Privacy Policy

 

Controller Responsible for Data Processing:
Dr. Frank Steinmetz
Berner Strasse 38
60437 Frankfurt am Main

wirhelfen@curaluna.de

We are pleased that you are interested in our online shop. Protecting your privacy is very important to us. Below, we provide detailed information about how we handle your personal data.

 

1. Access Data and Hosting

You can visit our websites without disclosing any personal information. Whenever you access a website, the web server automatically saves a so-called server log file, which may contain, for example, the name of the requested file, your IP address, date and time of access, the amount of data transferred, and the requesting provider (access data), and logs the retrieval.

These access data are used exclusively for the purpose of ensuring trouble-free operation of the site and improving our services. This serves to safeguard our legitimate interests in a correct presentation of our offering in accordance with Art. 6(1)(f) GDPR. All access data will be deleted no later than seven days after the end of your website visit.

1.1 Hosting

The services for hosting and displaying the website are partly provided by our service providers as part of processing on our behalf. Unless otherwise stated in this Privacy Policy, all access data as well as all data collected via forms on this website are processed on their servers. If you have any questions about our service providers and the basis of our cooperation with them, please refer to the contact details given in this Privacy Policy.

Our service providers are based in and/or use servers in the following countries: USA.
For these countries, there is no adequacy decision by the European Commission. Our cooperation with them is based on these guarantees: Standard Contractual Clauses of the European Commission.

 

1.2 Content Delivery Network

For faster loading times, we use a so-called Content Delivery Network (CDN) for some of our offerings. This service delivers content, e.g., large media files, via regionally distributed servers of external CDN service providers. Therefore, access data is processed on the servers of these providers. Our service providers act for us as processors. Some providers are located and/or use servers in countries outside the EU and the EEA. For these countries, there is no adequacy decision by the European Commission. Our cooperation with them is based on the Standard Contractual Clauses of the European Commission.

If you have questions about our service providers and the basis of our cooperation with them, please refer to the contact details given in this Privacy Policy.

 

2. Data Processing for Contract Fulfillment and Contact

2.1 Data Processing for Contract Fulfillment

For the purpose of contract fulfillment (including inquiries about and the processing of existing warranty and performance claims as well as statutory update obligations) in accordance with Art. 6(1)(b) GDPR, we collect personal data if you voluntarily provide it to us as part of your order. Mandatory fields are marked as such because we need this data to process the contract and cannot send the order without it. The data collected is apparent from the respective input forms.

Further information about the processing of your data, particularly about transfer to our service providers for order processing, payment, and shipping, can be found in the following sections of this Privacy Policy. Once the contract has been fully executed, your data will be restricted for further processing and deleted after the retention periods required under tax and commercial law, pursuant to Art. 6(1)(c) GDPR, unless you have expressly consented to further use of your data in accordance with Art. 6(1)(a) GDPR, or we reserve the right to use your data beyond this, as permitted by law, and inform you of such use in this statement.

2.2 Customer Account

If you have given your consent pursuant to Art. 6(1)(a) GDPR by choosing to open a customer account, we will use your data to open the account and store your data for future orders on our website.

You may delete your customer account at any time, either by sending a message to the contact details stated in this Privacy Policy or via a function provided for this purpose in the customer account. After deletion of your customer account, your data will also be deleted unless you have expressly consented to further use of your data pursuant to Art. 6(1)(a) GDPR, or we reserve the right to use your data beyond this as permitted by law and inform you about it in this Privacy Policy.

2.3 Contact Requests

As part of customer communication, we collect personal data to process your inquiries pursuant to Art. 6(1)(b) GDPR if you voluntarily provide such data when contacting us (e.g., via contact form or email). Mandatory fields are marked as such because we need this data to process your inquiry. The data collected is apparent from the respective input forms.

Once your inquiry has been fully processed, your data will be deleted unless you have expressly consented to further use of your data pursuant to Art. 6(1)(a) GDPR, or we reserve the right to use your data beyond this as permitted by law and inform you about it in this Privacy Policy.

 

3. Data Processing for Shipping

For contract fulfillment pursuant to Art. 6(1)(b) GDPR, we pass on your data to the shipping service provider entrusted with delivery, insofar as this is necessary for the delivery of ordered goods.

 

4. Data Processing for Payment Handling

To process payments in our online shop, we work with the following partners: technical service providers, credit institutions, and payment service providers.

4.1 Data Processing for Transaction Handling

Depending on the payment method selected, we share the data necessary to process the payment transaction with the relevant technical service providers (who act for us as processors), credit institutions, or the selected payment service provider, insofar as this is necessary for the processing of the payment, pursuant to Art. 6(1)(b) GDPR.

In some cases, payment service providers collect the data necessary for payment processing themselves, e.g., on their own website or via a technical integration in the ordering process. In these cases, the respective payment service provider’s Privacy Policy applies.

If you have any questions about our partners for payment processing and the basis of our cooperation with them, please contact us using the details given in this Privacy Policy.



4.2 Data Processing for Fraud Prevention and Optimization of Our Payment Processes

We may share additional data with our service providers, who will use it—together with the data necessary to process the payment—as our processors for the purposes of fraud prevention and optimizing our payment processes (e.g., invoicing, handling disputed payments, supporting accounting). This serves our overriding legitimate interests in fraud protection and efficient payment management, based on Art. 6(1)(f) GDPR.

 

5. Email Marketing

 

5.1 Email Newsletter with Subscription and Newsletter Tracking

If you subscribe to our newsletter, we will use the data required for this or separately provided by you to regularly send you our email newsletter based on your consent pursuant to Art. 6(1)(a) GDPR. You can unsubscribe from the newsletter at any time, either by sending a message to the contact details specified in this Privacy Policy or via the unsubscribe link provided in the newsletter. After unsubscribing, we will remove your email address from the distribution list unless you have expressly consented to a further use of your data pursuant to Art. 6(1)(a) GDPR, or we reserve the right to use your data for purposes permitted by law and of which we inform you in this Privacy Policy.

Please note that we analyze your user behavior when sending the newsletter. For this purpose, we evaluate your interaction with our newsletter by measuring, storing, and analyzing open rates and click rates to design future newsletter campaigns (“newsletter tracking”).

To enable this analysis, emails contain one-pixel technologies (e.g., web beacons, tracking pixels) stored on our website. For evaluations, we particularly link the following “newsletter data” with your email address or IP address and possibly an individual ID:

  • The page from which the page was requested (so-called referrer URL)

  • Date and time of access

  • Description of the type of web browser used

  • IP address of the requesting device

  • Email address

  • Date and time of registration and confirmation

Links contained in the newsletter may also contain this ID.
If you do not wish to be tracked, you may unsubscribe from the newsletter at any time as described above. The information is stored as long as you are subscribed to the newsletter.

5.2 Newsletter Delivery

The newsletter and the tracking described above may also be sent by our service providers as part of processing on our behalf. If you have questions about our service providers and the basis of our cooperation with them, please use the contact details provided in this Privacy Policy.

Our service providers are located and/or use servers in the following countries: USA, Australia.
For these countries, there is no adequacy decision by the European Commission. Our cooperation with these providers is based on Standard Contractual Clauses of the European Commission.



6. Cookies and Other Technologies

6.1 General Information

To make visiting our website attractive and to enable the use of certain functions, we use various technologies on different pages, including so-called cookies. Cookies are small text files automatically stored on your device. Some of the cookies we use are deleted after your browser session ends, i.e., after closing your browser (so-called session cookies). Other cookies remain on your device, allowing us to recognize your browser upon your next visit (persistent cookies).

Privacy Protection on End Devices

We use strictly necessary technologies to provide the expressly requested online service. Storing or accessing information already stored on your device does not require your consent if it is strictly necessary.
For non-essential functions, storing or accessing information on your device requires your consent. Please note that refusing consent may limit some features of our website. Any consent you provide remains valid until you adjust or reset the relevant settings on your device.

Subsequent Data Processing via Cookies and Other Technologies

We use technologies strictly necessary to provide certain functions of our website (e.g., shopping cart function). Through these technologies, your IP address, visit time, device and browser information, and information about your use of our website (e.g., cart content details) are collected and processed. This is done to protect our overriding legitimate interest in an optimized presentation of our offering, based on Art. 6(1)(f) GDPR.

We also use technologies to fulfill our legal obligations (e.g., to prove consent to process your personal data) and for web analytics and online marketing. You can find more details, including the relevant legal basis, in the following sections of this Privacy Policy.

Some technologies not explicitly listed in this Privacy Policy may also be used. Further details on these technologies, including their legal basis, are available through the Usercentrics platform. You can access this by clicking on the fingerprint icon in the bottom corner of the page.

Cookie settings for your browser can be found at these links:
Microsoft Edge™ / Safari™ / Chrome™ / Firefox™ / Opera™

If you have consented to the use of technologies pursuant to Art. 6(1)(a) GDPR, you may withdraw your consent at any time by contacting us through the methods described in this Privacy Policy. Alternatively, click the fingerprint icon in the bottom corner of the page. Please note that refusing cookies may limit the functionality of our website.

6.2 Use of Usercentrics Consent Management Platform

We use the Usercentrics Consent Management Platform (“Usercentrics”) on our website to inform you about the cookies and other technologies we use, to collect, manage, and document your legally required consent for the processing of your personal data by these technologies. This is necessary to comply with our legal obligation under Art. 7(1) GDPR to be able to prove your consent.

Usercentrics is provided by Usercentrics GmbH, Sendlinger Straße 7, 80331 Munich, Germany, which processes your data on our behalf. When visiting our website, the Usercentrics web server stores a server log file containing your anonymized IP address, date and time of visit, device and browser information, and your consent status. Your data will be deleted after three years unless you have expressly consented to further use of your data under Art. 6(1)(a) GDPR, or we reserve the right to use your data for purposes permitted by law, as stated in this Privacy Policy.

 

7. Use of Cookies and Other Third-Party Technologies

Where you have provided your consent pursuant to Art. 6(1)(a) GDPR, we use the following cookies and technologies from third-party providers on our website. After the intended purpose has been fulfilled and we no longer use the respective technology, the data collected in this context will be deleted. You can withdraw your consent at any time with future effect.

Further information on withdrawal options can be found in the section “Cookies and Other Technologies.”
You can find additional information, including the basis for our cooperation with each provider, in the descriptions of each technology. If you have questions about these providers and the basis of our cooperation with them, please contact us using the details provided in this Privacy Policy.

7.1 Use of Google Services

We use the technologies described below from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Information about your use of our website collected automatically through Google technologies is usually transmitted to a server of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and stored there. For the USA, no adequacy decision by the European Commission exists. Our cooperation with Google is based on Standard Contractual Clauses of the European Commission.
If your IP address is collected via Google technologies, it is anonymized before storage on Google’s servers by activating IP anonymization. Only in exceptional cases will the full IP address be transmitted to a Google server and shortened there. Unless otherwise stated for the individual technologies, data processing takes place based on a joint controllership agreement pursuant to Art. 26 GDPR. Further information on data processing by Google can be found in Google’s Privacy Policy.

Google Analytics

For website analysis purposes, data (IP address, time of visit, device and browser information, and information about your use of our website) is automatically collected and stored by Google Analytics, from which usage profiles are created using pseudonyms. Cookies may be used for this purpose. Your IP address is generally not merged with other Google data. Data processing is based on a data processing agreement with Google.

Google Fonts

To ensure a consistent presentation of content on our website, data (IP address, time of visit, device and browser information) is collected through the script code “Google Fonts,” transmitted to Google, and processed by Google. We have no influence on this subsequent data processing.

7.2 Information on Data Transfers to Third Countries

We use technologies from providers whose servers may be located in third countries outside the EU or EEA, including the USA. In cases like the USA, where no adequacy decision by the European Commission exists, an adequate level of data protection must be ensured through other safeguards.

In July 2020, the CJEU ruled that the EU-U.S. Privacy Shield agreement can no longer be used as a legal basis for transferring personal data to the USA. This means the sector-specific adequacy decision has been invalidated.

Adequate safeguards, such as EU Commission Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), are generally possible but require prior assessment by the contracting parties to ensure sufficient protection. Following the CJEU ruling, it may also be necessary to implement additional protective measures.

We have concluded SCCs with third-party providers processing personal data in countries like the USA, and where possible, we agree on additional safeguards to ensure adequate data protection.

However, despite contractual and technical measures, it is possible that data protection in third countries does not meet EU standards. In such cases, we may request your explicit consent under Art. 49(1)(a) GDPR via the cookie banner for the transfer of your data to a third country. This applies particularly to transfers to the USA. There is a specific risk that U.S. authorities may gain access to your data without sufficient safeguards from an EU perspective, and you may not have effective legal remedies to challenge this.



8. Social Media

Our Online Presence on Facebook (by Meta), Twitter, Instagram (by Meta), YouTube, LinkedIn

If you have given your consent pursuant to Art. 6(1)(a) GDPR to the respective social media operator, your data will be automatically collected and stored for market research and advertising purposes when you visit our profiles on the platforms listed above. Pseudonymous usage profiles are created from this data and may be used to display advertisements on and off these platforms that are likely to match your interests. Cookies are typically used for this purpose.

Detailed information on how each provider processes your data, as well as contact details and your rights and privacy settings, can be found in the privacy policies of each provider linked below. If you need assistance, you can also contact us.

  • Facebook (by Meta) is provided by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland. Data collected by Meta is usually transferred to servers of Meta Platforms, Inc., 1 Hacker Way, Menlo Park, California 94025, USA. No adequacy decision exists for the USA. Our cooperation is based on SCCs. Data processing during a visit to a Facebook Fan Page is based on a joint controllership agreement (Art. 26 GDPR). More information on Insights data here.

  • Twitter is provided by Twitter International Company, One Cumberland Place, Dublin 2, Ireland. Data collected is typically transferred to Twitter, Inc., San Francisco, CA, USA. No adequacy decision exists for the USA. Cooperation is based on SCCs.

  • Instagram (by Meta) is also provided by Meta Platforms Ireland Ltd. Data is usually transferred to Meta Platforms, Inc., USA. No adequacy decision exists for the USA. Cooperation is based on SCCs. Processing for Fan Page visits is based on a joint controllership agreement.

  • YouTube is provided by Google Ireland Ltd. Data is typically transferred to Google LLC, USA. No adequacy decision exists for the USA. Cooperation is based on SCCs.

  • LinkedIn is provided by LinkedIn Ireland Unlimited Company, Dublin, Ireland. Data is usually transferred to LinkedIn Corporation, Sunnyvale, CA, USA. No adequacy decision exists for the USA. Cooperation is based on SCCs.

 

9. Contact Options and Your Rights

 

9.1 Your Rights

As a data subject, you have the following rights:
  • pursuant to Art. 15 GDPR, the right to request information about your personal data processed by us to the extent specified therein;
  • pursuant to Art. 16 GDPR, the right to request without undue delay the correction of inaccurate personal data or the completion of your personal data stored by us;

  • pursuant to Art. 17 GDPR, the right to request the erasure of your personal data stored by us, unless further processing is necessary
    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation;
    • for reasons of public interest; or
    • for the establishment, exercise, or defense of legal claims;

  • pursuant to Art. 18 GDPR, the right to request the restriction of processing of your personal data, insofar as
    • you contest the accuracy of the data;
    • the processing is unlawful but you oppose its erasure;
    • we no longer need the data, but you require it for the establishment, exercise, or defense of legal claims; or
    • you have objected to the processing pursuant to Art. 21 GDPR;

  • pursuant to Art. 20 GDPR, the right to receive your personal data that you have provided to us in a structured, commonly used, and machine-readable format, or to request its transmission to another controller;
  • pursuant to Art. 77 GDPR, the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your habitual residence or workplace or of our company's registered office.

Right to Object

Where we process your personal data based on our overriding legitimate interests, you may object to this processing with future effect.
If the processing is for direct marketing, you can object at any time, and your data will no longer be processed for this purpose. For other purposes, you may object only if there are reasons arising from your particular situation.

After an objection, your data will no longer be processed for these purposes unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

If the processing is for direct marketing, your data will not be processed further for this purpose.

 

9.2 Contact Options

If you have questions regarding the collection, processing, or use of your personal data, requests for information, correction, restriction, or deletion of data, as well as withdrawal of consent or objections to a specific data use, please contact us directly using the details provided in our Imprint (Impressum).