Privacy Policy according to GDPR
This privacy policy explains the type, scope, and purpose of processing personal data (hereinafter referred to as "data") within our online offerings and related websites, functions, content, and external online presences, such as our social media profiles (collectively referred to as "online offerings"). Regarding the terminology used, such as "personal data" or their "processing," we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Responsible party:
Name/Company: millepondo services GmbH & Co. KG
Address: Falkenburgstraße 31-33
Postal Code, City, Country: 50935 Cologne, Germany
Commercial Register/No.: Cologne District Court HRA 28744
Managing Director: Michael Pütz
Phone Number: 0221 / 677 80 420
Email: info@millepondo.de
Types of processed data:
- Inventory data (e.g., names, addresses).
- Contact data (e.g., email, telephone numbers).
- Content data (e.g., text input, photographs, videos).
- Contract data (e.g., subject matter of the contract, duration, customer category).
- Payment data (e.g., bank details, payment history).
- Usage data (e.g., visited websites, interest in content, access times).
- Meta/communication data (e.g., device information, IP addresses).
Processing of special categories of data (Art. 9 (1) GDPR):
No special categories of data are processed unless they are provided for processing by the users, e.g., entered in online forms.
Categories of persons affected by the processing:
- Customers / prospects / suppliers.
- Visitors and users of the online offering.
- Employees.
Hereinafter, we also refer to the affected persons collectively as "users."
Purpose of processing:
- Provision of the online offering, its contents, and functions.
- Provision of contractual services, service, and customer care.
- Response to contact inquiries and communication with users.
- Marketing, advertising, and market research.
- Security measures.
As of: May 7, 2018
Relevant legal bases:
In accordance with Art. 13 GDPR, we inform you of the legal bases of our data processing. Unless the legal basis is mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 (1) a and Art. 7 GDPR; the legal basis for processing for the fulfillment of our services and implementation of contractual measures and response to inquiries is Art. 6 (1) b GDPR; the legal basis for processing to fulfill our legal obligations is Art. 6 (1) c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 (1) f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) d GDPR serves as the legal basis.
Changes and updates to the privacy policy:
We ask you to regularly inform yourself about the content of our privacy policy. We adapt the privacy policy as soon as changes in the data processing we carry out make this necessary. We will inform you as soon as the changes require your participation (e.g., consent) or other individual notification.
Security measures:
We take appropriate technical and organizational measures in accordance with Art. 32 GDPR, considering the state of the art, the costs of implementation, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk. Measures include, in particular, securing the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access to, input, and transfer of the data, ensuring its availability, and its separation. Furthermore, we have established procedures that ensure the exercise of data subject rights, the deletion of data, and a response to threats to the data. Moreover, we consider the protection of personal data already in the development or selection of hardware, software, and procedures, according to the principle of data protection through technology design and through privacy-friendly default settings (Art. 25 GDPR).
Collaboration with processors and third parties:
If we disclose data to other persons and companies (processors or third parties) in the course of our processing, transmit it to them, or otherwise grant them access to the data, this is done only on the basis of a legal permission (e.g., if a transfer of data to third parties, such as payment service providers, is required by Art. 6 (1) b GDPR for contract fulfillment), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).
If we commission third parties with the processing of data based on a so-called "order processing contract," this is done on the basis of Art. 28 GDPR.
Transfers to third countries:
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this happens in the context of the use of third-party services or the disclosure or transmission of data to third parties, this only takes place in order to fulfill our (pre)contractual obligations, on the basis of your consent, on the basis of a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permits, we process the data or have it processed in a third country only if the special requirements of Art. 44 ff. GDPR are met. This means that the processing is carried out, e.g., on the basis of special guarantees, such as the officially recognized level of data protection corresponding to the EU (e.g., for the USA by the "Privacy Shield") or compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
Rights of the data subjects:
You have the right to request confirmation as to whether the data in question is being processed, to be informed about this data, and to request further information and a copy of the data in accordance with Art. 15 GDPR.
According to Art. 16 GDPR, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
In accordance with Art. 17 GDPR, you have the right to demand that the relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with Art. 18 GDPR.
You have the right to receive the data concerning you that you have provided to us, in accordance with Art. 20 GDPR, and to request its transmission to other responsible parties.
You also have the right to file a complaint with the competent supervisory authority pursuant to Art. 77 GDPR.
Right of withdrawal:
You have the right to revoke consents granted pursuant to Art. 7 (3) GDPR with effect for the future.
Right to object:
You can object to the future processing of the data concerning you according to Art. 21 GDPR at any time. The objection may, in particular, be made against processing for direct marketing purposes.
Cookies and right of objection in direct advertising:
We set temporary and permanent cookies, i.e., small files that are stored on users' devices (for an explanation of the term and function, see the last section of this privacy policy). Some of the cookies are used for security purposes or are necessary to operate our online offering (e.g., for the presentation of the website) or to save the user's decision when confirming the cookie banner. In addition, we or our technology partners use cookies for reach measurement and marketing purposes, about which users are informed in the course of the privacy policy. A general objection to the use of cookies for online marketing purposes can be declared for a variety of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by switching them off in the browser settings. Please be aware that in this case not all functions of this online offer can be used.
Deletion of data:
The data processed by us is deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless explicitly stated in this privacy policy, the data stored by us is deleted as soon as it is no longer required for its purpose and the deletion does not conflict with any statutory storage requirements. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons.
According to legal requirements, the storage takes place in particular for 6 years according to § 257 (1) HGB (trade books, inventories, opening balance sheets, annual financial statements, trade letters, accounting documents, etc.) and for 10 years according to § 147 (1) AO (books, records, management reports, accounting documents, trade and business letters, documents relevant for taxation, etc.).
Provision of contractual services:
We process inventory data (e.g., names and addresses as well as contact information of users) and contract data (e.g., services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services according to Art. 6 (1) lit. b GDPR. The entries marked as obligatory in online forms are required for the conclusion of the contract.
Users can optionally create a user account, in which they can, in particular, view their orders. As part of the registration, the required mandatory information is communicated to the users. The user accounts are not public and cannot be indexed by search engines. When users have terminated their user account, their data regarding the user account is deleted, unless its retention is necessary for commercial or tax reasons according to Art. 6 (1) c GDPR. It is the responsibility of the users to secure their data upon termination before the end of the contract. We are entitled to irretrievably delete all the user's data stored during the term of the contract.
As part of registration, subsequent logins, and the use of our online services, we store the IP address and the time of the respective user action. The storage is based on our legitimate interests, as well as the user's protection against abuse and other unauthorized use. A transfer of this data to third parties does not take place unless it is necessary to pursue our claims or there is a legal obligation in accordance with Art. 6 (1) lit. c GDPR.
We process usage data (e.g., the visited web pages of our online offering, interest in our products) and content data (e.g., entries in the contact form or user profile) for advertising purposes in a user profile, to show the user e.g., product hints based on their previously taken services.
The deletion occurs after expiry of statutory warranty and comparable obligations; the necessity of retaining the data is reviewed every three years. In the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial (6 years) and tax (10 years) retention obligation). Information in the customer account remains until its deletion.
Contact:
When contacting us (via contact form or e-mail), the user's details are processed in order to handle the contact request in accordance with Art. 6 (1) lit. b) GDPR.
User information can be stored in our Customer Relationship Management System ("CRM System") Redmine or comparable system. Redmine is open-source software that we operate on a rented server from Hetzner Online GmbH. All information about Hetzner Online GmbH can be found in the section of this privacy policy.
User information in contact forms may be stored within the content management system (CMS) WordPress along with the time of submission and the sender's IP address.
We delete the requests if they are no longer necessary. We review the necessity every two years; requests from customers who have a customer account are stored permanently, and for their deletion we refer to the information on the customer account. In the case of statutory archiving obligations, deletion takes place after their expiry (end of commercial (6 years) and tax (10 years) retention obligation).
Collection of access data and log files:
On the basis of our legitimate interests within the meaning of Art. 6 (1) f. GDPR, we collect data about every access to the server on which this service is located (so-called server log files). Access data includes the name of the accessed website, file, date and time of access, transferred data volume, notification of successful retrieval, browser type plus version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Logfile information is stored for security reasons (e.g., to investigate abuse or fraud) for a maximum period of 90 days and then deleted. Data whose further retention is required for evidence purposes are exempt from deletion until the final clarification of the respective incident.
Online presences in social media:
We maintain online presences within social networks and platforms to communicate with customers, prospects, and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Unless otherwise stated in our privacy policy, we process users' data as long as they communicate with us within social networks and platforms, e.g., write posts on our online presences or send us messages.
Google Analytics:
Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 (1) f. GDPR), we use Google Analytics, a web analysis service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google uses cookies. The information generated by the cookie about users' use of the online offering is generally transmitted to a Google server in the USA and stored there.
Google is certified under the Privacy Shield Agreement and thereby offers a guarantee to comply with European data privacy law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on the activities within this online offering and to provide us with further services associated with the use of this online offering and the internet usage. In this process, anonymous user profiles of the users can be created from the processed data.
We use Google Analytics to display the ads placed within advertising services of Google and its partners to users who have shown an interest in our online offer or who have certain traits (e.g., interest in certain topics or products determined by the websites visited) that we transmit to Google (so-called "remarketing" or "Google Analytics audiences"). With the help of the Remarketing Audiences, we also want to ensure that our ads correspond to the potential interest of users and are not annoying.
We only use Google Analytics with activated IP anonymization. This means that the IP address of the users is shortened by Google within member states of the European Union or in other states contracting to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user's browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent Google from collecting the data generated by the cookie and related to their use of the online offer as well as the processing of this data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
As an alternative to the browser plugin or within browsers on mobile devices, please click the following link to prevent the collection by Google Analytics on this website in the future (the opt-out only works in the browser and only for this domain). An opt-out cookie will be stored on your device. If you delete your cookies in this browser, you must click this link again: [Disable Google Analytics]
For more information about Google's use of data and the setting and opt-out options, see Google's websites: https://www.google.com/intl/en/policies/privacy/partners ("Data use by Google when you use our partners' sites or apps"), https://policies.google.com/technologies/ads ("Data use for advertising purposes"), https://adssettings.google.com/authenticated ("Manage information Google uses to show you ads").
Google Re/Marketing Services:
We use the marketing and remarketing services ("Google Marketing Services" herein) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, ("Google") based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offer in accordance with Art. 6 (1) lit. f. GDPR).
Google is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
The Google Marketing Services allow us to better target advertisements for and on our website so that we only present ads to users that potentially match their interests. If a user is shown ads for products he was interested in on other websites, this is called "remarketing." For these purposes, when our website and other websites on which Google Marketing Services are active are called up, Google immediately executes a code, and so-called (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e., a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). The cookies can be set by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com, or googleadservices.com. In this file, it is noted which websites the user visits, what content he is interested in, and what offers he has clicked on, as well as technical information about the browser and operating system, referring websites, visit time, and other information on the use of the online offer. The IP address of the users is also recorded; within the framework of Google Analytics, we inform you that the IP address is shortened within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only in exceptional cases completely transferred to a Google server in the USA and shortened there. The IP address is not merged with the user's data within other Google offers. The above-mentioned information can also be linked by Google with such information from other sources. If the user subsequently visits other websites, he can be shown ads tailored to him according to his interests.
The data of the users is processed pseudonymously within the framework of the Google Marketing Services. That is, Google does not store and process, e.g., the name or e-mail address of the users, but processes the relevant data on a cookie basis within pseudonymous user profiles. That is, from the perspective of Google, the ads are managed and displayed not for a specifically identified person, but for the cookie owner, regardless of who this cookie owner is. This does not apply if a user has explicitly allowed Google to process the data without this pseudonymization. The information collected about users is transmitted to Google and stored on Google's servers in the USA.
Among the Google Marketing Services we use is the online advertising program "Google AdWords." In the case of Google AdWords, each AdWords customer receives a different "conversion cookie." Cookies, therefore, cannot be tracked via the websites of AdWords customers. The information collected using the cookie is used to generate conversion statistics for AdWords customers who have decided on conversion tracking. AdWords customers can find out the total number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive information that personally identifies users.
Furthermore, we can use the "Google Tag Manager" to integrate and manage Google analysis and marketing services into our website.
Additional information on Google's use of data for marketing purposes can be found on the overview page: https://policies.google.com/technologies/ads, Google's privacy policy is available at https://policies.google.com/privacy.
If you wish to opt-out of interest-based advertising through Google Marketing Services, you can use the setting and opt-out options provided by Google: https://adssettings.google.com/authenticated.
Facebook Social Plugins:
Based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6 (1) lit. f. GDPR), we use social plugins ("plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can be interaction elements or content (e.g., videos, graphics, or text posts) and can be recognized by one of the Facebook logos (white "f" on a blue tile, the term "Like," or a "thumbs up" sign) or are labeled with the addition "Facebook Social Plugin." The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
Facebook is certified under the Privacy Shield Agreement, thereby providing a guarantee to comply with European data protection law (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
When a user accesses a feature of this online offering that includes such a plugin, their device establishes a direct connection with Facebook's servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offering by the device. In doing so, user profiles can be created from the processed data. We therefore have no influence on the amount of data that Facebook collects with the help of this plugin and therefore inform users according to our level of knowledge.
By integrating the plugins, Facebook receives the information that a user has accessed the corresponding page of the online offering. If the user is logged into Facebook, Facebook can assign the visit to their Facebook account. If users interact with the plugins, for example, press the Like button or leave a comment, the corresponding information is transmitted directly from their device to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will find out and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the related rights and setting options for protecting the privacy of the users, can be read in Facebook's privacy policy: https://www.facebook.com/about/privacy/.
If a user is a Facebook member and does not want Facebook to collect data about them via this online offering and link it to their member data stored on Facebook, they must log out of Facebook and delete their cookies before using our online offering. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e., they are adopted for all devices, such as desktop computers or mobile devices.
Newsletter:
With the following notes, we inform you about the contents of our newsletter as well as the registration, shipping, and statistical evaluation procedures, and your rights to object. By subscribing to our newsletter, you agree to receive it and the procedures described.
Content of the Newsletter: We send newsletters, emails, and other electronic notifications containing advertising information (hereafter referred to as "newsletter") only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described during registration, they are crucial for the users' consent. Otherwise, our newsletters contain information about our products, offers, promotions, and our company.
Double Opt-In and Logging: The registration for our newsletter is done in a so-called double opt-in procedure. This means you will receive an email after registering asking you to confirm your registration. This confirmation is necessary so that no one can register with other people's email addresses. Registrations for the newsletter are logged to be able to demonstrate the registration process according to legal requirements. This includes storing the registration and confirmation time, as well as the IP address. Changes to your data stored with the mail service provider are also logged.
Dispatch: The newsletters are sent either via our content management system (CMS) WordPress in conjunction with our mail servers or through "MailChimp," a newsletter distribution platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. The privacy policy of the mailing service provider can be viewed here: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield Agreement, thereby guaranteeing compliance with European data protection levels (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).
Furthermore, the mailing service provider may use this data in anonymous form, i.e., without being assigned to a user, to optimize or improve its own services, e.g., for the technical optimization of sending and the presentation of newsletters or for statistical purposes, to determine from which countries the recipients come. However, the mail service provider does not use the data of our newsletter recipients to write to them or to pass them on to third parties.
Registration Data: To subscribe to the newsletter, it is sufficient if you provide your email address. Optionally, we ask you to provide a name so that we can address you personally in the newsletter.
Success Measurement: The newsletters may contain a so-called "web beacon," i.e., a pixel-sized file retrieved from the mail service provider's server when the newsletter is opened. Initially, technical information, such as information about the browser and your system, as well as your IP address and the time of retrieval, is collected. This information is used to technically improve the services based on the technical data or the target groups and their reading habits based on their retrieval locations (which can be determined using the IP address) or access times. Statistical surveys also include determining whether newsletters are opened, when they are opened, and which links are clicked. Although this information can technically be linked to individual newsletter recipients, it is neither our intention nor that of the mail service provider to observe individual users. Rather, the evaluations serve to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
The dispatch of the newsletter and the success measurement are based on the recipients' consent according to Art. 6 (1) lit. a and Art. 7 GDPR in conjunction with § 7 (2) No. 3 UWG, or on legal permission according to § 7 (3) UWG.
Cancellation/Revocation: You can cancel the receipt of our newsletter at any time, i.e., revoke your consent. A link to cancel the newsletter can be found at the end of each newsletter. If users have only registered for the newsletter and have canceled this registration, their personal data will be deleted.
Hosting Service Provider:
We operate our online services and web services on self-managed rental servers from Hetzner Online GmbH (https://www.hetzner.de). An appropriate order data processing agreement has been concluded with Hetzner Online GmbH. The Technical-Organizational Measures (TOM) of Hetzner Online GmbH can be found at https://www.hetzner.de/pdf/ADV_TOM.pdf.
We use the email services for businesses offered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (referred to as "G-Suite" or "Google Apps"). Incoming and outgoing emails are stored on Google's servers and sent and received via the respective protocols. Google is subject to the Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI) and has concluded an appropriate Data Processing Amendment.
Integration of Third-Party Services and Content:
We use, based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offer in the sense of Art. 6 (1) lit. f. GDPR), content or service offers from third-party providers within our online offer to integrate their content and services, such as videos or fonts (collectively referred to as "content"). This always presupposes that the third-party providers of this content perceive the IP address of the users, since they could not send the content to their browser without the IP address. The IP address is thus required for the display of this content. We make an effort to use only those contents whose respective providers use the IP address solely for the delivery of the contents. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Through the "pixel tags," information such as visitor traffic on the pages of this website can be evaluated. The anonymous information can also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring web pages, visit time, and other information regarding the use of our online offer, as well as being linked with such information from other sources.
Online Shop & Online Payment:
For now, we use the online shop system of digistore24.de.
Digistore24 is a Germany-based company, and you can find their privacy policy at https://www.digistore24.com/page/privacy