Data privacy policies

I. Name and address of the controller

The controller in the sense of Article 4 Para. 7 EU regulation 2016/679, referred to as the General Data Protection Regulation (GDPR), other national data protection laws of the member states and other data protection regulations is:

momox GmbH
represented by managing directors Christian Wegner, Heiner Kroke Frankfurter Allee 77
10247 Berlin

II. Name and address of the data protection officer

The controller’s data protection officer is

Mr Christian Regnery intersoft consulting services AG
Fischerinsel 16
10179 Berlin

Email: privacy(at)momox.co.uk

III. General information about data processing

1. Scope of processing personal data

You can generally visit us (Internet services, notably momox GmbH websites) without telling us who you are. Your browser automatically transmits various data when visiting our website, see below “IV. Provision of the website and creation of log files”. This information is analysed purely for statistical purposes and then deleted. Our services are reserved for adult visitors.

Personal data is only collected on our website if you provide it to us of your own accord (e.g. when opening a user account or as part of the order process). We use this data exclusively for the purposes stated in each case, as listed below.

We contractually bind external service providers who process personal data for us, so-called “external processors”, in accordance with Article 28 GDPR. These external processors have been carefully selected by us, specifically commissioned and are bound to our instructions. The GDPR refers to states outside the European Union/European Economic Area as third countries and regulates transfers there separately in accordance with Articles 44 to 49 GDPR. In some cases, we use external processors in third countries and name them below. For the USA, the EU Commission has assessed the adequacy of the data protection level there in accordance with Article 44 Para.

3 GDPR the EU-US Privacy Shield (C(2016) 4176 final). Our external processors in the USA are certified according to this.

We maintain up-to-date technical measures to guarantee the protection of personal data. These are always adapted to state-of-the-art technology.

2. Legal basis for processing personal data

If we obtain the consent of the data subject for processing personal data, Article 6 Para. 1 Lit. a GDPR serves as the legal basis for processing personal data.

When processing personal data required for the performance of a contract to which the data subject is a party, Article 6 Para. 1 Lit. b serves as the legal basis. This also applies to processing required for executing precontractual measures.

In accordance with Article 6 Para. 1 Lit. f), processing personal data is also lawful if it is necessary to safeguard the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail, in particular if the data subject is a child.

3. Date deletion and storage duration

The personal data of the data subject is deleted or blocked as soon as the purpose for storage ceases to exist. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

On every visit to our website, our system automatically collects data and information from the computer system of the computer being used.

The following data is collected:

  1. information about the browser type, language and version used
  2. the user’s operating system
  3. amount of data transferred
  4. websites accessed by the user’s system via our website
  5. websites from which the user’s system reaches our website
  6. access status/HTTP status code
  7. content of the request (specific site)
  8. data and time of access/time zone
  9. the user’s IP address
  10. the user’s Internet service provider

The data is also stored in the log files of our system. This data is not stored together with that of the user’s other personal data. However, in the event of an error in an interface query, we also log the ID (identification under a pseudonym), the IP address and the relevant http query, if used by the requesting user to enable subsequent error analysis and correction.

The use of the scan function when collecting media for sale to us requires access to the camera function. However, this does not allow access to image files etc. created so far. The product's barcode (ISBN, EAN) is recognized by the device and only this information (i.e. no images) is transmitted to us.

2. Legal basis for data processing

If our log files mean the processing of personal data, the legal basis is Article 6 Para. 1 Let. b and f GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is necessary within the meaning of Article 6 Para. 1 Lit. b GDPR to enable delivery of the website to the user’s computer. The user’s IP address must be stored for its duration for this purpose. The repeated automatic reading of websites (so-called “scraping”) is also made more difficult by recording the IP address. Data storage in the event on an error is necessary in the meaning of Article 6 Para. 1 Lit. f GDPR to ensure the functionality of the website.

4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. In the case of the IP address, this is truncated, therefore made anonymous when the respective session has ended. The data therefore no longer contains personal references. All log files are deleted after 50 days.

5. Objection or removal option

The collection of the data for website provision and data storage in log files is necessary for operating the website. As a result, there is no objection option for the user.

V. Use of cookies

1. Description and scope of data processing

The websites use so-called “cookies” in several places. Their purpose is to make our website more user-friendly and effective. Cookies are small text files that are placed on your computer and saved by your browser. Some of the cookies we use are so-called “session cookies” that are automatically deleted when you close your browser. In addition, there are also some persistent cookies that we use to recognise you as a visitor. Cookies do not harm your computer and do not contain any viruses. If you do not want cookies to be installed, you can deactivate the acceptance of cookies in your browser. However, we would like to point out that you may not be able to use our website in full with deactivated cookies.

The user data collected in this way is pseudonymised by technical precautions. Therefore, it is not possible to assign the data to the accessing user as a person. The data will not be stored together with the user’s other personal data unless otherwise described below.

The first time our website is accessed, users are informed about the use of cookies via an info banner and are referred to this data privacy policy.

This also includes an indication of how the storage of cookies can be prevented in the browser settings.

The following data is stored and transmitted in the technically necessary cookies:

  1. language settings
  2. items in the shopping basket
  3. login information: email address, first name and surname, gender, session ID (no password)

We also use cookies on our website that enable an analysis of the usage behaviour, the advertising success (so-called conversion) and retargeting of the users on websites of third parties. Third parties can store cookies on the user’s device directly when visiting our websites or we transmit IDs without personal reference.

The following data can be transmitted in this way:

  1. search terms entered
  2. frequency of page views
  3. use of website functions
  4. Login (email address)

We use the following third-party providers to analyse usage behaviour:

  1. Google Analytics, a web analysis service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) in the context of an external processor and with the appropriate level of data protection (see EU-US Privacy Shield above). Google Analytics also uses cookies, which enable an analysis of the use of the website by the user. The information generated by the cookie about your use of the website (including your IP address) will normally be transmitted to and stored by Google on servers in the USA. We activate IP anonymisation by adding the code “gat._anonymizeIp();” to the websites so that Google truncates your IP address within EU/EEA member states beforehand (so-called “IP masking”). Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there. Google will use this information on our behalf to evaluate your use of the website (also optimise function for A/B testing, meaning response to various representations of the website), to compile reports on website activities for us and to provide other services relating to website and Internet use. Google will also transfer this information to third parties if this is required by law or if the third party process the data on behalf of Google. Information that Google receives as part of Interest-based advertising and third parties (e.g. demographics, gender and interests) may be collected in the cookie information. You will find more information on Google at http://www.google.com/intl/de/analytics/privacyoverview.html (general information on Google Analytics and data privacy). Google offers an add-on for web browsers to prevent data collection by Google Analytics and processing of this data by Google. The add-on can be downloaded and installed at your own risk at https://tools.google.com/dlpage/gaoptout. This website also uses Google Analytics for a cross-device analysis of visitor flows when selling goods, which is carried out via a user ID. In your medimops customer account, you can deactivate the cross-device analysis of your usage under “Personal settings”; “Data protection setting User ID”.
  2. “Hotjar”, an analysis software from Hotjar Ltd, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, is used on the websites to measure and evaluate user behaviour (mouse movements, clicks, scroll height etc.). This is done in accordance with external processing. For this purpose, Hotjar uses cookies on the user’s end devices and may collect non-personal data from users, such as browser information, operating system, length of stay, etc. (only with anonymised IP address). More information here: https://www.hotjar.com/privacy, Option to turn off this function here: https://www.hotjar.com/opt-out

We use the following third-party providers to re-target the user (remarketing):

  1. Remarketing by Google using “Double Click” and “Audiences” technology in order to approach users who have already visited our websites through Interest-based advertising on the pages of the Google Partner Network. With the help of cookies, interests can be analysed when visiting the website and subsequently used for relevant product advertising. If users have agreed that their web and app Google browsing history is linked to their Google Account and information from our Google Account is used to personalise advertising they see on third-party websites, Google will use data from those registered users together with Google Analytics data to create and define cross-device remarketing target group lists. To support this feature, Google Analytics collects the Google-authenticated IDs of these users. This personal data from Google is temporarily linked to our Google Analytics data in order to form target groups. You will find more information and options to deactivate these ad placements at http://www.google.com/settings/u/0/ads/anonymous?hl=de (Link “Ad settings”, then “Deactivation”).
     
  2. Criteo SA, 32 Rue Blanche, 75009 Paris, France (“Criteo”) for advertising on the websites and emails of third parties (https://emailprivacy.criteo.com/de/index.html) to address our previous customers. The service works with us as a general data processor. In doing so, the customer is not personally identified but rather only recognised under a pseudonym. This is done across various customer devices using an encrypted (non-reversible) email address. Further information: https://support.criteo.com/hc/de/articles/202427141-Cross-Device-Integration. At http://www.criteo.com/de/privacy you also have the option of objecting to the use of usage data and other data for certain purposes (your preference – “Opt-out”). The advertising is therefore no longer controlled based on usage data collected by Criteo. To extend its reach, Criteo works with a network of partners who implement similar technology and may set cookies on our website in their own name.
     
  3. “Website Custom Audiences” by Facebook Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland (“Facebook”) is implemented as a pixel to advertise in the social network. Facebook works with an appropriate level of data protection (see EU-US Privacy Shield above). If you visit our websites, a direct connection between your browser and the Facebook server is established via the pixel. If you are a Facebook user and do not delete cookies before you login to Facebook, Facebook can associate your visit to our website with your user account. We can only choose which segments of Facebook users (such as age, interests) to whom our advertising should be displayed. No personal data records, in particular none of our users’ email addresses – either encrypted or unencrypted – are transmitted to Facebook. Facebook may be informed about browser and device types, cookie ID, number and amount of orders. You will find more information on Facebook’s data privacy policy https://www.facebook.com/about/privacy. Please click here if you, as a Facebook user, do not want data collection via Custom Audiences: https://www.facebook.com/settings?tab=ads
     
  4. “Adobe Marketing Cloud” from Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West Business Campus, Saggart D24, Dublin, Ireland and Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA95110, USA. This is done in the context of external processing and with the appropriate level of data protection (see EU-US Privacy Shield above). You can opt-out here: https://www.adobe.com/de/privacy/opt-out.html
     
  5. “emetriq”, the service of emetriq GmbH, Vorsetzen 35, 20459 Hamburg. We and emetriq insert advertisements on websites on the Internet and use cookies to insert advertisements based on a user’s previous visits to our site. You can deactivate this technology for interest-based advertising here: http://www.emetriq.com/opt-out/
     
  6. Affiliate network “AWIN” from AWIN AG, AWIN AG, Eichhornstraße 3, 10785 Berlin, as a general data processor with us. Affiliate marketing is an Internet-based form of selling that enables commercial operators of websites, the so-called “merchants” or “advertisers”, to display advertising, which is usually remunerated via click or sale commissions, on third-party websites, i.e. with sales partners who are also called affiliates or publishers. The merchant provides advertising material via the affiliate network, therefore an advertising banner or other suitable means of Internet advertising, which are subsequently integrated by an affiliate on its own websites or advertised via other channels, such as keyword advertising or email marketing. AWIN places a cookie on the data subject’s IT system. Cookies have already been explained above. AWIN’s tracking cookie does not store any personal data. Only the identification number of the affiliate, meaning that of the partner referring potential customers, as well as the status number of the visitor of a website and the clicked advertising material are stored. The purpose of storing this data is to process commission payments between a merchant and the affiliate, which are processed via the affiliate network, in this case AWIN. AWIN’s valid data privacy provisions can be viewed at https://www.awin.com/de/rechtliches/privacy-policy.
  7. “Bing” advertising network from the Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, (“Microsoft”). The service is as a general data processor with us and works with the appropriate level of data protection (see EU-US Privacy Shield above). Microsoft will place a cookie if the user accessed the website via a Microsoft Bing advert. In this way Microsoft Bing and we can see that someone has clicked on an ad, has been redirected to our website and has reached a previously defined target page (conversion page). Furthermore, the same requirements apply as for Google's aforementioned conversion tracking. Further information about data privacy at Microsoft and the cookies used at https://www.microsoft.com/privacystatement/de-de/core/default.aspx. Customers can also object to tracking by Microsoft by opting out http://choice.microsoft.com/de-de/opt-out for the future.
     
  8. Market research/analysis “Neory” from NEORY GmbH to conduct effective market research/analysis, to collect statistical data for campaign tracking or to optimise the user-friendliness of our websites. This is done by means of pseudonymous user profiles in which no personal data and only anonymised or pseudonymised data is used. Cookies can be used for this purpose. The following data is collected, among other things: Time of the visit, channel information, including possible parameters and referrer domain. The data is not used to personally identify the visitor to this website. NEORY GmbH will use the transmitted data on our behalf notably to implement campaign tracking. All aforementioned data is collected solely for this purpose and stored without any personal reference. You can prevent campaign tracking by NEORY GmbH and the processing of this dataBy opting out using the following link: http://d.neory-tm.net/privacy/l661hfqafe4v/optout
     
  9. “RichRelevance” from RichRelevance, Inc., 303 Second Street, Suite 350, San Francisco, CA 94107, USA, to display relevant product recommendations for all channels.  For this purpose, a user ID (MD5 hashed), browser info, viewed products, viewed category, time, purchases are transmitted to RichRelevance by pseudonym, meaning not traceable to you. The service is as an external processor and works with the appropriate level of data protection (see EU-US Privacy Shield above). You will find information about data privacy here: http://richrelevance.de/richrelevance-datenschutzrichtlinie/ Collection can be objected to using the following link: http://richrelevance.de/richrelevance-datenschutzrichtlinie/opt-out/

We use the following third-party providers to analyse advertising effectiveness:

  1. Google Adwords, to draw attention to our attractive offers with the help of advertising materials (Google Adwords) on external websites. The advertising materials are delivered by Google via so-called “AdServers”. We use AdServer cookies to measure certain parameters for measuring success, such as the insertion of advertising or clicks by users. If you access our website via a Google advert, Google Adwords stores a cookie on your device. For this cookie, the unique cookie ID, number of ad impressions per placement (frequency), last impression (relevant for post-view conversions) and opt-out information (mark that user does not want to be addressed) are usually stored as analysis values. These cookies enable Google to recognise your browser. If a user visits certain pages of an Adwords customer’s website and the cookie stored on their computer has not expired, Google and the customer can recognise that the user has clicked on the ad and has been redirected to this page. Every AdWords user receives a different cookie. Cookies can therefore not be tracked via the websites of AdWords users. AdWords users do not receive any personal information. Further information on data privacy at Google at https://www.google.com/policies/?hl=de. Users can also deactivate or object to Google ads in whole or in part at https://privacy.google.com/?hl=de#google-experience (opt-out).
     
  2. Microsoft Bing conversion tracking, see above.
     
  3. AWIN, see above
     
  4. “Kelkoo” and “ProductsUp” for measuring the success of our offers in price comparisons, etc., whereby a cookie from the price comparison page records whether and to what extent a sale was made on our website. Providers are Kelkoo Deutschland GmbH, Hausvogteiplatz 10, 10117 Berlin (http://www.kelkoo.de/unternehmen/datenschutz) and Products Up GmbH, Bahnhofstr. 5, 91245 Simmelsdorf (https://productsup.io/de/rechtlicher-hinweis/).
  5. Realytics' Analytics cookie is a cookie used by Realytics (Realytics SAS, 73 Rue D'Anjou, 75008, Paris, France) to measure the performance of advertisers' TV campaigns on digital channels. The Realytics cookie does not collect any personal or sensitive data. It can be deactivated via the Opt-Out function https://www.realytics.io/optout/

2. Legal basis for data processing

If our use of cookies means the processing of personal data, the legal basis is Article 6 Para. 1 Let. b and f GDPR.

3. Purpose of data processing

The purpose of using of technically necessary cookies according to Article 6 Para. 1 Lit. b GDPR is to simplify the use of websites for users. Some functions on our website cannot be offered without using cookies. For this it is necessary that the browser is recognised even after a page change.

We require cookies for the following applications:

  1. Registration
  2. Login
  3. Shopping basket for buying and selling

The user data collected by technically necessary cookies is not used to create user profiles.

If the other cookies are processed, we have a legitimate interest in processing the personal data in accordance with Article 6 Para. 1 Lit. f GDPR:

the use of analysis cookies is for the purpose of improving the quality of our website and its content. Through analysis cookies, we learn how the website is used and can therefore constantly optimise what we offer. We recognise which advertising measures caused our websites to be visited (conversion tracking). We can determine how successful the individual advertising measures are in relation to the data of the advertising measures. We are interested in showing you advertisements that are of interest to you, in making our website more interesting and easier for you and in achieving a fair calculation of advertising costs.

Retargeting is done to address previous users of our websites again on third party websites and to motivate them to interact. Users receive advertising content on third party websites that is related to their interests rather than general.

4. Storage duration

Cookies are stored on the user’s computer and transmitted to our site. Therefore, you as the user also have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that are already stored can be deleted at any time. This can be done automatically. If cookies are deactivated for our website, it is possible that not all functions can be used to their full extent (see “technically necessary cookies” above).

The cookie storage duration is indicated above. Otherwise, they are set indefinitely until you delete the memory in the browser.

5. Objection or removal option

You can disable or restrict the processing of cookies by the service providers used by us using the aforementioned links. Furthermore, you can use the preference management of the “yourchoices” commitment for Internet-based advertising: http://www.youronlinechoices.com/de/praferenzmanagement/

The objection is valid as long as the related opt-out cookie is not deleted. This cookie is set for the domain, per browser and user of a computer. If you access our website from multiple devices and browsers, you must therefore object to data collection separately and again on each of these devices and in each browser.

VI. Advertising emails (newsletter)

1. Description and scope of data processing

On our website there is the option of subscribing to a free newsletter. This data is transmitted to us when you register for the newsletter:

  1. email address as specified
  2. title, first and last name (optional)
  3. IP address of the visiting computer
  4. date and time of registration

Your consent is obtained for data processing and reference is made to this data privacy policy during the registration process. You will then receive an email asking you to confirm your registration (double opt-in process). If you are a customer, we will create the newsletter for you as individually as possible, taking into account your previous purchases and sales.

If you buy or sell goods on our website and provide us with your email address, we may subsequently use it to send you a newsletter. If this is the case, only direct advertising for our own similar goods or services will be sent via the newsletter. We will send you reminders for incomplete transactions (shopping basket) and ask you to participate in surveys by email. In addition, you will receive loyalty messages by email if you did not carry out any transactions at all on a particularly regular basis or for a longer period of time.

This regulation will be brought to your attention when you register or when buying or selling.

We would like to point out that we measure the use of the newsletter. For the evaluation, the emails sent contain so-called “web beacons” or “tracking pixels” which represent single-pixel image files stored on our website. For the evaluation we link the data and the web beacons with your email address and an individual ID. Links contained in the newsletter are also provided with an ID. We create a user profile with the data obtained in this way to tailor the newsletter to your individual interests.  When you read our newsletter, we record which links you click on in it and deduce your personal interests. We link this data to your actions on our website.

No data is passed on to third parties for their own purposes in connection with data processing for sending of newsletters.

We use the optivo broadmail service from Episerver GmbH, Wallstraße 16, 10179 Berlin for sending the newsletter. Data may also be transferred to third countries within the Episerver group. The agreement on external data processing and certification according to EU-US Privacy Shield is available.

2. Legal basis for data processing

The legal basis for processing the data after the user has registered for the newsletter is Article 6 Para. 1 Lit. a GDPR if the user has given consent.

The legal basis for sending the newsletter as a result of the sale of goods or services is Section 7 Para. 3 Unfair Competition Act (UWG).

The legal basis for providing shopping basket reminders, surveys and measuring usage is Article 6 Para. 1 Lit. a Lit. f GDPR.

3. Purpose of data processing

Collecting the user’s email address is for delivering the newsletter.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.

Messages to customers for shopping basket reminders or loyalty campaigns offer targeted communication for users and us. Requests for surveys and reviews are also in our legitimate interests because they improve our services.

Profiling based on previous purchases, sales and use of the newsletter is in our legitimate interest in order to send relevant news to users.

4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. The user’s email address will therefore be stored as long as the newsletter subscription is active.

The other personal data collected during the registration process will generally be deleted after a period of seven days.

After cancellation, we store the data purely statistically and anonymously.

5. Objection or removal option

The newsletter subscription can be cancelled by the user concerned at any time. There is a corresponding link in each newsletter for this purpose. Furthermore, you have the option of cancelling the newsletter in your customer account. For more information see “Rights of the data subject” below.

You can also restrict usage measurements by deactivating the images displays in your email program as standard.

VII. Emails for reviews

1. Description and scope of data processing

If you register, buy or sell goods on our website and provide your e-mail address or subscribe to the newsletter, we may ask you by email to review our performance and/or the product. This is done using the services specified in the email or on third platforms (such as Shopauskunft or Trustpilot). Participation in reviews is always voluntary. The platforms do not receive any personal data from us unless otherwise stated here.

We use the following third parties:

  1. we send emails for reviews via the service provider Mandrill Inc., 512 Means Street, Sweet, 404, Atlanta, GA 30318, USA, a company of the Rocket Science Group, LLC d/b/a MailChimp LLC. Mandrill manages customers’ emails and organises processing. Mandrill processes content and communication for us. This is done in the context of external processing and with the appropriate level of data protection (see EU-US Privacy Shield above). You fill find more information on data processing by Mandrill in the data privacy policy at https://mailchimp.com/legal/privacy.
     
  2. We use the analysis software “wootric” from Wootric, Inc. 220 27th St., San Francisco, CA 94131, USA to survey users (of the newsletter). Wootric processes the user’s email address, review and optional comments for us and is an external processor and works with the appropriate level of data protection (see EU-US Privacy Shield above).

2. Legal basis for data processing

The legal basis for asking for reviews is Article 6 Para. 1 Lit. f GDPR.

3. Purpose of data processing

The purpose of collecting the email address and information about using our service is to send the message with a review request. Data processing by us or our contractors is in the legitimate interest of improving our services for users and increasing our reach through (positive) reviews.

4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection.

5. Objection or removal option

Cancelling the newsletter means that you will no longer receive emails from us asking for reviews.

VIII. Push notifications

1. Description and scope of data processing

There is an option on our website to consent to push notifications. These are brief pieces of information that you receive via your browser. This data is transmitted to us when you register for push notifications:

  1. IP address of the visiting computer
  2. date and time of registration

Please note that we measure the use of push notifications.

We use the service accengage from accengage S. A., 31 rue du 4 septembre, 75 002 Paris, France for managing push notifications. In this context, data (name, email address) is collected and stored from which user profiles are created using pseudonyms. These usage profiles are used to analyse visitor behaviour and are evaluated to improve and design our offer in line with demand. You will find more information on Accengage and data privacy at https://www.accengage.com/privacy-policy. Accengage only receives the relevant data if the user accepts push notifications (in the browser). Accengage will automatically delete this user data after opting out (in the browser) or after 12 months of inactivity by the user.

2. Legal basis for data processing

The legal basis for processing the data after the user has registered for push notifications is Article 6 Para. 1 Lit. a GDPR if the user has given consent.

​​​​​​​3. Purpose of data processing

Collection of the aforementioned data is for delivering push notifications.

​​​​​​​​​​​​​​4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. It is therefore stored as long as the subscription is active. The other personal data collected during the registration process will generally be deleted after a period of seven days. After cancellation, we store the data purely statistically and anonymously.

​​​​​​​5. Objection or removal option

The push notification subscription can be cancelled by the user concerned at any time. Please use your browser configuration: settings for contents/websites, then switch off the notifications/messages. You can also use the symbol to the left of the URL in the browser for the respective website’s settings. For more information see “Rights of the data subject” below.

IX. Advertising mail

1. Description and scope of data processing

If you buy or sell goods on our website and provide us with your postal address, we may subsequently use it to send you advertising mail. If this is the case, only direct advertising for our own similar goods or services will be sent.  This regulation will be brought to your attention when you register or when buying or selling.

For sending advertising mail, we use the letter shop adressdruck.de, Wilhelm-Kabus-Straße 21-35, 10829 Berlin.

​​​​​​​2. Legal basis for data processing

The legal basis for sending advertising mail as a result of the sale of goods or services is Section 7 Para. 3 Unfair Competition Act (UWG).

​​​​​​​3. Purpose of data processing

Collection of the postal address is for delivering advertising mail.

​​​​​​​​​​​​​​4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. The user’s postal address will therefore be stored until there is no further registration (see below).

​​​​​​​5. Objection or removal option

You can object to the receipt of advertising mail for the future according to Article 21 Para. 2, 3 GDPR.

X. Registration

1. Description and scope of data processing

On our website, we offer users the option of registering by providing personal data. The data is entered into an input screen, transmitted to us and saved. No data is passed on to third parties. The following data is collected as part of the registration process:

  1. title, first and surname
  2. email address
  3. self-chosen password
  4. address (street, house number, postcode, location)
  5. optional consent for newsletter
  6. optional entry for telephone number
  7. optional entry date of birth
  8. your account data (for buying on momox, after registration)

The following data will also be stored at the time of registration:

  1. date and time of registration
  2. access source of registration: web, iOS app, Android app

As part of the registration process, the user’s consent to the processing of this data is obtained with reference to our general terms and conditions and this data privacy policy.

​​​​​​​2. Legal basis for data processing

The legal basis for processing the data is Article 6 Para. 1 Lit. a and Lit. b GDPR.

​​​​​​​​​​​​​​3. Purpose of data processing

The user gives his/her consent. The user’s registration is necessary for fulfilling a contract with the user and/or for executing precontractual measures. This concerns our purchase and sale of goods by or to the user.

​​​​​​​4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. This is the case for the data for fulfilling a contract or executing precontractual measures 

if the data is no longer required for executing the contract. Even after conclusion of the contract, it may still be necessary to store the contractual partner’s personal data in order to fulfil contractual or legal obligations.

​​​​​​​5. Objection or removal option

As the user, you have the option of cancelling registration at any time by sending an email to our support team or using our contact form. You can change the data stored about you at any time. For more information see “Rights of the data subject” below.

If the data is required to fulfil a contract or to execute precontractual measures, premature deletion of the data is only possible if there are no contractual or statutory obligations to the contrary.

XI. Buying and selling goods

1. Description and scope of data processing

On our website, we offer customers the option of selling us good and buying goods from us. The user’s consent to the processing of this data is obtained as part of the buying and selling process.

The data will be transmitted to us and stored in accordance with the user’s registration data in connection with goods, means of payment and shipping information selected by the user. The following user data is collected during the purchase and sale process and transmitted to the service providers named here:

  1. email address
  2. title, first and surname, address
  3. goods
  4. payment information: Your payment details will be sent to the appropriate payment service provider depending on the payment method you have chosen. The payment service provider is responsible for your payment data. When selecting certain means of payment, payment service providers may carry out a credit risk assessment on the basis of mathematical-statistical procedures (so-called “scoring”) at a credit agency. We have no influence on the assessment and do not receive any results. The payment service providers will provide you with information, in particular about the payment service providers’ controller, the contact details of the payment service providers’ data protection officers and the categories of personal data processed by the payment service providers:

​​​​​​​​​​​​​​a. Klarna: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden, is the responsible party. You will find information on data privacy and also possible credit checks, etc. by BillPay GmbH, Zinnowitzer Str. 1, 10115 Berlin, here: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy

b. Paypal: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg, is the responsible party. You will find information on data privacy and also possible credit checks by other service providers here: https://www.paypal.com/de/webapps/mpp/ua/privacy-full?locale.x=de_DE

c. PayOne: BS PAYONE GmbH, Lyoner Straße 9, 60528 Frankfurt am Main, is the responsible party (credit cards and direct debits). You will find information on data privacy and also possible credit checks by other service providers here: https://www.bs-card-service.com/de/datenschutz/

d. Amazon Payments: All personal data that you provide to Amazon Payments or that is collected during the payment process is primarily checked by Amazon Payments s.c.a. (as the responsible party) and secondarily by Amazon EU SARL, Amazon Services Europe SARL and Amazon Media EU SARL, all three located on 5, Rue Plaetis L 2338, Luxembourg. You confirm the data privacy policy when you register for Amazon: https://pay.amazon.com/de/help/201751600

5. Delivery information: if we have goods delivered to you, we pass your data on to the transport company commissioned with delivery if this is required for delivery or status update. The service provider is always indicated in the order. These are currently:

a. Deutsche Post AG and DHL Paket GmbH

b. Hermes Germany GmbH

c. PIN Mail AG

d. Asendia Management SAS

e. Postcon Deutsch-land B.V. & Co. KG

6. Inclusion in the Trusted Shops quality label: The Trusted Shops trust badge is included on this website to display our Trusted Shops quality label and the collected reviews as well as to offer Trusted Shops products to buyers after an order. This serves to protect our prevailing legitimate interests in the optimal marketing of our offer as part of balanced interests. The trust badge and associated services are an offer of Trusted Shops GmbH, Subbelrather Str. 15C, 50823 Cologne. When clicking the trust badge, the web server automatically saves a so-called “server log file”, which contains e.g. your IP address, date and time of the click, transferred data volume and the requesting provider (access data) and documents the click. This access data is not evaluated and is automatically overwritten seven days after the end of your website visit at the latest. Other personal data is only transferred to Trusted Shops if you decide to use Trusted Shops products after completing an order or have already registered for use. In this case, the contractual agreement between you and Trusted Shops applies.

7. If you purchase new books on our website, we use the dealer Libri GmbH, Friedensallee 273, 22763 Hamburg, for selling the goods. Libri GmbH therefore receives information regarding the ordered book and the delivery address.

2. Legal basis for data processing

The legal basis is Article 6 Para. 1 Lit. a, b and f GDPR.

​​​​​​​3. Purpose of data processing

The user gives his/her consent. Processing data for logistics, payment and delivery is necessary for the fulfilment of the contract in accordance with Article 6 Para. 1 Lit. b GDPR. This concerns our purchase and sale of goods by or to the user. With regard to the

inclusion of the Trusted Shop quality label and work of Libri GmbH, there is a legitimate interest in accordance with Article 6 Para. 1 Lit. f GDPR.

​​​​​​​4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection.

This is the case for data during the purchase and sale contract or for executing precontractual measures if the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store the contractual partner’s personal data in order to fulfil contractual or legal obligations.

​​​​​​​5. Objection or removal option

If the data is required to fulfil a contract or to execute precontractual measures, premature deletion of the data is only possible if there are no contractual or statutory obligations to the contrary.

You can change the data stored about you at any time. For more information see “Rights of the data subject” below.

XII. Contact form and email contact

1. Description and scope of data processing

There is a contact form on our website that can be used for electronic contact. If a user uses this option, the data entered in the input screen will be transmitted to us and stored. The user’s message and email address are required. Other information is optional:

  1. title, first and surname
  2. order number
  3. telephone number

Your consent is obtained for data processing and reference is made to this data privacy policy during the sending process.

Alternatively, you can contact us via the email address provided. In this case, the user’s personal data transmitted by email will be stored.

  1. We user software from the company Zendesk Inc., 1019 Market St San Francisco, CA 94103 (“Zendesk”) for processing customer enquiries. Zendesk manages customers’ emails and organises processing. Zendesk processes the name, content and technical information of the communication for us. This is done in the context of external processing and with the appropriate level of data protection (see EU-US Privacy Shield above). You fill find more information on data processing by Zendesk in Zendesk’s data privacy policy at http://www.zendesk.com/company/privacy.
  2. We send emails in connection with buying and selling goods (transaction emails) via the service provider Mandrill Inc., 512 Means Street, Sweet, 404, Atlanta, GA 30318, USA, a company of the Rocket Science Group, LLC d/b/a MailChimp LLC. Mandrill manages customers’ emails and organises processing. Mandrill processes content and communication for us. This is done in the context of external processing and with the appropriate level of data protection (see EU-US Privacy Shield above). You fill find more information on data processing by Mandrill in the data privacy policy at https://mailchimp.com/legal/privacy.

2. Legal basis for data processing

The legal basis for processing data is Article 6 Para. 1 Lit. a GDPR if the user has given consent.

If the aim of the email is concluding a contract, the additional legal basis for processing is Article 6 Para. 1 Lit. b GDPR.

​​​​​​​3. Purpose of data processing

The user gives his/her consent. Processing personal data from the input screen is for processing any contact.

​​​​​​​4. Storage duration

The data is deleted as soon as it is no longer necessary for achieving the purpose of its collection. For personal data from the contact form input screen and that which was sent by email, this is the case when the respective conversation with the user is finished. The conversation is terminated when the circumstances show that it is certain that the matter in question has been conclusively resolved.

​​​​​​​5. Objection or removal option

The user has the option of revoking his/her consent to the processing of personal data at any time. If the user contacts us via email, he/she can object to the storage of his/her personal data at any time. In a case such as this, the conversation cannot be continued. For more information see “Rights of the data subject” below.

XIII. Rights of the data subject

If your personal data is processed, you are the data subject according to GDPR and you are entitled to the following rights with regard to the controller:

​​​​​​​1. Right to information

You can ask the controller to confirm whether personal data concerning you will be processed by us.

If processing has taken place, you can request the following information from the controller:

  1. the purposes for which personal data is being processed;
  2. the category of personal data being processed;
  3. the recipient or categories of recipients to whom the personal data concerning you has been or is still being disclosed;
  4. the planned storage duration the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
  5. the existence of a right to have the personal data concerning you corrected or deleted, a right to have processing restricted by the controller or a right to object to this kind of processing;
  6. the existence of a right to complain to a supervisory authority;
  7. all available information regarding the origin of the data if the personal data is not collected from the data subject;
  8. the existence of automated decision-making, including profiling in accordance with Article 22 Para. 1 and 4 GDPR and – at least in these cases – significant information on the logic involved and the scope and intended effects of this kind of processing for the data subject.
  9. You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you can request to be informed of the appropriate guarantees according to Art. 46 GDPR in connection with the transmission.

​​​​​​​2. Right to correction

You have a right to the correction and/or completion by the controller if the personal data processed concerning you is incorrect or incomplete. The controller must make the correction without delay.

​​​​​​​3. Right to restrict processing

You may request that the processing of personal data concerning you be restricted under the following conditions:

  1. if you dispute the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;
  2. processing is unlawful and you refuse the deletion of the personal data and instead request that the use of the personal data be restricted;
  3. the controller no longer needs the personal data for processing purposes but you do need it to assert, exercise or defend legal claims, or
  4. if you have filed an objection to the processing according to Article 21 Para. 1 GDPR and it has not yet been determined whether the legitimate reasons of the controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data may only be processed – aside from being stored – with your consent or for the purpose of asserting, exercising or defending rights or for protecting the rights of another natural or legal person or on grounds of important public interest of the European Union or a member state.

If the processing restriction has been restricted in accordance with the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

​​​​​​​4. Right to deletion

a) Deletion obligation

You can request that the controller delete the personal data concerning you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:

  1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. You revoke your consent on which the processing was based according to Article 6 Para. 1 Lit. a or Article 9 Para. 2 Lit. a GDPR and there is no other legal basis for processing.
  3. You file an objection against processing according to Article 21 Para. 1 GDPR and there are no overriding legitimate reasons for processing or you file an objection against processing according to Article 21 Para. 2 GDPR.
  4. The personal data concerning you has been unlawfully processed.
  5. The deletion of personal data concerning you is necessary to fulfil a legal obligation under EU law or the member state law to which the controller is subject.
  6. The personal data concerning you has been collected in relation to information society services offered according to Article 8 Para. 1 GDPR.

b) Information to third parties

If the controller has made personal data concerning you public and is obliged to delete it according to Article 17 Para. 1 GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

  1. Exceptions

The right to deletion does not exist if processing is required

  1. to exercise the right to freedom of expression and information;
  2. to perform a legal obligation required for processing under EU law or member states’ law to which the controller is subject or to perform a task in the public interest or to exercise public authority that has been assigned to the controller (this is, for example, commercial and tax-related retention obligations);
  3. for reasons of public interest in the field of public health according to Article 9 Para. 2 Lit. h and i and Article 9 Para. 3 GDPR;
  4. for archiving purposes in the public interest, academic or historical research purposes or for statistical purposes according to Article 89 Para. 1 GDPR, if the right referred to in a) is likely to make it impossible or seriously impair the attainment of the objectives of this processing or
  5. for asserting, exercising or defending legal claims.

​​​​​​​5. Right to notification

If you have exercised your right to have the controller correct, delete or limit processing, it is obliged to inform all recipients to whom the personal data concerning you has been disclosed of this correction or deletion of the data or processing restriction, unless this proves impossible or involves a disproportionate effort.

You shall also have the right to be informed about these recipients by the controller.

​​​​​​​6. Right to data transferability

You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format. Furthermore, you have the right to transmit this data to another controller without any obstruction by the controller to whom the personal data was made available provided that

  1. processing is based on consent according to Article 6 Para. 1 Lit. a GDPR or Article 9 Para. 2 Lit. a GDPR or on a contract according to Article 6 Para. 1 Lit. a GDPR and
  2. processing is carried out using automated methods.

In exercising this right, you also have the right to affect that the personal data concerning you be transferred directly from one controller to another if this is technically feasible. Freedoms and rights of other people may not be affected because of this.

The right to data transferability does not apply to processing personal data necessary for performing a task in the public interest or in the exercise of public authority assigned to the controller.

​​​​​​​7. Right to objection

You have the right, for reasons arising from your particular situation, to object to the processing of personal data concerning you under Article 6 Para. 1 Lit. e or f GDPR at any time; this also applies to profiling based on these provisions.

The controller no longer processes the personal data concerning you, unless it can prove compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If the personal data concerning you is processed for direct marketing purposes, you have the right to object to the processing of personal data concerning you for the purpose of this kind of advertising at any time according to Article 21 Para. 2, 3 GDPR; this also applies to profiling if it is in connection with this kind of direct marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the option of exercising your right of objection using automated procedures in which technical specifications are used, in connection with the use of information society services, notwithstanding Directive 2002/58/EC.

​​​​​​​8. Right to revoking the declaration of consent relating to data privacy

You have the right to revoke your declaration of consent relating to data privacy at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

​​​​​​​9. Automated decision on a case-by-case basis, including profiling

You have the right not to be subject to a decision based exclusively on automated processing, including profiling, that has legal effect against you or significantly impairs you in a similar manner. This does not apply if the decision

  1. is necessary for concluding or fulling a contract between you and the controller,i
  2. s admissible due to EU law or the member state law to which the controller is subject and where this law contains appropriate measures to safeguard your rights, freedoms and legitimate interests or
  3. takes place with your explicit consent.

However, these decisions may not be based on special categories of personal data according to Article 9 Para. 1 GDPR unless Article 9 Para. 2 Lit. a or g applies and appropriate measures have been taken to protect your rights, freedoms and legitimate interests.

In the cases referred to in (1) and (3), the controller shall take reasonable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to obtain the intervention of a person by the controller, to state its own position and to challenge the decision.

​​​​​​​10. Right to complain to a supervisory authority

Irrespective of any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the member state in which you are residing, working or suspected of violation, if you believe that the processing of personal data concerning you is contrary to the GDPR. 

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

​​​​​​​11. Validity of this data privacy policy

We reserve to right to makes changes to these data privacy guidelines from time to time. The current version can be seen on our website. If a change significantly restricts the rights of registered users, we will notify them. Furthermore, the currently available data privacy policy is valid for our website users.