Data Protection Policy

In this Data Protection Policy we explain how we handle your personal data. The applicable data protection law, in particular the General Data Protection Regulation (GDPR), applies. We do not forward any data to third parties, with the exception of the service providers and third party suppliers that we state in this Data Protection Policy. Please contact us if you require further support.

Contents

  • Controller
  • General information
  • Data processing when the website is visited
  • Cookies, tracking pixels and mobile identifiers
  • Establishing contact
  • Further third party services
  • Data subjects’ rights

Controller

The controller in respect of the data processing is:

estaro GmbH
An der Helle 23b
D-59505 Bad Sassendorf

General information

Making data available

You are generally neither legally nor contractually required to make personal data available to use our website. If making data available is required to enter into a contract, or if the user undertakes to make personal data available, we shall inform you of this circumstance, and the consequences of not making such data available, in this Data Protection Policy.

Forwarding data to third countries

We may use service providers and third parties located in countries outside the European Union and the European Economic Area. The forwarding of personal data to such third countries is based on an adequacy decision of the European Commission (Article 45, GDPR), or we have provided appropriate safeguards to ensure data protection (Article 46, GDPR). Insofar as an adequacy decision of the European Commission is in place for the forwarding of data to a third country, we refer to this in this Data Protection Policy. In other respects, users may obtain a copy of the appropriate safeguards from us, if not already included in the data protection policies of the service providers or third parties.

Automated decision-making

In the event that we use automated decision-making, including profiling, we shall inform you in this Data Protection Policy about this circumstance, the logic involved and the scope and intended effects of such processing. In other respects, automated decision-making does not take place.

Processing for other purposes

As a matter of principle, data are only processed for the purposes for which they were collected. If they are to be further processed for other purposes in exceptional cases, we shall inform you about these other purposes prior to such further processing, and make all other relevant information available (Article 13(3), GDPR).

Data processing when the website is visited

Each time our website is used, the user’s browser transmits various data. The following data are processed and stored in log files for the duration of the website visit, including after the connection has ended:

  • Visited website
  • Time of access
  • Amount of data sent in bytes
  • Source/reference from which you reached the page
  • Used browser
  • Used operating system
  • Used IP address

Such data need to be processed to make the website available to the user and optimise it for his or her terminal. The storage in log files is aimed at improving server security (e.g. protection against DDoS attacks).

The legal basis for the processing is Article 6(1), sub-paragraph 1, point f), GDPR. Our legitimate interest is to provide the website and improve website security. Log files are automatically deleted after 14 days.

Cookies, tracking pixels and mobile identifiers

We use technologies on our website to recognise the used terminal. These may be Cookies, tracking pixels and/or mobile identifiers.

The recognition of an end device can, as a matter of principle, take place for different purposes. They may be necessary to provide functions of our website, for example to make a shopping cart available. Furthermore, the aforementioned technologies may be used to track users’ behaviour on the site, for example for advertising purposes. In this Data Protection Policy we describe separately which technologies we use in individual cases and for what purposes.

Below we explain in general terms how Cookies, tracking pixels and mobile identifiers work for a better understanding:

  • Cookies are small text files that contain certain information and are stored on the user’s terminal. In most cases, this is an identification number that is assigned to a terminal (Cookie ID).
  • A tracking pixel is a transparent graphic file that is embedded on a page and enables log file analysis.
  • A mobile identifier is a unique number (mobile ID) that is stored on a mobile device and can be read by a website.

Cookies may be required for our website to function properly. Article 6(1), sub-paragraph 1, point f), GDPR, forms the legal basis for the use of such Cookies. Our legitimate interest is to provide the functions of our website.

We use Cookies that are not necessary for the operation of our website to make our services more user-friendly or to track the use of our website. The legal basis here depends on whether the user’s consent must be obtained or if we can invoke a legitimate interest. The user may withdraw consent at any time by changing the settings in his or her browser, among other things.

The user can prevent and object to the processing of data with the aid of Cookies by making the appropriate settings in his or her browser. In the event of an objection, it may be the case that not all functions of our website shall be available. We provide separate information about other options for objecting to the processing of personal data using Cookies in this Data Protection Policy. Where applicable, we provide links by way of which an objection can be made. These are labelled as “Opt-Outs”.

Establishing contact

In the event of establishing contact, we process the user’s details, date and time for the purpose of processing the enquiry, including any queries.

Article 6(1), sub-paragraph 1, point f), GDPR, forms the legal basis in respect of the data processing. Our legitimate interest consists of responding to our users’ enquiries. An additional legal basis is Article 6(1), sub-paragraph 1, point b), GDPR, if the processing is necessary to execute a contract or implement pre-contractual measures.

The data are deleted as soon as the request, including any queries, has been answered. We check at regular intervals, but at least every two years, whether any data collected in conjunction with contacts are to be deleted.

Orders and payment processing

When an order is placed in our online shop, we process the data provided when the order is placed, such as name, bank details or payment data, to process the order. We only forward payment data to our payment service providers if this is required to process the payment.

Article 6(1), sub-paragraph 1, point b), GDPR, forms the legal basis for the processing of order data. Article 6(1), sub-paragraph 1, point f), GDPR, forms the legal basis if the user places his or her order data in a user account. In other respects, the processing is based on Article 6(1), sub-paragraph 1, point f), GDPR. Our legitimate interest is the processing of repayments and the pursuit of claims.

Order and payment data are deleted as soon as they are no longer required to process the order, including a reversal of the payment (e.g. due to withdrawal of consent or withdrawal from the contract) or process warranty cases, and no legal storage obligations apply. In the event that the user has stored his or her order data for a repeat order in their user account, the data shall be deleted with the user account if they are not required to process a specific order.

Further third party services

Google Tag Manager

We use Google Tag Manager to manage our website tags. Provider: Google Ireland Ltd, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

The Tag Manager is a Cookie-free domain that triggers tags from various providers, which in turn collect data. The Google Tag Manager does not access this data. The user’s IP address needs to be forwarded to Google for technical purposes to trigger tags.

The Google Tag Manager is used on the legal basis of Article 6(1), sub-paragraph 1, point a), GDPR, by way of the user’s consent.

Google data protection policy

OpenStreetMap

We use OpenStreetMap to display maps. Provider: the OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom. The user’s IP address needs to be forwarded in that respect for technical purposes.

OpenStreetMap’s registered office is in the United Kingdom. The European Commission has determined by way of an adequacy decision in accordance with Article 45, GDPR, that an adequate level of protection for personal data exists in the United Kingdom.

OpenStreetMap is used on the legal basis of Article 6(1), sub-paragraph 1, point a), GDPR, by way of the user’s consent.

OpenStreetMap data protection policy

Data subjects’ rights

If a user’s personal data are processed, he or she is a data subject within the meaning of the GDPR. Data subjects are entitled to the following rights:

Right to receive information: the data subject has the right to request confirmation as to whether personal data concerning him or her are being processed. If personal data are processed, the data subject has the right to obtain information free of charge as well as a copy of the personal data that are the subject matter of the processing.

Right to rectification: the data subject has the right to obtain the rectification without delay of inaccurate or incomplete personal data.

Right to erasure: the data subject has the right to obtain the erasure without delay of personal data concerning him or her, in accordance with the law.

Right to restriction of the processing: the data subject has the right to request restriction of the processing of personal data concerning him or her in accordance with the law.

Right to data portability: the data subject has the right to obtain the personal data concerning him or her in a structured, commonly used and machine-readable format or to request that such data be transferred to another controller.

Right to object: the data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1), sub-paragraph 1, point e) or f), GDPR; this also applies to profiling based on these provisions. If personal data are processed to implement direct advertising, the data subject has the right to object at any time to the processing of personal data that affects him or her for the purpose of such advertising. This also applies to profiling where it is associated with such direct advertising.

Right to withdrawal: the data subject has the right to withdraw his or her given consent at any time.

Right to lodge a complaint: the data subject has the right to lodge a complaint with a supervisory authority.

Data Protection Policy status: 19.12.2022