Data privacy protection
As of 25 May 2018
Who is responsible?
In accordance with the applicable data protection law, bleed clothing GmbH bears the responsibility for your personal data.
Name / Company: bleed clothing GmbH
Street, no.: Münchberger Str. 42
Postcode, City, Country: 95233 Helmbrechts, Germany
Commercial Register / No.: HRB 4443 AG Hof
Managing Director: Michael Spitzbarth
Telephone number: 09252 350267
Email address: firstname.lastname@example.org
Which data do we process?
Personal data is transmitted to us by you in various ways. This happens, for instance, when you place an order on our website, contact us via email or contact form or keep a customer account with us. These data include:
- Inventory data (e.g., names, addresses)
- Contact information (e.g., email, phone numbers)
- Content data (e.g., text input, photographs, videos)
- Contract data (e.g., contract object, order history)
- Payment details (e.g., bank details, payment history)
- Usage data (e.g., websites visited, interest in content, access times, user account)
- Meta / communication data (e.g., device information, IP addresses)
From whom do we process data?
In the course of our business operations we deal with a variety of people. These include:
- Customers / interested parties
- Suppliers / business partners
- Website visitors / Registered website users with customer account
- Employees / applicants
In the following, we also refer to the persons concerned as "users".
For what purpose do we process data?
In order to provide, perform and improve our services, it is necessary to collect data in compliance with the relevant data protection regulations. These reasons include:
- Providing the online offer, its contents and functions
- Provision of contractual services, service and customer care
- Answering contact requests and communicating with users
- Marketing, advertising and market research
- Safety measures
Are special categories of data processed by bleed clothing GmbH according to Article 9 (1) GDPR?
In principle, no special categories of data are processed or collected unless users explicitly supply them (e.g., a candidate), for example by indication in applications or input in the contact form.
1. Relevant legal bases
In accordance with Article 13 GDPR, we inform you about the legal basis of our data processing. Unless the legal basis is mentioned in the data protection declaration, the following applies: The legal basis for obtaining consent is Article 6 (1) a) and Article 7 GDPR, the legal basis for the processing for the performance of our services and the execution of contractual measures as well as the response to inquiries is Article 6 (1) b) GDPR, the legal basis for the processing in order to fulfill our legal obligations is Article 6 (1) c) GDPR, and the legal basis for the processing in order to safeguard our legitimate interests is Article 6 (1) f) GDPR.
3. Safety measures
3.1. In accordance with Article 32 GDPR, we take appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, extent, circumstances and purposes of the processing as well as the different likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk; measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, availability and their separation. In addition, we have established procedures that ensure the exercise of the rights of the persons affected, data erasure and the response to threats to the data. Furthermore, we consider the protection of personal data already in the development or selection of hardware, software and procedures, in accordance with the principle of data protection by technology design and by privacy-friendly default settings (Article 25 GDPR).
3.2. One of the security measures is the encrypted transfer of data between your browser and our server.
4. Cooperation with processors and third parties
4.1. If, in the context of our processing, we disclose data to other persons and companies (processors or third parties), transmit them to them or otherwise grant access to the data, this will only be done on the basis of a legal permission (e.g. if a data transmission to third parties is required, as for example to payment service providers, pursuant to Article 6 (1) b) GDPR to fulfill the contract), if you have consented, if a legal obligation requires it or if it is based on our legitimate interests (e.g. the use of agents, webhosters, etc.).
4.2. If we commission third parties to process data on the basis of a so-called "processing contract", this is done on the basis of Article 28 GDPR.
5. Transfers to third countries
In general, bleed clothing GmbH does not transmit data to third countries. If, in exceptional cases, we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of third-party services or disclosure or transmission of data to third parties, this is done only if it is to fulfill our (pre) contractual obligations, on the basis of your consent, due to a legal obligation or due to our legitimate interests. Subject to legal or contractual permissions, we process the data, or have it processed, in a third country only if the special conditions of Article 44 et seq. GDPR are fulfilled. That means that the processing takes place e.g. on the basis of specific guarantees, such as the officially recognized determination of a data protection level according to the EU (e.g. for the US through the “Privacy Shield”) or in compliance with officially recognized special contractual obligations (so-called "standard contractual clauses").
6. Rights of the persons concerned
6.1. You have the right to ask for confirmation as to whether the data in question is being processed and to ask for information about this data as well as for further information and a copy of this data in accordance with Article 15 GDPR.
6.2. In accordance with Article 16 GDPR, you have the right to demand the completion of the data concerning you or the correction of the incorrect data concerning you.
6.3. In accordance with Article 17 GDPR, you have the right to ask for immediate deletion of the concerned data, or, alternatively, in accordance with Article 18 GDPR to require a restriction of the processing of this data.
6.4. You have the right to demand to receive the data relating to you, which you have provided to us, in accordance with Article 20 GDPR and to request their transmission to other persons responsible.
6.5. You have the right to free information about your stored data as well as the right to correction, deletion or blocking at any time (see 6.1 to 6.4). To submit your request, please use the contact form on our website or contact us directly at email@example.com.
6.6. Furthermore, in accordance with Article 77 GDPR you are entitled to file a complaint with the relevant supervisory authority. You may also contact bleed clothing GmbH using the above-mentioned contact data if you are of the opinion that your personal data was not processed in compliance with the law.
7. Right of withdrawal
You have the right to revoke your granted consent in accordance with Article 7 (3) GDPR for the future.
8. Right to object
You can object to the future processing of your data in accordance with Article 21 GDPR at any time. The objection may in particular be made against processing for direct marketing purposes.
9. Cookies and right to object direct mail
10. Deletion of data
10.2. According to legal requirements, the storage takes place in particular for 6 years in accordance with § 257 (1) HGB (trading books, inventories, opening balance sheets, annual accounts, trade letters, accounting documents, etc.) and for 10 years in accordance with § 147 (1) AO (books, records, management reports, accounting documents, commercial and business letters, documents relevant to taxation, etc.).
11. Provision of contractual services
11.1. We process inventory data (e.g. names and addresses as well as user contact information), contract data (e.g. services used, contact names, billing information) for the purpose of fulfilling our contractual obligations and services in accordance with Article 6 (1) b) GDPR. The entries marked as obligatory in online forms are required for the conclusion of the contract.
11.2. Users can optionally create a user account, in particular to be able to view their orders. As part of the registration, the necessary mandatory information will be communicated to the users. The user accounts are not public and cannot be indexed by search engines. If users have terminated their user account, their data with regard to the user account will be deleted, unless their retention is necessary for commercial or tax law reasons in accordance with Article 6 (1) c) GDPR. It is the responsibility of the users to secure their data upon termination before the end of the contract. We are entitled to irretrievably delete all user data stored during the term of the contract.
11.3. As part of the registration and re-registration as well as use of our online services, the IP address and the time of the respective user action will be saved. The storage is based on our legitimate interests, as well as the user's protection against misuse and other unauthorized use. The deletion takes place after 30 days. A transfer of these data to third parties does not take place, unless it is necessary for the prosecution of our claims or there is a legal obligation in accordance with Article 6 (1) c) GDPR.
11.4. We process usage data (e.g. the visited web pages of our online offering, interest in our products) and content data (e.g. entries in the contact form or user profile) for advertising purposes in a user profile to inform the user e.g. about product instructions based on their previously used services.
11.5. The deletion takes place after the expiry of legal warranty and comparable obligations, the necessity of keeping the data is checked every three years; in the case of legal archiving obligations, the deletion takes place after its expiry (end of commercial law (6 years) and tax law (10 years) retention obligation); information in the customer account remains until its deletion.
12. Postal direct advertising
12.1. On the basis of its legitimate interest under Article 6 (1) f) GDPR, bleed clothing GmbH may process personal data of customers for the purpose of postal direct advertising. The recipient of direct advertising has the right to object to the processing for this purpose according to Article 21 (2) GDPR.
13. Ordering process
13.1. Only DHL delivers ordered goods to customers. For this reason, your address will be transferred to DHL according to the legal permission of Article 6 (1) sentence 1 b) GDPR.
13.2. Users of our webshop can track their orders through a package announcement. This service, which is provided by DHL, requires the consent of the recipient. In addition to the address, your e-mail address will be sent to DHL for the package announcement.
13.3. Furthermore, users of our webshop can arrange a desired location for parcel storage by stating the order field with DHL. These data are automatically sent to DHL upon completion of the order. This service requires the consent of the recipient.
13.4. For dealer orders delivered by freight forwarders, the transfer of the telephone number to the freight forwarders is necessary to fulfill the contract in accordance with Art. 6 (1) sentence 1 b) GDPR.
13. Establishment of contact
13.1. When contacting us (via contact form or e-mail), the information provided by the user is processed in order to handle the contact request and its processing in accordance with Article 6 (1) b) GDPR.
13.3. We will delete your requests and related data if they are no longer required. In the case that the data are subject to the legal archiving obligations, the deletion takes place after their expiry (end of commercial law (6 years) and tax law (10 years) retention obligation).
14. Collection of access data and log files
14.1. Based on our legitimate interests within the meaning of Article 6 (1) f) GDPR, we collect data on every access to the server on which this service is located (so-called “server log files”). The access data includes the name of the retrieved web page, file, date and time of retrieval, amount of data transferred, message about successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
14.2. Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of seven days and will then be deleted. Data whose further retention is required for evidential purposes shall be exempted from deletion until final clarification of the incident.
15. Online presence in social media
15.1. We maintain online presence within social networks and platforms in order to communicate with active customers, interested parties as well as users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of the respective operators apply.
16. Cookies & Reach measurement
16.1. Cookies are information transmitted from our web server or third-party web servers to users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.
16.2. We use "session cookies" that are stored on our online presence only for 24 hours (for example, to enable the storage of your login status or the shopping cart function and thus the use of our online offer at all). In a session cookie, a randomly generated and unique identification number is stored, a so-called “session ID”. In addition, a cookie contains information about its origin and the retention period. These cookies cannot save any other data. Session cookies will be deleted if you have finished using our online offer and you e.g. log out or close the browser.
16.4. If users do not want cookies to be stored on their computer, they are asked to disable the respective option in their browser's system settings. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.
17. Google Analytics
17.2. Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with the European data protection law. (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
17.3. Google will use this information on our behalf to evaluate the use of our online offer by users, to compile reports on the activities within this online offer and to provide us with further services related to the use of this online offer and the internet usage. In this case, pseudonymous usage profiles of the users can be created from the processed data.
17.4. We use Google Analytics to display advertisements placed within Google and its affiliate advertising services only to those users who have shown an interest in our online offering or who have certain characteristics (e.g. interests in specific topics or products that are determined through the visited web pages) that we submit to Google (so-called "remarketing" or "Google Analytics audiences"). With the aid of remarketing audiences, we also want to make sure that our ads are in line with the potential interest of users and are not annoying for them.
17.5. We only use Google Analytics with activated IP anonymization. This means that the users’ IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases the full IP address will be sent to a Google server in the US and shortened there.
17.6. The IP address submitted by the user's browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly; Users may also prevent the collection of the data generated by the cookie and related to their use of the online offer to Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
17.7. For more information about Google's data usage, setting and opt-out options, please visit Google's websites: https://www.google.com/intl/de/policies/privacy/partners (Google's use of your data when you use websites or apps of its partners), https://policies.google.com/technologies/ads (Advertising use of data), https://adssettings.google.com/authenticated (Managing information Google uses to show you advertising).
18. Google Re/Marketing-Services
18.1. On the basis of our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 (1) f) GDPR) we use the marketing and remarketing services ("Google Marketing Services") from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
18.2. Google is certified under the Privacy Shield Agreement, which provides a guarantee to comply with the European data protection law. (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
18.3. Google Marketing Services allows us to better target advertisements for our website so that we only present ads to users that potentially match their interests. If a user is shown ads e.g. for products he has been interested in on other websites, it is called “remarketing”. For these purposes, when our and other websites are being accessed that have Google Marketing Services activated, Google will directly execute a Google code and so-called “(re)marketing tags” (invisible graphics or code, also called "web beacons") will be incorporated into the website. With their help, the user device is provided with an individual cookie, i.e. a small file is saved (instead of cookies, comparable technologies can also be used). The cookies can be set by different domains, including google.com, doubleclick.net, invitemedia.com, admeld.com, googlesyndication.com or googleadservices.com. In this file it is noted which web pages the user visited, what content he is interested in and what offers he has clicked, as well as technical information about the browser and operating system, referring web pages, visit time and other information on the use of the online offer. The IP address of the user is also recorded, whereby in the context of Google Analytics we announce that the IP address is shortened within member states of the European Union or other parties to the Agreement on the European Economic Area and is only transmitted in exceptional cases in its whole length to a Google server in the US and then shortened there. The IP address will not be merged with data of the user within other offers from Google. The above information may also be linked by Google with such information from other sources. If the user then visits other websites, he can be shown ads according to his interests.
18.4. In the context of the Google Marketing Services, user data is pseudonymously processed. That means Google stores and processes e.g. not the name or email address of the users, but processes the relevant data cookie-related within pseudonymous user profiles. This means, from the perspective of Google, that the ads are not managed and displayed to a specifically identified person, but to the cookie owner, regardless of who that cookie owner is. This does not apply if a user has explicitly allowed Google to process the data without this pseudonymization. The information collected about users through Google Marketing Services is transmitted to Google and stored on Google's servers in the US.
18.5. The Google Marketing Services we use include, inter alia, the online advertising program "Google AdWords". In the case of Google AdWords, each AdWords client receives a different "conversion cookie". Therefore, cookies cannot be tracked through AdWords clients' websites. The information collected through the cookie is used to generate conversion statistics for AdWords clients who have opted for conversion tracking. AdWords clients will see the total number of users who clicked their ad and were redirected to a conversion tracking tag page. However, they do not receive any information that personally identifies users.
18.6. Likewise, we may use the service "Google Optimizer". Using the so-called "A/B testings", Google Optimizer allows us to understand how various changes to a website may have an impact (such as changes to the input fields, the design, etc.). For these testing purposes, cookies are stored on users' devices. Thereby only pseudonymous data of the users are processed.
18.7. In addition, we may use the service "Google Tag Manager" to integrate and manage the Google Analytics and Marketing Services on our website.
18.9. If you wish to opt-out of interest-based advertising through Google Marketing Services, you can make use of Google's setting and opt-out options: https://adssettings.google.com/authenticated.
19.1. With the following notice we inform you about our newsletter’s content as well as the used methods in regards to registration, distribution and statistical analysis as well as your right of objection. By registering for our newsletter you accept its reception as well as the described methods.
19.2. Newsletter content: Newsletters, emails and other electronic notifications containing commercial information (in the following referred to as “newsletter”) are only sent if the recipient has accepted it or if we hold a legal authorization. If there is a detailed newsletter content description provided during the registration, then this content is relevant for the user’s acceptance. Moreover, our newsletters contain information on our products, offers, special offers and our company.
19.3. The registration for our newsletter takes place in a so-called “Double-Opt-In” method: After you have registered for the newsletter, you will receive an email asking you to confirm your registration. This confirmation is needed in order that no third party uses your email address without your permission. In order to comply with law, all registrations for the newsletter are recorded to provide evidence about the registration process. This implies the storage of the registration and confirmation time as well as the storage of the IP address. Likewise, changes made to your data which is stored at the email marketing provider are recorded.
19.4. Email marketing provider: The newsletter distribution takes place via CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, hereinafter referred to as “email marketing provider”. You can view the email marketing provider’s privacy policies at: https://www.cleverreach.com/de/datenschutz/.
19.5. The email marketing provider may use data in a pseudonymous form, meaning that there is no link to the user. This can take place to optimize his own services, e.g. to technically optimize the distribution and display of the newsletter or for statistical reasons, e.g. to determine the user’s geographical provenance. However, the email marketing provider does not use our newsletter subscribers’ data to contact them or to hand it over to a third party.
19.6. Login details: In order to register for the newsletter, it is sufficient if you indicate your email address.
19.7. Performance measurement: The newsletters contain a so-called “web-beacon”. This is a one pixel-sized data file that is being fetched from the email marketing provider’s server while opening the newsletter. In the course of this retrieval, first of all technical data like information regarding your browser, your system, your IP address and time of retrieval are being collected. This information is used to technically enhance the services by means of the provided technical data or target groups and their reading behavior on the basis of the retrieval location (that are determinable with the aid of the IP address) or the access time. Furthermore, the statistical surveys imply the determination if the newsletter was opened, when it was opened and which links were clicked. For technical reasons, this information can be linked to the newsletter subscribers - but neither do we, nor the email marketing provider aspire to observe single users. In fact, the evaluation serves to identify the reading behavior of our users and to adapt our content accordingly - or to distribute differing contents according to our users’ interests.
19.8. The newsletter transmission as well as the performance measurement is conducted on the basis of a subscriber agreement in accordance with Article 6 (1) a), Article 7 GDPR in conjunction with § 7 (2) point 3 UWG, respectively on the basis of the legal allowance in accordance with § 7 (3) UWG.
19.9. The record keeping of the registration process is conducted on the basis of our legitimate interest in accordance with Article 6 (1) f) GDPR and serves for proving the user agreement to receive our newsletter.
19.10. Termination/cancellation: You can terminate the newsletter reception at all times, meaning that you withdraw your agreement. You can find a link to unsubscribe from the newsletter at the end of every newsletter. Contacting us directly will also allow you to unsubscribe from the newsletter. In case of cancellation, your personal data will be deleted.
20. Integration of third party services and contents
20.1. Within our online offer, based on our legitimate interests (i.e. interest in the analysis, optimization and economic operation of our online offer within the meaning of Art. 6 (1) f) GDPR), we make use of content or services offered by third-party providers in order to embed their content and services, such as videos or fonts (collectively referred to as "content"). This always presupposes that the third-party providers of this content perceive the users’ IP address, since - without an IP address - they would not be able to send the content to their browser. Therefore, the IP address is required in order to display the respective content. We endeavor to use only content whose respective providers use the IP address solely for the delivery of the content. Third parties may also use so-called “pixel tags” (invisible graphics, also referred to as "web beacons") for statistical or marketing purposes. The pixel tags can be used to evaluate information such as visitor traffic on the single pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring web sites, visit time and other information regarding the use of our online offer. Likewise, the pseudonymous information may also be linked to such information from other sources.
20.2. The following presentation provides an overview of third-party providers as well as their contents, along with links to their data protection statements, which contain further information on the processing of data and, partly already mentioned here, possibilities to object (so-called “opt-out”):
- If our customers use the payment services of third parties (e.g. PayPal or Sofortüberweisung (immediate transfer)), the terms and conditions as well as the data protection notices of the respective third party are applicable, which are available within the respective websites or transactional applications.
- External fonts from Google, LLC, https://www.google.com/fonts ("Google Fonts"). The integration of Google fonts is done by a server call on Google (usually in the US). Data protection statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
- Geographical maps of the "Google Maps" service of the third party Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection statement: https://www.google.com/policies/privacy/, Opt-Out: https://www.google.com/settings/ads/.
- Videos from the third party platform "YouTube" Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated.
- Within our online offer no functions of the service Instagram are involved. However, a user account of bleed clothing GmbH is maintained at Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA for promotional purposes. Please note that we are not aware of the content of the submitted data and their use by Instagram. Data protection statement: http://instagram.com/about/legal/privacy/.
- For promotional purposes, bleed clothing GmbH maintains an account with Facebook Inc., Menlo Park, CA, 94025, USA. Features of Facebook are not included in our online offer. We point out that we are not aware of the content of the data transmitted and their use by Facebook. Data protection statement: https://www.facebook.com/about/privacy/update.