1) sentence 1 point (f) GDPR. The need to optimise and improve customer management and our portfolio of offerings constitutes our legitimate interest.

The data processed here are deleted when the purpose no longer applies, usually when the contractual relationship ends.

g) Provision of data to Emarsys and shipcloud

As part of our offerings, we need to send you notifications on occasion and provide information to you in the process. In connection with this, we share your personal data with third parties who help us disseminate the notifications. We share this personal data with third parties on the basis of our legitimate interests under Article 6 (1), page 1, point f GDPR. It is in our interest to be able to inform you about the shipping status.

aa) Provision of data to Emarsys

We work with the service provider Emarsys to distribute your notifications. Emarsys performs a number of jobs on our behalf, including the sending of order confirmations, shipping confirmations, cancellations, confirmations of contest participation and prizes as well as notifications related to user accounts and other confirmation notifications.

We provide your data (surname, first name, email address, address, shipping address, delivery address, account details) to Emarsys for the sole purpose of processing your online order.

We have concluded a data processing agreement with Emarsys. Under this agreement, Emarsys affirms that it will process data in compliance with our instructions and guarantees that the rights of data subjects are protected. You will find more information on data protection in connection with Emarsys here .

bb) Provision of data to shipcloud

As part of our order processing, we also work with the service provider shipcloud GmbH, Heinz-Fangman-Strasse 2-4, Haus 4, 42287 Wuppertal (‘shipcloud’). shipcloud handles the dispatch of the dispatch confirmation (complete and/or partial delivery of the goods) and the dispatch of your invoice for your order. You can also track your order with the help of shipcloud’s service. Finally, with the help of shipcloud, we inform you about the processing status of any products you return. We provide your data (surname, first name, email address, address, shipping address, delivery address, billing address, if applicable, account details) to shipcloud for the sole purpose of processing your online order.

We have concluded a data processing agreement with shipcloud. Under this agreement, shipcloud affirms that it will process data in compliance with our instructions and guarantees that the rights of data subjects are protected. You will find more information on data protection in connection with shipcloud here .

4. Transmission of data to third countries

Data may be transmitted to third countries, i.e. to recipients outside the EU or the European Economic Area (EEA), in connection with data processing. If there is a decision by the European Commission regarding the existence of an adequate level of protection (see Article 45 (3) GDPR) with reference to the third country, no additional measures are required for data transmission. If data are transmitted to recipients based in the USA, this shall be done on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided that the recipient has the appropriate certification. A list of the companies currently certified can be found here. In other cases and when data are transferred to other non-secure third countries, data will only be transferred if the requirements of Article 46 et seqq. GDPR are met. In specific terms, this means that data will only be transferred to third countries if:

the recipient offers appropriate safeguards for protecting personal data in accordance with Article 46 GDPR,

you explicitly consent to the transfer of the data, after we have informed you of the risks, in accordance with Article 49 (1) point (a) GDPR,

the transfer is necessary for the performance of contractual obligations between you and us, or

another exception under Article 49 GDPR applies.

Which of the aforementioned principles applies in individual cases will be explained to you during the processing.

Data transmission to recipients based in the USA who do not have DPF certification and for whom an appropriate level of data protection cannot be established through guarantees within the meaning of Article 46 GDPR will only take place with your consent within the meaning of Article 49 (1) point (a) GDPR. We would like to point out that a level of data protection comparable to that in the EU cannot be guaranteed for recipients based in the USA without DPF certification. The following risks therefore exist when personal data are transmitted in this way: there is a risk that US authorities could gain access to personal data due to the PRISM and UPSTREAM surveillance programmes based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and on the basis of Executive Order 12333 or Presidential Police Directive 28. EU citizens do not have any effective legal means of preventing such access in the USA or EU.

5. Cookies and similar technologies

We use cookies or other similar features and technologies (such as pixel tags) on our site. These are small files which your browser automatically creates and are stored on your device (laptop, tablet, smartphone or the like) when you visit our site. Cookies do not cause any damage on your device and do not contain any viruses, Trojans or other malware.

Information relating to the specific device used is stored in the cookie. However, that does not mean that we can directly identify you from that.

We use pixel tags (also called pixels, tracking pixels or beacon trackers) in our online offering. Pixels are small graphics that are embedded in the HTML code of our pages. No information is stored or changed on your device as a result of the pixel tag, which means that the pixels do not cause any damage on your device, nor do they contain any viruses, Trojans or other malware.

The pixels send your IP address, the referrer URL of the website visited, the time when the pixel was viewed, the browser used, and previously placed cookie information to a web server. That makes it possible to measure reach and carry out other statistical analysis so that we can optimise our offering.

Cookies and pixel tags help us make the use of our offering more appealing for you. For instance, we use ‘session cookies’ to recognise if you have already visited individual pages of our website or you are logged on to your user account, or for showing the shopping basket. They are automatically deleted when you leave our site. The data processed by these cookies are necessary for the aforementioned purposes to protect our legitimate interests in accordance with Article 6 (1) sentence 1 point (f) GDPR and technically necessary in accordance with Section 25 (2) no. 2 TTDSG in order to offer a service that you have requested.

We also use temporary cookies, which are stored on your device for a specific defined period of time, to optimise the user-friendliness of our site. When you visit our site again in order to make use of our services, we automatically recognise that you have previously visited us and what inputs and settings you made, meaning you do not have to enter them again. The data processed by these cookies are required for the aforementioned purposes in order to safeguard our legitimate interests and those of third parties in accordance with Article 6 (1) sentence 1 point (f) GDPR and technically necessary in accordance with Section 25 (2) no. 2 TTDSG in order to offer a service that you have requested.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message is always displayed before a new cookie is created. If, however, you completely disable cookies, you may not be able to use all the features of our website.

We also use cookies and pixel tags to record statistics on the use of our website and analyse them so as to optimise our offering for you (see section 6). They enable us to automatically recognise that you previously visited us the next time you access our site. These cookies and pixel tags are automatically erased after a defined time.

We use such cookies and pixel tags only if you have given your consent using the cookie management tool. We process the data processed by cookies and pixel tags on the basis of your consent in accordance with Article 6 (1) point (a) GDPR and Section 25 (1) TTDSG.

You can withdraw your consent at any time with future effect using the cookie management tool. You can access the tool again at any time by clicking on ‘Cookie settings’ at the bottom of the website.

a) Consent management with Usercentrics

We use the consent management service from Usercentrics GmbH, Rosental 4, 80331 Munich, Germany (hereinafter referred to as ‘Usercentrics’) on our website to manage consent to the use of cookies and similar technologies. The date and time of your visit, browser information, information on your consent, device information and the anonymised IP address of the device accessing the site are processed in this context. The legal basis for that is Article 6 (1) point (f) GDPR. Obtaining and administering legally required consents is deemed to be a legitimate interest within the meaning of the above statutory provision.

Your consent is usually stored until it is revoked or the cookie is deleted. Information on the withdrawal of previously granted consent is stored for a period of three years.

b) Google Tag Manager

Our website uses Google Tag Manager from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as ‘Google’). We use Google Tag Manager to manage the tools we inform you about in this Privacy Policy. We provide separate details of these tools in this policy.

Tag Manager (which implements the tags) itself causes other tags to be activated, which may in turn record data. Google Tag Manager does not access those data. If recording has been deactivated at the domain or cookie level, this setting will still apply to all tracking tags implemented with Google Tag Manager. Google Tag Manager itself does not store or read information on user devices. The service also does not carry out any independent data analysis. However, when you access a page, Google Tag Manager transmits your IP address to Google and may store it there. Data may also be transmitted to servers of Google LLC in the USA.

You can find more information about Google Tag Manager here .

Such processing will only be carried out if you have given us your express consent in accordance with Article 6 (1) point (a) GDPR (to data processing) and Section 25 (1) sentence 1 TTDSG (to technical provision). You may revoke your consent at any time with future effect.

The storage period is usually 90 days.

6. Services used for tracking and targeting

The tracking and targeting activities listed below and used by us are carried out on the basis of your consent in accordance with Article 6 (1) sentence 1, point (a) GDPR (to data processing) and Section 25 (1) sentence 1 TTDSG (to technical provision). You may revoke your consent at any time with future effect.

Our objective with the tracking measures we use is to ensure our website is tailored to needs and is continuously optimised. We also use the tracking measures to record statistics on the use of our website and analyse them so as to optimise our offering for you.

We use these targeting measures to ensure that you only see advertising tailored to your actual or presumed interests on your devices.

More information can be found in the relevant tracking and targeting tools.

a) Criteo

In shared responsibility with Criteo SA (32 Rue Blanche, 75009 Paris, France) under Article 26 GDPR, the following information is collected and stored on our website:

• the browser type and version,

• the operating system you use,

• the host name of the computer system accessing the site (IP address), and

• the time of the server request; along with other information on your possible interests, and is used for the purposes of marketing and optimisation.

These technologies from Criteo enable us to assess our advertising campaigns and the content of our advertising. These data are used to create pseudonymous user profiles. Cookies are used as part of that (see section 5). The data collected by Criteo technology will not be used to personally identify the visitor to this website and will not be linked to personal data associated with the pseudonymous individual without the separate consent of the data subject. Criteo uses an algorithm to analyse

browsing behaviour and can then display targeted product recommendations in the form of personalised advertising banners on other websites (termed ‘publishers’). No other data is used or transmitted to third parties. You can find more information on Criteo’s technology in Criteo’s Privacy Policy.

By using Criteo, additional pixels are loaded from contractual partners with whom Criteo works. An overview of all the publishers and networks from which pixels are loaded can be found here.

You can also disable Criteo services as a whole under the following link:

https://www.criteo.com/privacy/disable-criteo-services-on-internet-browsers/

Please note that, if you disable the display of personalised ads from Criteo and other advertising partners, you will continue to receive ads, but they will be tailored less precisely to your interests and browsing behaviour.

When using Criteo, we also have the option of supplementing conversions with additional personal data in order to increase the accuracy of conversion measurement and close gaps in data collection. Ad interactions can subsequently be assigned to conversions. This processing enables us to calculate and determine the success of individual advertising measures with greater precision. In doing so, we are pursuing our interest in displaying suitable advertising to our website visitors and making our offer appealing on our website and in the context of the placement of advertisements on Google.

When a conversion is carried out on our website (e.g. a product is purchased in the online shop), personal data (usually an email address) are collected. These personal data are collected by Criteo and hashed using the one-way hash algorithm SHA256. These hash values are then transmitted to Criteo, compared by Criteo with its own information and personal data and then made available to us in the form of anonymised statistics to improve conversion measurement.

We have concluded a joint data controller agreement (JCA) with Criteo in order to define the respective responsibilities for the fulfilment of the obligations arising from the GDPR. Under this shared responsibility, however, you can in principle exercise your rights as a data subject towards each of the joint controllers.

The contact details of Criteo’s Data Protection Officer are:

Data Protection Officer – 32 Rue Blanche, 75009 Paris, FRANCE

Email: [email protected]

You can find more information on Criteo’s technology in Criteo’s Privacy Policy at https://www.criteo.com /privacy/.

The data are deleted when the purpose no longer applies.

b) Google Marketing Platform (Google Analytics and Google DoubleClick)

We use the Google Marketing Platform provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as ‘Google’) on our website. This service combines the Google products DoubleClick Digital Marketing and Google Analytics. In this context, pseudonymised user profiles are created and cookies are used. The information generated by the cookie and relating to your use of this website includes

• the browser type and version,

• the operating system you use,

• the referrer URL (the page you previously visited),

• the host name of the computer system accessing the site (IP address), and

• the time of the server request.

You can find more information on data protection in relation to the Google Marketing Platform here .

aa) Analytics 4

As part of Analytics 4, information is used to evaluate use of the website, to compile reports on website activities and to provide other services relating to website and internet use for the purposes of market research and tailoring these websites to needs. The IP addresses are anonymised so that they cannot be associated with a particular person (IP masking).

We use the advertising functions of Google Analytics, depending on the scope of your consent. This results in reports on target groups, demographic attributes (such as age and gender) and the interests of site visitors, as well as on our marketing campaigns. The data for these reports come from campaigns conducted using Google services, interest-based advertising by Google, the Google Display Network, and visitors’ data from third-party providers. Your identity is not disclosed directly to us as part of that. We can use these reports to improve analysis of user behaviour even further in connection with our online offerings, and optimise the way we address our target groups.

We also use the ‘Extended Conversions’ function as part of Google Analytics. This function enables us to improve the accuracy of cross-channel conversion measurement and analysis and close gaps in data collection. This processing enables us to calculate and determine the success of individual advertising measures with greater precision. In doing so, we are pursuing our interest in displaying suitable advertising to our website visitors and making our offer appealing on our website and in the context of the placement of advertisements on Google.

When a conversion is carried out on our website (e.g. a product is purchased in the online shop), personal data (usually email address and mobile phone number) are collected. These personal data are collected via Google Analytics and hashed using the one-way hash algorithm SHA256. These hash values are then transmitted to Google, compared by Google with its own information and personal data and then made available to us in the form of anonymised statistics to improve conversion analysis. In particular, Google can conduct a successful comparison if the data subject also has a Google profile or account.

The user data collected in this way are generally deleted automatically after 14 months.

bb) DoubleClick Digital Marketing

As part of DoubleClick Digital Marketing, information is recorded and analysed in order to optimise insertion of advertisements. The technologies used enable us to address you with advertising tailored to your specific individual interests. Information on the content that has interested you is recorded, for example. On the basis of that information, we can display offerings to you – even on third-party sites – that are specifically geared to your interests as ascertained from your previous user behaviour. Your user behaviour is recorded and analysed only in pseudonymised form and we are not able to identify you from that.

The user data collected in this way are generally deleted automatically after 14 months.

c) Google Ads

We use the service Google Ads from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter: ‘Google’) on our website. The service enables us to design advertising content tailored to needs, record statistics on it, optimise it and broadcast it.

Google Ads uses cookies and pixel tags if you accessed our website by clicking on a Google ad. If you visit specific pages of our website and the cookie has not yet expired, we and Google will be able to tell that you have clicked on the ad and so were forwarded to that page.

Every Google Ads customer receives a different cookie. That means cookies cannot be tracked via the websites of Google Ads customers. The information collected by the conversion cookie is used to create conversion statistics for Google Ads customers who have opted in for conversion tracking. As a Google Ads customer, we are informed about the total number of users who clicked on an ad and were forwarded to a page with a conversion tracking tag. However, we do not obtain any information enabling us to identify you personally. These cookies lose their validity after 30 days.

In addition, we use extended conversion. When a conversion is carried out on our website (e.g. a product is purchased in the online shop), personal data (usually email address and mobile phone number) are collected. These personal data are recorded in the conversion tracking tag and hashed with the one-way hash algorithm SHA256. These hash values are then transmitted to Google, compared by Google with its own information and personal data and then made available to us in the form of anonymised statistics to improve conversion measurement. In particular, Google can conduct a successful comparison if the data subject also has a Google profile or account. The data are stored until the purpose no longer applies.

Finally, we also use the Google Ads remarketing pixel, which collects and evaluates information about your use of this website. That enables us to address you with content of relevance to you on other websites. According to Google, the data collected with the remarketing pixel are not combined with personal data Google may have stored. In addition, Google pseudonymises these data. Remarketing data based on tags are stored for 30 days.

d) Meta Pixel, Custom Audience and Conversion API

We use the Pixel, Custom Audience and Conversion API services provided by Meta Platforms Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland on our website.

We use the aforementioned services for the analysis and optimisation of our online content and the economic operation of this website.

Meta uses the Meta Pixel for this purpose. We also use the Conversions API. The pixel is installed when you access our website or respond to an ad we have placed on Meta, for example because you click on a link to our site in the ad. With the help of the Meta Pixel, we can track the effectiveness of Facebook adverts for statistical and market research purposes by seeing whether users have been redirected to our website after clicking on a Meta advert (‘conversion’). In addition to the Meta Pixel, we also use the Conversions API. Meta uses the Conversions API to send a unique ID to the server as soon as you click on a Facebook ad. We use the service to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offering or who have certain characteristics (e.g. interests in certain topics or products ascertained on the basis of websites they have visited), which we communicate to Facebook (‘custom audiences’). With the help of the Meta Pixel and the Conversions API, Meta is able to determine the visitors to our online offer, including across multiple end devices, as a target group for the display of adverts (‘Facebook ads’). Other cookies are also set in this regard in which personal data about the use of this website are stored. These may include the website accessed, search terms used, login data and the HTTP header (IP address, browser information, referrer). If we transmit data to Facebook for comparison purposes using the Meta Pixel and the Conversions API, these data are encrypted locally in the browser and only then sent to Facebook via a secure https connection. This is done for the sole purpose of creating a comparison with the data that are also encrypted by Meta. Custom Audience is not used to identify you personally. However, the data are stored and processed by Meta, which means they may be connected to the respective user profile.

We and Meta are joint controllers in accordance with Article 26 GDPR in relation to the use of Facebook Custom Audience. We have concluded a joint controller agreement to define our respective responsibilities for complying with the obligations under the GDPR. Accordingly, we are responsible for informing the users of our website, while Meta is responsible for fulfilling requests regarding the rights of data subjects in accordance with Articles 15 to 21 GDPR with regard to the personal data stored by Meta after joint processing. Under this shared responsibility, however, you can in principle exercise your rights as a data subject towards each of the joint controllers.

You can find more information on data protection at Meta here .

You can find more information about Meta as the controller and Meta’s data protection officer in Meta’s data protection information here. You can contact Meta’s data protection officer here.

The user data collected in this way are generally deleted after 180 days.

e) Emarsys Web Extend and Smart Insight

We use Emarsys Web Extend and Smart Insight provided by Emarsys eMarketing Systems AG (Willi-Schwabe-Strasse 1, 12489 Berlin, Germany (hereinafter: Emarsys) to evaluate the behaviour of our website visitors and to personalise our newsletters.

Details of data processing relating to basic newsletter registration can be found in this data protection information under ‘When subscribing to our newsletter’.

Pseudonymous user profiles are created and cookies and JavaScript snippets used in connection with this.

Information about the use of our website (e.g. IP address, browsing information and the item numbers of products that were viewed or placed in the basket)

is processed with Emarsys Web Extend. We use the information obtained by Web Extend to enhance existing customer profiles and to enable individualised content. For this purpose, we use information such as confirmations of receipt and reading of emails, information about computers and internet connections, operating systems and platforms, your browsing history on our site or your order history, the date and time of visiting the homepage, and products/items that you have viewed. These data are linked to any existing user account. Emarsys Smart Insights enables us to evaluate the information received.

The data are usually stored for 13 months.

f) AWIN

We use the advertising network of AWIN AG (Eichhornstrasse 3, 10785 Berlin, Germany (hereinafter referred to as ‘AWIN’). AWIN allows us to play out advertising content and analyse the success of campaigns.

Under its service, AWIN saves cookies on the devices of users who visit our website in order to document transactions (such as leads and sales). The sole purpose of these cookies is to ensure the correct assignment of the success of advertising and appropriate billing within the advertising network. Only information on when a certain ad was clicked on from a device is placed in a cookie. An individual sequence of digits that cannot be used to identify the individual user is stored in the tracking cookies and documents

• the partner programme of an advertiser,

• the publisher, and

• the time of the user’s action (click or view). As part of that, AWIN also collects information on the device from which a transaction is carried out, such as the operating system and the browser accessing the site. AWIN likewise uses session tracking and fingerprinting for these purposes.

We have concluded a contract with AWIN on joint responsibility in accordance with Article 26 GDPR and are jointly responsible with AWIN for data processing. The contract defines our respective responsibilities for complying with the obligations under the GDPR. Under this shared responsibility, however, you can in principle exercise your rights as a data subject towards each of the joint controllers. Both parties are equally responsible for complying with the information obligations under data protection law.

g) Yahoo! Dot Tag

We use the Yahoo! Dot Tag provided by Yahoo EMEA Limited, 5–7 Point Square, North Wall Quay Dublin 1 Ireland to measure campaign progress and assign successful advertising measures.

This is a pageview tag. If a Calida advertising campaign is clicked on (e.g. on yahoo.com), the subpages of the Calida domain that are subsequently visited are linked to this campaign so that the effectiveness of the campaign can be measured. Data that allow personal identification are not transmitted.

For service providers headquartered in the USA, this only applies if they base such data transmission on the EU-US Data Privacy Framework (DPF) of 10 July 2023. This is not the case with the recipient in question. The recipient therefore bases the data transmission on standard contractual clauses of the EU Commission in order to be able to provide a proper guarantee of an adequate level of data protection. A copy of these clauses can be found here.

The storage period is usually 90 days.

h) Hotjar

We use the service Hotjar (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta), hereinafter referred to as ‘Hotjar’, to better understand the needs of our users and to optimise the content and experience on this website.

Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to align our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. These data include a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website.

The storage period is usually 365 days.

i) Pinterest Tag

We use the Pinterest Tag provided by Pinterest Europe Ltd., Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland.

This pixel can be used to collect, store and evaluate information about the browsing behaviour of visitors to the website in pseudonymised form. The information can be assigned to the user’s person with the help of other information that Pinterest has stored about the user, e.g. due to the ownership of an account on the Pinterest social network. Pinterest uses an algorithm to analyse browsing behaviour and can then display targeted product recommendations in the form of personalised advertising banners on the user’s Pinterest account.

When using the Pinterest Tag, we also have the option of supplementing conversions with additional personal data in order to increase the accuracy of conversion measurement and close gaps in data collection. Ad interactions can subsequently be assigned to conversions. This processing enables us to calculate and determine the success of individual advertising measures with greater precision. In doing so, we are pursuing our interest in displaying suitable advertising to our website visitors and making our offer appealing on our website and in the context of the placement of advertisements on Google.

When a conversion is carried out on our website (e.g. a product is purchased in the online shop), personal data (usually an email address) are collected. These personal data are recorded in the Pinterest Tag and hashed with the one-way hash algorithm SHA256. These hash values are then transmitted to Pinterest, compared by Pinterest with its own information and personal data and then made available to us in the form of anonymised statistics to improve conversion measurement. In particular, Pinterest can conduct a successful comparison if the data subject also has a Pinterest profile or account.

We process the data with Pinterest under a joint responsibility arrangement in accordance with Article 26 GDPR. We have concluded a joint responsibility contract for this purpose. Accordingly, we are responsible for providing the data protection information and for the data protection-compliant implementation of Pinterest Tag on our website. Among other aspects, Pinterest is responsible for data security and the fulfilment of data subject rights (Articles 15–20 GDPR).

j) RTB House

We use technology from RTB House, Kurfürstendamm 226, 10719 Berlin, Germany, to carry out personalized advertising campaigns by means of retargeting.

In order to carry out personalized advertising campaigns, we process certain data about the online activities of users on this website. This data may include online identifiers (e.g. cookie ID / mobile advertising ID), information about specific pages visited, products viewed, added to the shopping cart and purchased, together with timestamps, as well as technical device and search program details. Based on this data, RTB House runs advertising campaigns and displays personalized ads to users.

We have concluded a data processing agreement with RTB House. Through this agreement, RTB House ensures that it processes the personal data in accordance with our instructions and guarantees the protection of the rights of the data subject. Further information on data protection in connection with RTB House can be found here.

7. Map services

a) Google Maps

We use the Google Maps offering from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter referred to as ‘Google’) on our website.

Data processing takes place on the basis of your prior consent in accordance with Article 6 (1) sentence 1 point (a) GDPR (for data processing) and Section 25 (1) no. 1 TTDSG (for technical provision).

You may revoke your consent at any time with future effect.

When activated, Google records device-related information, log data including the IP address, and location information. Data are not transferred to Google solely by our website being accessed.

The storage period is usually 18 month.

b) MaxMind

If you use integrated maps to search for a nearby store, your IP address is transferred to the service provider MaxMind, Inc. (14 Spring Street, 3rd Floor, Waltham, MA 02451, USA, hereinafter referred to as ‘MaxMind’) to determine your approximate location (e.g. country, town, district). Your location data are erased when you leave our sites.

You can block geolocation by adjusting the appropriate setting in your browser; however, we point out that if you do so, some of the features of this website (e.g. store finder) may not be able to be used in full.

The storage period is usually 30 days.

8. Trusted Shops seal of approval

We use the service offered by Trusted Shops GmbH, Subbelrather Strasse 15c, 50823 Cologne, Germany.

If you have granted your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR during or after your order by checking the relevant checkbox or clicking on the button provided for that purpose (‘Rate later’), we send your email address to the service provider, so that it can remind you by email that you can submit a rating. You can withdraw that consent at any time by sending a mail to our contact address below or by contacting Trusted Shops directly.

Such further processing serves to protect overriding legitimate interests, based on a weighing-up of interests, of ensuring the optimal marketing of our product range pursuant to Section 6 (1) sentence 1 point (f) GDPR.

When the Trustbadge of Trusted Shops is accessed online, the web server will automatically store a server logfile, which contains such information as your IP address, date and time of access, the amount of data transferred and the requesting provider (access data) and will document access. These access data will not be analysed and will be automatically overwritten no later than seven days after your visit to the site is over.

The storage period is usually 180 days.

9. SOVENDUS vouchers

After you make a purchase at www.calida.com, we offer you the possibility of obtaining vouchers for online portals via the network of Sovendus GmbH, Hermann-Veit-Strasse 6, 76135 Karlsruhe, Germany.

As soon as you choose a voucher, we transmit the hash value of your email address and your IP address to the service provider in pseudonymised and encrypted form, unless you object to advertising. We also transmit the order number, order value with currency, session ID, coupon code and time stamp to Sovendus in pseudonymised form for billing purposes.

The legal basis for the transfer of your data to SOVENDUS is Article 6 (1) sentence 1 point (f) GDPR. Our legitimate interest is in making this voluntary offer of vouchers available to you.

The storage period is 7 days.

10. Rights of data subjects

You have the right to:

demand, in accordance with Article 15 GDPR, information on and access to your personal data we have processed. In particular, you can request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or

objection, the existence of a right to lodge a complaint, the origin of your data if they were not collected from us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information on its details;

demand, in accordance with Article 16 GDPR, the immediate rectification of inaccurate personal data we have stored concerning you and demand that incomplete personal data are completed;

demand, in accordance with Article 17 GDPR, the erasure of personal data we have stored concerning you, unless processing of them is required for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;

demand, in accordance with Article 18 GDPR, that the processing of your personal data be restricted, if you dispute the correctness of the data, if the processing of them is unlawful, but you oppose their erasure and we no longer need the data, but you need them to establish, exercise or defend legal claims, or if you have objected to the processing of your data in accordance with Article 21 GDPR;

receive the personal data you have provided in a structured, commonly used and machine-readable format, or demand that your data be transmitted to another controller in accordance with Article 20 GDPR;

revoke your consent to the processing of your data at any time in accordance with Article 7 (3) GDPR. As a consequence, we will no longer be allowed to continue processing the data on the basis of this prior consent with future effect; and

lodge a complaint with a supervisory authority in accordance with Article 77 GDPR. As a rule, you can contact the

supervisory authority of your usual place of residence or

place of work or our company headquarters.

11. Right to object

If your personal data are processed to safeguard legitimate interests in accordance with Article 6 (1) sentence 1 (f) GDPR, you have the right under Article 21 GDPR to object to the processing of your personal data if there are grounds relating to your particular situation or the objection is to direct marketing. In the latter case, you have a general right to object and we will comply with that right without any need for you to specify grounds relating to your particular situation.

12. Data security

All the data you personally transfer will be sent in encrypted form using the customary and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard which is also used for online banking, for example. You can recognise a secure TLS connection in various ways, including by the ‘s’ appended to http (i.e. https://..) in the address bar of your browser or by the padlock icon at the bottom of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, complete or partial loss and destruction, or access by unauthorised third parties. Our security measures are constantly improved to reflect technological advances.

13. Up-to-dateness of and amendments to this Privacy Policy

This Privacy Policy is currently valid and is dated May 2024.

This Privacy Policy may need to be amended if our website and offerings on it are developed further or pursuant to changes in the law or official requirements. You can obtain and print out the up-to-date Privacy Policy at any time on the website at https://www.calida.com/en-GB/cms/Legal-and-general-information/data-privacy/.