Privacy Policy
The purpose of this privacy policy is to inform you and the public about the nature, scope, and purpose of the personal data we collect, use, and process, and at the same time to inform you of the rights to which you are entitled.
1. Definitions
Our privacy policy is based on the terminology used in the General Data Protection Regulation (GDPR). When we use the following terms in our privacy policy, we mean the following:
- Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). A natural person is considered “identifiable” if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. - Data subject
A person is a “data subject” if their personal data is processed by the controller responsible for the processing. - Processing
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. - Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future. - Profiling
“Profiling” means any form of automated processing of personal data used to evaluate, analyse, or predict certain aspects (in particular relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements). - Pseudonymisation
Pseudonymisation means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data is not attributed to an identified or identifiable natural person. - Controller or controller responsible for the processing
Controller or controller responsible for the processing means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. - Processor
Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. - Recipient
Recipient means a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients. - Third party
Third party means a natural or legal person, public authority, agency, or other body other than the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorised to process personal data. - Consent
Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
2. Name and address of the controller responsible for the processing
Ayurveda Parkschlösschen Bad Wildstein GmbH, represented by the managing directors Ms Brigitte Preuß and Ms Katja Lemmler,
Wildbadstraße 201-207,
56841 Traben-Trarbach, Germany,
Telephone: 0049 6541705160,
Email:
3. Collection of data and legal basis for processing
When placing an order, the legal basis for the processing of personal data is the processing of the order and the fulfilment of the contract to which the data subject is a party. The processing is based on Art. 6(1)(b) GDPR.
When contacting us independently of an order (e.g. by email or via the contact form), the legal basis is our legitimate interest in dealing with your enquiry. The processing is based on Art. 6(1)(f) GDPR.
In the case of direct marketing, the legal basis is our legitimate interest. The processing is based on Art. 6(1)(f) GDPR.
Where personal data is processed on the basis of explicit consent, the legal basis for the processing of personal data is consent pursuant to Art. 6(1)(a) GDPR.
Where personal data is processed on the basis of contractual obligations regarding updates for goods with digital elements or for digital products, the legal basis is our statutory duty to inform pursuant to Art. 6(1)(c) GDPR.
a) Collection of general data and information
When you access our website, information of a general nature is automatically collected. This information (so-called “server log files”) includes, for example, the type of internet browser, the operating system used, the domain name of your internet service provider, and similar information. This information does not allow any conclusions to be drawn about your identity. This information is technically necessary to correctly deliver the content of websites requested by you and is inevitably generated when using the internet. Anonymous information of this kind is statistically evaluated by us in order to optimise our website and the technology behind it.
The following information is collected and stored when you access our website:
- The IP address of your computer or internet-enabled device
- Date of access
- Name and URL of the file accessed
- Referrer URL
- Browser / operating system / access provider
The collection and storage of this data serves the following purposes:
- Establishing a connection to the website
- Technical use of the website
- System security
- Administration
The data processing is carried out in accordance with Art. 6(1) sentence 1 (f) GDPR.
For security reasons and to protect the transmission of personal data and other confidential content (e.g. orders or enquiries to the controller), this website uses SSL or TLS encryption. You can recognise an encrypted connection by the “https://” prefix and the padlock symbol in your browser bar.
b) Registration and ordering on our website
If you register on our website or create a user account, personal data is also collected from you in this process. Please note that although registration may provide broader access to the content of our website, it is not a mandatory prerequisite for using our website. The personal data transmitted to the controller responsible for the processing is determined by the respective input form used for registration. The personal data entered by the data subject is collected and stored exclusively for internal use by the controller responsible for the processing and for its own purposes. The controller responsible for the processing may arrange for the data to be passed on to one or more processors, such as a parcel delivery company, for the purpose of delivery to you by post; such processors will likewise use the personal data exclusively for internal purposes attributable to the controller responsible for the processing.
During a registration process on our website, the data entered by you during registration is stored.
The purpose of collecting and storing this data is:
- Customer identification
- Processing and handling of the order and correspondence with you
- Invoicing
- Handling any liability claims that may arise, and asserting any claims against you
- Technical administration of the website
- Administration
Your consent is obtained from you during the ordering process before this data is processed.
The data processing is carried out in accordance with Art. 6(1) sentence 1 (b) GDPR.
c) Newsletter
If you voluntarily subscribe to our newsletter (a regular promotional information email with offers or other information from our company), the data you provide will be used exclusively for this purpose and will not be passed on to third parties.
This also includes information relevant to the service or registration. The validity of the email address is verified using the so-called “double opt-in” procedure. For this purpose, the newsletter subscription is checked by sending a confirmation email and verifying the response. No further data is collected.
You may unsubscribe from the newsletter (withdraw your consent) at any time, either by sending a message to the contact option described below or via a link provided for this purpose in the newsletter. Unsubscribing does not incur any costs for you beyond the standard transmission costs (e.g. the cost of a phone call). The data processing based on your consent is carried out in accordance with Art. 6(1) sentence 1 (a) GDPR.
d) Sending of the newsletter
Existing customers
We reserve the right to regularly send you offers for goods or services similar to those already purchased from our range by email. Pursuant to Section 7(3) of the German Act Against Unfair Competition (UWG), we are not required to obtain your separate consent for this. The data processing is based solely on our legitimate interest in personalised direct marketing pursuant to Art. 6(1)(f) GDPR. If you initially objected to the use of your email address for this purpose, we will not send you such emails. You are entitled to object to the use of your email address for the aforementioned advertising purpose at any time with future effect by notifying the controller named at the beginning. This will only incur transmission costs based on the basic rates. Once we receive your objection, your email address will be removed from the distribution list.
Contact option via the website
If you send us enquiries via the contact form or by email, the information you provide in the enquiry form or email, including the contact details you provide there, will be stored by us for the purpose of processing your enquiry and/or contacting you. This data is not passed on to third parties. The legal basis for the processing of this data is our legitimate interest in responding to your enquiry pursuant to Art. 6(1)(f) GDPR. If your enquiry is aimed at concluding a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR. The data processing based on your consent is carried out in accordance with Art. 6(1) sentence 1 (a) GDPR. The personal data collected for use of the contact form is automatically deleted once your enquiry has been dealt with. You have the right to withdraw your consent to data processing at any time.
e) Electronic withdrawal from distance contracts
Consumers who have a statutory right of withdrawal in respect of distance contracts have the option of declaring the withdrawal via the electronic withdrawal function provided on our website.
The use of this function involves the collection and processing of the personal data required to process the withdrawal. This includes, in particular, details for identifying the relevant contract as well as the contact details you have provided or that are already on file, such as your first and last name and email address.
This data is processed for the purpose of receiving, assigning, and processing your withdrawal declaration, as well as confirming receipt of the withdrawal on a durable medium. The legal basis for the processing is Art. 6(1)(b) GDPR, as the processing is necessary for the implementation of pre-contractual measures and/or the handling of the contractual relationship and the rights and obligations arising therefrom.
Insofar as the processing is carried out in order to fulfil statutory obligations relating to the provision of an electronic withdrawal function and the confirmation of receipt of the withdrawal declaration, the additional legal basis is Art. 6(1)(c) GDPR.
The data collected is used exclusively for the processing of your withdrawal and is not processed for any other purpose, unless a statutory obligation or other data protection permission exists for further processing.
4. Storage period / collection and storage of personal data, and the nature and purpose of its use / disclosure of data
The purpose of using and transmitting personal data is customer identification, contract fulfilment, order processing, customer correspondence, invoicing, direct marketing, and the handling of any liability claims that may arise or the assertion of any claims against you.
As a general rule, your stored personal data is deleted once it is no longer required for the purposes for which it was collected or otherwise processed.
We store the personal data collected and transmitted to us for the processing of your order until the expiry of the statutory retention period. After this period, your data will be deleted by us, unless we are obliged to store it for a longer period pursuant to Art. 6(1) sentence 1 (c) GDPR due to tax and commercial law retention and documentation obligations (arising from the German Commercial Code (HGB), the German Criminal Code (StGB), or the German Fiscal Code (AO)) or statutory information obligations, or unless you have consented to further storage pursuant to Art. 6(1) sentence 1 (a) GDPR.
In the case of contact independent of an order (e.g. via email or the contact form), we store your data until the processing of your enquiry and the related matter have been concluded and no statutory retention obligations apply.
Where personal data is processed on the basis of explicit consent, we store this data until the consent is withdrawn by the data subject.
Where personal data is processed on the basis of Art. 6(1)(f) GDPR, we store this data until the data subject exercises the right to object pursuant to Art. 21(1) GDPR.
Where personal data is processed on the basis of Art. 6(1)(f) GDPR for the purpose of direct marketing, we store this data until the data subject exercises the right to object pursuant to Art. 21(1) GDPR.
Where we are required, on the basis of contractual obligations, to provide you with updates for goods with digital elements or for digital products, we will use the data you provided as part of your order to inform you of updates (by email or by post).
Disclosure of data
We only disclose your personal data to third parties who are service partners involved in processing the contract, such as the logistics company commissioned with delivery and the credit institution commissioned with payment matters. In cases where your personal data is disclosed to third parties, the scope of the data transmitted is always limited to the necessary minimum.
Your personal data will not be transmitted to third parties for any purposes other than those stated below.
We only disclose your personal data to third parties if:
- You have given your explicit consent to do so pursuant to Art. 6(1) sentence 1 (a) GDPR,
- the disclosure is necessary pursuant to Art. 6(1) sentence 1 (f) GDPR for the assertion, exercise, or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in your data not being disclosed,
- there is a statutory obligation for the disclosure pursuant to Art. 6(1) sentence 1 (c) GDPR, or
- this is legally permissible and necessary pursuant to Art. 6(1) sentence 1 (b) GDPR for the handling of contractual relationships with you.
5. Requirement to provide data – possible consequences of not providing it
The provision of personal data is partly required by law (tax law) or may result from contractual provisions (transparency of the contractual partner). Failure to provide personal data would prevent the conclusion of a contract and will therefore not be permitted. The controller will provide any information regarding the statutory or contractual requirement to provide personal data.
6. Existence of automated decision-making
We do not use automated decision-making or profiling.
7. Routine erasure and blocking of personal data
Once the storage period explained in more detail under item 4 above has expired, the personal data is routinely deleted.
8. Rights of the data subject
As a data subject, you have the following rights:
- Art. 15 GDPR: You have the right to request information about the personal data we process concerning you. In particular, you may request information about the purposes of processing, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing, or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making, including profiling, and, where applicable, meaningful information about the details thereof;
- Art. 16 GDPR: You have the right to request the rectification of inaccurate data or the completion of your personal data stored by us;
- Art. 17 GDPR: You have the right to request the erasure of your personal data stored by us, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defence of legal claims;
- Art. 18 GDPR: You have the right to request the restriction of the processing of your personal data if you contest the accuracy of the data, if the processing is unlawful but you oppose its erasure, if we no longer need the data but you require it for the establishment, exercise, or defence of legal claims, or if you have objected to the processing pursuant to Art. 21 GDPR;
- Art. 20 GDPR: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, or to have it transmitted to another controller;
- Art. 7(3) GDPR: You have the right to withdraw your consent to data processing at any time. This means that we may no longer continue the data processing based on this consent in the future;
- Art. 77 GDPR: You have the right to lodge a complaint with a supervisory authority in your usual place of residence, workplace, or at our registered office regarding the data processing (right to lodge a complaint).
8.1 Right to object
- You have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR, provided such grounds arise from your particular situation, or where the objection relates to direct marketing. In the latter case, you have a general right to object.
9. Cookies
Use, legal basis, and purpose
In order to optimise and continually improve the functionality and technical presentation of our website, we use so-called “cookies”. These are small text files that are stored or saved on your device. With the help of these “cookies”, data can be stored on your computer when you visit our website.
Furthermore, our website uses cookies that enable an analysis of users’ browsing behaviour.
When you visit our website, you are informed of the use of cookies for analysis purposes and your consent to the processing of the personal data used in this context is obtained. In this context, reference is also made to this privacy policy.
The legal basis for the processing of personal data using technically necessary cookies is Art. 6(1)(f) GDPR.
The legal basis for the processing of personal data using cookies for analysis purposes, where the user’s consent has been obtained in this regard, is Art. 6(1)(a) GDPR.
The purpose of using technically necessary cookies is to make it easier for users to use our website. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognised even after a page change. We require cookies for the following applications: retaining language settings. The user data collected by technically necessary cookies is not used to create user profiles.
The purpose of using analysis cookies is to improve the quality of our website and its content. Through analysis cookies, we learn how the website is used and can continuously optimise our offering as a result.
Storage period, right to object, and removal options
Cookies are stored on the user’s computer and transmitted to our site from there. As a user, you therefore have full control over the use of cookies. You can disable or restrict the transmission of cookies by changing the settings in your internet browser. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to their full extent.
Cloudflare Turnstile
We use the Cloudflare Turnstile service on our website. The provider is Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. Cloudflare Turnstile is used to protect our website against misuse, spam, and automated access by bots. Technical information may be processed for this purpose, in particular the IP address, information about the browser and operating system used, technical signals from the end device, and information about the website accessed. The processing is carried out for the purpose of security verification and to distinguish between human users and automated access. The legal basis for the processing is Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure provision of our website, the prevention of spam and misuse, and the protection of our technical systems. Insofar as information is stored on or retrieved from the user’s device in connection with the use of Cloudflare Turnstile, this is done, to the extent technically necessary, on the basis of Section 25(2) of the German Telecommunications Digital Services Data Protection Act (TDDDG). A transfer of personal data to the USA cannot be ruled out. According to its own statements, Cloudflare processes data partly as a processor and partly as an independent controller. Further information on data processing by Cloudflare Turnstile can be found in Cloudflare’s privacy notices.
10. Social media
Data processing on social media
Our company is active on various social media platforms. In the course of communicating with users, user data may be processed outside the European Union, which may give rise to risks due to the difficulty of enforcing your rights. Regarding US providers certified under the Privacy Shield, we note that they thereby commit to complying with EU data protection standards.
As a rule, user data is processed for advertising and market research purposes in order to create user profiles based on usage behaviour. These user profiles may, for example, be used to place targeted advertisements. For these purposes, cookies are generally stored on users’ computers, in which the users’ usage behaviour and interests are stored.
Legal basis for the processing
The legal basis for the processing of users’ personal data is our legitimate interest in effectively informing and communicating with users pursuant to Art. 6(1)(f) GDPR. If users are asked by the respective platform providers to consent to the aforementioned data processing, the legal basis for the processing is Art. 6(1)(a), Art. 7 GDPR.
The respective provider has the fastest access to user data and can take the most effective measures. The rights of the data subject can therefore be asserted most quickly directly with the provider. Otherwise, we are available to assist you at any time.
YouTube
Our website incorporates YouTube. This is an internet video platform that allows video publishers to upload video clips free of charge and other users to view, rate, and comment on them, likewise free of charge. YouTube permits the publication of all kinds of videos, which means that complete film and television broadcasts, as well as music videos, trailers, and videos made by users themselves, can be accessed via the internet platform.
YouTube is operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
As soon as you visit pages of our website that are equipped with a YouTube plugin, a connection to YouTube’s servers is established. This tells the YouTube server which specific page of our website you have visited. If you are also logged into your YouTube account, this would allow YouTube to associate your browsing behaviour directly with your personal profile. You can prevent this association by logging out of your account beforehand. Further information on the collection and use of your data by YouTube can be found in YouTube’s privacy notices at www.youtube.com.
The privacy policy published by YouTube provides information on the collection, processing, and use of personal data by YouTube and Google.
Instagram Feed / Smash Balloon
Our website incorporates an Instagram social feed. For this purpose, we use the “Smash Balloon” service. The provider is Smash Balloon LLC, USA.
This service enables us to display content from our Instagram presence on our website. Depending on the technical configuration, content from Instagram or the Instagram feed may be cached and delivered via our website or via servers operated by Smash Balloon. When the relevant areas of the website are accessed, technical access data may be processed, in particular IP address, browser information, date and time of access, and information about the page accessed.
The integration is carried out on the basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in the appealing presentation of our online offerings and the integration of current content from our Instagram presence. Insofar as third-party calls, cookies, or comparable technologies that are not technically necessary for the display are used, processing is carried out only on the basis of your consent pursuant to Art. 6(1)(a) GDPR and Section 25(1) TDDDG.
If you click on an image or post within the Instagram feed, you will be redirected to Instagram. From that point on, the privacy policy of Instagram or Meta applies. We have no influence over the data processing carried out there.
11. Payment processing
PayPal
PayPal components are integrated into our website. PayPal is an online payment service provider. Payments are processed via accounts, which represent virtual private or business accounts. PayPal also offers the option of processing virtual payments via credit cards if a user does not hold an account. An account is managed via an email address, which means there is no traditional account number. PayPal enables online payments to be made to third parties or received. PayPal also acts as a trustee and offers buyer protection services.
The European operating company of PayPal is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg.
If you use such payment options, we will pass on your personal data required for payment processing to PayPal. As a rule, the scope of the personal data disclosed includes: first name, last name, address, email address, IP address, telephone number, mobile phone number, or other data necessary for payment processing. Personal data associated with the respective order is also necessary for the fulfilment of the purchase contract.
The purpose of the data disclosure is the processing of payment and fraud prevention. We will transfer data to PayPal in particular where there is a legitimate interest in doing so. As part of its own privacy policy, PayPal may transmit the personal data it receives to credit reporting agencies. This transmission serves the purpose of identity and creditworthiness checks. PayPal may pass on personal data to affiliated companies and service providers or subcontractors, insofar as this is necessary to fulfil contractual obligations or the data is to be processed on its behalf. The data subject has the option of withdrawing their consent to the handling of personal data from PayPal at any time. A withdrawal does not affect personal data that must be processed, used, or transmitted for the (contractual) processing of payments.
The disclosure of data to PayPal described in this section explicitly takes place only if you select this payment option.
PayPal’s applicable privacy policy can be accessed at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.
Deutsch