Privacy Policy

Privacy Statement

1. Definitions

This Privacy Statement uses the terminology of the General Data Protection Regulation (GDPR) as adopted by the European legislator. In what follows, we offer a brief explanation of these terms:

a. Personal data

‘Personal data’ refers to all information relating to an identified or identifiable natural person (hereinafter referred to as the ‘data subject’). A natural person is deemed identifiable if he or she can be identified, directly or indirectly, in particular through assignment of an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics that are an expression of the physical, physiological, genetic, mental, economic, cultural or social identity of said natural person.

b. Data subject

A data subject is any identified or identifiable natural person whose personal data are processed by the controller in charge of the processing.

c. Processing

‘Processing’ is taken to denote any operation or set of operations performed on personal data, whether or not by automated means. These operations can include the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other provision, alignment or combination, restriction, erasure or destruction of personal data.

d. Restriction of processing

Restriction of processing involves the marking of stored personal data with the aim of limiting their processing in future.

e. Profiling

‘Profiling’ refers to any form of automated processing of personal data consisting of the use of these personal data to assess certain personal aspects relating to a natural person, and specifically to analyze or predict aspects relative to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

f. Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject absent the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures that ensure that these personal data are not attributed to an identified or identifiable natural person.

g. Controller or party responsible for processing

The controller or party responsible for processing is the natural or legal person, public authority, agency or any other body which, acting alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are laid down by the laws of the European Union, or by the laws of the Member States, the controller or the specific criteria for its nomination may be provided under European Union law or the laws of the Member States.

h. Processor

A processor is a natural or legal person, public authority, agency or other body that processes personal data on the controller’s behalf.

i. Recipient

The recipient is a natural or legal person, public authority, agency or other body to which personal data are disclosed, regardless of whether this recipient is a third party or not. Public authorities that may receive personal data under European Union law or the laws of the Member States within the framework of a particular inquiry are not, however, regarded as recipients.

j. Third party

A third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who are authorized to process personal data under the direct authority of the controller or processor.

k. Consent

Consent by the data subject is any voluntarily given, specific, informed and unambiguous expression of the data subject’s wishes by which he or she, in the form of a statement or some other clear, affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Name and contact details of the data controller 

This data-protection information applies to data processing carried out by:

Herbacin cosmetic GmbH
represented by Managing Directors Gerd Thien, Nadja E. Thien-Schönhofen
Registered with the District Court [Amtsgericht] of Mühlhausen:
HRB District Court of Jena HRB 400180
VAT ID No. DE 150375437

Herbacin cosmetic GmbH
Kahlenberger Straße 1
99848 Wutha-Farnroda, Germany
Telephone: +49 36921/273-0
Fax: +49 36921/273-40

Data controllers responsible for processing: Gerd Thien, Nadja E. Thien-Schönhofen

For questions pertaining to data protection, please contact our Data Protection Officer:

Attorney Tino Gunkel

Telephone: +49 36921 / 27 30 | Fax: +49 36921 / 27 340

E-mail: datenschutz@herbacin.com


3. Collection and storage of personal data as well as the type and purpose of their use

a. When visiting the website

When you visit our website, https://www.herbacin.com, the browser used on your device automatically sends information to our website’s server. This information is temporarily stored in what is referred to as a ‘log file’. The following information is recorded without your intervention and stored until automatically erased:

  • IP address of the requesting computer,
  • Date and time of access,
  • Name and URL of the file called up,
  • The website from which access is provided (referrer URL),
  • The browser used and, where applicable, the operating system of your computer as well as the name of your access provider.

We process the data mentioned above for the following purposes:

  • To ensure a smooth connection to the website,
  • To ensure convenient use of our website,
  • To evaluate system security and stability and
  • For other administrative purposes.

The basis in law for the processing of data is provided under Art. 6 (1) (1) (f) GDPR. Our legitimate interest arises from the purposes for data collection as listed above. Under no circumstances do we use the data collected for the purpose of drawing conclusions about you personally.

In addition, we use cookies and analytics services when you visit our website. You will find more detailed explanations under Sections 5 and 6 of this Privacy Statement.

b. When using our contact form

Please feel free to use the form provided on the website to contact us with any questions you may have. A valid e-mail address is required for this purpose; this way, we can know who has submitted the request and can respond accordingly. Further information can be provided voluntarily. Under Art. 6 (1) (1) (a) GDPR, data processing undertaken in connection with your contact with us is based on your voluntary consent.

The personal data we collect for the use of the contact form will be erased automatically once your request has been processed.

c. When subscribing to our newsletter

Our website gives you the opportunity to subscribe to our company’s newsletter. The personal data transmitted to the data controller when the newsletter subscription is ordered stems from the input screen used for this purpose.

We use a newsletter to inform our customers and business partners of our company’s current offers at regular intervals. As a matter of principle, you can only receive our company’s newsletter if you have a valid e-mail address and have registered to receive the newsletter. For legal reasons, a confirmation e-mail using the double-opt-in procedure will be sent to the e-mail address you first entered for e-mail transmission of the newsletter. This confirmation e-mail serves to verify whether the owner of the e-mail address has authorized receipt of the newsletter in his or her capacity as data subject.

When you register to receive the newsletter, we store the IP address of the computer system you use, as assigned by the Internet Service Provider (ISP), at the time of registration, as well as the date and time of registration. These data must be collected so that any subsequent abuse of your e-mail address can be traced; to this extent, their collection serves our legal protection.

The personal data collected in the context of registration for the newsletter will be used exclusively for transmission of our newsletter. Newsletter subscribers may also be notified by e-mail, where this is necessary for the operation of the newsletter service or registration in this connection, as might be the case in the event of modifications to the newsletter offer or changes in the technical conditions involved. The personal data collected in the context of the newsletter service will not be forwarded to third parties. The data subject is free to cancel his or her subscription to our newsletter at any time. Consent to storage of the personal data with which you have provided us for transmission of the newsletter may be revoked at any time. You will find a link in every newsletter that you can use to withdraw your consent. Our website also offers you the option of directly unsubscribing from our newsletter at any time; you may also inform us of your subscription cancellation in other ways.

– Newsletter tracking

Our newsletters contain what are known as ‘tracking pixels’. A tracking pixel is a miniature graphic embedded in e-mails that are sent in HTML format to enable log file recording and log file analysis. This permits a statistical evaluation of the success or failure of online marketing campaigns. We can use the embedded tracking pixel to determine whether and when you have opened an e-mail, and which of the links in the e-mail you called up. We store and evaluate personal data collected using tracking pixels contained in the newsletters in order to optimize newsletter transmission and to tailor the content of future newsletters to create an even closer fit with your interests. These personal data are not forwarded to third parties. At all times, you are entitled to cancel the declaration of consent you have separately provided in this connection using the double-opt-in procedure. We will erase these personal data following a withdrawal. If you unsubscribe from the newsletter, this is automatically interpreted as a withdrawal of consent.

4. Transmission of data

Your personal data will not be transmitted to third parties for purposes other than those listed below.

We will only disclose your personal data to third parties if:

  • you have granted your express consent in accordance with Art. 6 (1) (1) (a) GDPR,
  • the transmission is required pursuant to Art. 6 (1) (1) (f) GDPR in order to establish, exercise or defend legal claims and there is no reason to assume that you have an overriding interest, worthy of protection, in not disclosing your data,
  • a legal obligation exists for the transmission of data pursuant to Art. 6 (1) (1) (c) GDPR, and
  • it is permitted by law and required under Art. 6 (1) (1) (b) GDPR for the settlement of contractual relationships with you.

a. Integration of the Trusted Shops Trustbadge

The Trusted Shops Trustbadge is integrated on this website to display our Trusted Shops Trustmark as well as to offer Trusted Shops products to buyers after an order.

This is necessary to safeguard our prevailing legitimate interest in optimal marketing by ensuring the safety of your purchase, in accordance with Article 6 (1) (f) GDPR. The Trustbadge and the services advertised with it are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne, Germany. The Trustbadge is made available by a CDN provider (content delivery network) as part of order processing. Trusted Shops GmbH also uses service providers from the USA. An adequate level of data protection is guaranteed. Further information on the data security of Trusted Shops GmbH can be found here: https://www.trustedshops.co.uk/imprint/

When the Trustbadge is called up, the web server automatically saves a server log file which contains, for example, your IP address, the date and time of the call, the amount of data transferred and the requesting provider (access data) and documents the call. Individual access data are stored in a security database for the analysis of security problems. The log files are automatically deleted 90 days after creation at the latest.

Further personal data will be transferred to Trusted Shops GmbH if you decide to use Trusted Shops products after completing an order or have already registered for their use. The contractual agreement made between you and Trusted Shops applies. For this purpose, personal data are automatically collected from the order data. Whether or not you are already registered as a Trusted Shops customer is automatically checked by means of a neutral parameter: your e-mail address, hashed using a cryptographic one-way function. The e-mail address is converted to this hash value before it is transmitted, and Trusted Shops cannot reverse the hash to recover the address. After checking for a match, the parameter is deleted automatically.

This is necessary for the fulfillment of our and Trusted Shops’ legitimate prevailing interests in the provision of the buyer protection linked to the specific order and the transactional review services in accordance with Art. 6 para. 1 s. 1 lit. f GDPR. Further details, including your right to object, can be found in the Trusted Shops Privacy Policy linked above and within the Trustbadge.

5. Cookies

We use ‘cookies’ on our website. Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) whenever you visit our website. Cookies do not damage your device, and they do not contain viruses, Trojans or other malware. Information is stored in the cookie that arises from the specific device used. This does not give us direct knowledge of your identity, however. Cookies are used, on the one hand, to make our offer more pleasant for you to use. For example, we use what are known as ‘session cookies’ to help us recognize that you have already visited individual pages of our website. These session cookies are automatically deleted after you leave our website.

We also use temporary cookies that are stored on your device for a specified period of time to optimize user-friendliness. If you visit our site again to use our services, the site automatically recognizes that you have already visited us, along with any inputs and settings you have made; this saves you the effort of re-entering these. We also use cookies to collect statistics on the use of our website and to evaluate these for you in the interest of optimizing our offer (see Section 6). If you return to our site, these cookies enable us to automatically recognize that you have already visited us. These cookies are automatically deleted after an individually specified time.

The data processed by cookies are required for the aforementioned purposes in order to protect our legitimate interests and those of third parties pursuant to Art. 6 (1) (1) (f) GDPR. Most Internet browsers accept cookies automatically. On the other hand, you can configure your browser so that no cookies are stored on your computer, or so that a message always appears before a new cookie is created. Complete deactivation of cookies, however, may prevent you from using all the functions of our website.

6. Analytical tools

The tracking measures listed below and used by us are carried out on the basis of Art. 6 (1) (1) (f) GDPR. We deploy these tracking measures to help ensure that our website is designed to meet users’ needs and is continually optimized. We also use tracking measures to collect statistics on the use of our website and to evaluate these in the interest of optimizing our offer for you. These interests are considered legitimate under the aforementioned regulation.

a. Google Analytics

For the purpose of demand-oriented design and continually optimizing our websites, we use Google Analytics, a web-analytics service provided by Google Inc. (https://www.google.com/intl/en/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter: ‘Google’). Pseudonymized user profiles are created, and cookies are used, in this connection (see Section 5). The information generated by the cookie about the use of this website, such as

  • browser type/version,
  • the operating system used,
  • referrer URL (the site visited previously),
  • host name of the accessing computer (IP address),
  • time of the server request

is transmitted to a server hosted by Google in the USA and stored there. The information is used to evaluate use of the website, to compile reports about advertising activities and to provide further services associated with the use of the website and the Internet for purposes of market research and demand-oriented design of these web pages. This information may also be forwarded to third parties where this is required by law, or where these third parties have been commissioned to process these data. Under no circumstances will your IP address be associated with other data collected by Google. IP addresses are anonymized to prevent such assignment (IP masking).

You can set the browser software to deny installation of cookies; we wish to point out, however, that, in this case, full use of all of the functions of this website may not be available.

In addition, you may prevent collection of the data generated by the cookie relative to your usage of the website (incl. your IP address), along with processing of these data by Google, by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=en).

As an alternative to the browser add-on, and particularly for browsers on mobile devices, you can also prevent Google Analytics from collecting data by clicking this link. An opt-out cookie will be set to prevent future collection of your data during visits to this website. The opt-out cookie applies only in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again.

Further information about data protection in connection with Google Analytics can be found under the Google Analytics Help function (https://support.google.com/analytics/answer/6004245?hl=en).

b. Google Adwords Conversion Tracking

We also use Google Conversion Tracking to statistically record and evaluate the use of our website for the purpose of optimizing it for you. Google Adwords will store a cookie (see Section 5) on your computer if you have accessed our website via a Google ad.

These cookies expire after 30 days and are not used for personal identification. Should the user visit certain pages of the Adwords customer’s website and the cookie has not yet expired, Google and the customer can tell that the user has clicked on the ad and been forwarded to that page.

Each Adwords customer receives a different cookie. As a result, cookies cannot be tracked across Adwords customers’ websites. The information obtained using the conversion cookie is used to create conversion statistics for Adwords customers who have opted into conversion tracking. Adwords customers are told the total number of users who clicked on their ad and were forwarded to a page containing a conversion tracking tag. Adwords customers are not, however, provided with any information that can be used to identify users personally.

If you do not wish to participate in the tracking process, you can also decline placement of a cookie that this requires – such as via the browser setting that generally disables the automatic placement of cookies. You can also disable cookies for conversion tracking by setting your browser to block cookies originating from the ‘www.googleadservices.com’ domain. You can find Google’s privacy policy on conversion tracking here: (https://services.google.com/sitestats/en.html).

7. Registration function 

You have the option of registering on our website through the provision of personal data. The personal data transmitted to us are determined by the respective input screen used for registration. The personal data you enter are collected and stored exclusively for our own purposes. We may arrange for transmission to one or more processors – to a parcel service provider, for instance – which will also use the personal data exclusively for an internal purpose attributable to the controller.

When you register on our website, the IP address assigned to you by your Internet Service Provider (ISP) at that time is stored, along with the date and time of registration. These data are stored because this is the only way to prevent abuse of our services; if need be, these data can also be used to shed light on criminal offenses that have been committed. In this respect, storage of these data is required for the protection of the controller. These data are not passed on to third parties unless required by law, or unless their disclosure is in furtherance of a criminal prosecution. The personal data you voluntarily provide upon registration help us offer you content or services that can only be offered to registered users due to the nature of the matters involved. Registered persons are free to amend the personal data furnished upon registration at any time, or to have them erased from our database altogether. Upon request submitted at any time, we will provide you with information as to the personal data stored about you. Furthermore, we rectify or erase personal data upon request or notice by the data subject, provided there are no statutory retention obligations to the contrary. Our entire workforce is available to assist you in this connection.

8. Data protection for applications 

We collect and process the personal data of job candidates for the purpose of handling the application process. Processing may also be carried out electronically. This is particularly the case if a candidate sends us corresponding application documents electronically, such as, e.g., by e-mail or using a web form on the website. If we conclude an employment contract with a candidate, the data transmitted will be stored for the purpose of processing the employment relationship and in compliance with the provisions of statute. If we do not conclude an employment contract with a candidate, the application documents are automatically erased two months after notification of the decision of refusal, provided that we have no other legitimate interests that would stand in the way of erasure. Other legitimate interests in this respect might be, for example, a burden of proof in proceedings under the German General Equal Treatment Act [AGG].

9. Social media plug-ins 

We use various plug-ins from social networks on our website. A social network is an Internet-based social meeting place, an online community that typically enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for the exchange of views and experiences or can allow members of the Internet community to provide others with personal or enterprise-related information. Facebook enables users of its social network to create private profiles, upload photos and network via friendship requests, among other things.

a. Facebook

We have integrated components of the Facebook company on this website. Facebook is a social network.

The operating company of Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. If a data subject resides outside the US or Canada, the controller responsible for the processing of personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

On each visit to one of the individual pages of this website, which is operated by us and on which a Facebook component (Facebook plug-in) has been integrated, the respective Facebook component automatically causes the Internet browser on your IT system to download a representation of the corresponding Facebook component from Facebook. An overview of all Facebook plug-ins can be found at https://developers.facebook.com/docs/plugins/?locale=en_EN. This technical process provides Facebook with information about the specific subpage of our website visited by you.

If you are simultaneously logged in to Facebook, Facebook recognizes which specific subpage of our website you call up for each visit to our website and throughout the respective stay on our website. This information is collected by the Facebook component and assigned by Facebook to your Facebook account. If you click one of the Facebook buttons integrated on our website – the ‘Like’ button, for example – or enter a comment, Facebook assigns this information to your personal Facebook user account and stores these personal data.

The Facebook component always notifies Facebook if you have visited our website while logged on to Facebook at the time you call up our website. This occurs regardless of whether you click the Facebook component or not. If you do not wish for this information to be transmitted to Facebook, you can prevent its transmission by logging out of your Facebook account before calling up our website.

The data policy published by Facebook and available at https://www.facebook.com/privacy/explanation provides information on the collection, processing and use of personal data by Facebook. That policy also explains what setting options Facebook offers for the protection of your privacy. In addition, various applications are available that you can use to suppress the transmission of data to Facebook.

b. YouTube

On the basis of Art. 6 (1) (1) (f) GDPR, our website utilizes YouTube components to promote awareness of our company in this way. The underlying advertising purpose is to be regarded as a legitimate interest under the GDPR.

YouTube is an Internet video portal that allows video publishers to post video clips, and other users to view, rate and comment on them, free of charge. YouTube permits the publication of all manner of videos, which is why entire film and television programs, as well as music videos, trailers or videos produced by the users themselves, can be called up via the Internet portal.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

On each visit to one of the individual pages of this website, which is operated by us and on which a YouTube component (YouTube video) has been integrated, your respective YouTube component automatically causes your Internet browser to download a representation of the corresponding YouTube component from YouTube. More information about YouTube can be found at https://www.youtube.com/yt/about/. This technical process provides YouTube and Google with information about the specific subpage of our website visited by you.

If you are logged on to YouTube at the same time, YouTube recognizes which specific subpage of our website you are visiting when you call up a subpage containing a YouTube video. This information is collected by YouTube and Google and, where appropriate, associated with your YouTube account (if you have one).

The YouTube component always notifies YouTube and Google if you have visited our website while logged on to YouTube at the time you call up our website. This occurs regardless of whether you click a YouTube video or not. If you do not wish for this information to be transmitted to YouTube and Google, you can prevent its transmission by logging out of your YouTube account before calling up our website.

The privacy policy published by YouTube, which is to be found at https://policies.google.com/privacy?hl=en/, provides information on the collection, processing and use of personal data by YouTube and Google.

c. Twitter

Our website contains integrated plug-ins from the short message network of Twitter Inc. (Twitter). You can recognize the Twitter plug-ins (tweet button) by the Twitter logo on our site. An overview of the tweet buttons can be found here (https://about.twitter.com/resources/buttons).

When you access a page of our website that contains such a plug-in, a direct connection is established between your browser and the Twitter server. This informs Twitter that you have visited our website with your IP address. If you click on the Twitter ‘tweet button’ while logged in to your Twitter account, you can place a link to the content of our website(s) on your Twitter profile. This enables Twitter to assign a visit to our website(s) to your user account. We wish to point out that Twitter does not provide us, the provider of this website, with any information about the content of the data transmitted in this manner, or about the use to which it may be put.

If you would prefer to keep Twitter from being able to assign a visit to our website to your account, please log out of your Twitter user account.

For more information, please see the Twitter Privacy Statement (https://twitter.com/privacy).

d. Google+ 

The Google+ button is integrated as a component on our website. Google+ is what is referred to as a ‘social network’. A social network is an Internet-based social meeting place, an online community that typically enables users to communicate with each other and interact in virtual space. A social network can serve as a platform for the exchange of views and experiences or can allow members of the Internet community to provide others with personal or enterprise-related information. Google+ enables users of its social network to create private profiles, upload photos and network via friendship requests, among other things.

The operating company of Google+ is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

On each visit to one of the individual pages of this website on which a Google+ button has been integrated, the respective Google+ button automatically causes your Internet browser to download a representation of the corresponding Google+ button from Google. This technical process provides Google with information about the specific subpage of our website visited by the data subject. More detailed information about Google+ is available at https://developers.google.com/+/.

If you are simultaneously logged in to Google+, Google recognizes which specific subpage of our website you call up for each visit to our website and throughout the respective stay on our website. This information is collected by the Google+ button and assigned by Google to your Google+ account.

If you click one of the Google+ buttons integrated on our website and submit a Google+1 recommendation, Google assigns this information to your personal Google+ user account and stores these personal data. Google stores your Google+1 recommendation and makes it publicly available in accordance with the conditions you have accepted in this connection. A Google+1 recommendation made by you on this website will subsequently be stored and processed together with other personal data, such as the name of the Google+1 account used by you and the photo stored in this account in other Google services, such as the search engine results of the Google search engine, your Google account or in other places, such as on web pages or in connection with advertisements. Furthermore, Google is able to link the visit to this website with other personal data stored by Google. Google also records this personal information for the purpose of improving or optimizing the various services it provides.

The Google+ button always notifies Google if you have visited our website while logged on to Google+ at the time you call up our website; this occurs regardless of whether you click the Google+ button or not.

If you do not wish for this personal data to be transmitted to Google, you can prevent its transmission by logging out of your Google+ account before calling up our website.

Additional information and the applicable data protection provisions of Google can be found at https://policies.google.com/privacy?hl=en. For more information from Google on the Google+1 button, visit https://developers.google.com/+/web/buttons-policy.

10. Google services

a. Google Maps

On our website, we use the Google Maps API to visualize geographic information. When Google Maps is used, Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, California, 94043) also collects, processes, and utilizes data about the use of the functions of Maps by website visitors. For more information about data processing by Google, refer to Google’s Privacy Policy, which you can access at https://policies.google.com/privacy.

b. Google Webfonts

In order to present our contents correctly and in a graphically appealing way across all browsers, we use font libraries on this website such as Google Webfonts (https://www.google.com/webfonts/). Google Webfonts are loaded into your browser’s cache to avoid multiple loading. If your browser does not support Google Webfonts or does not grant access, content will be displayed in a default font.

Calling up font libraries automatically triggers a connection to the library operator. The privacy policy of Google, the library operator, can be found here: https://policies.google.com/privacy

11. PayPal payment-service provider

We have integrated components of PayPal on this website. PayPal is an online provider of payment services. Payments are processed via what are known as ‘PayPal accounts’; these are virtual private or business accounts. In addition, PayPal offers the option of processing virtual payments via credit cards if a user does not have a PayPal account. A PayPal account is managed via an e-mail address, which is why there is no classic account number. PayPal makes it possible to initiate online payments to third parties or to receive payments. PayPal also acts as a trustee and provides buyer protection services. The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg. If, when ordering from our online shop, you select the ‘PayPal’ payment option, personal data about you is automatically transmitted. By selecting this payment option, you consent to the transmission of the personal data required for payment processing. The personal data transmitted to PayPal is typically the individual’s first name, last name, address, e-mail address, IP address, telephone number, mobile phone number, or other data required for payment processing. Personal data in connection with the respective order are also required to process the purchase agreement. The purpose of the data transmission is to process payments and prevent fraud. We will transmit personal data to PayPal particularly if there is a legitimate interest for the transmission. Personal data exchanged between PayPal and us may be transferred by PayPal to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. PayPal will, if necessary, pass on personal data to affiliates and service providers or subcontractors to the extent necessary to meet contractual obligations, or for commissioned processing of data. You have the option of withdrawing your consent to PayPal for the handling of your personal data at any time. A withdrawal does not affect personal data which are required to be processed, used or transmitted for (contractual) payment processing.

The applicable data protection provisions of PayPal may be called up from https://www.paypal.com/us/webapps/mpp/ua/privacy-full.

12. Payment-service provider Concardis GmbH

In the area of card payment (debit/girocard/credit cards) we work with Concardis GmbH (Concardis), Helfmann Park 7, D-65760 Eschborn, represented by its managing directors Mark Freese, Jens Mahlke and Luca Zanotti. In this context, in addition to the purchase amount and date, card data are also transmitted to the above-mentioned company. All payment data, along with data on possible return debits, are stored only as long as they are required for payment processing (including processing of possible return debits and debt collection) and to combat abuse. These data are typically erased no later than 13 months after they have been collected. Further storage may be performed if and as long as necessary to comply with a statutory retention period, or to prosecute specific cases of abuse. The basis in law for the processing of data in this connection is Art. 6 (1) (f) of the General Data Protection Regulation. You may request information and, if necessary, rectification or erasure, as well as restriction on the processing of your data and/or, where appropriate, object to the processing of your data. If you have any questions about data processing by Concardis or the exercise of your aforementioned rights, you may contact the Data Protection Officer at the address shown or by e-mail to Datenschutzbeauftragter@concardis.com. Furthermore, you have the right to lodge a complaint with a supervisory authority (in Germany, with the State Data Protection Officer). We wish to point out that the provision of payment data is prescribed neither by law nor by contract. If you do not wish to provide your payment details, you are free to use another payment procedure (e.g. cash payment).

13. Payment-service provider American Express

In the area of credit-card payments we work with American Express Services Europe Limited, branch office Frankfurt am Main, a branch of a limited-liability company under the laws of the United Kingdom with headquarters in London, Theodor-Heuss-Allee 112, 60486 Frankfurt am Main, Germany. In this context, in addition to the purchase amount and date, card data are also transmitted to the above-mentioned company. All payment data, along with data on possible return debits, are stored only as long as they are required for payment processing (including processing of possible return debits and debt collection) and to combat abuse. These data are typically erased no later than 13 months after they have been collected. Further storage may be performed if and as long as necessary to comply with a statutory retention period, or to prosecute specific cases of abuse. The basis in law for the processing of data in this connection is Art. 6 (1) (f) of the General Data Protection Regulation. You may request information and, if necessary, rectification or erasure, as well as restriction on the processing of your data and/or, where appropriate, object to the processing of your data. If you have any questions about data processing by the company mentioned above or the exercise of your aforementioned rights, you may contact the Data Protection Officer at the address shown or by e-mail to DPO-Europe@aexp.com. For more information about data protection in the above-mentioned company, visit https://www.americanexpress.com/us/content/legal-disclosures/online-privacy-statement.html. Furthermore, you have the right to lodge a complaint with a supervisory authority (in Germany, with the State Data Protection Officer). We wish to point out that the provision of payment data is prescribed neither by law nor by contract. If you do not wish to provide your payment details, you are free to use another payment procedure (e.g. cash payment).

14. Payment-service provider Wirecard

In the area of online payments, we work with Wirecard AG, Einsteinring 35, 85609 Aschheim, Germany, Tel.: +49 89 44 24 – 14 00, Fax: +49 89 44 24 – 15 00, e-mail: contact@wirecard.com, Internet: www.wirecard.de. In this context, in addition to the purchase amount and date, card data are also transmitted to the above-mentioned company. All payment data, along with data on possible return debits, are stored only as long as they are required for payment processing (including processing of possible return debits and debt collection) and to combat abuse. These data are typically erased no later than 13 months after they have been collected. Further storage may be performed if and as long as necessary to comply with a statutory retention period, or to prosecute specific cases of abuse. The basis in law for the processing of data in this connection is Art. 6 (1) (f) of the General Data Protection Regulation. You may request information and, if necessary, rectification or erasure, as well as restriction on the processing of your data and/or, where appropriate, object to the processing of your data. If you have any questions about data processing by the company mentioned above or the exercise of your aforementioned rights, you may contact the Data Protection Officer at the address shown or by e-mail to data.privacy@wirecard.com. For more about data protection in the above-mentioned company, visit https://www.wirecard.com/privacy-protection/. Furthermore, you have the right to lodge a complaint with a supervisory authority (in Germany, with the State Data Protection Officer). We wish to point out that the provision of payment data is prescribed neither by law nor by contract. If you do not wish to provide your payment details, you are free to use another payment procedure (e.g. cash payment).

15. Rights of data subjects

You have the right:

a. to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you may obtain information about the purposes of processing, the category of personal data involved, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of any data about you that has not been collected by us, and the existence of automated decision-making including profiling and, where appropriate, meaningful information about the details thereof;

b. to immediately request the rectification of incorrect information or the completion of personal data about you stored by us in accordance with Art. 16 GDPR;

c. to request the erasure of your personal data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary to exercise the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or to establish, exercise or defend legal claims;

d. pursuant to Art. 18 GDPR, to demand the restriction of processing of your personal data insofar as the accuracy of the data is disputed by you; the processing is unlawful but you reject its erasure; we no longer need the data but you need it to establish, exercise or defend legal claims; or you have objected to processing in accordance with Art. 21 GDPR;

e. to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request its transmission to another controller pursuant to Art. 20 GDPR;

f. under Art. 7 (3) GDPR, to withdraw at any time the consent you have provided to us, with the result that we may not continue in future the processing of data that was based on this consent; and

g. to lodge a complaint with a supervisory authority pursuant to Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence for this purpose.

16. Right to object

If your personal data are processed on the basis of legitimate interests in accordance with Art. 6 (1) (1) (f) GDPR, you have the right, under Art. 21 GDPR, to object to the processing of your personal data if there are reasons for this that arise from your particular situation, or if the objection is directed against direct advertising. In the latter case, you have a general right to object, with the exercise of which we shall comply without any requirement of specifying a particular situation.

If you wish to exercise your right of withdrawal or objection, simply send an e-mail to: info@herbacin.de

17. Data security

During your website visit, we use the common SSL (Secure Sockets Layer) method in combination with the highest level of encryption supported by your browser. Usually, this is 256-bit encryption. If your browser does not support 256-bit encryption, we use 128-bit v3 technology instead. Whether a single page of our website is transmitted in encrypted form is indicated by the closed key or lock symbol in the lower status bar of your browser.

We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. The security measures we have in place are continuously improved in keeping with technological progress.

18. Updating and amendment of this Privacy Statement

This Privacy Statement is currently valid as of June 2018.

It may be necessary to change this privacy policy as a result of further development of our website and services, or due to changes in statutory or regulatory requirements. You can call up and print out the current Privacy Statement at any time on the website at https://www.herbacin.com/datenschutz/.