Privacy Policy

Responsible according to the General Data Protection Regulation

Aquasabi GmbH & Co. KG
Salzdahlumer Str. 196
38126 Braunschweig
Germany

Phone: +49 531 2086358
Fax: +49 531 2086359
E-Mail: info@aquasabi.de

Represented by the general partner
Aquasabi Verwaltungs GmbH
CEO: Tobias Coring

Data protection officer

E-Mail: privacy@aquasabi.com

We appreciate your interest in our website and our company.

The protection of your personal data is very important to us. Your data is protected in accordance with the law, so that our data protection practice is in accordance with the General Data Protection Regulation (GDPR), the Federal Data Protection Act (FDPA) and the Telemedia Act (TMA). Below you will find information about our processing of personal data and your rights:

I. Data processing in general

1. Scope and purpose of processing

In principle, the responsible party processes personal data only if this is necessary to maintain the functions of his website and to provide his services. The processing takes place to the extent of the consent of the user or as far as it is permitted by legal regulations.

2. Lawfulness of processing

If the responsible party obtains consent for processing, legal basis is article 6 (2)(a), GDPR. Any processing necessary to fulfill a contract to which the data subject is a party shall have its legal basis in article 6(1)(b), GDPR. This also applies to processing required for the execution of pre-contractual measures, which is carried out on request of the data subject. The legal basis for the processing of personal data required to fulfill the legal obligations of the controller is article 6 (1)(c) GDPR. Article 6(1)(d), GDPR is the legal basis in the event that vital interests of the data subject or any other natural person require the processing of personal data. Article 6(1)(f), GDPR is the legal basis for the processing of personal data when it is necessary to safeguard a legitimate interest of the business of the controller or a third party and which outweighs the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data.

3. Storage and deletion

The responsible party deletes or blocks personal data if the purpose of the storage is omitted. Storage can also take place if required by law or regulation. In particular, there may be statutory storage obligations of six years under commercial law and ten years under fiscal law. Blockages or deletions also occur if specified periods of storage end according to laws or regulations and the data for the conclusion of contract, the fulfillment of contract or the termination of contract are no longer required. Data storage is also possible for the preservation of evidence under the statute of limitations. The regular limitation period is three years, whereby limitation periods of 30 years can also be possible.

II. Provision of internet presence and log files

1. Scope of processing

Every access to the website of those responsible as well as every retrieval of a file stored on their website are by default logged automatically. In this case, the date and time of access, web browser and version, operating system, the website from which the user accesses the page of the responsible party and the websites that the user accesses via the website of the responsible party, as well as the ISP of the user and his IP address can be logged.

This data may be stored in the log files of the system of the responsible parties. A combination of this data with other data sources, in particular other personal data of the user, does not take place.

2. Lawfulness of processing

The temporary storage of these data and log files has its legal basis in article 6(1)(f), GDPR.

3. Purpose

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the computer of the user. To do this, the user's IP address must be kept for the duration of the session. Data storage in log files is done to ensure the functionality of the website. In addition, the responsible party uses the data to optimize the Internet presence and to ensure the security of his IT systems.

The above-mentioned purposes also represent the predominant legitimate interests of the controllers in this data processing in accordance with Article 6(1)(f), GDPR.

4. Storage and deletion

The data will be deleted as soon as it is no longer necessary for the realization of the purposes above. In the case of the collection of data for the provision of the Internet presence, this is the case at the end of the respective session and in the case of storage of data in log files at the latest after seven days.

III. Cookies

1. Scope of processing

The websites of those responsible use cookies. A "Cookie" is a small text file, which is stored in the browser, respectively, saved on the user?s computer by the browser. With this file, the web server can store preferences and settings on the user's computer, that are automatically restored on the next visit. Likewise, it is possible for a server to recognize the user without having to constantly re-enter the username and password.

Two types of cookies can be used on the pages of those responsible. First, the so-called session cookies, which are deleted when the browser is closed. On the other hand, the so-called persistent cookies that may remain on the computer of the person concerned for a prolonged period of time. Using the collected information, usage patterns and structures of websites can be analyzed. For example, those responsible can continue to optimize their internet presence by improving their content or personalization and making it easier to use.

2. Lawfulness of processing

The legal basis for the processing of personal data using cookies is article 6(1)(f) GDPR.

3. Purpose

The purpose of the use of cookies is to make the visit of the website of the responsible party more pleasant and to provide certain functionalities. In addition, the controller can further optimize the website by improving the content or personalization and simplify it using the data collected by the cookies.

In the aforementioned purposes processing is necessary for the purposes of the legitimate interests pursued by the controller according to article 6(1)(f) GDPR.

3. Storage, objection or removal options

In all current browsers, the handling of cookies can be expressly regulated. Most browsers accept cookies by default. Users can allow or deny both temporary (session) cookies and persistent cookies independently in the security settings. However, if the data subject deactivates the cookies, they may not be able to access the web site of those responsible and some pages may not be displayed correctly.

IV. Contact

1. Scope of processing

For example, if the data subject contacts the responsible party by e-mail, the personal data communicated and the date and time of the transmission will be stored by the responsible party.

These data are used exclusively for the processing of communication between the data subject and the responsible party and are not disclosed to third parties.

2. Lawfulness of processing

Legal basis for the processing of this personal data is art. 6(1)(a), GDPR, if consent has been given. Otherwise the legal basis is art. 6(1)(f), GDPR and as far as the establishment, fulfillment or termination of a contract are concerned, art. 6(1)(b) GDPR, too.

2. Purpose

The processing of personal data from the communication takes place exclusively to handle the contact and answer the request of the person concerned as well as to prevent misuse of the contact form and to protect the IT systems of those responsible.

2. Storage and deletion

The processing of personal data from the communication takes place exclusively to handle the contact and answer the request of the person concerned as well as to prevent misuse of the contact form and to protect the IT systems of those responsible.

2. Possibility to object

The data subject has the option of revoking consent to the processing of this personal data at any time. The data subject may also object to the storage of their personal data at any time, in which case the conversation can not be continued. In fact, in such a case, all personal data stored during the establishment of contact will be deleted.

V. Order data (guest orders), registration and setup of a customer account and contract processing

1. Scope of data processing

The party responsible offers users of their internet presence the options to order as a guest or register themselves with personal data before ordering from a user account. The data are entered into an input mask and transmitted to the party responsible to be stored by them. As part of the order- and registration process, gender, name, date of birth (optional), address, e-mail address, telephone number, possibly deviating delivery address and payment information are collected.

When choosing the "Amazon Pay" method of payment, payment details and payment order information are transferred directly to Amazon Payments Europe S.C.A. and indirectly to Amazon Services Europe SARL and Amazon Media EU SARL, all three located at 38 avenue J.F. Kennedy, L-1855 Luxemburg (hereinafter referred to as "Amazon Payments").

The disclosure of this data is solely for the purpose of processing payments with the payment service Amazon Payments and only to the extent necessary for this purpose.

Legal basis is Article 6 (1) (b) GDPR. For more information about data usage and privacy by Amazon Payments, click here:
https://pay.amazon.com/uk/help/201751600

Personal data will be passed on to third parties only if this is necessary for the conclusion and execution of contracts. This is done by passing on the address data to the freight carrier and the payment information to the payment service provider.

When payment is done via PayPal, credit card via PayPal, direct debit by PayPal or ? if offered - "purchase on account" or "instalment" by PayPal as well as PayPal Express, within the scope of processing of payment, the party responsible transmits payment information to PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg ("PayPal"). PayPal reserves the right to request a credit check for the payment methods credit card via PayPal, direct debit by PayPal as well as "purchase on account" and "instalment" by PayPal. For this purpose name, date of birth, address, and account details may be passed on to credit agencies.

Legal basis is Article 6 (1) (f) GDPR on the basis of PayPal's legitimate interest in determining customer's solvency.
The result of the credit check on the statistical probability of default is used by PayPal to decide if the respective payment method is offered.

The credit report can contain probability values (scoring). If so, they are based on a mathematical-statistical process. The scoring includes, but is not limited to, address information. For further details, in particular regarding the credit bureaus used, please refer to PayPal's privacy statement:

https://www.paypal.com/en/webapps/mpp/ua/privacy-full

You can object to this processing of your data at any time by sending a message to PayPal. However, PayPal may continue to be entitled to process your personal data, if this is necessary for the contractual payment.

If the payment method "SOFORT" is selected, the payment is processed via the payment service provider Klarna GmbH, Theresienhöhe 12, 80339 Munich, Germany ("SOFORT"). The party responsible will pass on the information provided during the ordering process to them. It is part of the Klarna Group (Klarna Bank AB (publ), Sveavägen 46, 11134 Stockholm, Sweden).

The transfer of the data takes place exclusively for the purpose of the payment transaction with the payment service provider Klarna and only insofar as it is necessary for this.

Legal basis is Article 6 (1) (b) GDPR. For more information concerning the privacy policy of SOFORT, please see the following Internet address:

https://www.klarna.com/uk/privacy-policy/

In case of shipment via transport service provider DHL Express (DHL Express Germany GmbH, Heinrich-Brüning-Str. 5, 53113 Bonn, Germany), we will forward your e-mail address to DHL Express in order to coordinate the delivery date or to announce delivery.

The legal basis is article 6 §1 lit. f GDPR.

For more information about DHL Express's Privacy Policy, please refer to the following internet address:

https://www.dhl.de/en/toolbar/footer/datenschutz-express.html

2. Lawfulness of processing

Legal basis for the processing of this data is - user consent given - Article 6 (1) (a) GDPR, and as far as the registration serves the purpose of executing pre-contractual measures or fulfillment of a contract of the party responsible with the data subject, additionally Article 6 (1) (b) GDPR.

3. Purpose

The purpose of the data processing in the context of guest orders or registration is first the execution of pre-contractual measures and then the conclusion and completion of contracts with the user. The collection of these data takes place in order to have knowledge of who the (initially potential) contracting party is, for the establishment, design, processing and modification of contractual relationships with the data subject, to check the specified data for plausibility and to establish contact. The name and address are collected to determine who the contracting party is and to whom the person in charge has to provide and bill the services. The contact details are collected in order to provide the contracting party with information regarding the execution of the contractual relationship. The address data are used for passing on to the freight carrier and for sending the ordered goods, while the payment information is used for payment processing. Provided that the user registers as a regular customer, the collection of data ensures that in the case of follow-up contracts the customer does not have to re-enter the data and can also view the orders placed via his customer account.

4. Storage, objection or removal options

The data collected for guest orders or customer registration purposes will be deleted as soon as they are no longer necessary for serving the purpose of their collection. This is the case for data collected during the registration process for the creation and execution of a contract or for the implementation of pre-contractual measures when they are no longer necessary for the execution of the contracts. The registration as a regular customer, however, can be annulled at any time. Complete deletion of the data collected in this case is only possible if there are no contractual or statutory obligations preventing deletion.

VI. Clerk

1. Scope of data processing

The responsible party uses the service "Clerk" of company Clerk.io, Kigkurren 8, Obgang G, 2 Sal., 2300 Copenhagen, Denmark on its website.

With the help of "Clerk", the usage behavior of the data subject on the website of the responsible party is analyzed and on this basis given appropriate content and product recommendations. In addition, "Clerk" is used for the product search on the website of the responsible party.

"Clerk" is used without the use of e-mail addresses and there is no merging or transfer of personal data to third parties by means of "Clerk".

2. Lawfulness of processing

Legal basis for the use of "Clerk" with processing personal data is art. 6(1)(f) GDPR., where the legitimate and overriding interest of those responsible lies in the aforementioned purposes.

Further details on "Clerk" and its data processing can be found here: https://help.clerk.io/using-clerk-io/gdpr.

VII. Google Maps

The party responsible uses the "Google Maps" service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

Google is certified under the Privacy Shield framework, which provides a guarantee to be compliant with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

When using the "Google Maps" service, Google may process information, in particular user configurations and -data by setting a persistent cookie. Here, Google also perceives the requesting IP address and stores it, e.g. for statistical purposes. The information about the use of the online service is usually transmitted to a Google server in the USA and stored there.

The responsible party has no influence on the handling of this data by Google. Google?s privacy policy can be found here:

https://www.google.com/policies/privacy/.

You can find the Google terms of use and additional terms for Google Maps through the links below: .

https://www.google.de/intl/de/policies/terms/regional.html https://www.google.com/intl/de_de/help/terms_maps.html

Legal basis for the use of Google Maps is art. 6 (1)(f) GDPR and insofar justification, fulfillment or termination of a contract are concerned, art. 6 (1)(b) GDPR. The use of Google Maps is for the purpose of cartographic representations.

You can deactivate the map service of "Google Maps" and thereby prevent a data transmission to Google. Opt-Out: https://www.google.com/settings/ads/

VIII. Google Analytics

1. Scope of processing

The responsible party uses Google Analytics on its website, a web analysis service of Google Inc. (https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter ?Google?). In this context, pseudonymised usage profiles are created and cookies (see III.) are used. The information generated by the cookie about the use of this website by the person concerned such as

  • browser type / version,
  • OS used,
  • referrer-URL (previously visited site),
  • host name of the accessing computer (IP address),
  • time of server request,

are transmitted to a Google server in the USA and stored there. The IP addresses are anonymized so that an assignment is not possible (IP masking). In no case will the IP address of the person concerned be merged with other data provided by Google. This information may also be transferred to third parties if required by law or if third parties process this data on order.

This website uses the ?demographic features? function of Google Analytics. As a result, reports can be produced that contain statements on the age, gender and interests of the site visitors. This data comes from interest-based advertising from Google and third-party visitor data. This data can not be assigned to a specific person. You can disable this feature at any time through the ad settings in your Google Account, or generally prohibit Google Analytics from collecting your data, as shown below.

2. Lawfulness of processing

The legal basis for the processing of personal data using Google Analytics is Article 6 (1)(f) GDPR.

3. Purpose

Google Analytics is used for the purpose of needs-based design and continuous optimization of the Internet presence.

Google Analytics is used to statistically record the use of the internet presence and to evaluate it for the purpose of optimizing the service.

The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to website activity and internet usage for the purposes of market research and tailor-made website design.

In the above-mentioned purposes, the legitimate and overriding interest of the responsible parties lies in the processing according to art. 6 (1)(f) GDPR.

4. Storage, objection and deleting options

The affected person can prevent the installation of cookies by setting the browser software accordingly; It should be noted, however, that in this case not all features of this website may be fully used.

In addition, the data subject can prevent the collection of data related to your use of the website (including the IP address) generated by the cookie, as well as the processing of this data by Google by downloading and installing a browser add-on (https://tools.google.com/dlpage/gaoptout?hl=de).

As an alternative to the browser add-on, in particular for browsers on mobile devices, the person concerned can also prevent data collection by Google Analytics by clicking on this link: (Click here to disable Google Analytics). An opt-out cookie is set which prevents the future collection of data when visiting this website. The opt-out cookie is only valid in this browser and only for this website and is stored on the used device. If the cookies are deleted in this browser, the opt-out cookie must be set again.

For more information about privacy in connection with Google Analytics, refer the Google Analytics Help Center.
(https://support.google.com/analytics/answer/6004245?hl=de).

IX. YouTube Videos

1. Scope of processing

The party responsible used the embedding feature of the platform "YouTube" to display and play videos on its website. "YouTube" is part of Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

It uses the advanced data protection mode, which according to "YouTube" initiates storage of user information only when the video is playing. When the playback of embedded YouTube videos is started, "YouTube" sets cookies to collect information about user behavior. If the data subject is logged in to Google upon playback, the data is assigned directly to the data subject's Google Account. To prevent this association with your profile, you can log out before activating the video. Google stores your data (even for logged-out users) as usage profiles and analyzes them.

Regardless of the playback of the embedded video, every time you visit this website you will be connected to the Google Network "DoubleClick", which may trigger further data processing.

2. Lawfulness of processing

Legal basis for the processing of personal data using YouTube is art. 6(1)(f) GDPR.

3. Purpose

According to "YouTube", this is done by YouTube to capture video statistics, improve user-friendliness and prevent abusive practices while the responsible party uses "YouTube videos" to visualize their services.

In the aforementioned purposes there is a legitimate and overriding interest in the data processing according to art. (6)(1)(f) GDPR.

4. Objection- and deletion options

Data subjects have the right to object to the creation of usage profiles.The objection is exercised towards "YouTube"

Google LLC, based in the United States, is EU-US Privacy Shield certified, which ensures compliance with the level of data protection in the EU.

For more information on "YouTube" privacy, please refer to the Google Privacy Policy: https://www.google.de/intl/de/policies/privacy

X. Application procedure

The controller collects and processes the personal data provided by applicants for the purpose of executing the application process. If necessary, the processing can also be carried out electronically. In the case of a contract of employment with an applicant, the transmitted data will be stored for the purpose of the employment relationship in compliance with legal provisions. If no employment contract is finalized with the applicant, the application documents will be automatically deleted within 10 weeks of notification of rejection, provided that deletion does not prejudice the legitimate interests of the controller (eg, a burden of proof in a case based on the General Equal Treatment Act).

XI. Rights of the data subject

Concerning the processing of a data subject?s personal data, the data subject is the party concerned and is entitled to the following rights towards the party responsible:

1. Right of confirmation

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

2. Right of access

Right to access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to article 46 relating to the transfer.

The controller shall provide a copy of the personal data undergoing processing as long as its posessal does not adversely affect the rights and freedoms of others.

3. Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4. Right to erasure ("right to be forgotten")

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
  4. the personal data have been unlawfully processed
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5. Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
  4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

6. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. the processing is carried out by automated means

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7. Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8. Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except it is necessary for entering into, or performance of, a contract between the data subject and a data controller, is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject?s rights and freedoms and legitimate interests or is based on the data subject?s explicit consent.
  2. If it is necessary for entering into, or performance of, a contract between the data subject and a data controller, or is based on the data subject?s explicit consent the data controller shall implement suitable measures to safeguard the data subject?s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

9. Right of withdrawal

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.