PRIVACY POLICY

1. Name and contact details of the controller and company Data Protection Officer

This Privacy Policy applies to data processing by:

Controller: Reich Online Services GmbH (hereinafter referred to as Reich Online)
Högeringer Str. 27, 83071 Stephanskirchen, Germany

E-mail: [email protected]
Telephone: +49 8036 94394-10
Fax: +49 8036 94394-99

The company Data Protection Officer of Reich Online can be contacted under the above address, for the attention of the Data Protection department, or at [email protected].

2. Collection and storage of personal data, the nature and purpose of that, and use of the data

a) When you visit the website

When you call our website www.calida.com, the browser used on your device automatically sends information to our website’s server. This information is stored temporarily in a log file. The following information is recorded without any action on your part and is stored until it is automatically erased:

  • The IP address of the computer system calling the site

  • The date and time of access

  • The name and URL of the file called

  • The website from which you accessed our site (referrer URL)

  • The browser type and version and other information sent by the browser (such as your computer’s operating system, the name of your access provider, geographic origin, language setting, etc.).

These data are processed by us for the following purposes:

  • To ensure a connection to the website is established smoothly

  • To ensure our website is convenient to use

  • To analyse system security and stability, and

  • For other administrative purposes.

The legal basis for processing of the data is Article 6 (1) sentence 1 point (f) GDPR. Our legitimate interests are founded on the above-listed purposes for collection of the data. We never use the data we collect for the purpose of identifying you.

We also use cookies and analytics services when you visit our website. You can find more details in sections 4 and 5 of this Privacy Policy.

b) When ordering as a guest

If you wish to order products from our website as a guest, we collect the following information:

  • Your form of address, first name and surname

  • A valid e-mail address

  • Your address

  • Payment data, depending on the method of payment you select (such as credit card data, bank details or PayPal account data)

  • If you purchase products on account: your date of birth and telephone number.

These data are collected in order to

  • be able to identify you as our customer;

  • check the plausibility of the data you have entered;

  • handle payment for your order;

  • handle any warranty claims and assert any claims against you.

The data are processed pursuant to your request and are required for the above purposes so that a contract or steps prior to entering into a contract can be performed in accordance with Article 6 (1) sentence 1 point (b) GDPR.

You can also provide the following data to ensure smooth and easy handling of your order and so that any queries can be dealt with faster:

  • Your telephone number, and

  • An alternative delivery address.

You disclose these data voluntarily.

The personal data collected by us for handling your order are stored until the statutory warranty period expires and are then erased automatically, unless we are required to store them for longer in accordance with Article 6 (1) sentence 1 (c) GDPR pursuant to retention and documentation obligations under fiscal and commercial law (such as the German Commercial Code (HGB), the German Penal Code (StGB) or the German Fiscal Code (AO)) or you have consented to further storage of them in accordance with Article 6 (1) sentence 1 point (a) GDPR.

c) If you select the ordering option Click & Collect

If you select the ordering option Click & Collect and so wish your order to be delivered to one of our stores, we send your e-mail address to the store so that you are notified as soon as the goods arrive there and are ready for you to collect. The data are processed pursuant to your request and are required for the above purposes so that a contract or steps prior to entering into a contract can be performed in accordance with Article 6 (1) sentence 1 point (b) GDPR.

d) If you set up a user account

You have the option of setting up a password-protected user account, in which we store your personal data. The purpose of that is to enable easier, faster and more personal handling of your purchases and thus ensure maximum convenience for you when you place orders.

If you wish to set up a password-protected user account, we need the following information from you:

  • Your form of address, first name and surname

  • Your address, and

  • A valid e-mail address.

You must also select a password when setting up a user account. Together with your e-mail address, it allows you to access your user account. You can view and change the data stored in your user account at any time.

You can also provide your telephone number so that queries can be clarified more quickly. That is voluntary and not required for setting up the user account.

In addition, you can state your date of birth so that we can surprise you with a present (such as a discount or a special offer) if you subscribe to the newsletter.

We store your personal data in a user account only subject to your voluntary consent in accordance with Article 6 (1) sentence 1 point (a) GDPR.

It is not necessary to create a user account in order to be able to use our site and to order goods from us. We offer you the option of placing orders as a guest (see section 2. b)). If you do that, however, you have to enter your data in full again each time you place an order.

After your user account has been deleted, your data are then erased automatically and not used further, unless we are required to store them for longer in accordance with Article 6 (1) sentence 1 (c) GDPR pursuant to retention and documentation obligations under fiscal and commercial law (such as the German Commercial Code (HGB), the German Penal Code (StGB) or the German Fiscal Code (AO)) or you have consented to further storage of them in accordance with Article 6 (1) sentence 1 point (a) GDPR.

e) In connection with our newsletters

We distribute newsletters that contain personalised product recommendations from our own product range and information about special benefit programmes for customers (including contests, discounts and sales). As part of the compilation and distribution of newsletters, we process personal data, including behaviour-related information, about you and work with the company Emarsys eMarketing Systems AG (hereinafter referred to as “Emarsys”) in this area.

Provided that you have given your explicit consent in accordance with Article 6 (1) sentence 1 point (a) GDPR, we will use your e-mail address for the purpose of sending you our newsletter regularly. The provision of an e-mail address is the only requirement for subscribing to the newsletter.

You will subsequently receive a registration confirmation via e-mail that you must confirm in order to receive our newsletter (double opt-in). This serves as proof to us that you actually initiated the registration process.

If you have not registered for our newsletter, we regularly use your e-mail address following an order to send you our newsletter with information about products similar to the ones that you just ordered, provided that you do not object to this practice. The processing of personal data is authorised in this connection under Article 6 (1) sentence 1 point (f) GDPR as a result of our legitimate interest in conducting direct marketing activities.

You may cancel the newsletter at any time without stating your reasons by using the unsubscribe link in the e-mail, by making the request directly in your user account or by directly notifying [email protected]. You will then no longer receive the newsletter.

Our newsletter is offered exclusively as personalised information in order to draw your attention to special offers that may be of interest to you and fulfil your needs. For this reason, other available information about you, including customer data from your user account, purchasing history and usage behaviour (e.g. wish lists, basket contents, finding favourite products, CALIDA friends+forever and accessed product pages), is used in addition to your e-mail address to offer personalised content. On the basis of your consent or our legitimate interest in conducting optimised direct marketing, your purchasing and usage behaviour in the online shop is tracked and analysed for the purpose of selecting content, and is linked to your user account. We do not make additional use of the profile information or transmit it to third parties.

We use the services of Emarsys to technically implement customisation. Emarsys analyses the information described above on our behalf for the purpose of planning content for the newsletter. In this process, opening, clicking, bounce, delivery, log-off and conversion rates are evaluated. The analysis also uses cookies or pixel tags that collect information such as the IP address, browser type/version, e-mail client and time of access. As a result, we can see who opened the e-mail and clicked the links contained in it. You can cancel our newsletter at any time if you object to this analysis.

A data processing agreement pursuant to Article 28 GDPR has been concluded with Emarsys. Under this agreement, Emarsys warrants that it will process data in compliance with the General Data Protection Regulation and guarantees that the rights of data subjects will be protected.

You can find more information on Emarsys’ tracking activities in section 5 j) of this Privacy Policy.

f) Registering for “CALIDA friends+forever”

You can find information on data protection in connection with registration for the “CALIDA friends+forever” loyalty programme at: www.calida.com/en-DE/cms/friends-forever/data-privacy/?updateShop_1_DE.

g) When you use our contact form

We offer you the possibility of contacting us using a form provided on the website if you have any questions, of whatever nature. You must specify a valid e-mail address and your first name and surname so that we know from whom the request is and can respond to it. You can furnish your telephone number voluntarily.

Data are processed for the purpose of contacting us on the basis of your voluntary consent in accordance with Article 6 (1) sentence 1 point (a) GDPR.

The personal data we collect when you use the contact form are automatically erased when your request has been dealt with.

h) Advertising by mail

We will use the address provided by you within the framework of your order to regularly send you information on our products and offers by mail, as long as you have not indicated your objection to us. In this context, we process your name and address in accordance with Article 6 (1) sentence 1 (f) GDPR and our legitimate interest to inform our customers about our product range.

3. Transmission of data to third parties

Your personal data are not transferred to third parties for purposes other than those specified in the following.

a) Transmission of data to CALIDA AG

Your personal data are also forwarded to CALIDA AG, Industrie Münigen, Bahnhofstrasse, 6208 Oberkirch, Switzerland. Switzerland is a third country within the meaning of the General Data Protection Regulation (see section 3 g)). There is an adequacy decision by the European Commission for Switzerland. In this adequacy decision, the European Commission has confirmed that Switzerland has a level of data protection comparable to that in the European Union.

Data are forwarded as part of the shared responsibility for data backup purposes, internal administration purposes and to ensure central customer management.

The data are forwarded on the basis of Article 6 (1) sentence 1 point (f) GDPR; these interests are deemed to be legitimate interests within the meaning of the above provision.

b) For the performance of contracts

Your personal data will be forwarded to third parties if this is legally permissible and necessary according to Article 6 (1) sentence 1 point (b) GDPR for performing contracts with you. This includes in particular the forwarding of information to shipping companies for the purpose of delivering goods you have ordered. The third party may use the data given to it solely for the above purposes.

c) For handling payments

When fulfilling the contract, we sometimes work with payment service providers for handling payments. So that payments can be handled, it may be necessary to disclose the purchase amount and, if applicable, other data about you to the provider. The categories of data forwarded for this purpose differ according to the provider and the selected option. Where we forward personal data to providers, that is done to perform the contract and pursuant to our legitimate interests on the basis of Article 6 (1) sentence 1 points (b) and (f) GDPR. We have a legitimate interest within the meaning of the above regulation, namely that of being able to offer you the respective payment option. Details of the providers follow here:

PayPal: We offer handling of payments by means of the payment service provider PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg (“PayPal”). If you decide to pay using PayPal, you are taken to the PayPal website. You can log on there using your account data and instruct payment. After you are taken to the PayPal website, we have no access to the data collected by PayPal. You can find more information on data protection in relation to PayPal here.

Amazon Pay: We offer handling of payments by means of the payment service provider Amazon Payments Europe s.c.a., 38 avenue J.F. Kennedy, 1855 Luxembourg (“Amazon Pay”). If you decide to pay using Amazon Pay, you are taken to the Amazon Pay website. You can log on there using your account data and instruct payment. After you are taken to the Amazon Pay website, we have no access to the data collected by Amazon Pay. You can find more information on data protection in relation to Amazon Pay here.

Klarna: If you select the payment options provided by Klarna (“purchase on account” and “direct payment with Sofort”), we will send personal data, such as contact and order data, to Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (“Klarna”). Klarna can thereby assess whether you can make use of the payment options it offers and tailor the payment options to your needs. You can obtain general information on Klarna here. Your personal data will be handled by Klarna in compliance with Klarna’s Privacy Policy.

Unzer: When paying by credit card, the name and address of the credit card holder as well as the credit card number and expiry date will be forwarded to the payment service provider Unzer GmbH, Vangerowstraße 18, 69115 Heidelberg, Germany. You can find more information on data protection in relation to Unzer here.

d) For checking your identity and creditworthiness

If we deliver your purchase before receiving payment, for example if you purchase products on account, we may conduct a check on your creditworthiness on the basis of mathematical-statistical methods.

We send the personal data required to check your creditworthiness (your first name and surname, street and number, postcode, city, date of birth, telephone number and, in the case of purchase by direct debit, the account details you provide) to an external service provider. We work together with creditpass GmbH to check your identity and creditworthiness.

On the basis of your personal data, creditpass GmbH provides us with information about the statistical probability of your defaulting. The data are therefore collected, stored and forwarded for the purpose of checking your creditworthiness and pursuant to our interest in avoiding defaults and to prevent fraud on the basis of Article 6 (1) sentence 1 points (b) and (f) GDPR. This information is used to calculate the statistical probability of default and so your solvency (creditworthiness). If the creditworthiness check returns a positive result, you can order goods on account. If the creditworthiness check returns a negative result, our shop system will not allow you to pay on account.

The creditworthiness check may contain probabilities (score values), which are calculated on the basis of scientifically recognised mathematical-statistical methods and also using your address data and date of birth, among other things.

If we take automated decisions with legal effect, you have the right to obtain information on the logic involved, as well as the significance and the envisaged consequences of such data processing. You can request us to review the automated decision, expressing your point of view, and have the right to obtain human intervention on our part.

For more information, please refer to the privacy statement of creditpass GmbH https://creditpass.de/service/datenschutz/. You can also contact creditpass directly: info(at)creditpass.de.

e) To protect our systems against misuse

Our website uses Google reCAPTCHA, a service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. (hereinafter referred to as “Google”). It is intended to ensure that certain offerings are actually requested by a human being and to prevent as far as possible misuse resulting from data entered by bots.

To enable that, Google processes various items of information, including the IP address of the device from which the request has been received, but also other information that can be used to deduce a human act.

These data are processed on the basis of a general weighing of interests within the meaning of Article 6 (1) point (f) GDPR. Protecting our IT systems and, specifically, ensuring that our website functions properly are deemed to be legitimate interests within the meaning of the law.

Google states that it does not combine the IP address transmitted as part of the reCAPTCHA system with data from other Google services. The processed data may be transferred to servers in the U.S. and other unsafe third countries and processed there (see section 3 g)). Google refers in this regard to the standard contractual clauses approved by the EU Commission as guaranteeing that a level of data protection comparable to that in the European Union is ensured.

You can find more information on data protection in relation to reCAPTCHA in Google’s Privacy Policy.

f) Transmission of data to CaperWhite GmbH

In the context of our mobile POS solution (tablets) at our retail stores, we offer you the option of purchasing our products using the tablets and viewing your customer data.

In the context of our POS solution (“Omni-Channel”), we transmit your customer master data and order history data (see section 2 b) and c)) to CaperWhite GmbH, Ludwigstr. 73A, 70176 Stuttgart, Germany.

This service provider was carefully selected and commissioned by CALIDA AG, as part of our group of companies. It is obligated to comply with its instructions and is controlled on a regular basis, in particular as regards appropriate technical and organisational measures for ensuring data security. CaperWhite GmbH uses servers located in Europe as part of its activity; no data are transmitted to the U.S.

The data are transmitted pursuant to our legitimate interests and those of CALIDA AG in accordance with Article 6 (1) sentence 1 point (f) GDPR. The need to optimise and improve customer management and our portfolio of offerings constitutes our legitimate interest.

g) Transmission of data to third countries

Personal data are transmitted to third countries only if the requirements stipulated in Article 44 et seq. GDPR are met.

“Third country” denotes a country outside the European Economic Area (EEA) in which the General Data Protection Regulation is not directly applicable. A third country is deemed unsafe if the EU Commission has not adopted an adequacy decision in accordance with Article 45 (1) GDPR confirming that the country has an adequate level of protection for personal data.

The ruling by the European Court of Justice on 16 July 2020 (C-311/18) invalidated the (partial) adequacy decision for the U.S., termed the Privacy Shield. The U.S. is thus an unsafe third country. That means a level of data protection comparable to that in the European Union is not offered in the U.S. The following risks arise if personal data are transmitted to the U.S.: U.S. authorities may gain access to personal data pursuant to the PRISM and UPSTREAM surveillance programmes under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and on the basis of Executive Order 12333 or Presidential Policy Directive 28. EU citizens do not have any effective legal means of preventing such access in the U.S. or EU.

We inform you in this Data Policy when and how we transmit personal data to the U.S. or other unsafe third countries. We transmit your personal data only if

  • the recipient offers appropriate safeguards for protecting personal data in accordance with Article 46 GDPR,

  • you explicitly consent to transfer of the data, after we have informed you of the risks, in accordance with Article 49 (1) point (a) GDPR,

  • the transfer is necessary for the performance of contractual obligations between you and us, or

  • another exception under Article 49 GDPR applies. 

Safeguards in accordance with Article 46 GDPR may be what are termed standard contractual clauses. In these standard contractual clauses, the recipient pledges to protect the data adequately and ensure a level of protection comparable to that under the General Data Protection Regulation.

4. Cookies and similar technologies

We use cookies or other similar features and technologies (such as pixel tags) on our site. These are small files which your browser automatically creates and are stored on your device (laptop, tablet, smartphone or the like) when you visit our site. Cookies do not cause any damage on your device and do not contain any viruses, Trojans or other malware.

Information relating to the specific device used is stored in the cookie. However, that does not mean that we can directly identify you from that.

We use pixel tags (also called pixels, tracking pixels or beacon trackers) in our online offering. Pixels are small graphics that are embedded in the HTML code of our pages. No information is stored or changed on your device as a result of the pixel tag, which means that the pixels do not cause any damage on your device, nor do they contain any viruses, Trojans or other malware.

The pixels send your IP address, the referrer URL of the visited website, the time when the pixel was viewed, the browser used, and previously placed cookie information to a web server. That makes it possible to measure reach and carry out other statistical analyses so that we can optimise our offering.

Cookies and pixel tags help us make use of our offering more pleasant for you. For instance, we use what are termed session cookies to recognise if you have already visited individual pages of our website or you are logged on to your user account, or for showing the shopping basket. They are automatically deleted when you leave our site.

We also use temporary cookies, which are stored on your device for a specific defined period of time, to optimise the user-friendliness of our site. When you visit our site again in order to make use of our services, we automatically recognise that you have previously visited us and what inputs and settings you made, meaning you do not have to enter them again. The data processed by these cookies are required for the above purposes in order to safeguard our legitimate interests and those of third parties in accordance with Article 6 (1) sentence 1 point (f) GDPR.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or a message is always displayed before a new cookie is created. If, however, you completely disable cookies, you may not be able to use all the features of our website.

We also use cookies and pixel tags to record statistics on use of our website and analyse them so as to optimise our offering for you (see section 5). They enable us to automatically recognise that you previously visited us the next time you call our site. These cookies and pixel tags are automatically erased after a defined time.

We use such cookies and pixel tags only if you have given your consent using the cookie management tool. We process the data processed by cookies and pixel tags on the basis of your consent in accordance with Article 6 (1) point (a) GDPR. You can withdraw your consent at any time with future effect using the cookie management tool. You can call the tool again at any time by clicking on “Cookie settings” at the bottom of the website.

a) Consent management with Usercentrics

We use the consent management service from Usercentrics GmbH, Rosental 4, 80331 Munich, Germany (hereinafter referred to as “Usercentrics”) on our website to manage consent to the use of cookies and similar technologies. The date and time of your visit, browser information, information on your consent, device information and the anonymised IP address of the device calling the site are processed in this context. The legal basis for that is Article 6 (1) point (f) GDPR. Obtaining and administering legally required consents are deemed to be a legitimate interest within the meaning of the above statutory provision. Information on the withdrawal of previously granted consent is stored for a period of three years.

b) Google Tag Manager

Our website uses Google Tag Manager from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. (hereinafter referred to as “Google”). We use Google Tag Manager to manage the tools we inform you about in this Privacy Policy. We provide separate details of these tools in this policy.

Tag Manager (which implements the tags) itself causes other tags to be activated, which may in turn record data. Google Tag Manager does not access those data. If recording has been deactivated at the domain or cookie level, this setting will still apply to all tracking tags implemented with Google Tag Manager.

You can find more information on Google Tag Manager here.

5. Tracking and targeting with consent

The legal basis for the following tracking and targeting measures we use is your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR.

Our objective with the tracking measures we use is to ensure our website is tailored to needs and is continuously optimised. We also use the tracking measures to record statistics on use of our website and analyse them so as to optimise our offering for you.

We use these targeting measures to ensure that you only see advertising tailored to your actual or presumed interests on your devices.

The purposes of processing the data and the categories of data can be referred to in the descriptions of the tracking and targeting tools.

a) Criteo

On the basis of your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR and in shared responsibility with Criteo SA (32 Rue Blanche, 75009 Paris, France), the following information is collected and stored on our website:

  • The browser type you use and its version

  • The operating system you use

  • The referrer URL (the page you previously visited)

  • The host name of the computer system accessing the site (IP address)

  • The time of the server request

along with further information on your possible interests, and is used for the purposes of marketing and optimisation.

These technologies from Criteo enable us to assess our advertising campaigns and the content of our advertising. These data are used to create pseudonymous user profiles. Cookies are used as part of that (see section 4). The data collected by Criteo technology will not be used to personally identify the visitor to this website and will not be linked to personal data associated with the pseudonymous individual without the separate consent of the data subject. Criteo uses an algorithm to analyse surfing behaviour and can then display targeted product recommendations in the form of personalised advertising banners on other websites (termed “publishers”). The data are not used otherwise or transmitted to third parties. You can find more information on Criteo’s technology in Criteo’s Privacy Policy.

The use of Criteo means that further pixels from contractual partners with whom Criteo cooperates are installed. You can find an overview of all the publishers and networks from which pixels are installed here.

You can also disable the Criteo services as a whole under the following link:

https://www.criteo.com/privacy/disable-criteo-services-on-internet-browsers/

Please note that, if you disable the display of personalised ads from Criteo and other advertising partners, you will continue to receive ads, but they will be tailored less precisely to your interests and surfing behaviour.

We have concluded a Joint Data Controller Agreement with Criteo to define our respective responsibilities for complying with the obligations under the General Data Protection Regulation. Under this shared responsibility, however, you can in principle exercise your rights as a data subject towards each of the joint controllers.

The contact details of Criteo’s Data Protection Officer are:

Data Protection Officer – 32 Rue Blanche, 75009 Paris, FRANCE

E-mail: [email protected]

You can find more information on Criteo’s technology in Criteo’s Privacy Policy at https://www.criteo.com/de/privacy/.

b) intelliAd

We use the service intelliAd from diva-e Products GmbH, St. Martin Str. 78 (Building BT3/ground floor), 81541 Munich, Germany (hereinafter referred to as “intelliAd”). Data are collected and stored with the aid of pixel tags and cookies and are then used to create pseudonymous user profiles. These profiles are used to analyse visitor behaviour as well as to improve and tailor our offering to needs. The pseudonymous user profiles will not be linked to direct personal data associated with the pseudonymous individual without your separate explicit consent. In particular, IP addresses will be rendered unrecognisable directly after entry to the site. As a result, it is impossible to connect user profiles to IP addresses. The cookies are deleted after 30 days. You can find intelliAd’s Privacy Policy at https://www.intelliad.com/privacy-policy/.

c) MaxMind

If you use integrated maps to search for a nearby store, your IP address is transferred using an embedded JavaScript (see section 4) to the service provider MaxMind, Inc. (14 Spring Street, 3rd Floor, Waltham, MA 02451, U.S., hereinafter referred to as “MaxMind”) to determine your approximate location (e.g. country, town, district). Your location data are erased when you leave our sites.

You can find more information on data protection in relation to MaxMind at https://www.maxmind.com/de/privacy_policy.

You can block geolocation by making the appropriate setting in your browser; however, we point out that if you do so, some of the features of this website (e.g. Storefinder) may not be able to be used in full.

The data collected by MaxMind are transferred to servers in the U.S. and processed there. The data transferred are only in pseudonymised form and cannot be used to identify your name. We have concluded a data processing agreement, including the EU standard contractual clauses, with MaxMind. That ensures there is a level of data protection comparable to that in the European Union (see details on the transfer of data to the U.S. in Section 3 g)). 

d) Google Marketing Platform (Google Analytics and Google DoubleClick)

On the basis of your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR, we use the Google Marketing Platform, a web analytics and advertising service from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. (hereinafter referred to as “Google”) on our website. This service combines the Google products DoubleClick Digital Marketing and Google Analytics. In this context, pseudonymised user profiles are created and cookies are used. The information generated by the cookie and relating to your use of this website includes

  • the browser type and version,   

  • the operating system you use,

  • the referrer URL (the page you previously visited),

  • the host name of the computer system accessing the site (IP address), and

  • the time of the server request.

We have concluded a data processing agreement with Google. Under that agreement, Google warrants that it will process data in compliance with our instructions as well as guarantee that the rights of data subjects are protected.

The information may be transferred to third parties if this is prescribed by law or third parties process these data on behalf of Google. The processed data may be transferred to servers in the U.S. and other unsafe third countries and processed there (see section 3 g)). Google refers in this regard to the standard contractual clauses approved by the EU Commission as guaranteeing that a level of data protection comparable to that in the European Union is ensured. We transfer data to Google only subject to your consent.

You can also make settings for the display of interest-based advertising by DoubleClick Digital Marketing using the Google advertising settings manager.

You can find more information on data protection in relation to the Google Marketing Platform here.

aa) Analytics

As part of Analytics, information is used to evaluate use of the website, to compile reports on website activities and to provide other services relating to website and Internet use for the purposes of market research and tailoring these websites to needs. The IP addresses are anonymised so that they cannot be associated with a particular person (IP masking).

We use the advertising functions of Google Analytics, depending on the scope of your consent. This results in reports on target groups, demographic attributes (such as age and gender) and the interests of site visitors, as well as on our marketing campaigns. The data for these reports comes from campaigns conducted using Google services, interest-based advertising by Google, the Google Display Network, and visitors’ data from third-party providers. Your identity is not disclosed directly to us as part of that. We can use these reports to improve analysis of user behaviour even further in connection with our online offerings, and optimise the way we address our target groups.

The user data recorded by means of cookies are automatically erased after 14 months.

bb) DoubleClick Digital Marketing

As part of DoubleClick Digital Marketing, information is recorded and analysed in order to optimise insertion of advertisements. The technologies used enable us to address you with advertising tailored to your specific individual interests. Information on the content that has interested you is recorded, for example. On the basis of that information, we can display offerings to you – even on third-party sites – that are specifically geared to your interests as ascertained from your previous user behaviour. Your user behaviour is recorded and analysed only in pseudonymised form and we are not able to identify you from that. The user data recorded by means of cookies are automatically erased after 14 months.

e) Google Ads

We use Google Ads from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. (hereinafter referred to as “Google”). The service enables us to design advertising content tailored to needs, record statistics on it, optimise it and play it out.

Google Ads uses cookies and pixel tags if you accessed our website by clicking on a Google ad. These cookies lose their validity after 30 days. If you visit specific pages of our website and the cookie has not yet expired, we and Google will be able to tell that you have clicked on the ad and so were forwarded to that page.

Every Google Ads customer receives a different cookie. That means cookies cannot be tracked via the websites of Google Ads customers. The information collected by the conversion cookie is used to create conversion statistics for Google Ads customers who have opted-in for conversion tracking. As a Google Ads customer, we are informed about the total number of users who clicked on an ad and were forwarded to a page with a conversion tracking tag. However, we do not obtain any information enabling us to identify you personally.

On the basis of your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR, we also use the Google Ads remarketing pixel, which collects and analyses information on your use of this website. That enables us to address you with content of relevance to you on other websites. According to Google, the data collected with the remarketing pixel are not combined with personal data Google may have stored. In addition, Google pseudonymises these data. Remarketing data based on tags are stored for 30 days.

The processed data may be transferred to servers in the U.S. and other unsafe third countries and processed there (see section 3 g)). Google refers in this regard to the standard contractual clauses approved by the EU Commission as guaranteeing that a level of data protection comparable to that in the European Union is ensured. We transfer data to Google only subject to your consent.

f) Facebook pixel with Facebook Custom Audiences

We use the Facebook pixel from Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (hereinafter referred to as “Facebook”) on our site. The Facebook pixel is a JavaScript code that enables tracking of activities by visitors on websites where the pixel is used. Your IP address, browser information, the starting and destination pages and referrer data are collected and stored by the Facebook pixel.  In addition, the pixel detects what activities were performed on the website, such as click behaviour.

You can find more information on data protection at Facebook here.

(1) Facebook pixel for measurement solutions and analytics services

With the aid of the Facebook pixel, we can use measurement solutions and analytics services to detect how you respond to our ads on Facebook, such as if you click on a link in the ad that takes you to our website. As a result, we gain a better overview of the success of our campaigns on Facebook and can continually optimise them. The pixel also enables us to recognise you when you visit our website. This information makes it possible for ads we place on Facebook to be displayed only to Facebook users who are also probably interested in our offerings, either because they have visited our website previously or because they have certain characteristics (such as interest in certain subjects or products as ascertained on the basis of the websites they have visited).

The pixel is installed when you call our website or respond to an ad we have placed on Facebook, for example because you click on a link to our site in the ad. In this context, a pixel ID is created and stored in a cookie, with the result that we obtain analyses of your user behaviour. The pixel is not used by us to identify you personally.

We have concluded a data processing agreement in this regard, under which Facebook undertakes to process the data in compliance with the General Data Protection Regulation and to safeguard the rights of data subjects.

(2) Facebook Custom Audience for target groups

On the basis of your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR, we use Facebook Custom Audience from the social network Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, a company of Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, U.S., hereinafter referred to as “Facebook”). Facebook Custom Audience allows us to tailor advertising campaigns to persons. A Facebook Custom Audience pixel tag is integrated on our website. It is a JavaScript code with which pseudonymised data on use of the website are processed. The data include your IP address, the browser used, and the starting and destination pages. With the aid of the Facebook pixel, we can detect how you respond to our ads on Facebook, such as if you click on a link in the ad that takes you to our website. As a result, we gain a better overview of the success of our campaigns on Facebook and can continually optimise them. The pixel also enables us to recognise you when you visit our website in order to identify you as a target group for the display of advertising. Accordingly, we use the Facebook pixel so that the ads we place on Facebook are displayed only to Facebook users who are also probably interested in our offerings, either because they have visited our website previously or because they have certain characteristics (such as interest in certain subjects or products as ascertained on the basis of the websites they have visited).

The information obtained on our sites is automatically compared by Facebook with the aid of a Facebook cookie to determine whether you belong to the target group of relevance to us. If you belong to the target group, you are shown relevant ads on Facebook. In this process, you are not personally identified by us or Facebook by means of comparison of the data.

We and Facebook Ireland are joint controllers in accordance with Article 26 GDPR in relation to use of the Facebook Custom Audience pixel. We have concluded a joint controller agreement to define our respective responsibilities for complying with the obligations under the General Data Protection Regulation.  This agreement specifies that we are responsible for informing users of our website, while Facebook is responsible for handling requests about the rights of data subjects in accordance with Articles 15 to 21 GDPR. Under this shared responsibility, however, you can in principle exercise your rights as a data subject towards each of the joint controllers.

Facebook bases processing of the data on the consent of Facebook users in accordance with Article 6 (1) point (a) GDPR and the legitimate interests of Facebook in accordance with Article 6 (1) point (f) GDPR in ensuring that advertisers on Facebook are provided with precise and reliable reports and precise performance statistics. You can find more information on this subject in Facebook’s Data Policy or here. You can contact Facebook’s Data Protection Officer here.

Facebook bases data transfers by Facebook Ireland to the U.S. or other unsafe third countries on standard contractual clauses approved by the EU Commission (see section 3 g)). We transfer data to Facebook only with your prior consent.

You can opt out of using the Custom Audiences service globally on the website of Facebook. After logging onto your Facebook account, you are taken to the settings for Facebook ads.

g) trbo

On this website we use technology provided by trbo GmbH, Römerstrasse 6, 80801 Munich, Germany (hereinafter referred to as “trbo”) and process data from which pseudonymous user profiles are created.

To this end, cookies and pixels which enable a browser to be recognised (see section 4) may be used. Before being sent to trbo, your IP address is shortened at the end by 8 characters in order to guarantee anonymised recording of IP addresses.

The pseudonymous profiles are used to analyse visitor behaviour as well as to improve and tailor our offering to needs. The pseudonymous user profiles will not be linked to personal data associated with the pseudonymous individual without the separate explicit consent of the data subject.

We have concluded a data processing agreement with trbo. Under that agreement, trbo warrants that it will process data in compliance with the General Data Protection Regulation as well as guarantee that the rights of data subjects are protected. The cookies are automatically deleted after 36 months.

You can find more information on data protection at trbo here.

h) Stylight

We use the content and e-commerce service of Stylight GmbH, Nymphenburger Straße 86, 80636 Munich, Germany (hereinafter referred to as “Stylight”) on our website. We use the service to analyse and optimise the search and online behaviour of users. We use it to analyse your usage behaviour for purposes of market research and to measure reach (“web analytics”). A Stylight JavaScript is embedded in our pages (see section 4) so that certain data on your user behaviour can be collected. When you visit our pages, your browser information, device information, IP address, user activity, referrer URL, pages visited, request ID, the device’s operating system, session ID, access status, the date and time of your visit and your e-mail address are collected.

i) Performance Media

We task our media agency Performance Media GmbH, Gorch-Fock-Wall 1a, 20354 Hamburg, Germany (hereinafter referred to as “Performance Media”) to process browser data with the aid of cookies and scripts (see section 4) so that your browser is recognised when you visit our website again. In this context, Performance Media processes IP addresses, cookie IDs and information on your usage behaviour on our behalf. These data are used to analyse visitors’ behaviour and for creating pseudonymous user profiles. Performance Media uses these data to conduct targeting campaigns for us so that you can be shown more relevant and more useful advertising. If Performance Media engages further partners and service providers, they are – like Performance Media – also obligated to comply with data protection regulations.

Apart from withdrawing your consent on our site, you can also issue a “global opt-out” for Performance Media and its partners. You can find more details about that here.    

j) Emarsys Web Extend and Smart Insight

We use Emarsys Web Extend and Smart Insight from Emarsys eMarketing Systems AG (hereinafter referred to as “Emarsys”) to evaluate the behaviour of our website visitors and to personalise our newsletters (see section 2 e)). In this connection, pseudonymous user profiles are created and cookies and JavaScript snippets are used (see section 4).

Information about the use of our website (e.g. IP address, browsing information and the item numbers of products that were viewed or placed in the basket) is processed with Emarsys Web Extend.  We use the information obtained by Web Extend to enhance existing customer profiles and to enable individualised content. As part of that, we use information such as receipt and read confirmations of e-mails as well as information about the computer and Internet connection, operating system, platform, your surfing history, your ordering history, the date and time of your visit to the homepage and products/items that you viewed.

If you have registered for our newsletter and you have a user account and have logged onto it or if you visit our site by clicking on a link in a newsletter, we will link the collected information to your profile on the basis of your consent.

A data processing agreement pursuant to Article 28 GDPR has been concluded with Emarsys. Under this agreement, Emarsys warrants that it will process data in compliance with the General Data Protection Regulation and guarantees that the rights of data subjects will be protected.

k) AWIN

We use the advertising network of AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany (hereinafter referred to as “AWIN”). AWIN allows us to play out advertising content and analyse the success of campaigns.

Under its service, AWIN saves cookies on the devices of users who visit our website in order to document transactions (such as leads and sales). The sole purpose of these cookies is to ensure correct assignment of the success of advertising and appropriate billing within the advertising network. Only information on when a certain ad was clicked on from a device is placed in a cookie. An individual sequence of digits that cannot be used to identify the individual user is stored in the tracking cookies and documents

  • the partner programme of an advertiser,

  • the publisher, and

  • the time of the user’s action (click or view).

As part of that, AWIN also collects information on the device from which a transaction is carried out, such as the operating system and the browser calling the site. AWIN likewise uses session tracking and fingerprinting for these purposes.

We have concluded a joint controller agreement with AWIN and are responsible together with AWIN for processing of the data. We have defined the responsibility of each party for complying with the obligations under the General Data Protection Regulation in this agreement. Under this shared responsibility, however, you can in principle exercise your rights as a data subject towards each of the joint controllers.

l) elaboratum with behamics

We use technologies from behamics AG, Fürstenlandstr. 35, 9001 St. Gallen, Switzerland (www.behamics.com, hereinafter referred to as “behamics”), which are provided to us by elaboratum – new commerce consulting, Kaflerstrasse 2, 81241 Munich, Germany.

The technologies help us personalise website content, play out incentives, and conduct tests to optimise user-friendliness.

Information on user behaviour on our websites is processed in this context. Apart from a cookie ID, information on use of the shopping basket (added or removed items, the total item prices), the order number, information on the articles that are called and/or selected as they are displayed to the user, and information on the pages visited as they are displayed to the user are also recorded as part of that. Where we can identify it by technical means, the location of the user is also recorded, but confined only to the country and (nearby) city. The recorded information is transmitted to behamics together with a session ID that has been created, processed by elaboratum for analytical purposes, and erased after 30 days.

This information is assigned on our behalf to segments on the basis of various criteria so that it can be analysed for the above purposes so as to enable us to offer user groups a tailored experience.

The information is not used to identify individual users or combined with other data on individual users. Instead, analysis of the information and any tailored playout of content are carried out solely on the basis of aggregated data as part of the segments that are created. In particular, no information on names, contact data, addresses or a customer number is recorded.

The session ID and data in the segments assigned to it are processed for a maximum of 36 months so that seasonal effects can be analysed. Individual users are not re-identified as part of that.

The behamics solution is used on the basis of data processing agreements.

Data are transmitted to Switzerland as part of behamics’ use. The EU Commission has determined that Switzerland offers an adequate level of data protection and so transmission of data to places in Switzerland is permissible subject to the same conditions as transmission of data within the European Union.

You can find further information on data protection at behamics and elaboratum here.

6. Google Maps

On the basis of your consent in accordance with Article 6 (1) point (a) GDPR, we use the Google Maps offering from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S. (hereinafter referred to as “Google”) on our website in order to present an interactive map. You can withdraw your consent at any time with future effect using the consent management tool. You can find the tool under “Cookie settings” at the bottom of our website. As a result of the implementation, Google records device-related information, log data including the IP address, and location information. Data is not transferred to Google solely by our website being called. You activate the interactive map of Google Maps and so consent to the data being transferred to Google only once you click on the map. These personal data collected by Google are transferred to a Google server in the U.S. and stored there. The U.S. is an unsafe third country (see also section 3 f)). That means a level of data protection comparable to that in the European Union is not guaranteed in the U.S. We have concluded a data processing agreement, including the EU standard contractual clauses, with Google. That ensures there is a level of data protection comparable to that in the European Union (see details on the transfer of data to the U.S. in Section 3 g)).

Google uses the personal data to evaluate use of the website, to compile reports on website activities and to provide other services relating to website and Internet use for the purposes of market research and tailoring these web pages to needs. This information may also be transferred by Google to third parties if this is prescribed by law or third parties process this data on behalf of Google. You can prevent any transfer of data as part of using Google Maps to Google’s servers by disabling JavaScript in your browser. However, that means you will not be able to display the map. You can find more information on data protection in relation to Google Maps in Google’s Privacy Policy.

7. Trusted Shops seal of approval

If you have granted your consent in accordance with Article 6 (1) sentence 1 point (a) GDPR during or after your order by checking the relevant checkbox or clicking on the button provided for that purpose (“Rate later”), we send your e-mail address to Trusted Shops GmbH, Subbelrather Str. 15c, 50823 Cologne, Germany, so that it can remind you by e-mail that you can submit a rating. You can withdraw that consent at any time by sending a mail to our contact address below or by contacting Trusted Shops directly.

This serves to protect overriding legitimate interests, based on a weighing of interests, of ensuring the optimal marketing of our product range pursuant to Section 6 (1) sentence 1 point (f) GDPR. The Trustbadge and the services advertised with it are offered by Trusted Shops GmbH, Subbelrather St. 15C, 50823 Cologne, Germany.

When Trustbadge is accessed online, the web server will automatically store a server logfile, which contains such information as your IP address, date and time of access, the amount of transferred data and the requesting provider (access data) and will document access. These access data will not be analysed and will be automatically overwritten no later than seven days after your visit to the site is over.

Other personal data will be transmitted to Trusted Shops only if you have given your consent, have decided to use Trusted Shops’ products after completing an order or have already registered to use them. In this case, the contractual agreement between you and Trusted Shops will apply.

8. SOVENDUS vouchers

After you make a purchase at www.calida.com, we offer you the possibility of obtaining vouchers for online portals via the Sovendus GmbH network.

Voucher offers from Sovendus GmbH: As part of a process for selecting a voucher offering that might currently interest you, we will send the hash value of your e-mail address and IP address in pseudonymised and encrypted form to Sovendus GmbH, Hermann-Veit-Str. 6, 76135 Karlsruhe, Germany (Sovendus) (Article 6 (1) point (f) GDPR). The pseudonymised hash value of the e-mail address will be used to determine whether any objection to receiving advertising from Sovendus has been received (Article 21 (3) and Article 6 (1) point (c) GDPR). The IP address will be used by Sovendus solely for the purpose of data security and, as a rule, will be anonymised after seven days (Article 6 (1) point (f) GDPR). For billing purposes, we also send the order number, order value along with the currency, session ID, coupon code and time stamp to Sovendus in pseudonymised form on the basis of the consent you gave to us using the cookie management tool (Article 6 (1) point (a) GDPR). If you are interested in receiving a voucher offer from Sovendus, no objection to advertising has been linked to your e-mail address and you click only on the voucher banner displayed for this sale, we will send your form of address, name, postcode, country and e-mail address to Sovendus in encrypted form for the purpose of preparing the voucher (Article 6 (1) points (b) and (f) GDPR).

You can find more information on how Sovendus processes your data in its online privacy policy at https://online.sovendus.com/en/online-privacy-notice/.

9. Rights of data subjects

You have the right to:

  • demand, in accordance with Article 15 GDPR, information on and access to your personal data we have processed. In particular, you can demand information on the purposes of processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the length of time they are to be stored for, the existence of a right to rectification, erasure or restriction of processing of your data or to object to their being processed, the existence of a right to lodge a complaint, and the origin of your data if they have not been collected by us, as well as the existence of automated decision-making, including profiling, and any meaningful information about the details of that;

  • demand, in accordance with Article 16 GDPR, immediate rectification of inaccurate personal data we have stored concerning you and demand that incomplete personal data are completed;

  • demand, in accordance with Article 17 GDPR, erasure of personal data we have stored concerning you, unless processing of them is required for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;

  • demand, in accordance with Article 18 GDPR, restriction of processing of your personal data, if you dispute the correctness of the data, processing of them is unlawful, but you oppose their erasure and we no longer need the data, but you need them to establish, exercise or defend legal claims, or you have objected to processing of your data in accordance with Article 21 GDPR;

  • receive the personal data you have provided, in a structured, commonly used and machine-readable format, or demand that your data be transmitted to another controller in accordance with Article 20 GDPR;

  • revoke your consent to processing of your data at any time in accordance with Article 7 (3) GDPR. As a consequence, we will no longer be allowed to continue processing the data on the basis of this prior consent with future effect; and

  • lodge a complaint with a supervisory authority in accordance with Article 77 GDPR. You can usually do so with the supervisory authority responsible for your habitual residence, place of work or the location of our company’s registered offices.

10. Right to object

If your personal data are processed to safeguard legitimate interests in accordance with Article 6 (1) sentence 1 (f) GDPR, you have the right under Article 21 GDPR to object to processing of your personal data if there are grounds relating to your particular situation or the objection is to direct marketing. In the latter case, you have a general right to object and we will comply with that right without any need for you to specify grounds relating to your particular situation.

If you wish to make use of your right to object to processing, simply send an e-mail to [email protected].

11. Data Security

All the data you personally transfer will be sent in encrypted form using the customary and secure TLS (Transport Layer Security) standard. TLS is a secure and proven standard which is also used for online banking, for example. You can recognise a secure TLS connection inter alia by the “s” appended to http (i.e. https://..) in the address bar of your browser or by the padlock icon at the bottom of your browser.

We also use appropriate technical and organisational security measures to protect your data against accidental or intentional manipulation, complete or partial loss and destruction, or access by unauthorised third parties. Our security measures are constantly improved to reflect technological advances.

12. Up-to-dateness of and amendments to this Privacy Policy

This Privacy Policy is currently valid in its version dated 07 May 2021.

This Privacy Notice may need to be amended if our website and offerings on it are developed further or pursuant to changes in the law or official requirements. You can obtain and print out the up-to-date Privacy Notice at any time on the website at https://www.calida.com/en-DE/cms/Legal-and-general-information/data-privacy/?updateShop_1_DE.